The client-auth block command enables the FW to block the SSL connection between a client and a server when the server requires verification of the client certificate.
The undo client-auth block command enables the FW to allow the establishment of an SSL connection between a client and a server.
By default, the FW allows the establishment of an SSL connection between a client and a server.
Usage Scenario
In the client protection scenario, the FW verifies the client certificate for SSL-encrypted traffic.
Precautions
When establishing an SSL connection with the server, the client verifies the server certificate. In some cases, the server also verifies the client certificate, which forms bidirectional verification. If the server needs to verify the client certificate, the FW does not support SSL traffic decryption. For example, when you access a website that involves personal privacy, such as a bank or social security website, the server generally needs to verify the client certificate. Without manual configuration, the FW transparently transmits such traffic instead of performing SSL decryption.
# Set the FW to block the SSL connection between a client and a server when the server requires verification of the client certificate.
<sysname> system-view
[sysname] profile type decryption name profile1
[sysname-profile-decryption-profile1] detect type outbound
[sysname-profile-decryption-profile1] client-auth block
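The bidirectional verification described under Precautions is visible on the wire in TLS 1.2 as a plaintext CertificateRequest handshake message (type 13) in the server's first flight. The following is an added example, not Huawei code and not a description of how the FW implements client-auth block; it shows how a defender can confirm from a captured server flight that a server asks for a client certificate. The sample flights are constructed with dummy message bodies, and the check does not apply to TLS 1.3, where CertificateRequest is encrypted.

```python
import struct

HANDSHAKE = 22             # TLS record content type for handshake messages
CERTIFICATE_REQUEST = 13   # TLS 1.2 handshake message type (RFC 5246)

def handshake_types(stream: bytes) -> list:
    """List handshake message types in the plaintext part of a TLS flight."""
    payload, pos = bytearray(), 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if ctype != HANDSHAKE or len(body) < length:
            break          # encrypted/other record, or truncated capture
        payload += body    # handshake messages may span several records
        pos += 5 + length
    types, off = [], 0
    while off + 4 <= len(payload):
        mlen = int.from_bytes(payload[off + 1:off + 4], "big")
        if off + 4 + mlen > len(payload):
            break          # incomplete message
        types.append(payload[off])
        off += 4 + mlen
    return types

def server_requests_client_cert(stream: bytes) -> bool:
    """True if the server flight contains a CertificateRequest."""
    return CERTIFICATE_REQUEST in handshake_types(stream)

# --- constructed sample data: real headers, dummy message bodies ---
def msg(mtype: int, body: bytes) -> bytes:
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def record(payload: bytes) -> bytes:
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(payload)) + payload

# ServerHello, Certificate, ServerHelloDone: server-only verification
ONE_WAY = record(msg(2, b"\x00" * 38) + msg(11, b"\x00" * 20) + msg(14, b""))
# Same flight plus CertificateRequest: bidirectional verification
_mutual = (msg(2, b"\x00" * 38) + msg(11, b"\x00" * 20)
           + msg(13, b"\x00" * 8) + msg(14, b""))
MUTUAL = record(_mutual)
MUTUAL_SPLIT = record(_mutual[:50]) + record(_mutual[50:])  # spans two records

if __name__ == "__main__":
    for name, flight in [("one-way", ONE_WAY), ("mutual", MUTUAL),
                         ("mutual, split", MUTUAL_SPLIT)]:
        print(name, handshake_types(flight), server_requests_client_cert(flight))
```
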