| Parameter | Description | Value |
|---|---|---|
| server-side | Indicates the SSL encryption algorithm used by the FW when the FW establishes an SSL connection with the server. | - |
| client-side | Indicates the SSL encryption algorithm used by the FW when the FW establishes an SSL connection with the client. | - |
| cipher &<1–3> | Indicates the supported SSL encryption algorithm. | Value options are as follows: |
| user-defined user-defined | Specifies a user-defined encryption algorithm. | The user-defined encryption algorithm must follow the algorithm format required by OpenSSL, such as DHE-RSA-AES128-SHA:AES128-SHA:AES128-SHA256:DHE-RSA-AES128-SHA256. |

Multiple SSL encryption algorithms can be configured for a client or a server. At least one SSL encryption algorithm must be configured. The SSL encryption algorithm that is actually used is negotiated between the client and the server while the SSL connection with the FW is being established. If the client or the server uses an encryption algorithm that is not supported by the FW, the FW blocks or allows the establishment of the SSL connection depending on the actual situation.
# Configure the supported SSL encryption algorithm for the client.
```
<sysname> system-view
[sysname] profile type decryption name profile1
[sysname-profile-decryption-profile1] detect type inbound
[sysname-profile-decryption-profile1] ssl-cipher client-side medium
```
# Configure the supported SSL encryption algorithm for the server.
```
<sysname> system-view
[sysname] profile type decryption name profile1
[sysname-profile-decryption-profile1] detect type inbound
[sysname-profile-decryption-profile1] ssl-cipher server-side high medium low
```
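
Before a `user-defined` string is entered on the FW, it can be reviewed offline. The following is an added example, not part of the product documentation or the FW software: it splits a colon-separated string in the OpenSSL format shown in the parameter table and reports properties of each suite. The function name and the rule set are assumptions based on the OpenSSL naming of TLS 1.2 and earlier suites, and the script does not check which suites the FW itself accepts.

```python
import re

# Sample input: the user-defined string quoted in the parameter table.
SAMPLE = "DHE-RSA-AES128-SHA:AES128-SHA:AES128-SHA256:DHE-RSA-AES128-SHA256"

# Assumption: suites are listed by their OpenSSL names (upper-case tokens joined
# by hyphens) and separated by colons, as in the sample above.
NAME = re.compile(r"[A-Z0-9]+(?:-[A-Z0-9]+)*")
EPHEMERAL = {"DHE", "ECDHE", "EDH"}                  # ephemeral key exchange prefixes
WEAK = {"NULL", "EXP", "RC4", "DES", "CBC3", "MD5"}  # tokens that mark legacy suites
AEAD = {"GCM", "CCM", "CCM8", "CHACHA20"}            # authenticated-encryption modes


def audit_cipher_string(value):
    """Return [(suite, [findings])] for each entry of a colon-separated list."""
    report, seen = [], set()
    for suite in value.split(":"):
        if not NAME.fullmatch(suite):
            report.append((suite, ["not a suite name in OpenSSL format"]))
            continue
        tokens, findings = suite.split("-"), []
        if suite in seen:
            findings.append("duplicate entry")
        seen.add(suite)
        # Names without a DHE/ECDHE prefix (e.g. AES128-SHA) do not use an
        # ephemeral key exchange, so recorded sessions lack forward secrecy.
        if tokens[0] not in EPHEMERAL:
            findings.append("key exchange is not DHE/ECDHE")
        legacy = sorted(WEAK & set(tokens))
        if legacy:
            findings.append("legacy cipher or hash: " + ",".join(legacy))
        if tokens[-1] == "SHA":                      # bare SHA suffix means HMAC-SHA1
            findings.append("HMAC-SHA1 integrity")
        if not AEAD & set(tokens):
            findings.append("not an AEAD suite")
        report.append((suite, findings))
    return report


if __name__ == "__main__":
    for suite, findings in audit_cipher_string(SAMPLE):
        print(f"{suite:24} {'; '.join(findings) or 'ok'}")
```
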