
ssl-version (SSL-encrypted traffic detection profile view)

Function

The ssl-version command configures the SSL version number.

Format

ssl-version { server-side | client-side } version &<1–5>

undo ssl-version { server-side | client-side }

Parameters

Parameter: server-side
Description: Indicates the SSL protocol version used by the FW when the FW establishes an SSL connection with the server.
Value: -

Parameter: client-side
Description: Indicates the SSL protocol version used by the FW when the FW establishes an SSL connection with the client.
Value: -

Parameter: version &<1–5>
Description: Indicates the supported SSL protocol version.
Value: Value options are as follows:
  • ssl3.0
  • tls1.0
  • tls1.1
  • tls1.2
  • tls1.3

Views

SSL-encrypted traffic detection profile view

Default Level

2: Configuration level

Usage Guidelines

Currently, the FW supports SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3, with security levels in an ascending order.

Multiple SSL versions can be configured for a client or a server. At least one SSL version must be configured. The selected SSL version is negotiated between the server and the client during the establishment of an SSL connection with the FW. If the client or the server uses an SSL version that is not supported by the FW, the FW blocks or allows the establishment of SSL connections according to actual situations.

TLS 1.0, TLS 1.1, and SSL 3.0 have security risks. TLS 1.2 and later versions are recommended.

Only TLS 1.3 is recommended for an environment that requires high security.
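The recommendations above can be checked against a configuration with a short audit script. This is an added example, not Huawei code. It assumes the configuration is available as text containing the commands in the form shown on this page, with or without CLI prompts, and it reads &<1–5> as one to five version values. The function name and the sample input are constructed for illustration.

```python
import re

KNOWN = ["ssl3.0", "tls1.0", "tls1.1", "tls1.2", "tls1.3"]  # value options listed on this page
WEAK = {"ssl3.0", "tls1.0", "tls1.1"}  # versions this page says have security risks
# Strips a leading "<sysname>" or "[sysname-...]" CLI prompt if one is present.
PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")


def audit_ssl_versions(config_text, high_security=False):
    """Return (profile, side, problem) findings for each ssl-version line."""
    findings = []
    profile = None
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw).strip()
        m = re.match(r"profile type decryption name (\S+)$", line)
        if m:
            profile = m.group(1)  # later ssl-version lines belong to this profile
            continue
        # re.match anchors at the start, so "undo ssl-version ..." is skipped.
        m = re.match(r"ssl-version (server-side|client-side)\s*(.*)$", line)
        if not m:
            continue
        side, versions = m.group(1), m.group(2).split()
        if not 1 <= len(versions) <= 5:  # assumption: &<1–5> means 1 to 5 values
            findings.append((profile, side, "expected 1 to 5 versions"))
        for v in versions:
            if v not in KNOWN:
                findings.append((profile, side, f"unknown version {v}"))
            elif v in WEAK:
                findings.append((profile, side, f"{v} has security risks"))
            elif high_security and v != "tls1.3":
                findings.append((profile, side, f"{v} enabled; only tls1.3 recommended"))
    return findings


# Constructed sample input (not taken from a real device).
SAMPLE = """\
[sysname] profile type decryption name profile1
[sysname-profile-decryption-profile1] ssl-version client-side ssl3.0 tls1.0 tls1.1 tls1.2 tls1.3
[sysname-profile-decryption-profile1] ssl-version server-side tls1.2 tls1.3
[sysname] profile type decryption name profile2
[sysname-profile-decryption-profile2] ssl-version server-side tls1.3
"""

if __name__ == "__main__":
    for finding in audit_ssl_versions(SAMPLE):
        print(*finding, sep=": ")
```

Pass high_security=True to also flag any version other than tls1.3, matching the high-security recommendation.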

Example

# Configure the supported SSL version number for the client.

<sysname> system-view
[sysname] profile type decryption name profile1
[sysname-profile-decryption-profile1] detect type inbound
[sysname-profile-decryption-profile1] ssl-version client-side ssl3.0 tls1.0 tls1.1 tls1.2 tls1.3

# Configure the supported SSL version number for the server.

<sysname> system-view
[sysname] profile type decryption name profile1
[sysname-profile-decryption-profile1] detect type inbound
[sysname-profile-decryption-profile1] ssl-version server-side ssl3.0 tls1.0 tls1.1 tls1.2 tls1.3
Copyright © Huawei Technologies Co., Ltd.