The unsupport ssl-cipher block command enables the FW to block the establishment of an SSL connection with a client or a server when an encryption algorithm is not supported.
The undo unsupport ssl-cipher block command enables the FW to allow the establishment of an SSL connection between a client and a server.
The client and the server negotiate the SSL encryption algorithm while establishing an SSL connection with the FW. If the client or the server uses an encryption algorithm that the FW does not support for negotiation, the FW by default allows the client and the server to establish the SSL connection. In this case, the FW does not function as an SSL proxy; it transparently transmits the SSL-encrypted traffic without decrypting it.
Usage Scenario
In the client protection and server protection scenarios, the FW checks whether the encryption algorithm in the SSL traffic is supported.
# Enable the FW to block the establishment of an SSL connection with a client or a server when an encryption algorithm is not supported.
<sysname> system-view
[sysname] profile type decryption name profile1
[sysname-profile-decryption-profile1] detect type inbound
[sysname-profile-decryption-profile1] unsupport ssl-cipher block