The unsupport ssl-version block command enables the FW to block the establishment of an SSL connection with a client or a server when an SSL protocol version is not supported.
The undo unsupport ssl-version block command enables the FW to allow the establishment of an SSL connection between a client and a server.
SSL protocol version used for negotiation between a client and a server during the establishment of an SSL connection with the FW. Currently, the FW supports only SSL3.0, TLS1.0, TLS1.1, and TLS1.2. By default, if the client or the server negotiates with an SSL protocol version that the FW does not support (for example, SSL2.0), the FW allows the establishment of an SSL connection between the client and the server. The FW does not function as an SSL proxy and transparently transmits SSL-encrypted traffic without decryption.
Usage Scenario
In the client protection and server protection scenarios, the FW checks whether the SSL protocol version in the SSL traffic is supported.
# Enable the FW to block the establishment of an SSL connection with a client or a server when an SSL protocol version is not supported.
<sysname> system-view
[sysname] profile type decryption name profile1
[sysname-profile-decryption-profile1] detect type outbound
[sysname-profile-decryption-profile1] unsupport ssl-version block
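The following added example (not vendor code and not the FW's implementation) models the decision described above, so that captured ClientHello bytes can be checked before the command is enabled. The function names, outcome labels and sample bytes are assumptions constructed for illustration.

```python
# Versions the page lists as supported by the FW, keyed by (major, minor) wire value.
SUPPORTED = {(3, 0): "SSL3.0", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}

# Constructed sample inputs: the first bytes of a TLS1.2 and an SSL2.0 ClientHello.
SAMPLE_TLS12 = bytes([0x16, 3, 1, 0, 0x2F, 0x01, 0, 0, 0x2B, 3, 3]) + bytes(32)
SAMPLE_SSL2 = bytes([0x80, 0x2E, 0x01, 0x00, 0x02]) + bytes(8)


def client_hello_version(data: bytes):
    """Return the (major, minor) version offered in a ClientHello, or None."""
    # SSL2.0 framing: 2-byte length with the high bit set, message type 1,
    # then the version. This model classifies by the advertised version only.
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        return data[3], data[4]
    # SSL3.0/TLS framing: record header (type 22, version, length), handshake
    # header (type 1, 3-byte length), then the 2-byte client_version.
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        return data[9], data[10]
    return None


def decide(data: bytes, block_unsupported: bool) -> str:
    """Model the documented behaviour for the first bytes of a client flow.

    block_unsupported=True corresponds to 'unsupport ssl-version block';
    False corresponds to the default (undo) behaviour.
    """
    version = client_hello_version(data)
    if version is None:
        return "not-client-hello"
    if version in SUPPORTED:
        return "supported"
    # Unsupported version: transparently passed by default, blocked when enabled.
    return "block" if block_unsupported else "pass-through"


if __name__ == "__main__":
    for name, sample in (("TLS1.2", SAMPLE_TLS12), ("SSL2.0", SAMPLE_SSL2)):
        for enabled in (False, True):
            print(name, "block enabled" if enabled else "default", decide(sample, enabled))
```

The model reads only the version field in the ClientHello header; a TLS 1.3 client also places 3.3 in that field and signals the newer version in an extension, which this sketch does not parse.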