The untrust-certificate block command enables the FW to block the establishment of an SSL connection when a server certificate is untrusted.
The undo untrust-certificate block command enables the FW to allow the establishment of an SSL connection.
By default, the FW allows the establishment of an SSL connection between a client and a server.
Allow the FW to establish an SSL connection with an untrusted server certificate only when the server is known to be reliable. If the security of the server certificate is unclear, it is recommended that the FW block the establishment of the SSL connection.
Usage Scenario
In the SSL no-decrypt scenario, the FW verifies the server certificate. If the server certificate is untrusted, the FW blocks the establishment of the SSL connection between a client and a server (the FW transparently transmits the traffic instead of functioning as an SSL proxy).
In the client protection scenario, the FW verifies the server certificate. If the server certificate is untrusted, the FW blocks the establishment of the SSL connection between servers (the FW functions as an SSL proxy).
# Enable the FW to block the establishment of an SSL connection when a server certificate is untrusted.
<sysname> system-view
[sysname] profile type decryption name profile1
[sysname-profile-decryption-profile1] detect type outbound
[sysname-profile-decryption-profile1] untrust-certificate block
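The following added example is not Huawei's code; it models how the untrust-certificate setting in a decryption profile changes the FW's handling of an SSL handshake whose server certificate fails trust verification. It parses a constructed configuration transcript (profile names profile1 to profile3 and the scenario labels are assumptions for illustration) and then applies the default-allow rule, the block rule, and the undo command described above, in both the no-decrypt and client protection scenarios.

```python
"""Added example (not Huawei's code): models the effect of
'untrust-certificate block' / 'undo untrust-certificate block'
in a decryption profile on an SSL handshake with an untrusted
server certificate."""

from dataclasses import dataclass
from typing import Dict, Optional

# Constructed CLI transcript, following the command reference above.
# Profile names and the third profile (left at the default) are assumptions.
CONSTRUCTED_CONFIG = """\
[sysname] profile type decryption name profile1
[sysname-profile-decryption-profile1] detect type outbound
[sysname-profile-decryption-profile1] untrust-certificate block
[sysname] profile type decryption name profile2
[sysname-profile-decryption-profile2] detect type outbound
[sysname-profile-decryption-profile2] undo untrust-certificate block
[sysname] profile type decryption name profile3
[sysname-profile-decryption-profile3] detect type outbound
"""


@dataclass
class DecryptionProfile:
    name: str
    detect_type: Optional[str] = None
    # Default per the reference: the FW allows the SSL connection.
    block_untrusted: bool = False


def parse_config(text: str) -> Dict[str, DecryptionProfile]:
    """Build decryption profiles from a CLI transcript (prompts are ignored)."""
    profiles: Dict[str, DecryptionProfile] = {}
    current: Optional[DecryptionProfile] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):  # drop the "[sysname-...]" view prompt
            line = line.split("]", 1)[1].strip()
        words = line.split()
        if (words[:3] == ["profile", "type", "decryption"]
                and len(words) >= 5 and words[3] == "name"):
            current = DecryptionProfile(words[4])
            profiles[current.name] = current
        elif words[:2] == ["detect", "type"] and len(words) >= 3 and current:
            current.detect_type = words[2]
        elif words == ["untrust-certificate", "block"] and current:
            current.block_untrusted = True
        elif words == ["undo", "untrust-certificate", "block"] and current:
            current.block_untrusted = False  # back to the default (allow)
    return profiles


def handle_handshake(profile: DecryptionProfile, cert_trusted: bool,
                     scenario: str) -> str:
    """Return the FW action for a server certificate verification result.

    scenario is 'no-decrypt' (FW transparently forwards the traffic) or
    'client-protection' (FW functions as an SSL proxy); these labels are
    assumptions used only in this example.
    """
    allowed_action = "forward" if scenario == "no-decrypt" else "proxy"
    if cert_trusted:
        return allowed_action
    if profile.block_untrusted:
        return "block"
    return allowed_action  # default behaviour: connection is allowed


if __name__ == "__main__":
    for name, prof in parse_config(CONSTRUCTED_CONFIG).items():
        for scenario in ("no-decrypt", "client-protection"):
            print(name, scenario, "untrusted cert ->",
                  handle_handshake(prof, False, scenario))
```

Running the block prints the action per profile and scenario; only profile1, where the block command is configured, rejects the handshake with an untrusted certificate, while profile2 (undo) and profile3 (default) let it through.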