Login
- Table of Contents
-
- 06-Security Configuration Guide
- 00-Preface
- 01-AAA Configuration
- 02-802.1X Configuration
- 03-MAC Authentication Configuration
- 04-Triple Authentication Configuration
- 05-Port Security Configuration
- 06-User Profile Configuration
- 07-HABP Configuration
- 08-Public Key Configuration
- 09-PKI Configuration
- 10-SSH2.0 Configuration
- 11-SSL Configuration
- 12-TCP Attack Protection Configuration
- 13-IP Source Guard Configuration
- 14-ARP Attack Protection Configuration
- 15-ND Attack Defense Configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 11-SSL Configuration | 125.91 KB |
Contents
Configuring an SSL server policy
SSL server policy configuration example
Configuring an SSL client policy
Displaying and maintaining SSL
This chapter includes these sections:
· Displaying and maintaining SSL
|
|
NOTE: · The term "switch" or "device" in this chapter refers to the switching engine on a WX3000E wireless switch. · The WX3000E series comprises WX3024E and WX3010E wireless switches. · The port numbers in this chapter are for illustration only. |
SSL overview
Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTP. It is widely used in e-business and online bank fields to ensure secure data transmission over the Internet.
SSL security mechanism
Secure connections provided by SSL have these features:
· Confidentiality—SSL uses a symmetric encryption algorithm to encrypt data and uses the asymmetric key algorithm of Rivest, Shamir, and Adelman (RSA) to encrypt the key to be used by the symmetric encryption algorithm.
· Authentication—SSL supports certificate-based identity authentication of the server and client by using the digital signatures. The SSL server and client obtain certificates from a certificate authority (CA) through the Public Key Infrastructure (PKI).
· Reliability—SSL uses the key-based message authentication code (MAC) to verify message integrity. A MAC algorithm transforms a message of any length to a fixed-length message. Figure 1 illustrates how SSL uses a MAC algorithm to verify message integrity. With the key, the sender uses the MAC algorithm to compute the MAC value of a message. Then, the sender suffixes the MAC value to the message and sends the result to the receiver. The receiver uses the same key and MAC algorithm to compute the MAC value of the received message, and compares the locally computed MAC value with that received. If the two match, the receiver considers the message intact; otherwise, the receiver considers that the message has been tampered with in transit and discards the message.
Figure 1 Message integrity verification by a MAC algorithm
|
|
NOTE: · For more information about symmetric key algorithms, asymmetric key algorithm RSA and digital signature, see the chapter “Public key configuration.” · For more information about PKI, certificate, and CA, see the chapter “PKI configuration.” |
SSL protocol stack
As shown in Figure 2, the SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.
· SSL record protocol—Fragments data to be transmitted, computes and adds MAC to the data, and encrypts the data before transmitting it to the peer end.
· SSL handshake protocol—Negotiates the cipher suite to be used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), securely exchanges the key between the server and client, and implements identity authentication of the server and client. Through the SSL handshake protocol, a session is established between a client and the server. A session consists of a set of parameters, including the session ID, peer certificate, cipher suite, and master secret.
· SSL change cipher spec protocol—Used for notification between the client and the server that the subsequent packets are to be protected and transmitted based on the newly negotiated cipher suite and key.
· SSL alert protocol—Enables the SSL client and server to send alert messages to each other. An alert message contains the alert severity level and a description.
SSL configuration task list
Complete the following tasks to configure SSL:
|
Task |
Remarks |
|
Required |
|
|
Optional |
Configuring an SSL server policy
An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application layer protocol such as HTTP.
Configuration prerequisites
Configure the PKI domain for the SSL server policy to use to obtain a certificate for the SSL server. For more information about PKI domain configuration, see the chapter “PKI configuration.”
Configuration procedure
Follow these steps to configure an SSL server policy:
|
To do... |
Use the command... |
Remarks |
|
Enter system view |
system-view |
— |
|
Create an SSL server policy and enter its view |
ssl server-policy policy-name |
Required |
|
Specify a PKI domain for the SSL server policy |
pki-domain domain-name |
Required By default, no PKI domain is specified for an SSL server policy. |
|
Specify the cipher suite(s) for the SSL server policy to support |
ciphersuite [ rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] * |
Optional By default, an SSL server policy supports all cipher suites. |
|
Set the handshake timeout time for the SSL server |
handshake timeout time |
Optional 3,600 seconds by default |
|
Set the SSL connection close mode |
close-mode wait |
Optional Not wait by default |
|
Set the maximum number of cached sessions and the caching timeout time |
session { cachesize size | timeout time } * |
Optional The defaults are as follows: · 500 for the maximum number of cached sessions, · 3600 seconds for the caching timeout time. |
|
Configure the server to require certificate-based SSL client authentication |
client-verify enable |
Optional By default, the SSL server does not require the client to be authenticated. |
|
|
NOTE: · If you enable client authentication here, you must request a local certificate for the client. · SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. When the device acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify Hello packets from clients running SSL 2.0. If a client running SSL 2.0 also supports SSL 3.0 or TLS 1.0 (information about supported versions is carried in the packet that the client sends to the server), the server will notify the client to use SSL 3.0 or TLS 1.0 to communicate with the server. |
SSL server policy configuration example
Network requirements
As shown in Figure 3, users can access and control the device through web pages. For security of the device, users must use HTTPS (HTTP Security, which uses SSL) to log in to the web interface of the device and use SSL for identity authentication to ensure that data will not be eavesdropped or tampered with.
To achieve the goal, perform the following configurations:
· Configure Device to work as the HTTPS server and request a certificate for Device.
· Request a certificate for Host so that Device can authenticate the identity of Host.
· Configure a CA server to issue certificates to Device and Host.
|
|
NOTE: · In this example, Windows Server works as the CA server and the Simple Certificate Enrollment Protocol (SCEP) plug-in is installed on the CA server. · Before performing the following configurations, ensure that the device, the host, and the CA server can reach each other. |
Figure 3 Network diagram for SSL server policy configuration
Configuration procedure
1. Configure the HTTPS server (Device)
# Create a PKI entity named en, and configure the common name as http-server1 and the FQDN as ssl.security.com.
<Device> system-view
[Device] pki entity en
[Device-pki-entity-en] common-name http-server1
[Device-pki-entity-en] fqdn ssl.security.com
[Device-pki-entity-en] quit
# Create PKI domain 1, specify the trusted CA as ca server, the URL of the registration server as http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate request as RA, and the entity for certificate request as en.
[Device] pki domain 1
[Device-pki-domain-1] ca identifier ca server
[Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Device-pki-domain-1] certificate request from ra
[Device-pki-domain-1] certificate request entity en
[Device-pki-domain-1] quit
# Create the local RSA key pairs.
[Device] public-key local create rsa
# Retrieve the CA certificate.
[Device] pki retrieval-certificate ca domain 1
# Request a local certificate for Device.
[Device] pki request-certificate domain 1
# Create an SSL server policy named myssl.
[Device] ssl server-policy myssl
# Specify the PKI domain for the SSL server policy as 1.
[Device-ssl-server-policy-myssl] pki-domain 1
# Enable client authentication.
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
# Configure HTTPS service to use SSL server policy myssl.
[Device] ip https ssl-server-policy myssl
# Enable HTTPS service.
[Device] ip https enable
# Create a local user named usera, and set the password to 123 and service type to telnet.
[Device] local-user usera
[Device-luser-usera] password simple 123
[Device-luser-usera] service-type telnet
2. Configure the HTTPS client (Host)
On Host, launch IE, enter http://10.1.2.2/certsrv in the address bar and request a certificate for Host as prompted.
3. Verify your configuration
Launch IE on the host, enter https://10.1.1.1 in the address bar, and select the certificate issued by the CA server. The web interface of the device should appear. After entering username usera and password 123, you should be able to log in to the web interface to access and manage the device.
|
|
NOTE: · For more information about PKI configuration commands, see the chapter “PKI configuration.” · For more information about the public-key local create rsa command, see the Security Command Reference. · For more information about HTTPS, see the Fundamentals Configuration Guide. |
Configuring an SSL client policy
An SSL client policy is a set of SSL parameters for a client to use when connecting to the server. An SSL client policy takes effect only after it is associated with an application layer protocol.
Configuration prerequisites
If the SSL server is configured to authenticate the SSL client, you must configure the PKI domain for the SSL client policy to use to obtain the certificate of the client. For more information about PKI domain configuration, see the chapter “PKI configuration.”
Configuration procedure
Follow these steps to configure an SSL client policy:
|
Use the command… |
Remarks |
|
|
Enter system view |
system-view |
— |
|
Create an SSL client policy and enter its view |
ssl client-policy policy-name |
Required |
|
Specify a PKI domain for the SSL client policy |
pki-domain domain-name |
Optional No PKI domain is configured by default. |
|
Specify the preferred cipher suite for the SSL client policy |
prefer-cipher { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } |
Optional rsa_rc4_128_md5 by default |
|
Specify the SSL protocol version for the SSL client policy |
version { ssl3.0 | tls1.0 } |
Optional TLS 1.0 by default |
|
Enable certificate-based SSL server authentication |
server-verify enable |
Optional Enabled by default |
|
|
NOTE: If you enable client authentication on the server, you must request a local certificate for the client. |
Displaying and maintaining SSL
|
To do… |
Use the command… |
Remarks |
|
Display SSL server policy information |
display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ] |
Available in any view |
|
Display SSL client policy information |
display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ] |
Troubleshooting SSL
SSL handshake failure
Symptom
As the SSL server, the device fails to handshake with the SSL client.
Analysis
SSL handshake failure may result from the following causes:
· The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or the certificate is not trusted.
· The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate or the certificate is not trusted.
· The server and the client have no matching cipher suite.
Solution
1. Issue the debugging ssl command and view the debugging information to locate the problem:
· If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate, request one for it.
· If the server’s certificate cannot be trusted, install the root certificate of the CA that issues the local certificate to the SSL server on the SSL client, or let the server request a certificate from the CA that the SSL client trusts.
· If the SSL server is configured to authenticate the client, but the SSL client has no certificate or the certificate cannot be trusted, request and install a certificate for the client.
2. Use the display ssl server-policy command to view the cipher suites that the SSL server policy supports. If the server and the client have no matching cipher suite, use the ciphersuite command to modify the cipher suite configuration of the SSL server.
