No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring a Client SSL Policy

Configuring a Client SSL Policy


The PKI domain has been configured.


The SSL protocol uses data encryption, identity authentication, and message integrity check to ensure security of TCP-based application layer protocols. A client SSL policy can be applied to application layer protocols such as the CPE WAN Management Protocol (CWMP) to provide secure connections.

Figure 17-3  Router functions as an SSL client

As shown in Figure 17-3, the Figure 17-3 functions as an SSL client and has a client SSL policy configured. During an SSL handshake, the Router uses the SSL parameters in the client SSL policy to negotiate session parameters with the SSL server. After the handshake is complete, the Router establishes a session with the server.

When functioning as an SSL client, the Router does not allow SSL servers to authenticate it, but it can authenticate SSL servers. When the Router functions as an SSL client, enable it to authenticate servers to ensure secure communication.


  1. Run system-view

    The system view is displayed.

  2. Run ssl policy policy-name type client

    A client SSL policy is created, and the client SSL policy view is displayed.

  3. Run server-verify enable

    SSL server authentication is enabled.

    By default, SSL server authentication is enabled in a client SSL policy.

  4. Run pki-realm realm-name

    A PKI domain is specified for the client SSL policy.

    By default, no PKI domain is specified for a client SSL policy on the Router.


    The Router obtains a CA certificate chain from CAs in the specified PKI domain. The Router authenticates an SSL server by checking the server certificate and CA certificates against the CA certificate chain.

  5. (Optional) Run version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }

    The SSL protocol version is specified.

    By default, a client SSL policy uses Transport Layer Security (TLS) version 1.2.


    Ensure that the specified SSL protocol version is supported by the SSL server. Before performing this step, check the SSL protocol versions that the SSL server supports.

    TLS1.2 version is recommended, other protocol version has potential security risks.

  6. (Optional) Run prefer-ciphersuite { rsa_3des_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_128_sha256 | rsa_aes_256_sha256 | rsa_aes128_ccm | rsa_aes128_gcm_sha256 | rsa_aes256_ccm | rsa_aes256_gcm_sha384 } *

    A cipher suite is specified.

    By default, a client SSL policy uses the cipher suites: rsa_aes_128_sha256 and rsa_aes_256_sha256.


    Ensure that the specified cipher suite is supported by the SSL server. Before performing this step, check the cipher suites that the SSL server supports.

  7. (Optional) Configure the SSL renegotiation function.

    Disabling the renegotiation function on the device can protect the device against renegotiation attacks, but will interrupt services. Therefore, you can keep the renegotiation function enabled, and set the SSL renegotiation rate to minimize the impact of renegotiation attacks on services. Choose either of the following tasks:

    • Disable renegotiation.

      Run the undo renegotiation enable command to disable SSL renegotiation.

      By default, SSL renegotiation is enabled.

    • Set the renegotiation rate.
      1. Run the quit command to return to the system view.
      2. Run the ssl renegotiation-rate rate command to set the SSL renegotiation rate.

        By default, the SSL renegotiation is performed once per second. You can set the rate according to the CPU capability of the device.

        This configuration applies to all SSL policies.

Verifying the Configuration

Run the display ssl policy [ policy-name ] command to view the configuration of the SSL policy.

Updated: 2019-08-07

Document ID: EDOC1100034077

Views: 128436

Downloads: 231

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next