```text
[SSL Policy Policy_1 Menu]
     backend  - Backend SSL Configuration Menu
     name     - Set descriptive policy name
     passinfo - Pass SSL Information to Backend Servers Menu
     frver    - Allowed Frontend SSL Protocol Version Menu
     bever    - Allowed Backend SSL Protocol Version Menu
     cipher   - Set allowed cipher-suites in frontend SSL
     sslgrps  - Set allowed groups in frontend SSL
     sslsigs  - Set allowed signature algorithms in frontend SSL
     intermca - Set Intermediate CA certificate chain
     becipher - Set allowed cipher-suites in backend SSL
     authpol  - Set client authentication policy
     convuri  - Set Host regex for HTTP redirection conversion
     secreng  - Set Max allowed Frontend and Backend SSL Secure Renegotiation
     dhkey    - Set Diffie Helman key size
     hwoffld  - SSL HW offload Menu
     zerortt  - Zero RTT Resumption Menu
     fessl    - Enable/Disable frontend SSL encryption
     fessl    - Set frontend SSL mode
     bessl    - Enable/Disable backend SSL encryption
     fereuse  - Frontend SSL sessions cache menu
     hstmout  - Frontend SSL handshake timeout in msec
     convert  - Enable/Disable HTTP redirection conversion
     ena      - Enable policy
     dis      - Disable policy
     del      - Delete Policy
     cur      - Display current policy configuration
```
| Command | Syntax and Usage |
|---|---|
| backend | Displays the SSL Policy Backend menu. To view this menu, see /cfg/slb/ssl/sslpol/backend SSL Policy Backend Menu. |
| name | An optional descriptive name for the policy, in addition to the policy ID. Values: 0 – 128 characters |
| passinfo | Displays the SSL Policy Passinfo menu. To view this menu, see /cfg/slb/ssl/sslpol/passinfo SSL Policy Passinfo Menu. |
| frver | Displays the SSL Policy front-end SSL protocol version menu. To view this menu, see /cfg/slb/ssl/sslpol/frver SSL Policy Front-end Version Menu. |
| bever | Displays the SSL Policy back-end SSL protocol version menu. To view this menu, see /cfg/slb/ssl/sslpol/bever SSL Policy Back-end Version Menu. |
| cipher | When establishing an SSL connection, the client and server negotiate a cipher suite, exchanging cipher suite codes in the client “Hello” and server “Hello” messages; the agreed suite specifies the combination of cryptographic algorithms used for the connection. The key exchange and authentication algorithms are typically public key algorithms. The message authentication codes are derived from cryptographic hash functions, using the HMAC construction for TLS and a non-standard pseudorandom function for SSL. This setting determines which cipher suites may be used during the SSL handshake. You can optionally restrict the allowed cipher suites. For example, if you select rsa, only traffic negotiated with the RSA cipher suite is allowed to reach the Alteon service that uses this SSL policy. When you enter this command, the currently set cipher suite and the allowed values are displayed. Values: (value list not reproduced in this copy) Notes on user-defined and user-defined-expert ciphers: • Radware recommends using user-defined-expert (rather than user-defined) when defining custom cipher suites or strings. • After you enter user-defined or user-defined-expert, you are prompted to enter the new user-defined cipher suite in OpenSSL format (for example, des-cbc-sha). • Only use user-defined or user-defined-expert if you are sure that you have the exact cipher string required for the cipher suite you want to define. • The maximum user-defined or user-defined-expert cipher string length is 900 characters. Default: main Notes: • OpenSSL cipher names and keywords are case-sensitive. • For more information, refer to the OpenSSL documentation. • Refer to Cipher Suites for a complete list of the content of all the supported cipher suites. |
| intermca | Use intermediate CA certificates when the CA that issued the virtual service’s server certificate is not directly trusted by the SSL client’s trusted certificate store. This is typical in an organization that runs its own CA server for generating server certificates. To construct the trust chain from the list of CAs trusted by the user’s browser to the organization’s CA server, an intermediate CA certificate or a chain of certificates can be provided. This optional configuration lets you bind an intermediate CA certificate to the SSL policy. You can also create a group of intermediate certificates (a complete CA chain) and bind it to the SSL policy. For more information on importing an intermediate CA certificate and/or creating a CA chain using a certificate group, see /cfg/slb/ssl/certs/cert Server Certificate Menu. Values: (value list not reproduced in this copy) |
| becipher | If you enable back-end encryption, you can set the cipher strength used during the back-end SSL handshake with the becipher option. Values: (value list not reproduced in this copy) Note: For back-end encryption, Alteon plays the client role and negotiates the session key. HIGH means the highest security is used for the session key, which allows the back-end encryption to be as secure as the front-end SSL, or even more secure than the front-end connection. For example, you can use LOW for the front-end and HIGH for the back-end connection. |
| authpol | Displays the Client Authentication Policy menu. To view this menu, see /cfg/slb/ssl/authpol Authentication Policy Menu. With this menu, you can optionally define a client authentication policy that authenticates the client’s identity as a further step of the SSL handshake. |
| convuri | When using HTTP redirection conversion, you can define a regex to extend redirection conversion to additional hosts. Note: This option is only available if HTTP redirection conversion is enabled (see the convert command in this table). Caution: Simple wildcards, such as question marks and asterisks, are not regex and will not produce the desired behavior. The regex equivalent of the simple wildcard asterisk (*) is dot-asterisk (.*). When this command is in use, Alteon compares the Host header in the request message with the host part of the Location header in the response. If they are equal, the protocol (https) and service port of the Location are modified. If the hosts are not equal, the host in the Location header is matched against the regex provided with the convuri command; if there is a regex match, the modification is done. Example: A user requests the www.ab.com/base_redirect.html page, and the server redirects the request to www.bb.com/Redirect/Path/redirect_page.html. Had the redirect been from ab.com to ab.com/some-other-path, no regular expression would be needed, because the host is the same. In this example, however, the redirect is from ab.com to bb.com, and conversion only takes place when the regular expression matches the new host. As a result, the regular expression should be set to include bb.com for the conversion to be performed. |
| secreng | Specifies the maximum number of allowed secure renegotiations. Values: (value list not reproduced in this copy) Default: 5 |
| dhkey | Specifies the Diffie-Hellman key size. Values: (value list not reproduced in this copy) Default: 2048 bits |
| hwoffld | Displays the SSL HW offload menu. To view this menu, see /cfg/slb/ssl/sslpol/hwoffld SSL Policy Hardware Offload Menu. |
| zerortt | Displays the Zero RTT Resumption menu. To view this menu, see /cfg/slb/ssl/sslpol/zerortt Zero RTT Resumption Menu. |
| fessl | Specifies whether to establish an SSL connection with the client and allow decryption/encryption of client traffic. Values: (value list not reproduced in this copy) Default: e (enable) |
| bessl | Specifies whether to perform SSL encryption towards the server. Note: Radware recommends enabling multiplexing when back-end encryption is enabled. Values: (value list not reproduced in this copy) Default: d (disable) |
| fereuse | Displays the Front-end SSL Sessions Cache menu. To view this menu, see /cfg/slb/ssl/sslpol/fereuse Front-end SSL Session Reuse Menu. |
| hstmout | Specifies the maximum time (in milliseconds) allowed for completing the TLS handshake with the client. If the handshake is not completed within the specified time, the session is closed, which protects against low and slow (Slowloris) attacks. Values: 0 (protection disabled), 100 - 60000 Default: 0 |
| convert | When Alteon performs SSL offload for the back-end servers, the servers receive the requests in HTTP format. When the servers redirect to another page or site (using the Location header in the response), they send the redirect to Alteon using HTTP. If this option is enabled, when the response is sent back to the client Alteon modifies the server’s redirection location URL in the HTTP header from HTTP:// to HTTPS://. Notes: • When enabled, conversion is always done when the hostname in the response matches the hostname in the request. To perform protocol conversion for additional hosts, configure the Host regex for redirection conversion (the convuri command in this table). The modification is performed automatically whenever the hostname in the client’s request matches the hostname in the server’s response, or when the matching criteria are met; the matching criteria consist of a regex that represents the hostname and is defined with the convuri parameter. • When SSL policy protocol redirection and HTTP header and body modifications are enabled on the same service, and the server sends a 302 Redirect response, the protocol of the new location is always set to HTTPS so that the redirect location works for the clients. This is enforced in addition to (and regardless of) the setting in the HTTP modification rule. For more information about HTTP modifications, see /cfg/slb/virt <server number>/service/http Virtual Server HTTP Service Configuration Menu. • Simple wildcards, such as question marks and asterisks, are not regex and will not produce the desired behavior. The regex equivalent of the simple wildcard asterisk (*) is dot-asterisk (.*). Values: d (disabled), e (enabled) Default: enabled |
| ena | When you configure the SSL policy, it is disabled by default. For SSL offloading to work, you must enable and apply the SSL policy. |
| dis | When you configure the SSL policy, it is disabled by default. Select disable to make it non-operational. |
| del | Deletes this SSL policy. |
| cur | Displays the current SSL policy settings. |