/cfg/slb/ssl/sslpol
SSL Policy Menu
Use this menu to configure an SSL policy. The SSL policy defines the SSL offloading behavior required for the virtual service to which it is associated. A single SSL policy can be associated to multiple virtual services if they share the same SSL configuration. The maximum number of policies is 1024.
An SSL policy should be associated to an SSL or HTTPS service. For more information on associating SSL policies to virtual services, see the section on SSL policies in the Alteon Command Line Interface Application Guide.
 
[SSL Policy Policy_1 Menu]
backend - Backend SSL Configuration Menu
name - Set descriptive policy name
passinfo - Pass SSL Information to Backend Servers Menu
frver - Allowed Frontend SSL Protocol Version Menu
bever - Allowed Backend SSL Protocol Version Menu
cipher - Set allowed cipher-suites in frontend SSL
sslgrps - Set allowed groups in frontend SSL
sslsigs - Set allowed signature algorithms in frontend SSL
intermca - Set Intermediate CA certificate chain
becipher - Set allowed cipher-suites in backend SSL
authpol - Set client authentication policy
convuri - Set Host regex for HTTP redirection conversion
secreng - Set Max allowed Frontend and Backend SSL Secure Renegotiation
dhkey - Set Diffie-Hellman key size
hwoffld - SSL HW offload Menu
zerortt - Zero RTT Resumption Menu
fessl - Set frontend SSL mode
bessl - Enable/Disable backend SSL encryption
fereuse - Frontend SSL sessions cache menu
hstmout - Frontend SSL handshake timeout in msec
convert - Enable/Disable HTTP redirection conversion
ena - Enable policy
dis - Disable policy
del - Delete Policy
cur - Display current policy configuration
 
SSL Policy Menu (/cfg/slb/ssl/sslpol)  
Command Syntax and Usage
backend
 
Displays the SSL Policy Backend menu. To view this menu, see /cfg/slb/ssl/sslpol/backend SSL Policy Backend Menu.
name
 
An optional descriptive name of the policy in addition to the policy ID.
Values: 0 – 128 characters
passinfo
 
Displays the SSL Policy Passinfo menu. To view this menu, see /cfg/slb/ssl/sslpol/passinfo SSL Policy Passinfo Menu.
frver
 
Displays the SSL Policy front-end SSL protocol version menu. To view this menu, see /cfg/slb/ssl/sslpol/frver SSL Policy Front-end Version Menu.
bever
 
Displays the SSL Policy back-end SSL protocol version menu. To view this menu, see /cfg/slb/ssl/sslpol/bever SSL Policy Back-end Version Menu.
cipher
 
When establishing an SSL connection, the client and server negotiate a cipher suite by exchanging cipher suite codes in the client “Hello” and server “Hello” messages. The cipher suite specifies the combination of cryptographic algorithms used for the connection.
The key exchange and authentication algorithms are typically public key algorithms. The message authentication codes are derived from cryptographic hash functions, using the HMAC construction for TLS and a non-standard pseudorandom function for SSL. This setting controls the cipher suites that the client may use during the SSL handshake.
You can optionally set which cipher suite is allowed during the SSL handshake. For example, if you select rsa, only traffic with the RSA cipher suite is allowed to reach the Alteon service that is using this SSL policy.
When you enter this command, the currently set cipher suite and allowed values display:
*all — All cipher suites.
*main — The main (default) cipher suites.
*rsa — Cipher suite using RSA key exchange.
*http2 — The HTTP2 cipher suites.
*pci-dss-compliance — Payment Card Industry Data Security Standard ALL:!eNULL:!aNULL:!SSLv2:!ADH:!LOW:!EXP:-DHE-RSA-AES256-SHA:-DHE-RSA-AES128-SHA:@STRENGTH:!DSS:!SRP:!PSK (! means NOT).
*all-non-null-ciphers — All cipher suites except the NULL ciphers and ciphers offering no authentication, which must be explicitly enabled.
*sslv3 — SSL v3.0 cipher suites.
*tlsv1 — TLS v1.0 cipher suites.
*tlsv1.2 — TLS v1.2 cipher suites.
*export — Export encryption algorithms including 40- and 56-bit.
*low — “Low” exception cipher suites, currently using 64- or 56-bit encryption algorithms but excluding export cipher suites.
*medium — “Medium” encryption cipher suites, currently using 128-bit encryption.
*high — “High” encryption cipher suites. Currently key lengths are larger than 128 bits.
*rsa-rc4-128-md5 — Cipher suites using RSA key exchange, 128-bit RC4 for encryption and MD5 for MAC.
*rsa-rc4-128-sha1 — Cipher suite using RSA key exchange, 128-bit RC4 for encryption and SHA1 hash for MAC.
*rsa-des-sha1 — Cipher suite using RSA key exchange, 3DES for encryption and SHA1 hash for MAC.
*rsa-3des-sha1 — Cipher suite using RSA key exchange, 3DES for encryption and SHA1 hash for MAC.
*rsa-aes-128-sha1 — Cipher suite using RSA key exchange, 128-bit AES for encryption and SHA1 hash for MAC.
*rsa-aes-256-sha1 — Cipher suite using RSA key exchange, 256-bit AES for encryption and SHA1 hash for MAC.
*user-defined — Alteon supports all ciphers and keywords supported by the OpenSSL format version that your Alteon platform supports.
*user-defined-expert — The expert user-defined cipher-suite allowed for SSL.
Notes: Regarding user-defined and user-defined-expert ciphers:
Radware recommends using user-defined-expert (rather than user-defined) when defining custom cipher suites or cipher strings.
After you enter user-defined or user-defined-expert, you are prompted to enter a new user-defined cipher suite in OpenSSL format (for example, des-cbc-sha).
Only use user-defined or user-defined-expert parameters if you are sure that you have the exact cipher string that is required for the cipher-suite you want to define.
The maximum user-defined or user-defined-expert cipher length is 900 characters.
Default: main
Notes:
OpenSSL cipher names and keywords are case-sensitive.
For more information, refer to the OpenSSL documentation.
Refer to Cipher Suites, for a complete list of the content of all the supported cipher suites.
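Because a user-defined string is accepted as typed and only the exact OpenSSL cipher string produces the intended suite list, it pays to expand the string with OpenSSL before entering it in the CLI. The following Python script is an added example, not part of this reference or of Radware's software: it uses the standard ssl module to expand a cipher string with the local OpenSSL build, strips the TLS 1.3 suites that OpenSSL always appends, checks the 900-character limit from the notes above, and flags suite names a reviewer would not want on a front-end policy (NULL encryption, anonymous key exchange, export grade, RC4, single DES, MD5 MAC). The weak-name patterns are this example's own assumption, not an Alteon rule, and the pci-dss-compliance string from the list above is used as a constructed input.

```python
import re
import ssl

# Constructed sample input for this example: the pci-dss-compliance string
# shown in the cipher value list (not read from any Alteon device).
PCI_DSS_STRING = ("ALL:!eNULL:!aNULL:!SSLv2:!ADH:!LOW:!EXP:"
                  "-DHE-RSA-AES256-SHA:-DHE-RSA-AES128-SHA:@STRENGTH:!DSS:!SRP:!PSK")

# Assumed reviewer hygiene patterns (this example's choice, not an Alteon rule):
# NULL encryption, anonymous key exchange, export grade, RC4, single DES, MD5 MAC.
WEAK_PATTERNS = (
    r"^NULL-", r"-NULL-", r"^ADH-", r"^AECDH-", r"^EXP-",
    r"RC4", r"(^|-)DES-CBC-", r"-MD5$",
)


def weak_suites(names):
    """Return the cipher suite names from `names` that match a weak pattern."""
    return [n for n in names if any(re.search(p, n) for p in WEAK_PATTERNS)]


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL build.

    Returns the TLS 1.2-and-earlier suite names it selects, in preference
    order. OpenSSL lists its TLS 1.3 suites regardless of the string, so those
    are removed. Raises ssl.SSLError for a string OpenSSL cannot parse.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def check_cipher_string(cipher_string, max_len=900):
    """Pre-flight a user-defined cipher string before pasting it into the CLI.

    Returns a dict: ok (no problems found), suites (expanded list),
    weak (flagged names) and problems (human-readable findings).
    """
    problems = []
    if len(cipher_string) > max_len:
        problems.append(f"string is {len(cipher_string)} characters, limit is {max_len}")
    if cipher_string != cipher_string.strip():
        problems.append("leading or trailing whitespace in string")
    try:
        suites = expand_cipher_string(cipher_string)
    except ssl.SSLError as exc:
        return {"ok": False, "suites": [], "weak": [], "problems": problems + [str(exc)]}
    if not suites:
        problems.append("string selects no TLS 1.2-or-earlier cipher suites")
    weak = weak_suites(suites)
    if weak:
        problems.append("weak suites selected: " + ", ".join(weak))
    return {"ok": not problems, "suites": suites, "weak": weak, "problems": problems}


if __name__ == "__main__":
    for candidate in (PCI_DSS_STRING, "ECDHE-RSA-AES128-GCM-SHA256:NULL-SHA"):
        result = check_cipher_string(candidate)
        print(f"{candidate}\n  ok={result['ok']} suites={len(result['suites'])}")
        for problem in result["problems"]:
            print("  -", problem)
```

Run it on the workstation before configuring the policy; the expansion reflects the OpenSSL version installed there, so compare it against the OpenSSL version your Alteon platform supports when the two differ.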
intermca
 
Use intermediate CA certificates when the CA providing the virtual service’s server certificate is not directly trusted by the SSL client’s trusted certificate store. This is typical in an organization that has its own CA server for generating server certificates. To construct the trust chain from the list of trusted CAs in the user’s browser to the organization’s CA server, an intermediate CA certificate or a chain of certificates can be provided.
This is an optional configuration that lets you bind an intermediate CA certificate to the SSL policy. You can also create a group of intermediate certificates (a complete CA chain) and bind it to the SSL policy.
For more information on importing an intermediate CA certificate and/or creating a CA chain using a certificate group, see /cfg/slb/ssl/certs/cert Server Certificate Menu.
Values:
*cert — Associate the intermediate CA certificate ID. When an intermediate CA certificate is associated to the SSL policy, the intermediate CA certificate is presented to the client with the server SSL certificate. If the SSL client trusts this intermediate CA, the SSL client implicitly trusts the SSL server certificate as well.
*group — Associate a new CA group ID. Associate an intermediate CA certificate group if you need to form the chain of trust between the Certificate Authority (CA) that signed the certificate and the CA that is already trusted by the end user, so that the end user can verify the validity of the certificates presented even when the signing CA of that certificate is unknown. The chain validity is verified during Apply. Once the intermediate CA group is defined in the SSL policy, the intermediate CA chain is presented to the client with the server SSL certificate. If the SSL client trusts any of the intermediate CAs in the chain, the SSL client implicitly trusts the SSL server certificate as well.
*none — Do not use an intermediate CA.
becipher
 
If you enable back-end encryption, you can set the cipher strength to use during the back-end SSL handshake using the becipher option.
Values:
*low — “Low” exception cipher suites, currently using 64- or 56-bit encryption algorithms but excluding export cipher suites.
*medium — “Medium” encryption cipher suites, currently using 128-bit encryption.
*high — “High” encryption cipher suites. Currently key lengths are larger than 128 bits.
Note: For back-end encryption, Alteon plays the client role and negotiates the session key. HIGH means that the highest security is used for the session key, which allows back-end encryption to be as secure as the front-end SSL connection, or even more secure than the front-end connection. You can, for example, use LOW for the front-end and HIGH for the back-end connection.
authpol
 
Displays the Client Authentication Policy menu. To view this menu, see /cfg/slb/ssl/authpol Authentication Policy Menu.
With this menu, you can optionally define a client authentication policy that authenticates the client’s identity as a further operation of the SSL handshake.
convuri
 
When using HTTP redirection conversion, you can define a regex to further expand the URIs included in redirection conversion.
Note: This option is only available if HTTP redirection conversion is enabled (see the convert command in this table).
Caution: Simple wildcards, such as question marks and asterisks, are not regular expressions and will not produce the desired behavior. The regex equivalent of the simple wildcard asterisk (*) is dot-asterisk (.*).
When this command is in use, Alteon compares the Host header of the request with the host part of the Location header in the response. If they are equal, the protocol (https) and service port in the Location header are modified. If the hosts are not equal, the host in the Location header is matched against the regex provided with the convuri command, and the modification is performed only if the regex matches.
Example: A user requests the www.ab.com/base_redirect.html page, and the server redirects the request to www.bb.com/Redirect/Path/redirect_page.html. Had the redirect been from ab.com to ab.com/some-other-path, no regular expression would be needed, because the host is the same.
In this example, however, the redirect is from ab.com to bb.com, and the conversion is performed only if the regular expression matches the new host. The regular expression should therefore be set to include bb.com for the conversion to be performed.
secreng
 
Specifies the maximum number of allowed secure renegotiations.
Values:
*0 (secure renegotiation is disabled on both front-end and back-end servers)
*1 – 1024
*unlimit (unlimited secure renegotiation is enabled)
Default: 5
dhkey
Specifies the Diffie-Hellman key size.
Values:
*1024 bits
*2048 bits
Default: 2048 bits
hwoffld
 
Displays the SSL HW offload menu. To view this menu, see /cfg/slb/ssl/sslpol/hwoffld SSL Policy Hardware Offload Menu.
zerortt
 
Displays the Zero RTT Resumption menu. To view this menu, see /cfg/slb/ssl/sslpol/zerortt Zero RTT Resumption Menu.
fessl
 
Specifies whether to establish an SSL connection with the client and allow decryption/encryption of client traffic.
Values:
*d (Disable): No decryption/encryption on the client-side connection
*e (Enable): SSL connection is established and traffic is decrypted/encrypted on the client-side connection
*r (enabled on request): SSL connection is established only upon explicit SSL connection initiation (HTTP Connect, STARTTLS or AUTHTLS). This option is relevant only for outbound SSL Inspection scenarios.
*h (handshake only): SSL connection is established only for the purpose of retrieving server certificate during outbound SSL inspection of non-HTTPS protocols.
Default: e (enable)
bessl
 
Specifies whether to perform SSL encryption towards the server.
Note: Radware recommends multiplexing when back-end encryption is enabled.
Values:
*d (disabled): No decryption/encryption on the client-side connection
*e (enabled, default): SSL connection is established and traffic is decrypted/encrypted on the client-side connection
*r (enabled on request): SSL connection to the server is established using explicit SSL connection initiation (STARTTLS or AUTHTLS). This option is relevant only for outbound SSL Inspection for non-HTTPS protocols.
*h (handshake only): SSL connection is established only for the purpose of retrieving server certificate during outbound SSL inspection of non-HTTPS protocols.
Default: d (Disable)
fereuse
 
Displays the Front-end SSL Sessions Cache menu. To view this menu, see /cfg/slb/ssl/sslpol/fereuse Front-end SSL Session Reuse Menu.
hstmout
 
Specifies the maximum time (milliseconds) it should take to complete the TLS handshake with the client. If the handshake is not completed within the specified time, the session is closed to protect against low and slow (Slowloris) attacks.
Values: 0 (protection disabled), 100 - 60000
Default: 0
convert
 
When Alteon performs SSL offload for the back-end servers, the servers receive the requests in plain HTTP. When a server redirects to another page or site (using the Location header in its HTTP response), it sends the redirect to Alteon with an HTTP URL. If this option is enabled, Alteon modifies the redirection URL in the server’s Location header from HTTP:// to HTTPS:// when sending the response back to the client.
Notes:
*When back-end SSL encryption is enabled, this option is not relevant.
*This option must be disabled for SSL Policy that is part of SSL Inspection configuration.
When enabled, the conversion is always performed when the hostname in the server’s response matches the hostname in the client’s request. To perform protocol conversion for additional hosts, configure the Host Regex for Redirection: a regex that represents the hostname, defined with the convuri parameter.
Notes:
When SSL policy protocol redirection and HTTP header and body modifications are enabled on the same service, and the server sends a 302 Redirect response, the protocol of the new location is always set to HTTPS to enable the redirect location to work for the clients. This is enforced in addition to (and regardless of) the setting in the HTTP modification rule. For more information about HTTP modifications, see /cfg/slb/virt <server number>/service/http Virtual Server HTTP Service Configuration Menu.
Simple wildcards, such as question marks and asterisks, are not regular expressions and will not produce the desired behavior. The regex equivalent of the simple wildcard asterisk (*) is dot-asterisk (.*).
Values: d (disabled), e (enabled)
Default: enabled
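The decision rule spread across the convert and convuri entries (same host: convert; different host: convert only on a regex match; back-end SSL enabled: not relevant) is small enough to model and test before a change goes live. The following Python code is an added example, not part of this reference or of Radware's software. It reproduces that rule over a constructed 302 response; the exact Alteon matching semantics are assumptions here: the regex is applied with re.search against the host of the Location URL (so a regex of bb.com also matches www.bb.com, as in the example above), and the rewritten URL is given the HTTPS virtual service port, omitted when it is 443.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def compile_host_regex(pattern):
    """Compile a convuri-style host regex.

    A simple wildcard such as '*.bb.com' is not a regular expression: it either
    fails to compile (as here) or matches something else, so the error is
    surfaced instead of silently producing no matches.
    """
    return re.compile(pattern)


def convert_location(request_host, location, convert_enabled=True,
                     host_regex=None, bessl_enabled=False, https_port=443):
    """Decide whether an http:// Location header value should become https://.

    Returns (new_location, reason). Search-style regex matching and the port
    handling are this example's assumptions about the behaviour described in
    the convert and convuri entries.
    """
    if not convert_enabled:
        return location, "convert disabled"
    if bessl_enabled:
        # Per the note above: with back-end SSL enabled the option is not relevant.
        return location, "back-end SSL enabled: conversion not relevant"
    parts = urlsplit(location)
    if parts.scheme.lower() != "http" or not parts.hostname:
        return location, "not an absolute http:// URL"
    loc_host = parts.hostname                      # urlsplit lowercases the host
    req_host = request_host.split(":")[0].lower()  # drop any port from the Host header
    if loc_host == req_host:
        reason = "host matches request Host header"
    elif host_regex is not None and host_regex.search(loc_host):
        reason = f"host matches convuri regex {host_regex.pattern!r}"
    else:
        return location, "host differs from request and no convuri match"
    netloc = loc_host if https_port == 443 else f"{loc_host}:{https_port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment)), reason


def rewrite_redirect(request_host, status_line, headers, **policy):
    """Apply convert_location to the Location header of a 3xx response.

    `headers` is a list of (name, value) tuples as parsed from the response;
    the returned list has the same order with Location rewritten when due.
    """
    if not status_line.split()[1].startswith("3"):
        return headers, "not a redirect"
    out, reason = [], "no Location header"
    for name, value in headers:
        if name.lower() == "location":
            value, reason = convert_location(request_host, value, **policy)
        out.append((name, value))
    return out, reason


if __name__ == "__main__":
    # Constructed server response, as Alteon would receive it over plain HTTP.
    status = "HTTP/1.1 302 Found"
    hdrs = [("Location", "http://www.bb.com/Redirect/Path/redirect_page.html"),
            ("Content-Length", "0")]
    for rx in (None, compile_host_regex(r"bb\.com")):
        new_hdrs, why = rewrite_redirect("www.ab.com", status, hdrs, host_regex=rx)
        print(f"regex={rx.pattern if rx else None!r}: {new_hdrs[0][1]}  ({why})")
```

Keep the regex anchored and escaped (bb\.com rather than bb.com) in production; an unanchored host regex converts redirects to every host it happens to match, which is exactly the over-broad behaviour the caution about wildcards warns against.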
ena
 
When you configure the SSL policy, it is disabled by default. In order for SSL offloading to work, you must enable and apply the SSL policy.
dis
 
When you configure the SSL policy, it is disabled by default. Select disable to make it non-operational.
del
 
Deletes this SSL policy.
cur
 
Displays the current SSL policy settings.