TLS client profile commands
TLS client profile mode provides the commands to create or modify a TLS client profile.
To enter the mode, use the crypto ssl-client command. To delete a TLS client profile, use the no ssl-client command.
While in this mode, use the commands in the following table to define the TLS client profile.
- To view the current configuration, use the show command.
- To restore default values, use the reset command.
- To exit this configuration mode without saving changes to the running configuration, use the cancel command.
- To exit this configuration mode and save changes to the running configuration, use the exit command.
| Command | Purpose |
|---|---|
| admin-state | This command sets the administrative state for the configuration. |
| cache-size | This command specifies the maximum number of client sessions to cache. |
| cache-timeout | This command sets the time that TLS sessions remain in the client session cache before they are removed. |
| caching | This command controls whether to cache TLS sessions when the DataPower Gateway is the TLS client. |
| ciphers | This command specifies the preference order of cipher suites that the TLS client profile uses to establish a secure connection. |
| curves | This command specifies the list of elliptic curves that the TLS client profile supports. |
| custom-sni-hostname | This command specifies a custom server name in the SNI extension in the TLS ClientHello message. |
| disable-renegotiation | This command indicates whether to disable TLS renegotiation completely for the TLS client profile. |
| enable-tls13-compat | This command controls whether to enable middlebox compatibility with TLS version 1.3. |
| hostname-validation-fail | This command controls whether to terminate the handshake when hostname validation fails. |
| hostname-validation-flags | This command sets the flags that fine-tune the hostname validation methods and settings during the handshake. |
| idcred | This command specifies the keystore that the DataPower Gateway uses to authenticate itself to a TLS server when the TLS server requests client authentication. |
| kem-alg | This command specifies the list of PQC KEM algorithms that the TLS client profile advertises and supports. |
| protocols | This command sets the supported protocol versions for the TLS client profile. |
| require-closure-notification | This command controls whether to log a TLS library error when TLS peers do not send the close_notify alert on shutdown. |
| sign-alg | This command specifies the list of signature algorithms that the TLS client profile advertises and supports. |
| ssl-client-features | This command specifies the TLS features to allow in the TLS client profile. |
| summary | This command specifies the brief, descriptive summary for the object instance. |
| use-custom-sni-hostname | This command controls whether to use a custom server name in the SNI extension in the ClientHello message. |
| valcred | This command specifies the name of the truststore to validate the server certificate during the handshake. |
| validate-hostname | This command controls whether to validate the hostname in the server certificate during the handshake. |
| validate-server-cert | This command controls whether to validate the server certificate during the handshake. |
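The following is an added worked example, not from the original page or from IBM's documentation, that builds a hardened TLS client profile from the commands in the table. The object names (`backend-client`, `backend-ca-truststore`, `gateway-client-idcred`, `api.backend.example`), the protocol and cipher suite tokens, and the `on`/`off` and `+`-joined value syntax are assumed from general DataPower CLI conventions rather than taken from this page; confirm each with `help <command>` inside the mode and review the object with `show` before `exit` commits it.

```text
# Added example: hardened TLS client profile for a backend the gateway calls as a TLS client.
# Object names, protocol/cipher tokens and value syntax are assumptions; check with "help <command>".
top; configure terminal
crypto
 ssl-client "backend-client"
  admin-state enabled
  summary "Client profile for outbound calls to the backend service"

  # Protocol floor: TLS 1.2 and 1.3 only (bitmap values joined with "+" is assumed syntax).
  protocols TLSv1d2+TLSv1d3

  # Preference-ordered suites: forward secrecy and AEAD only, one "ciphers" line per suite.
  ciphers TLS_AES_256_GCM_SHA384
  ciphers TLS_AES_128_GCM_SHA256
  ciphers ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  ciphers ECDHE_RSA_WITH_AES_256_GCM_SHA384
  ciphers ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  ciphers ECDHE_RSA_WITH_AES_128_GCM_SHA256
  curves secp384r1
  curves secp256r1

  # Server authentication. With validate-server-cert off the gateway would accept any
  # certificate from any issuer, so the truststore must be pinned to the backend's CA.
  validate-server-cert on
  valcred "backend-ca-truststore"
  # validate-hostname checks the certificate against the name being dialled;
  # hostname-validation-fail makes a mismatch terminate the handshake rather than merely
  # being reported, which is the setting that actually stops a mis-issued certificate.
  validate-hostname on
  hostname-validation-fail on

  # Send the backend's public name in SNI even when dialling an IP or internal alias.
  use-custom-sni-hostname on
  custom-sni-hostname "api.backend.example"

  # Mutual TLS: the keystore presented when the server requests client authentication.
  idcred "gateway-client-idcred"

  # Renegotiation has a history of protocol-confusion issues; turn it off entirely.
  disable-renegotiation on

  # Session resumption: keep the cache small and short-lived.
  caching on
  cache-size 100
  cache-timeout 300

  # Log when a peer closes without close_notify (a truncation attack looks exactly like this).
  require-closure-notification on

  # Review the object, then exit to save it to the running configuration.
  show
  exit
 exit
write memory
```

The three server-authentication settings (validate-server-cert, validate-hostname, hostname-validation-fail) are the ones to audit first: any one of them off leaves the gateway accepting a certificate it should reject, and the weaker state is the easiest to miss because the connection still succeeds.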