TLS server profile commands
TLS server profile mode provides the commands to create or modify a TLS server profile.
To enter the mode, use the crypto ssl-server command. To delete a TLS server profile, use the no ssl-server command.
While in this mode, use the commands in the following table to define the TLS server profile.
- To view the current configuration, use the show command.
- To restore default values, use the reset command.
- To exit this configuration mode without saving changes to the running configuration, use the cancel command.
- To exit this configuration mode and save changes to the running configuration, use the exit command.
| Command | Purpose |
|---|---|
| admin-state | This command sets the administrative state for the configuration. |
| allow-legacy-renegotiation | This command controls whether to allow or prevent TLS renegotiation with TLS clients that do not support RFC 5746. |
| cache-size | This command specifies the maximum number of server sessions to cache. |
| cache-timeout | This command sets the time that TLS sessions remain in the server session cache before they are removed. |
| caching | This command controls whether to cache the TLS sessions when the DataPower Gateway is the TLS server. |
| ciphers | This command specifies the preference order of cipher suites that the TLS server profile uses to establish a secure connection. |
| compression | This command controls whether to enable TLS compression when the DataPower Gateway is the TLS server. |
| curves | This command specifies the list of elliptic curves that the TLS server profile supports. |
| disable-renegotiation | This command indicates whether to disable TLS renegotiation completely for the TLS server profile. |
| idcred | This command specifies the keystore that authenticates the DataPower Gateway during the handshake. |
| hostname-validation-fail | This command controls whether to terminate the handshake when hostname validation fails. |
| hostname-validation-flags | This command sets the flags that fine-tune the client validation methods and settings during the handshake. |
| kem-alg | This command specifies the list of PQC KEM algorithms that the TLS server profile advertises and supports. |
| max-duration | This command specifies the maximum time to maintain a TLS session after the initial negotiated handshake when the DataPower Gateway is a TLS server. |
| max-renegotiation-allowed | This command specifies the maximum number of renegotiation attempts that a client can initiate per session. |
| prefer-server-ciphers | This command controls whether to use the order of the server cipher suites instead of the order of the client cipher suites during negotiation. |
| prioritize-chacha | This command controls whether the server prioritizes the ChaCha20-Poly1305 cipher suite when this cipher suite is at the beginning of the client list. |
| prohibit-resume-on-reneg | This command controls whether to resume a previous TLS session during a renegotiation handshake. |
| protocols | This command sets the supported protocol versions for the TLS server profile. |
| request-client-auth | This command controls whether to request client authentication during the handshake. |
| require-client-auth | This command controls whether to require client authentication during the handshake. |
| require-closure-notification | This command controls whether to log a TLS library error when TLS peers do not send the close_notify alert on shutdown. |
| send-client-auth-ca-list | This command controls whether to transmit the client CA list during the handshake. |
| sign-alg | This command specifies the list of signature algorithms that the TLS server profile advertises and supports. |
| ssl-options | This command specifies the options to apply to the connection when the DataPower Gateway is a TLS server. |
| summary | This command specifies the brief, descriptive summary for the object instance. |
| valcred | This command specifies the name of the truststore to validate the TLS client certificate during the handshake. |
| validate-client-cert | This command controls whether to validate the client certificate during the handshake when the client certificate is provided. |
| validate-client-name | This command specifies which values in the client certificate to use for client hostname validation during the handshake. |
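As an added illustration, and not a session from the IBM documentation, the following CLI sequence walks through the procedure above: enter the mode with crypto, create a profile with ssl-server, set a conservative baseline with commands from the table, review it with show, and save it with exit. Everything other than the command names listed on this page is an assumption: the profile name (hardened-server), the keystore and truststore object names (server-idcred, client-valcred), the protocol tokens (TLSv1d2, TLSv1d3), the cipher suite spelling, the on/off and enabled/disabled argument forms, and the one-cipher-per-line usage. Lines beginning with # are annotations for the reader, not CLI input. Check each command's own reference page for its exact argument syntax before using it.

```text
# Added example, not from the IBM documentation; all argument values are assumed.
crypto
ssl-server hardened-server
  admin-state enabled
  summary "TLS 1.2 and 1.3 only, server-preferred cipher order, mutual TLS"
  # Restrict negotiable versions to TLS 1.2 and 1.3 (assumed token spelling).
  protocols TLSv1d2 TLSv1d3
  # AEAD suites with forward secrecy, most preferred first (assumed names).
  ciphers ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  ciphers ECDHE_RSA_WITH_AES_256_GCM_SHA384
  prefer-server-ciphers on
  # TLS compression leaks plaintext length; keep it off.
  compression off
  # Refuse renegotiation with clients that lack RFC 5746 support.
  allow-legacy-renegotiation off
  # Server identity and the truststore used to validate client certificates.
  idcred server-idcred
  valcred client-valcred
  request-client-auth on
  require-client-auth on
  validate-client-cert on
  show
  exit
```

The choices follow directly from the table: protocols and ciphers bound what a client can negotiate, prefer-server-ciphers makes that preference order authoritative, compression and allow-legacy-renegotiation remove two well-known weaknesses, and the idcred, valcred and client-auth commands together make the profile a mutual-TLS endpoint. Use cancel instead of exit to leave the mode without committing these changes to the running configuration.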