profile (SSL Initiation)
Syntax
profile profile-name {
    actions {
        crl {
            disable;
            if-not-present (allow | drop);
            ignore-hold-instruction-code;
        }
        ignore-server-auth-failure;
    }
    client-certificate client-certificate;
    crypto-hardware-offload {
        tpm;
    }
    custom-ciphers ;
    enable-flow-tracing;
    enable-session-cache;
    preferred-ciphers (custom | medium | strong | weak);
    protocol-version (all | ssl3 | tls1 | tls11 | tls12);
    trusted-ca ;
}
Hierarchy Level
[edit services ssl initiation]
Description
Specify the name of the profile for the SSL initiation support service.
SSL initiation is a process in which the SRX Series Firewall acts as an SSL proxy client and initiates SSL sessions with an SSL server. The SRX Series Firewall receives clear text from an HTTP client, encrypts it, and transmits the data as ciphertext to the SSL server. On the reverse path, the SRX Series Firewall decrypts the ciphertext that it receives from the SSL server and sends the data to the client as clear text.
The profile contains the settings for the SSL-initiated connections. This includes the list of supported ciphers and their priority, the supported versions of SSL/TLS, and a few other options.
Options
| Option | Description |
| --- | --- |
| actions | Specify the certificate revocation checks and traffic-related actions for the SSL initiation support service. |
| client-certificate | Local certificate. It is the certificate that the client presents when connecting to the server. It is usually signed by a CA that the SRX Series Firewall trusts. |
| crypto-hardware-offload | Trusted Platform Module (TPM) mode. Configure TPM-based SSL initiation sessions. |
| custom-ciphers | Configure custom ciphers for an SSL profile. Custom ciphers allow you to define your own cipher list. If you do not want to use one of the three categories (strong, medium, or weak) of preferred ciphers, you can select ciphers from each of the categories to form a custom cipher set. To configure custom ciphers, you must set preferred-ciphers to custom. See preferred-ciphers for more details. |
| enable-flow-tracing | Enable flow tracing to enable debug tracing. |
| enable-session-cache | Enable the SSL session cache. You can enable session caching to cache session information, such as the pre-master secret key and agreed-upon ciphers, for both the client and server. |
| ignore-server-auth-failure | Ignore server authentication completely. In this case, SSL forward proxy ignores errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry). |
| preferred-ciphers | Select preferred ciphers. Preferred ciphers allow you to define an SSL cipher that can be used with acceptable key strength. Ciphers are divided into three categories depending on their key strength: strong, medium, or weak. |
| protocol-version | Specify the accepted SSL protocol version. You can specify the SSL/TLS protocol version the security device uses to negotiate in SSL connections. |
| trusted-ca | List of trusted certificate authority profiles. SSL forward proxy uses trusted CA certificates for server authentication. Junos OS provides a default list of trusted CA certificates that you can easily load onto your system using a default command option. |
The remaining statements are explained separately. See CLI Explorer.
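As an added example (not part of this reference page or of Junos OS), the following script audits SSL initiation profiles written in Junos "set" syntax and flags the options from this page that weaken server authentication or the TLS channel: ignore-server-auth-failure, crl disable, a protocol-version that still permits SSL 3.0 or TLS 1.0/1.1, preferred-ciphers weak, and a missing trusted-ca. The profile names, the CA profile name and the configuration lines are constructed sample input.

```python
import re

# Constructed sample: two SSL initiation profiles in Junos "set" syntax.
# Only statements documented on this reference page are used.
SAMPLE_CONFIG = """
set services ssl initiation profile weak-init protocol-version all
set services ssl initiation profile weak-init preferred-ciphers weak
set services ssl initiation profile weak-init actions ignore-server-auth-failure
set services ssl initiation profile weak-init actions crl disable
set services ssl initiation profile hardened-init protocol-version tls12
set services ssl initiation profile hardened-init preferred-ciphers strong
set services ssl initiation profile hardened-init trusted-ca corp-root-ca
set services ssl initiation profile hardened-init actions crl if-not-present drop
"""

PREFIX = "set services ssl initiation profile "
# protocol-version values that still allow SSL 3.0 / TLS 1.0 / TLS 1.1 to be negotiated.
LEGACY_VERSIONS = {"all", "ssl3", "tls1", "tls11"}


def parse_profiles(config: str) -> dict:
    """Group the statements of each SSL initiation profile under its profile name."""
    profiles = {}
    for line in config.splitlines():
        line = re.sub(r"\s+", " ", line.strip())
        if not line.startswith(PREFIX):
            continue
        name, _, stmt = line[len(PREFIX):].partition(" ")
        profiles.setdefault(name, []).append(stmt)
    return profiles


def audit_profile(statements: list) -> list:
    """Return a finding for each setting that weakens server authentication or the channel."""
    findings = []
    if "actions ignore-server-auth-failure" in statements:
        findings.append("server certificate verification errors are ignored")
    if "actions crl disable" in statements:
        findings.append("CRL revocation checking is disabled")
    for stmt in statements:
        if stmt.startswith("protocol-version ") and stmt.split()[1] in LEGACY_VERSIONS:
            findings.append(f"{stmt} permits legacy SSL/TLS versions")
        if stmt == "preferred-ciphers weak":
            findings.append("weak cipher category selected")
    if not any(stmt.startswith("trusted-ca ") for stmt in statements):
        findings.append("no trusted-ca configured for server authentication")
    return findings


def audit_config(config: str) -> dict:
    """Map each profile name to its list of findings (empty list means no issues found)."""
    return {name: audit_profile(stmts) for name, stmts in parse_profiles(config).items()}
```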
Required Privilege Level
services—To view this statement in the configuration.
services-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 12.1X44-D10. The protocol-version statement is updated to include tls11 and tls12 from Junos OS Release 15.1X49-D30.