profile (SSL Termination)
Syntax
profile name {
    custom-ciphers;
    enable-flow-tracing;
    enable-session-cache;
    preferred-ciphers (custom | medium | strong | weak);
    protocol-version (all | ssl3 | tls1 | tls11 | tls12);
    server-certificate server-certificate;
    trusted-ca ;
}
Hierarchy Level
[edit services ssl termination]
Description
Specify the name of the profile for SSL termination support service.
Traffic from the client to the SRX Series Firewall is encrypted and terminated at the SRX Series Firewall, which then re-encrypts traffic to the back-end server.
SSL termination is a process in which the SRX Series Firewall acts as an SSL proxy server and terminates the SSL session from the client. The SRX Series Firewall receives encrypted data from the HTTP client, decrypts it, and transmits the data as an unencrypted request to the other servers (the HTTP server).
The profile contains the settings for the SSL-terminated connections. This includes the list of supported ciphers and their priority, the supported versions of SSL/TLS, and a few other options.
Options
custom-ciphers | Configure custom ciphers for an SSL profile. Custom ciphers allow you to define your own cipher list. If you do not want to use one of the three categories (strong, medium, or weak) of preferred ciphers, you can select ciphers from each of the categories to form a custom cipher set. To configure custom ciphers, you must set preferred-ciphers to custom. See preferred-ciphers for more details. |
enable-flow-tracing | Enable flow tracing to enable debug tracing. |
enable-session-cache | Enable SSL session cache. You can enable session caching to cache session information, such as the pre-master secret key and agreed-upon ciphers, for both the client and server. |
preferred-ciphers | Select preferred ciphers. Preferred ciphers allow you to define an SSL cipher that can be used with acceptable key strength. Ciphers are divided into three categories depending on their key strength: strong, medium, or weak. |
protocol-version | Specify the accepted SSL protocol version. You can specify the SSL/TLS protocol version the security device uses to negotiate in SSL connections. |
server-certificate | Local certificate identifier. Server certificates are used to authenticate the identity of a server. A server is required to present a certificate as part of the initial connection setup. SSL proxy generates a new certificate by replacing the original issuer of the certificate with its own identity and signs this new certificate with its own public key (provided as a part of the proxy profile configuration). |
trusted-ca | List of trusted certificate authority profiles. SSL forward proxy uses trusted CA certificates for server authentication. Junos OS provides a default list of trusted CA certificates that you can easily load onto your system using a default command option. |
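An added audit example (not Juniper code) that reads the profile statements above in the form produced by "show configuration | display set", and flags the values a reviewer would question: a protocol-version other than tls12, weak or medium preferred-ciphers, a missing server-certificate, and flow tracing left enabled. The two profiles, and the identifiers web-cert and corp-ca, are constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample: one weak and one hardened profile, as "display set"
# lines under [edit services ssl termination]. Identifiers are assumed.
SAMPLE_CONFIG = """\
set services ssl termination profile legacy-web protocol-version all
set services ssl termination profile legacy-web preferred-ciphers weak
set services ssl termination profile legacy-web enable-flow-tracing
set services ssl termination profile hardened-web protocol-version tls12
set services ssl termination profile hardened-web preferred-ciphers strong
set services ssl termination profile hardened-web server-certificate web-cert
set services ssl termination profile hardened-web trusted-ca corp-ca
set services ssl termination profile hardened-web enable-session-cache
"""

# profile name, statement keyword, optional argument
STMT = re.compile(r"^set services ssl termination profile (\S+) (\S+)(?: (.+))?$")


def parse_profiles(config_text):
    """Return {profile_name: {statement: argument_or_None}}."""
    profiles = defaultdict(dict)
    for line in config_text.splitlines():
        m = STMT.match(line.strip())
        if m:
            name, stmt, arg = m.groups()
            profiles[name][stmt] = arg
    return dict(profiles)


def audit_profile(settings):
    """Return a list of findings for one profile's statements."""
    findings = []
    proto = settings.get("protocol-version")
    if proto != "tls12":  # all, ssl3, tls1 and tls11 admit deprecated protocols
        findings.append(f"protocol-version {proto or 'unset'}: only tls12 should be accepted")
    ciphers = settings.get("preferred-ciphers")
    if ciphers in ("weak", "medium"):
        findings.append(f"preferred-ciphers {ciphers}: low key strength allowed")
    if "server-certificate" not in settings:
        findings.append("server-certificate missing: profile cannot present a certificate")
    if "enable-flow-tracing" in settings:
        findings.append("enable-flow-tracing set: debug tracing left on")
    return findings


def audit(config_text):
    """Map each profile name to its list of findings (empty list = clean)."""
    return {name: audit_profile(s) for name, s in parse_profiles(config_text).items()}
```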
Required Privilege Level
services—To view this statement in the configuration.
services-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 12.1X44-D10.
The protocol-version statement is updated to include tls11 and tls12 from Junos OS Release 15.1X49-D30.