profile (SSL Initiation)

Syntax

Hierarchy Level

Description

Specify the name of the profile for the SSL initiation support service.

SSL initiation is a process in which the SRX Series Firewall acts as an SSL proxy client and initiates SSL sessions with an SSL server. The firewall receives cleartext from an HTTP client, encrypts it, and transmits it as ciphertext to the SSL server. In the reverse direction, the firewall decrypts the ciphertext it receives from the SSL server and forwards the data to the client as cleartext.

The profile contains the settings for SSL-initiated connections: the list of supported ciphers and their priority, the supported SSL/TLS versions, the trusted CA profiles used to authenticate the server, and a few other options.

Options

actions

Specify the certificate revocation checks and traffic-related actions for the SSL initiation support service.

crl

Specify certificate revocation actions. A certificate revocation list (CRL) lists the digital certificates that the issuing CA has revoked before their expiration date. When the device validates the server's certificate, it checks the certificate signature and validity period, then obtains the most recently issued CRL and verifies that the certificate's serial number is not on it. CRL verification is enabled by default in an SSL profile.

ignore-hold-instruction-code

Ignore the hold instruction code present in a CRL entry (the X.509 holdInstructionCode CRL entry extension). By default a certificate whose CRL entry is marked as on hold fails revocation checking; with this option the hold code is disregarded. This option is a narrow exception to CRL checking and is unrelated to ignore-server-auth-failure, which disables server authentication altogether.

client-certificate

Local certificate. This is the certificate that the SRX Series Firewall presents to the server when it initiates the SSL session (client authentication). It is typically signed by a CA that the SSL server trusts.

crypto-hardware-offload

Trusted Platform Module (TPM) mode. Configure TPM-based SSL initiation sessions.

custom-ciphers

Configure custom cipher for an SSL profile.

Custom ciphers allow you to define your own cipher list. If you do not want to use one of the three categories (strong, medium, or weak) of preferred ciphers, you can select ciphers from each of the categories to form a custom cipher set.

To configure custom ciphers, you must set preferred-ciphers to custom. See preferred-ciphers for more details.

enable-flow-tracing

Enable flow tracing for debugging of SSL initiation sessions.

enable-session-cache

Enable the SSL session cache. Session caching stores session information, such as the pre-master secret and the negotiated cipher suite, for both the client and server sides, so that subsequent connections to the same server can be resumed without a full handshake.

ignore-server-auth-failure

Ignore server authentication completely. In this case the device ignores errors encountered during server certificate verification (such as CA signature verification failure, self-signed certificates, and certificate expiry). Because the server's identity is no longer verified, traffic using the profile can be intercepted by anyone who can redirect the connection; use this option only in test environments.

preferred-ciphers

Select preferred ciphers. Preferred ciphers allow you to choose the set of SSL cipher suites that the device offers, grouped by acceptable key strength. Ciphers are divided into three categories according to their key strength: strong, medium, or weak. Set this option to custom to use the list defined under custom-ciphers.

protocol-version

Specify the accepted SSL protocol version, that is, the SSL/TLS protocol version the security device uses when negotiating SSL connections. Restrict this to the newest version that the destination servers support rather than allowing all versions.

trusted-ca

List of trusted certificate authority profiles. SSL initiation uses the trusted CA certificates to authenticate the server. Junos OS provides a default list of trusted CA certificates that you can load onto the device using a default command option.

The remaining statements are explained separately. See CLI Explorer.
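The following set-command fragment is an added example, not configuration from this page or from Juniper; it contrasts a profile that switches server authentication off with one built from the options above. The profile names, the CA profile corp-ca, the CA group name trusted-default, the local certificate ID srx-client-cert and the CRL URL are assumed placeholders; the security pki statements and the request command are standard Junos PKI configuration used to supply the certificates the profile references.

```text
# Added example (placeholder names). Lines starting with '#' are comments.

# 1. Weak profile: ignore-server-auth-failure accepts any server certificate
#    (self-signed, expired, unknown CA), so the session can be intercepted.
#    Allowing every protocol version and weak ciphers makes it worse.
set services ssl initiation profile lab-insecure actions ignore-server-auth-failure
set services ssl initiation profile lab-insecure protocol-version all
set services ssl initiation profile lab-insecure preferred-ciphers weak

# 2. Hardened profile.
#    Load the Junos default trusted CA bundle into a CA profile group (the
#    "default command option" referenced under trusted-ca), or define a
#    private CA profile with a CRL distribution point so revocation checks
#    have a CRL to fetch.
request security pki ca-certificate ca-profile-group load ca-group-name trusted-default filename default
set security pki ca-profile corp-ca ca-identity corp-ca
set security pki ca-profile corp-ca revocation-check crl url http://crl.example.com/corp.crl

#    Pin the profile to the CA, present a client certificate, and restrict
#    the handshake to TLS 1.2 with strong ciphers. CRL verification stays at
#    its default (enabled); no "actions" statement is configured, so server
#    authentication failures are fatal as they should be.
set services ssl initiation profile hardened trusted-ca corp-ca
set services ssl initiation profile hardened client-certificate srx-client-cert
set services ssl initiation profile hardened protocol-version tls12
set services ssl initiation profile hardened preferred-ciphers strong
set services ssl initiation profile hardened enable-session-cache

commit check
```

The local certificate srx-client-cert is assumed to have been loaded beforehand with request security pki local-certificate load; it must chain to a CA that the SSL server trusts, not merely one that the firewall trusts. Review any profile that carries actions ignore-server-auth-failure or actions crl ignore-hold-instruction-code, since both relax the server authentication that trusted-ca is meant to enforce.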

Required Privilege Level

services—To view this statement in the configuration.

services-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 12.1X44-D10. The protocol-version statement is updated to include tls11 and tls12 from Junos OS Release 15.1X49-D30.