config firewall ssl setting
SSL proxy settings.
```
config firewall ssl setting
    Description: SSL proxy settings.
    set abbreviate-handshake [enable|disable]
    set cert-cache-capacity {integer}
    set cert-cache-timeout {integer}
    set kxp-queue-threshold {integer}
    set no-matching-cipher-action [bypass|drop]
    set proxy-connect-timeout {integer}
    set session-cache-capacity {integer}
    set session-cache-timeout {integer}
    set ssl-dh-bits [768|1024|...]
    set ssl-queue-threshold {integer}
    set ssl-send-empty-frags [enable|disable]
end
```
config firewall ssl setting
Parameter | Description | Type | Size | Default
---|---|---|---|---
abbreviate-handshake | Enable/disable use of SSL abbreviated handshake. | option | - | enable
cert-cache-capacity | Maximum capacity of the host certificate cache. | integer | Minimum value: 0 Maximum value: 500 | 200
cert-cache-timeout | Time limit to keep certificate cache. | integer | Minimum value: 1 Maximum value: 120 | 10
kxp-queue-threshold * | Maximum length of the CP KXP queue. When the queue becomes full, the proxy switches cipher functions to the main CPU. | integer | Minimum value: 0 Maximum value: 512 | 16
no-matching-cipher-action | Bypass or drop the connection when no matching cipher is found. | option | - | bypass
proxy-connect-timeout | Time limit to make an internal connection to the appropriate proxy process. | integer | Minimum value: 1 Maximum value: 60 | 30
session-cache-capacity | Capacity of the SSL session cache. | integer | Minimum value: 0 Maximum value: 1000 | 500
session-cache-timeout | Time limit to keep SSL session state. | integer | Minimum value: 1 Maximum value: 60 | 20
ssl-dh-bits | Bit-size of Diffie-Hellman. | option | - | 2048
ssl-queue-threshold * | Maximum length of the CP SSL queue. When the queue becomes full, the proxy switches cipher functions to the main CPU. | integer | Minimum value: 0 Maximum value: 512 | 32
ssl-send-empty-frags | Enable/disable sending empty fragments to avoid attack on CBC IV (for SSL 3.0 and TLS 1.0 only). | option | - | enable

* This parameter may not exist in some models.
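
The following added example (not Fortinet code, and not part of the original reference) audits a `config firewall ssl setting` block from a configuration backup against the integer ranges in the table above. The function names, the constructed sample configuration, and the two policy checks (a 2048-bit Diffie-Hellman floor and flagging `bypass` for `no-matching-cipher-action`) are assumptions of this example; settings missing from the block are assumed to be at the defaults listed in the table.

```python
import re

# Integer ranges copied from the parameter table on this page: (min, max).
RANGES = {
    "cert-cache-capacity": (0, 500), "cert-cache-timeout": (1, 120),
    "kxp-queue-threshold": (0, 512), "proxy-connect-timeout": (1, 60),
    "session-cache-capacity": (0, 1000), "session-cache-timeout": (1, 60),
    "ssl-queue-threshold": (0, 512),
}
# Table defaults, used when a setting is absent from the block (assumption).
DEFAULTS = {"no-matching-cipher-action": "bypass", "ssl-dh-bits": "2048"}
MIN_DH_BITS = 2048  # assumption: local policy floor, not a value from the page


def parse_ssl_setting(config_text):
    """Return the 'set' pairs found inside 'config firewall ssl setting'."""
    settings, inside = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall ssl setting":
            inside = True
        elif inside and line == "end":
            break
        elif inside:
            m = re.match(r'set\s+(\S+)\s+"?([^"]*)"?$', line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings


def audit(config_text):
    """Return a sorted list of findings for the parsed block."""
    cfg = {**DEFAULTS, **parse_ssl_setting(config_text)}
    findings = []
    for name, (low, high) in RANGES.items():
        if name in cfg and not (cfg[name].isdigit() and low <= int(cfg[name]) <= high):
            findings.append(f"{name}: {cfg[name]} outside {low}-{high}")
    if not cfg["ssl-dh-bits"].isdigit() or int(cfg["ssl-dh-bits"]) < MIN_DH_BITS:
        findings.append(f"ssl-dh-bits: {cfg['ssl-dh-bits']} below {MIN_DH_BITS}")
    if cfg["no-matching-cipher-action"] == "bypass":
        findings.append("no-matching-cipher-action: bypass (connection is not dropped)")
    return sorted(findings)

# Constructed sample, not taken from a real device.
SAMPLE = """config firewall ssl setting
    set cert-cache-timeout 200
    set ssl-dh-bits 1024
end
"""
```

Calling `audit(SAMPLE)` reports the out-of-range cache timeout, the 1024-bit Diffie-Hellman size, and the inherited `bypass` default.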