ssl (Services)
Syntax
ssl {
    initiation {
        profile profile-name {
            actions {
                crl {
                    disable;
                    if-not-present (allow | drop);
                    ignore-hold-instruction-code;
                }
                ignore-server-auth-failure;
            }
            client-certificate;
            custom-ciphers [cipher];
            enable-flow-tracing;
            enable-session-cache;
            preferred-ciphers (custom | medium | strong | weak);
            protocol-version (all | tls1 | tls11 | tls12);
            trusted-ca (all | [ca-profile] );
        }
    }
    proxy {
        global-config {
            session-cache-timeout seconds;
        }
        profile profile-name {
            actions {
                crl {
                    disable;
                    if-not-present (allow | drop);
                    ignore-hold-instruction-code;
                }
                disable-session-resumption;
                ignore-server-auth-failure;
                log {
                    all;
                    errors;
                    info;
                    sessions-allowed;
                    sessions-dropped;
                    sessions-ignored;
                    sessions-whitelisted;
                    warning;
                }
                renegotiation {
                    (allow | allow-secure | drop);
                }
            }
            custom-ciphers [cipher];
            enable-flow-tracing;
            preferred-ciphers (custom | medium | strong | weak);
            root-ca root-certificate;
            trusted-ca (all | [ca-profile] );
            whitelist [global-address-book-addresses];
        }
    }
    termination {
        profile profile-name {
            custom-ciphers [cipher];
            enable-flow-tracing;
            enable-session-cache;
            preferred-ciphers (custom | medium | strong | weak);
            protocol-version (all | tls1 | tls11 | tls12);
            server-certificate certificate-identifier;
        }
    }
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            (no-world-readable | world-readable);
            size maximum-file-size;
        }
        flag flag;
        level [brief | detail | extensive | verbose];
        no-remote-trace;
    }
}
Hierarchy Level
[edit services]
Description
Enabling tracing can adversely impact scale and performance and may increase security risk. We strongly recommend using the trace, tracing, or traceoptions commands only under the guidance of a JTAC support engineer. After collecting the debug information, immediately disable tracing to minimize risk and restore normal system performance.
Specify the configuration for the Secure Sockets Layer (SSL) support service. This statement is supported on SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices and on vSRX Virtual Firewall.
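The following Python audit is an added example, not Juniper code: it walks a curly-brace `services ssl` configuration and reports statements from the syntax above that relax certificate checking, cipher or protocol strength, or leave tracing on. The choice of statements in `RISKY`, the profile and certificate names in the sample, and the input format (comments stripped, no quoted values containing spaces) are assumptions of this example.

```python
import re

# Statements from the syntax above that this example treats as risky (an assumption).
RISKY = {
    "crl disable": "certificate revocation checking is off",
    "ignore-server-auth-failure": "server authentication failures are ignored",
    "renegotiation allow": "non-secure renegotiation is permitted",
    "preferred-ciphers weak": "weak cipher category is selected",
    "protocol-version all": "older protocol versions are accepted",
    "protocol-version tls1": "only TLS 1.0 is negotiated",
    "world-readable": "trace file is readable by any user",
    "enable-flow-tracing": "flow tracing is left enabled",
}

def leaf_paths(config):
    """Yield each ';'-terminated statement as a word list prefixed by its enclosing blocks."""
    stack, words = [], []
    for tok in re.findall(r"[{};]|[^{};\s]+", config):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":
            stack.append(words)          # words collected so far name the block
        elif tok == "}":
            del stack[-1:]               # tolerates an unbalanced closing brace
        elif words:
            yield [w for block in stack for w in block] + words
        words = []

def audit(config):
    """Return (statement path, reason) pairs for every risky statement found."""
    leaves = list(leaf_paths(config))
    findings = [(" ".join(w), why) for w in leaves for stmt, why in RISKY.items()
                if w[-len(stmt.split()):] == stmt.split()]
    if any("traceoptions" in w for w in leaves):
        findings.append(("traceoptions", "tracing is configured; disable it after debugging"))
    return findings

# Constructed sample configuration (compressed layout); all names are made up.
SAMPLE = """
services { ssl {
  proxy { profile inspect-outbound {
    actions { crl { disable; } ignore-server-auth-failure; renegotiation { allow; } }
    preferred-ciphers weak; root-ca example-root;
  } }
  traceoptions { file { ssl-trace; world-readable; } }
} }
"""
```

Calling `audit(SAMPLE)` returns one finding per risky statement plus one for the `traceoptions` block, each with the full hierarchy path so the statement can be located and removed.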
Options
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
services—To view this statement in the configuration.
services-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 12.1X44-D10. The crl statement is supported from 15.1X49-D30.
The protocol-version statement is updated to include tls11 and tls12 from Junos OS Release 15.1X49-D30.