xnm-ssl

Syntax

Hierarchy Level

Description

Allow Junos XML protocol SSL requests from remote systems to the local router.

Warning:

Starting with Junos OS Release 15.1, the sslv3-support option is not available for configuration with the set system services xnm-ssl and file copy commands. SSLv3 is no longer supported or available.

For all releases prior to and including Junos OS Release 14.2, SSLv3 is disabled by default at runtime. The sslv3-support option is hidden and deprecated in Junos OS Release 14.2 and earlier releases. However, you can use the set system services xnm-ssl sslv3-support command to enable SSLv3 for a Junos XML protocol client application to use as the protocol to connect to the Junos XML protocol server on a router, and you can use the file copy source destination sslv3-support command to enable the copying of files from an SSLv3 URL.

Using SSLv3 presents a potential security vulnerability, and we recommend that you not use SSLv3. For more details about this security vulnerability, go to https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10656.

Note:

When FIPS mode is enabled on the device, the xnm-ssl service does not support TLS 1.0. For a device in FIPS mode, clients must communicate with the xnm-ssl service using TLS 1.1 or later. In non-FIPS mode, clients can communicate with the xnm-ssl service using TLS 1.0 or later. The xnm-ssl service never negotiates SSLv2 or SSLv3 (the predecessors to TLS 1.0), regardless of whether FIPS mode is enabled or disabled.

Options

connection-limit limit

Configure the maximum number of connection sessions for the ftp service per protocol (either IPv6 or IPv4).

Note:

The actual number of maximum connections depends on the availability of system resources, and might be fewer than the configured connection-limit value if the system resources are limited.

  • Range: 1 through 250 connections

  • Default: 75 connections

local-certificate name

Import or reference an SSL certificate by specifying the name of the local certificate to use.

There is no default. The value for local-certificate should be the same as the name provided during the import of the certificate using the CLI configuration statement local at the [edit security certificates] hierarchy level.

rate-limit limit

Configure the maximum number of connection attempts per minute, per protocol (either IPv6 or IPv4), on an access service. For example, a rate limit of 10 allows 10 IPv6 ftp session connection attempts per minute and 10 IPv4 ftp session connection attempts per minute.

  • Range: 1 through 250 connections

  • Default: 150 connections

ssl-renegotiation

Enable SSL renegotiation for the xnm-ssl service.

  • Default: Disabled
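
An added example (not Juniper code): a Python check that reads set-format configuration text, such as a saved configuration or a deployment template, and flags the xnm-ssl settings this page calls out. The function name audit_xnm_ssl, the sample configurations, and the certificate name xnm-cert are constructed for illustration.

```python
# Ranges and option names are taken from the xnm-ssl statement described above.
LIMIT_RANGE = range(1, 251)          # connection-limit and rate-limit: 1 through 250
PREFIX = "set system services xnm-ssl"

def audit_xnm_ssl(config_text):
    """Return a list of findings for xnm-ssl in set-format configuration text."""
    opts, enabled = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        # Match the statement itself or its options, not e.g. "xnm-ssl-foo".
        if not (line == PREFIX or line.startswith(PREFIX + " ")):
            continue
        enabled = True
        tokens = line[len(PREFIX):].split()
        if tokens:
            opts[tokens[0]] = tokens[1] if len(tokens) > 1 else True
    if not enabled:
        return []                    # service not configured, nothing to audit
    findings = []
    if "sslv3-support" in opts:
        findings.append("sslv3-support is set: SSLv3 is enabled (hidden, deprecated option)")
    if "ssl-renegotiation" in opts:
        findings.append("ssl-renegotiation is enabled (default is disabled): confirm it is required")
    if "local-certificate" not in opts:
        findings.append("no local-certificate configured (there is no default)")
    for key in ("connection-limit", "rate-limit"):
        if key in opts:
            value = opts[key]
            ok = isinstance(value, str) and value.isdigit() and int(value) in LIMIT_RANGE
            if not ok:
                findings.append(f"{key} {value} is outside the documented range 1 through 250")
    return findings

# Constructed sample input: a template that enables SSLv3 and omits the certificate.
SAMPLE_WEAK = """
set system host-name r1
set system services xnm-ssl sslv3-support
set system services xnm-ssl ssl-renegotiation
set system services xnm-ssl connection-limit 300
"""

# Constructed sample input: certificate referenced, limits at the documented defaults.
SAMPLE_OK = """
set system services xnm-ssl local-certificate xnm-cert
set system services xnm-ssl connection-limit 75
set system services xnm-ssl rate-limit 150
"""

if __name__ == "__main__":
    for finding in audit_xnm_ssl(SAMPLE_WEAK):
        print("FINDING:", finding)
```
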

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Release Information

Statement introduced before Junos OS Release 7.4.

ssl-renegotiation introduced in Junos OS Release 13.3.