ssl verify enable (DTLS policy view)

Function

The ssl verify enable command enables verification of a digital certificate.

The undo ssl verify enable command disables verification of a digital certificate.

By default, digital certificate verification is disabled.

Format

ssl verify basic-constrain enable

ssl verify key-usage enable

undo ssl verify basic-constrain enable

undo ssl verify key-usage enable

Parameters

None

Views

DTLS policy view

Default Level

3: Management level

Task Name and Operations

Task Name: ssl
Operations: write

Usage Guidelines

Usage Scenario

  • Verifying the validity of a digital certificate rejects invalid digital certificates and improves security.
  • To enable verification of the extended key usage field in the peer's digital certificate, run the ssl verify key-usage enable command. If the field does not exist, this verification is not performed. OIDs to be verified: when the local end functions as a client, the system checks whether the field in the digital certificate sent by the server contains SSL server (id-kp 1, OID 1.3.6.1.5.5.7.3.1); when the local end functions as a server, the system checks whether the field in the digital certificate sent by the client contains SSL client (id-kp 2, OID 1.3.6.1.5.5.7.3.2).
  • To enable verification of the basic constraint field in the CA certificate sent by the peer end, run the ssl verify basic-constrain enable command. This verification uses the basic constraint field to determine whether the certificate's entity type is CA. If no basic constraint field exists, verification fails.
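The following is an added example, not Huawei code: a stdlib-only model of the two checks these commands switch on, including the asymmetry that a missing extended key usage field is skipped while a missing basic constraint field fails, and the precaution that neither check applies unless peer verification is enabled. Certificates are represented as plain dicts of already-parsed extensions, which is an assumption made for illustration.

```python
# Added example (not Huawei code). Certificates are modelled as dicts of
# parsed extensions; this representation is an assumption for illustration.

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp 1, SSL server: expected from a server
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp 2, SSL client: expected from a client


def check_key_usage(local_role, peer_cert):
    """Extended key usage check. A missing field means the check is not performed."""
    eku = peer_cert.get("extended_key_usage")
    if eku is None:
        return True
    # A client expects the server's cert to carry SSL server; a server expects SSL client.
    required = SERVER_AUTH if local_role == "client" else CLIENT_AUTH
    return required in eku


def check_basic_constraints(ca_cert):
    """Basic constraint check on the peer's CA certificate. A missing field fails."""
    bc = ca_cert.get("basic_constraints")
    if bc is None:
        return False
    return bc.get("ca") is True


def verify_peer(policy, local_role, peer_cert, ca_cert):
    """Apply the enabled checks; returns (ok, reasons)."""
    if not policy.get("peer_verification"):
        # Without peer verification on the bound service, neither command takes effect.
        return True, ["peer verification disabled: key-usage/basic-constrain checks not applied"]
    reasons = []
    if policy.get("key_usage") and not check_key_usage(local_role, peer_cert):
        reasons.append("extended key usage lacks the OID required for the peer role")
    if policy.get("basic_constrain") and not check_basic_constraints(ca_cert):
        reasons.append("basic constraint field missing or CA flag not set")
    return not reasons, reasons


# Constructed sample data for the checks above.
SERVER_CERT = {"extended_key_usage": [SERVER_AUTH]}
CLIENT_ONLY_CERT = {"extended_key_usage": [CLIENT_AUTH]}
NO_EKU_CERT = {}
GOOD_CA = {"basic_constraints": {"ca": True}}
NO_BC_CA = {}
POLICY_ALL = {"peer_verification": True, "key_usage": True, "basic_constrain": True}
POLICY_NO_PEER = {"peer_verification": False, "key_usage": True, "basic_constrain": True}
```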

Prerequisites

An SSL policy has been created using the dtls policy command.

Precautions

Verification on the peer digital certificate takes effect only after peer verification is enabled for the service to which the SSL policy is bound. If peer verification is not enabled for the local service, the peer digital certificate is checked only when the ssl verify version cert-version3 enable command is run and the local end functions as a client. The ssl verify key-usage enable or ssl verify basic-constrain enable command does not take effect.

Example

# Enable verification on the basic constraint fields of a digital certificate.
<HUAWEI> system-view
[~HUAWEI] dtls policy abc
[*HUAWEI-dtls-policy-abc] ssl verify basic-constrain enable
Copyright © Huawei Technologies Co., Ltd.