security-settings

This command configures various TLS certificate security settings.

Syntax

(config-network)# security-settings
(network-security)# 

Command / Description

PEERHOSTNAMEVERIFICATIONMODE {0|1|2}
    Enables the device to verify the Subject Name of the TLS certificate received from SIP entities when authenticating the peer and establishing TLS connections:
    0 = Disable (default)
    1 = Verify the Subject Name only when the device acts as the client for the TLS connection.
    2 = Verify the Subject Name when the device acts as either the server or the client for the TLS connection.

SIPSREQUIRECLIENTCERTIFICATE {off|on}
    Defines the device's mode of operation regarding mutual authentication and certificate verification for TLS connections.
    off = Disable
        Device acts as a client: Verification of the server's certificate depends on the VerifyServerCertificate parameter.
        Device acts as a server: The device does not request the client certificate.
    on = Enable
        Device acts as a client: Verification of the server's certificate is required to establish the TLS connection.
        Device acts as a server: The device requires receipt and verification of the client certificate to establish the TLS connection.

    Note: For the parameter to take effect, a device reset is required.

fips140mode {off|on}
    Enables FIPS 140-2 conformance mode for TLS.

    Note: Applicable only to specific products.

tls-re-hndshk-int
    Defines the time interval (in minutes) between TLS re-handshakes initiated by the device.

tls-rmt-subs-name
    Defines the Subject Name that is compared with the name in the remote side's certificate when establishing TLS connections.

tls-vrfy-srvr-cert {off|on}
    Enables the device, when acting as the client for TLS connections, to verify the server certificate. The certificate is verified against the Root CA information.

Command Mode

Privileged User

Example

This example enables the device to verify the Server certificate with the Root CA information:

(config-network)# security-settings
(network-security)# tls-vrfy-srvr-cert on
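To make the interaction of these parameters concrete, the following added example (not part of the device CLI or its firmware) models the verification policy the table describes: whether the chain is verified against the Root CA and whether the Subject Name is compared, per role and per setting, and how a configured tls-rmt-subs-name is matched against a peer certificate as Python's ssl module presents it. The wildcard handling, the `ssl.SSLContext` mapping and the sample certificate are assumptions for illustration; the page does not state how the device matches names.

```python
import ssl
from dataclasses import dataclass


@dataclass
class SecuritySettings:
    """Values mirror the CLI parameters on this page."""
    peer_hostname_verification_mode: int = 0       # PEERHOSTNAMEVERIFICATIONMODE 0|1|2
    sips_require_client_certificate: bool = False  # SIPSREQUIRECLIENTCERTIFICATE
    tls_vrfy_srvr_cert: bool = False               # tls-vrfy-srvr-cert
    tls_rmt_subs_name: str = ""                    # tls-rmt-subs-name


def verifies_chain(s: SecuritySettings, role: str) -> bool:
    """True when the peer certificate is verified against the Root CA."""
    if role == "client":
        # Client side: tls-vrfy-srvr-cert, or mutual-auth mode which requires it
        return s.tls_vrfy_srvr_cert or s.sips_require_client_certificate
    # Server side: the client certificate is only requested/verified in mutual-auth mode
    return s.sips_require_client_certificate


def verifies_subject_name(s: SecuritySettings, role: str) -> bool:
    """Mode 0: never; mode 1: client role only; mode 2: client and server roles."""
    if s.peer_hostname_verification_mode == 2:
        return True
    return s.peer_hostname_verification_mode == 1 and role == "client"


def _name_matches(pattern: str, name: str) -> bool:
    # Assumption: a leading "*." wildcard matches exactly one label
    if pattern.startswith("*."):
        return "." in name and name.split(".", 1)[1] == pattern[2:]
    return pattern == name


def subject_name_matches(cert: dict, expected: str) -> bool:
    """Compare tls-rmt-subs-name against SAN DNS entries and the subject CN
    of a certificate in the dict form returned by ssl.SSLSocket.getpeercert()."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(n.lower(), expected.lower()) for n in names)


def build_context(s: SecuritySettings, role: str) -> ssl.SSLContext:
    """Derive an SSLContext whose verify_mode follows the policy above."""
    purpose = ssl.Purpose.SERVER_AUTH if role == "client" else ssl.Purpose.CLIENT_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.check_hostname = False  # the Subject Name check is done by subject_name_matches()
    ctx.verify_mode = ssl.CERT_REQUIRED if verifies_chain(s, role) else ssl.CERT_NONE
    return ctx


# Constructed sample peer certificate (getpeercert() layout); not a real certificate
EXAMPLE_CERT = {
    "subject": ((("commonName", "proxy.example.net"),),),
    "subjectAltName": (("DNS", "sip.example.net"), ("DNS", "*.trunk.example.net")),
}
```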