gsk_environment_open()

Creates an SSL environment.

Format

   #include <gskssl.h>

   gsk_status gsk_environment_open (
                                     gsk_handle *     env_handle)

Parameters

env_handle
Returns the handle for the environment. The application should call the gsk_environment_close() routine to release the environment when it is no longer needed.

Results

The function return value will be 0 (GSK_OK) if no error is detected. Otherwise, it will be one of the return codes listed in the gskssl.h include file. These are some possible errors:
[GSK_ATTRIBUTE_INVALID_ENUMERATION]
The value of an environment variable is not valid.
[GSK_ATTRIBUTE_INVALID_LENGTH]
The length of an environment variable value is not valid.
[GSK_ATTRIBUTE_INVALID_NUMERIC_VALUE]
The value of an environment variable is not valid.
[GSK_INSUFFICIENT_STORAGE]
Insufficient storage is available.

Usage

The gsk_environment_open() routine creates an SSL environment. The environment will be initialized with default values and then any SSL environment variables will be processed. These values can be changed by the application using the appropriate gsk_attribute_set_*() routines. The gsk_environment_init() routine should then be called to initialize the SSL environment. This environment can then be used to establish one or more SSL connections.

When not executing in FIPS mode, the following default values are set:
  • Start of changeTLS V1.0 is enabled (SSL V2, SSL V3, TLS V1.1 and TLS V1.2 are disabled by default).End of change
  • The connection type is set to CLIENT.
  • The SSL V2 connection timeout is set to 100 seconds.
  • The SSL V3 connection timeout is set to 86400 seconds.
  • The SSL V2 cache size is set to 256.
  • The SSL V3 cache size is set to 512.
  • The sysplex session cache is disabled.
  • The default key will be used.
  • No revoked certificate checking performed.
  • The default callback routines will be used.
  • The SSL V2 cipher specification is set to "713642" if United States only encryption is enabled Start of change(System SSL Security Level 3 FMID installed)End of change and "642" otherwise.
  • 2-character cipher definitions in GSK_V3_CIPHER_SPECS will be used for SSL V3 cipher values.
  • Start of changeThe SSL V3 cipher specification is set to "35363738392F303132330A1613100D0915120F0C" if United States only encryption is enabled (System SSL Security Level 3 FMID installed) and "0915120F0C" otherwise.End of change
  • The supported elliptic curve list is set to "00210023002400250019".
  • The signature algorithm pair list is set to "0601060305010503040104030402030103030201020302020101".
  • No TLS extensions are initialized.
  • Suite B is disabled.
  • Start of changeOCSP support is disabled (OCSP URL is not defined and AIA extensions are not enabled).End of change
  • Start of changeHTTP CDP CRL support is disabled.End of change
  • Start of changeLDAP CRL support is disabled.End of change
When executing in FIPS mode, the following default values are set:
  • Start of changeTLS V1.0 is enabled (SSL V2, SSL V3, TLS V1.1 and TLS V1.2 are disabled by default).End of change
  • The connection type is set to CLIENT.
  • The connection timeout is set to 86400 seconds.
  • The cache size is set to 512.
  • The sysplex session cache is disabled.
  • The default key will be used.
  • No revoked certificate checking performed.
  • The default callback routines will be used.
  • 2-character cipher definitions in GSK_V3_CIPHER_SPECS will be used for SSL V3 cipher values.
  • The cipher specification is set to "35363738392F303132330A1613100D".
  • The supported elliptic curve list is set to "00210023002400250019".
  • The signature algorithm pair list is set to "060106030501050304010403040203010303020102030202".
  • Suite B is disabled.
  • Start of changeOCSP support is disabled (OCSP URL is not defined and AIA extensions are not enabled).End of change
  • Start of changeHTTP CDP CRL support is disabled.End of change
  • Start of changeLDAP CRL support is disabled.End of change

See Table 1 for a list of supported SSL V2 cipher specifications.

See Table 2 for a list of supported 2-character SSL V3 cipher specifications.

See Table 3 for a list of supported 4-character SSL V3 cipher specifications.

See Table 5 for a list of supported 4-character elliptic curve specifications.

Applications wanting to use cipher suites that use elliptic curve certificates must set an appropriate cipher specification in GSK_V3_CIPHER_SPECS_EXPANDED. If an application requires an SSL V3, TLS V1.0, or higher session to use the 4-character cipher suites specified in GSK_V3_CIPHER_SPECS_EXPANDED then it must explicitly call gsk_attribute_set_enum() and set the enumeration identifier GSK_V3_CIPHERS to have a value of GSK_V3_CIPHERS_CHAR4.

Start of changeIf an application has indicated it is using the 4-character cipher specifications by setting GSK_V3_CIPHERS to GSK_V3_CIPHERS_CHAR4, but does not set a cipher specification in GSK_V3_CIPHER_SPECS_EXPANDED, the default cipher specification will be set as follows:
  • Executing in non-FIPS mode with United States only encryption enabled (System SSL Security Level 3 FMID installed): 
    "00350036003700380039002F0030003100320033000A00160013
0010000D000900150012000F000C"
  • Executing in non-FIPS mode with United States only encryption disabled (System SSL Security Level 3 FMID is not installed):
    "000900150012000F000C"
  • Executing in FIPS mode:
    "00350036003700380039002F0030003100320033000A001600130010000D"
End of change
If an application has indicated it will be running in Suite B compatibility mode by setting GSK_SUITE_B_PROFILE to a value other than GSK_SUITE_B_PROFILE_OFF, the cipher specification will be set based on the values for GSK_SUITE_B_PROFILE as follows:
  • Executing with GSK_SUITE_B_PROFILE_128 "C02BC023"
  • Executing with GSK_SUITE_B_PROFILE_192 "C02CC024"
  • Executing with GSK_SUITE_B_PROFILE_ALL "C02CC024C02BC023"
If executing in FIPS mode, the following cipher specifications are supported:
  • When using 2-character cipher suites:

    0A 0D 10 13 16 2F 30 31 32 33 35 36 37 38 39 3C 3D 3E 3F 40 67 68 69
    6A 6B 9C 9D 9E 9F A0 A1 A2 A3 A4 A5

  • When using 4-character cipher suites:

    000A 000D 0010 0013 0016 002F 0030 0031 0032 0033 0035 0036 0037 0038
    0039 003C 003D 003E 003F 0040 0067 0068 0069 006A 006B 009C 009D 009E
    009F 00A0 00A1 00A2 00A3 00A4 00A5 C003 C004 C005 C008 C009 C00A
    C00D C00E C00F C012 C013 C014 C023 C024 C025 C026 C027 C028 C029
    C02A C02B C02C C02D C02E C02F C030 C031 C032

If using the TLS V1.1 or higher protocols, export ciphers are not supported. The 40-bit ciphers (cipher specifications "03" and "06" or "0003" and "0006") will be ignored if specified.

If using the TLS V1.2 or higher protocols the 56-bit DES cipher suites "09", "0C", "0F", "12" and "15" (or "0009", "000C", "000F", "0012" and "0015") will be ignored if specified.

Start of changeThese environment variables are processed (See Environment variables for information about environment variables):
GSK_AIA_CDP_PRIORITY
Specifies the priority order that the AIA and the CDP extensions are checked for certificate revocation information.
GSK_CERT_VALIDATION_KEYRING_ROOT
Specifies how certificates in a SAF key ring are validated.
GSK_CERT_VALIDATION_MODE
Specifies which internet standard is used for certificate validation.
GSK_CLIENT_AUTH_NOCERT_ALERT
Specifies whether the SSL server application accepts a connection from a client where client authentication is requested and the client fails to supply an X.509 certificate.
GSK_CLIENT_ECURVE_LIST
Specifies the list of elliptic curves that are supported by the client.
GSK_CRL_CACHE_ENTRY_MAXSIZE
Specifies the maximum size in bytes of a CRL to be kept in the LDAP CRL cache.
GSK_CRL_CACHE_EXTENDED
Specifies that LDAP extended CRL cache support is enabled.
GSK_CRL_CACHE_SIZE
Specifies the maximum number of CRLs that are allowed to be stored in the LDAP CRL cache.
GSK_CRL_CACHE_TIMEOUT
Specifies the number of hours that a cached LDAP CRL remains valid.
GSK_CRL_CACHE_TEMP_CRL
Specifies if a temporary LDAP CRL cache entry is added to the LDAP CRL cache when the CRL does not reside on the LDAP server.
GSK_CRL_CACHE_TEMP_CRL_TIMEOUT
Specifies the time in hours that a temporary CRL cache entry resides in the LDAP CRL cache.
GSK_CRL_SECURITY_LEVEL
Specifies the level of security used when contacting LDAP servers to check CRLs for revoked certificates.
GSK_EXTENDED_RENEGOTIATION_INDICATOR
Specifies the level of enforcement of renegotiation indication.
GSK_HTTP_CDP_CACHE_ENTRY_MAXSIZE
Specifies the maximum size in bytes of a CRL that can be stored in the HTTP CDP CRL cache.
GSK_HTTP_CDP_CACHE_SIZE
Specifies the maximum number of CRLs that are allowed to be stored in the HTTP CDP CRL cache.
GSK_HTTP_CDP_ENABLE
Specifies if certificate revocation checking with the HTTP URI values in the CDP extension is enabled.
GSK_HTTP_CDP_MAX_RESPONSE_SIZE
Specifies the maximum size in bytes accepted as a response from an HTTP server when retrieving a CRL.
GSK_HTTP_CDP_PROXY_SERVER_NAME
Specifies the DNS name or IP address of the HTTP proxy server.
GSK_HTTP_CDP_PROXY_SERVER_PORT
Specifies the HTTP proxy server port.
GSK_HTTP_CDP_RESPONSE_TIMEOUT
Specifies the time in seconds to wait for a response from the HTTP server.
GSK_KEY_LABEL
Specifies the label of the key that used to authenticate the application.
GSK_KEYRING_FILE
Specifies the name of the key database file, PKCS #12 file, SAF key ring, or z/OS PKCS #11 token.
GSK_KEYRING_PW
Specifies the password for the key database or PKCS #12 file.
GSK_KEYRING_STASH
Specifies the name of the key database password stash file.
GSK_LDAP_PASSWORD
Specifies the password to use when connecting to the LDAP server.
GSK_LDAP_PORT
Specifies the LDAP server port.
GSK_LDAP_RESPONSE_TIMEOUT
Specifies the time in seconds to wait for a response from the LDAP server.
GSK_LDAP_SERVER
Specifies one or more blank-separated LDAP server host names.
GSK_LDAP_USER
Specifies the distinguished name to use when connecting to the LDAP server.
GSK_MAX_SOURCE_REV_EXT_LOC_VALUES
Specifies the maximum number of location values that will be contacted per data source when attempting validation of a certificate.
GSK_MAX_VALIDATION_REV_EXT_LOC_VALUES
Specifies the maximum number of location values that will be contacted when performing validation of a certificate.
GSK_OCSP_CLIENT_CACHE_ENTRY_MAXSIZE
Specifies the maximum number of OCSP responses or cached certificate statuses that are allowed to be kept in the OCSP response cache for an issuing CA certificate.
GSK_OCSP_CLIENT_CACHE_SIZE
Specifies the maximum number of OCSP responses or cached certificate statuses to be kept in the OCSP response cache.
GSK_OCSP_ENABLE
Specifies whether the AIA extensions are to be used for revocation checking.
GSK_OCSP_MAX_RESPONSE_SIZE
Specifies the maximum size in bytes allowed in a response from an OCSP responder.
GSK_OCSP_NONCE_CHECK_ENABLE
Specifies if OCSP response nonce checking is on or off.
GSK_OCSP_NONCE_GENERATION_ENABLE
Specifies whether an OCSP request will contain a generated nonce.
GSK_OCSP_NONCE_SIZE
Specifies the size in bytes for the value of the nonce to be sent in OCSP requests.
GSK_OCSP_PROXY_SERVER_NAME
Specifies the DNS name or IP address of the OCSP proxy server.
GSK_OCSP_PROXY_SERVER_PORT
Specifies the OCSP responder port for the proxy.
GSK_OCSP_REQUEST_SIGALG
Specifies the hash and signature algorithm pair to be used to sign OCSP requests.
GSK_OCSP_REQUEST_SIGKEYLABEL
Specifies the label of the key to be used to sign OCSP requests.
GSK_OCSP_RESPONSE_TIMEOUT
Specifies the time in seconds to wait for a complete response from the OCSP responder.
GSK_OCSP_RETRIEVE_VIA_GET
Specifies whether the HTTP request to the OCSP responder is sent using the HTTP Get Method or the HTTP Post method.
GSK_OCSP_URL
Specifies the URI of an OCSP responder.
GSK_OCSP_URL_PRIORITY
Specifies the order of precedence for contacting OCSP responder locations if both GSK_OCSP_URL and GSK_OCSP_ENABLE are active.
GSK_PROTOCOL_SSLV2
Start of changeSpecifies whether the SSL V2 protocol is supported.End of change
GSK_PROTOCOL_SSLV3
Start of changeSpecifies whether the SSL V3 protocol is supported.End of change
GSK_PROTOCOL_TLSV1
Specifies whether the TLS V1.0 protocol is supported.
GSK_PROTOCOL_TLSV1_1
Specifies whether the TLS V1.1 protocol is supported.
GSK_PROTOCOL_TLSV1_2
Specifies whether the TLS V1.2 protocol is supported.
GSK_REVOCATION_SECURITY_LEVEL
Specifies the level of security to be used when contacting an OCSP responder or an HTTP server specified in a URI value of the CDP extension.
GSK_RENEGOTIATION
Specifies the type of session renegotiation allowed for an SSL environment.
GSK_RENEGOTIATION_PEER_CERT_CHECK
Specifies if the peer certificate is allowed to change during renegotiation.
GSK_SUITE_B_PROFILE
Specifies the Suite B profile to be applied to TLS V1.2 sessions.
GSK_SYSPLEX_SIDCACHE
Specifies whether sysplex session caching is supported.
Start of changeGSK_TLS_CBC_PROTECTION_METHODEnd of change
Start of changeSpecifies an optional SSL V3.0 or TLS V1.0 CBC IV protection method when writing application data.End of change
GSK_TLS_SIG_ALG_PAIRS
Specifies the list of TLS V1.2 hash and signature algorithm pair specifications that are supported by the client or server.
GSK_V2_CIPHER_SPECS
Specifies the SSL V2 cipher specifications in order of preference.
GSK_V2_SESSION_TIMEOUT
Specifies the session timeout value in seconds for the SSL V2 protocol.
GSK_V2_SIDCACHE_SIZE
Specifies the number of session identifiers that can be contained in the SSL V2 cache.
GSK_V3_CIPHER_SPECS
Specifies the SSL V3 cipher specifications in order of preference (2-character values).
GSK_V3_CIPHER_SPECS_EXPANDED
Specifies the SSL V3 cipher specifications in order of preference (4-character values).
GSK_V3_SESSION_TIMEOUT
Specifies the session timeout value in seconds for the SSL V3, TLS V1.0, and higher protocols.
GSK_V3_SIDCACHE_SIZE
Specifies the number of session identifiers that can be contained in the SSL V3 cache.
End of change

Related Topics

gsk_environment_init()

gsk_environment_close()

Parent topic: API reference