Use the TTLSEnvironmentAdvancedParms
statement to specify advanced attributes for an AT-TLS environment.
Syntax
>>-TTLSEnvironmentAdvancedParms--+------+--| Put Braces and Parameters on Separate Lines |-><
'-name-'
Put Braces and Parameters on Separate Lines
|--+-{-------------------------------------------+--------------|
+-| TTLSEnvironmentAdvancedParms Parameters |-+
'-}-------------------------------------------'
TTLSEnvironmentAdvancedParms Parameters
.-SSLv2 Off-----. .-SSLv3 Off-----. .-TLSv1 On------.
|--+---------------+--+---------------+--+---------------+------>
'-SSLv2-+-On--+-' '-SSLv3-+-On--+-' '-TLSv1-+-On--+-'
'-Off-' '-Off-' '-Off-'
.-TLSv1.1 On------. .-TLSv1.2 Off-----.
>--+-----------------+--+-----------------+--------------------->
'-TLSv1.1-+-On--+-' '-TLSv1.2-+-On--+-'
'-Off-' '-Off-'
.-ApplicationControlled Off-----. .-HandshakeTimeout 10-.
>--+-------------------------------+--+---------------------+--->
'-ApplicationControlled-+-On--+-' '-HandshakeTimeout n--'
'-Off-'
.-ResetCipherTimer 0-. .-Renegotiation--Default--------.
>--+--------------------+--+-------------------------------+---->
'-ResetCipherTimer n-' '-Renegotiation-+-Disabled----+-'
+-All---------+
'-Abbreviated-'
.-RenegotiationIndicator--Optional--.
>--+-----------------------------------+------------------------>
'-RenegotiationIndicator-+-Client-+-'
+-Server-+
'-Both---'
.-RenegotiationCertCheck---Off---.
>--+--------------------------------+--------------------------->
'-RenegotiationCertCheck---On----'
>--+------------------------+----------------------------------->
'-CertificateLabel value-'
.-ClientAuthType--Required-----.
>--+------------------------------+----------------------------->
'-ClientAuthType--+-PassThru-+-'
+-Full-----+
+-Required-+
'-SAFCheck-'
.-TruncatedHMAC Off-----------.
>--+-----------------------+--+-----------------------------+--->
'-SecondaryMap--+-On--+-' '-TruncatedHMAC--+-Required-+-'
'-Off-' +-Optional-+
'-Off------'
.-CertValidationMode Any----------.
>--+---------------------------------+-------------------------->
'-CertValidationMode--+-Any-----+-'
+-RFC2459-+
'-RFC3280-'
.-ClientMaxSSLFragment Off----------------------------------------------.
>--+-----------------------------------------------------------------------+-->
+-ClientMaxSSLFragment-+-Required-+-ClientMaxSSLFragmentLength-+-512--+-+
| '-Optional-' +-1024-+ |
| +-2048-+ |
| '-4096-' |
'-ClientMaxSSLFragment Off----------------------------------------------'
.-ServerMaxSSLFragment Off-----------.
>--+------------------------------------+----------------------->
'-ServerMaxSSLFragment--+-Required-+-'
+-Optional-+
'-Off------'
.-ClientHandshakeSNI Off---------------------------------------------------------------------------------.
>--+--------------------------------------------------------------------------------------------------------+-->
| .-------------------------------. |
| V | |
+-ClientHandshakeSNI-+-Required-+-ClientHandshakeSNIMatch-+-Required-+---ClientHandshakeSNIList--value-+-+
| '-Optional-' '-Optional-' |
'-ClientHandshakeSNI Off---------------------------------------------------------------------------------'
.-ServerHandshakeSNI Off---------------------------------------------------------------------------------.
>--+--------------------------------------------------------------------------------------------------------+--|
| .-------------------------------. |
| V | |
+-ServerHandshakeSNI-+-Required-+-ServerHandshakeSNIMatch-+-Required-+---ServerHandshakeSNIList--value-+-+
| '-Optional-' '-Optional-' |
'-ServerHandshakeSNI Off---------------------------------------------------------------------------------'
Parameters
- name
- A string 1 - 32 characters in length specifying the name of this TTLSEnvironmentAdvancedParms statement.
Rule: If this TTLSEnvironmentAdvancedParms statement is not specified inline within another statement, a name value must be provided. If a name value is not specified for an inline TTLSEnvironmentAdvancedParms statement, a nonpersistent system name is created.
- SSLv2
- Specifies the state of the SSL Version 2 protocol. For System
SSL, the GSK_PROTOCOL_SSLV2 value is set to this value. Possible
values are:
- On
- Enables the SSL Version 2 protocol.
- Off
- Disables the SSL Version 2 protocol. This is the default.
- SSLv3
- Specifies the state of the SSL Version 3 protocol. For System
SSL, the GSK_PROTOCOL_SSLV3 value is set to this value. Possible
values are:
- On
- Enable the SSL Version 3 protocol.
- Off
- Disable the SSL Version 3 protocol. This is the
default.
- TLSv1
- Specifies the state of the TLS Version 1 protocol. For System
SSL, the GSK_PROTOCOL_TLSV1 value is set to this value. Possible
values are:
- On
- Enable the TLS Version 1.0 protocol. This is the default.
- Off
- Disable the TLS Version 1.0 protocol.
- TLSv1.1
- Specifies the state of the TLS Version 1.1 protocol. For System
SSL, the GSK_PROTOCOL_TLSV1_1 value is set to this value. Possible
values are:
- On
- Enable the TLS Version 1.1 protocol. This is the default.
- Off
- Disable the TLS Version 1.1 protocol.
- TLSv1.2
- Specifies the state of the TLS Version 1.2 protocol. For System
SSL, the GSK_PROTOCOL_TLSV1_2 value is set to this value. Possible
values are:
- On
- Enable the TLS Version 1.2 protocol.
Tip: When you
specify TLSv1.2 as On, System SSL will not negotiate SSLv2 sessions
even if you specify SSLv2 as On.
- Off
- Disable the TLS Version 1.2 protocol. This is the default.
- CertValidationMode
- Specifies the method of certificate validation. For System SSL,
the GSK_CERT_VALIDATION_MODE value is set to this value. Possible
values are:
- Any
- Specifies that certificate validation can use any supported X.509
certificate validation method. This is the default.
- RFC2459
- Specifies that certificates are validated using the method described
in RFC 2459.
- RFC3280
- Specifies that certificates are validated using the method described
in RFC 3280.
- TruncatedHMAC
- For TLSv1.0 protocol and later, this keyword specifies
whether clients and servers support the use of 80-bit truncated HMACs.
For System SSL, the extension ID is set to GSK_TLS_SET_TRUNCATED_HMAC
and a flag is set in the gsk_tls_extension structure, if it is required.
Possible values are:
- Required
- Specifies that 80-bit truncated HMAC support must be accepted
by both endpoints. Connections fail if the remote endpoint does not
support the 80-bit truncated HMAC.
Tip: When you specify
TruncatedHMAC as Required, specify SSLv3 as Off.
- Optional
- Specifies that support is provided for 80-bit truncated HMAC negotiation,
but connections with endpoints that do not support the truncated 80-bit
HMAC are allowed.
- Off
- Specifies that support is not provided for 80-bit truncated HMAC
negotiation. The function is not enabled. Connections fail if the
remote endpoint requires support for the 80-bit truncated HMAC. This
is the default.
- ClientMaxSSLFragment
- For TLSv1.0 protocol and later, this keyword specifies
whether maximum SSL fragment function is supported when AT-TLS is
the TLS client on the connection. For System SSL, the extension ID
is set to GSK_TLS_SET_CLIENT_MFL and a flag is set in the gsk_tls_extension
structure if it is required. Possible values are:
- Required
- Specifies that maximum SSL fragment function support must be accepted
by the server. Connections fail if the server does not support maximum
SSL fragment function.
Tip: When you specify ClientMaxSSLFragment
as Required, specify SSLv3 as Off.
- Optional
- Specifies support for maximum SSL fragment function negotiation,
but allows connections with servers that do not support maximum SSL
fragment function.
- Off
- Specifies that maximum SSL fragment function negotiation is not
supported. The function is not enabled. Connections fail if the server
requires support for maximum SSL fragment function. This is the default.
- ClientMaxSSLFragmentLength
- For TLSv1.0 protocol and later, this value specifies the maximum SSL fragment length, in bytes, to request on the connection when AT-TLS is the TLS client using the TLSv1.0 or TLSv1.1 protocol. The valid values are 512, 1024, 2048, and 4096. For System SSL, the maximum fragment length is set to GSK_TLS_MFL_512, GSK_TLS_MFL_1024, GSK_TLS_MFL_2048, or GSK_TLS_MFL_4096. This parameter is required when ClientMaxSSLFragment is set to Required or Optional.
- ServerMaxSSLFragment
- For TLSv1.0 protocol and later, this keyword specifies
whether the maximum SSL fragment function is supported when AT-TLS
is the TLS server on the connection. For System SSL, the extension
ID is set to GSK_TLS_SET_SERVER_MFL and a flag is set in the gsk_tls_extension
structure if it is required. Possible values are:
- Required
- Specifies that maximum SSL fragment function support must be accepted
by the client. Connections fail if the client does not support maximum
SSL fragment function.
Tip: When you specify ServerMaxSSLFragment
as Required, specify SSLv3 as Off.
- Optional
- Specifies that support is provided for maximum SSL fragment function, but allows connections with clients that do not support maximum SSL fragment function.
- Off
- Specifies that maximum SSL fragment function is not supported.
The function is not enabled. Connections fail if the client requires
support for maximum SSL fragment function. This is the default value.
- ClientHandshakeSNI
- For TLSv1.0 protocol and later, this keyword specifies
whether a client can specify a list of server names. The server chooses
a certificate based on that server name list for this connection.
For System SSL, the extension ID is set to GSK_TLS_SET_SNI_CLIENT_SNAMES
and a flag is set in the gsk_tls_extension structure if it is required.
Valid values are:
- Required
- Specifies that server name indication support must be accepted
by the server. Connections fail if the server does not support server
name indication.
Tip: When you specify ClientHandshakeSNI as Required, specify SSLv3 as Off.
- Optional
- Specifies that server name indication negotiation is supported,
but allows connections with servers that do not support server name
indication negotiation.
- Off
- Specifies that server name indication is not supported. The function
is not enabled. Connections fail if the server requires support for
server name indication. This is the default.
- ClientHandshakeSNIMatch
- Code this parameter if ClientHandshakeSNI is set to Required or Optional. For System SSL, a flag is set in the gsk_sni_client_snames structure if a match is required. Possible values are:
- Required
- Specifies that a server name in the list of server names provided
by the TLS client must match a server name in the list of server names
and certificate labels on the TLS server. The connection ends if no
match was found for the server name at the server.
- Optional
- Specifies that connections can continue if no match is found for
the server name.
- ClientHandshakeSNIList
- For SSL clients using TLSv1.0 protocol and later, this
keyword specifies a server name. You can code multiple ClientHandshakeSNIList
statements. The list of server names is passed to the server in the
SSL handshake. For System SSL, the server names are anchored in the
gsk_sni_client_snames structure. A server name can be 1 - 255 characters
in length. This parameter is required when ClientHandshakeSNI is set
to Required or Optional.
Restriction: The total length of
all the server names specified must be less than 32K.
- ServerHandshakeSNI
- For TLSv1.0 protocol and later, this keyword specifies
whether a certificate is chosen based on the server name list provided
by the TLS client. For System SSL, the extension ID is set to GSK_TLS_SET_SNI_SERVER_SNAMES
and a flag is set in the gsk_tls_extension structure if it is required.
Possible values are:
- Required
- Specifies that server name indication support must be accepted
by the client. Connections fail if the client does not support server
name indication.
Tip: When you specify ServerHandshakeSNI
as Required, specify SSLv3 as Off.
- Optional
- Specifies that server name indication negotiation is supported, but allows connections with clients that do not support server name indication.
- Off
- Specifies that server name indication is not supported. The function
is not enabled. Connections fail if the client requires support for
server name indication. This is the default value.
- ServerHandshakeSNIMatch
- You must code this parameter when ServerHandshakeSNI is set to Required or Optional. For System SSL, a flag is set in the gsk_sni_server_labels structure if a match is required. Possible values are:
- Required
- Specifies that a server name in the list of server names provided by the TLS client must match a server name in the ServerHandshakeSNIList. The connection ends if no match can be found for the server name.
- Optional
- Specifies that connections continue if no match is found for the
server name.
- ServerHandshakeSNIList
- For SSL servers using TLSv1.0 protocol and later, this
keyword specifies a server name and certificate label pair to be used
by the server, separated by a slash (/). Multiple ServerHandshakeSNIList
statements can be coded. The server matches the server name provided
by the client to a certificate label. For System SSL, the server
names and labels are anchored in the gsk_sni_server_labels structure.
A server name can be 1 - 255 characters in length. A certificate
label can be 1 - 127 characters in length. This parameter is required
when ServerHandshakeSNI is set to Required or Optional.
Rule: You can use comment indicators and embedded blanks as part of the certificate label value for this attribute. For example:
ServerHandshakeSNIList myservername/Root#CA Certificate
value used: myservername/Root#CA Certificate
Restrictions:
- The total length of all the server names and certificate labels specified must be less than 32K.
- When the certificate label value contains embedded blanks, you must specify the entire parameter value within the first 1 536 characters of the configuration file line.
- ApplicationControlled
- Specifies whether the application can control AT-TLS security
for a connection. Valid values are:
- Off
- An application cannot control AT-TLS security. The connection
automatically negotiates AT-TLS security. This is the default.
- On
- An application can control AT-TLS security. AT-TLS security is
used only when requested by the application, using the SIOCTTLSCTL
ioctl.
- HandshakeTimeout
- Specifies the number of seconds to wait for the initial handshake
to complete. Valid values of n are in the
range 0 - 600. The default value is 10.
For connections with the
HandshakeRole parameter set to Client, the timer is initially set
to 5 times the value of n, allowing for
network delay and any delay on the server in processing the connection.
When the initial response is received from the server, the timer is
set again for n seconds, to allow the initial
handshake to complete.
For connections with the HandshakeRole parameter set to Server or ServerWithClientAuth, when the server starts to process the new connection the timer is set to n seconds, waiting for the initial request from the client. The timer is reset to n seconds when the server sends the initial response, to allow the initial handshake to complete.
If the timer expires, the TCP connection is reset.
A value of 0 indicates that the connection does not time out waiting
for the initial handshake to complete.
- ResetCipherTimer
- Specifies the number of minutes a secure connection can be active
before a new session key is generated for the connection. AT-TLS
initiates a handshake on the next read or write after the timer expires.
For System SSL, the GSK_RESET_CIPHER function is used to initiate
this. If the session ID has expired, controlled by the GSK_V3_SESSION_TIMEOUT
statement, a full handshake is performed. Otherwise, a short handshake
is performed. This timer applies only to connections using SSLv3
or TLSv1 protocol. Valid values of n are
in the range 0 - 1440. Specifying 0 means that session key refresh
is not initiated by AT-TLS for the life of the connection. The
default value is 0.
- Renegotiation
- Specifies the type of session key renegotiation that is allowed. For System SSL, the GSK_RENEGOTIATION value is set. The following
values are valid:
- Default
- GSK_RENEGOTIATION set to NONE. Disables SSL V3 and TLS handshake
renegotiation as a server and allows RFC 5746 renegotiation. This
is the default.
- Disabled
- Disables SSL V3 and TLS handshake renegotiation as a server and
disables RFC 5746 renegotiation.
- All
- Allows SSL V3 and TLS handshake renegotiation as a server and
allows RFC 5746 renegotiation.
- Abbreviated
- Allows SSL V3 and TLS abbreviated handshake renegotiation as a
server for resuming the current session only, while disabling SSL
V3 and TLS full handshake renegotiation as a server. The System SSL
session ID cache is not checked when resuming the current session.
Allows RFC 5746 renegotiation.
- RenegotiationIndicator
- Sets the enforcement level of the initial handshake renegotiation
indication as RFC 5746 specifies. For System SSL, the GSK_EXTENDED_RENEGOTIATION_INDICATOR
value is set to this value. The following values are valid:
- Optional
- The renegotiation indicator is not required during initial handshake.
- Client
- Allow the client initial handshake to proceed only when the server
indicates support for RFC 5746 renegotiation.
- Server
- Allow the server initial handshake to proceed only when the client
indicates support for RFC 5746 renegotiation.
- Both
- Allow the client and server initial handshakes to proceed only
when the partner indicates support for RFC 5746 renegotiation.
- RenegotiationCertCheck
- Specifies whether to perform an identity check against the peer's
certificate during renegotiation. For System SSL, the GSK_RENEGOTIATION_PEER_CERT_CHECK
value is set to this value. Valid values are:
- Off
- An identity check is not performed. This allows the peer certificate
to change during renegotiation.
- On
- An identity check is performed. This ensures that the peer certificate
does not change during renegotiation.
- CertificateLabel
- Specifies the label of the certificate to be used for authentication. Valid values are 1 - 127 characters in length. For System SSL, the GSK_KEYRING_LABEL value is set to this value.
Rule: Comment indicators and embedded blanks are treated as
part of the value for this attribute. For example:
CertificateLabel Root#CA Certificate
value used: Root#CA Certificate
Restriction: When the value contains embedded blanks, you
must specify the entire value within the first 1 536 characters of
the configuration file line.
- ClientAuthType
- Specifies the type of client certificate validation to be performed
for connections in this AT-TLS environment. Client certificates are
requested only if HandshakeRole is set to ServerWithClientAuth. Valid values are:
- PassThru
- Bypasses client certificate validation.
- Full
- Performs client certificate validation if the client presents
a certificate.
- Required
- Requires the client to present a certificate and performs client
certificate validation. This is the default.
- SAFCheck
- Requires the client to present a certificate, performs client
certificate validation and requires the client certificate to have
an associated user ID defined to the security product.
- SecondaryMap
- Specifies whether the application establishes secondary connections
that should use the secondary policy mapping method. When specified
in the TTLSEnvironmentAdvancedParms, this statement overrides the
value specified in the TTLSGroupAdvancedParms. Valid values are:
- Off
- A connection that maps to this policy should not be used as a
primary connection in the secondary policy mapping method.
- On
- A connection that maps to this policy should be used as a primary
connection in the secondary policy mapping method. Future connections
established between the same two IP addresses by the same process
that do not map to any policy or map to a policy with a lower priority
are considered secondary connections. These secondary connections
use the same policy mapped by the associated primary connection.
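As an added illustration, not part of this reference or of the AT-TLS product code, the following Python check parses a TTLSEnvironmentAdvancedParms block and applies the rules documented above: the HandshakeTimeout and ResetCipherTimer ranges, the tip to set SSLv3 Off when an extension is Required, the ClientMaxSSLFragmentLength and ServerHandshakeSNIMatch/ServerHandshakeSNIList requirements, and the rule that CertificateLabel and the SNI list values keep comment indicators and embedded blanks. The two sample statements are constructed; that a trailing # starts a comment on the other keywords is an assumption about the policy file syntax, and the parser handles one statement with its own brace block.

```python
import re
RANGES = {"HandshakeTimeout": (0, 600), "ResetCipherTimer": (0, 1440)}
MFL_LENGTHS = {"512", "1024", "2048", "4096"}
# Keywords whose Required setting the reference pairs with the tip "specify SSLv3 as Off".
NEEDS_SSLV3_OFF = ("TruncatedHMAC", "ClientMaxSSLFragment", "ServerMaxSSLFragment",
                   "ClientHandshakeSNI", "ServerHandshakeSNI")
# Attributes that keep comment indicators (#) and embedded blanks as part of their value.
RAW_VALUE = ("CertificateLabel", "ClientHandshakeSNIList", "ServerHandshakeSNIList")
def parse_statement(text):
    """Return (name, params); params maps keyword -> list of values (list keywords repeat)."""
    m = re.search(r"TTLSEnvironmentAdvancedParms[ \t]*([^\s{}]+)?\s*\{(.*?)\}", text, re.S)
    params = {}
    for line in m.group(2).splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0], parts[1] if len(parts) > 1 else ""
        if key not in RAW_VALUE:  # assumption: on ordinary keywords a trailing # starts a comment
            value = value.split("#", 1)[0]
        params.setdefault(key, []).append(value.strip())
    return m.group(1), params
def check(name, p):
    """Apply the documented rules and return a list of findings (empty means clean)."""
    one = lambda k, d=None: p.get(k, [d])[0]
    f = [] if name is None or 1 <= len(name) <= 32 else ["name must be 1 - 32 characters"]
    for k, (lo, hi) in RANGES.items():
        if (v := one(k)) is not None and not (v.isdigit() and lo <= int(v) <= hi):
            f.append(f"{k} {v} is outside {lo} - {hi}")
    for k in ("SSLv2", "SSLv3"):
        if one(k, "Off") == "On":
            f.append(f"{k} On: obsolete protocol enabled (default is Off)")
    for k in NEEDS_SSLV3_OFF:
        if one(k) == "Required" and one("SSLv3", "Off") == "On":
            f.append(f"{k} Required: specify SSLv3 as Off")
    if one("ClientMaxSSLFragment", "Off") != "Off" and one("ClientMaxSSLFragmentLength") not in MFL_LENGTHS:
        f.append("ClientMaxSSLFragmentLength (512, 1024, 2048 or 4096) is required")
    if one("ServerHandshakeSNI", "Off") != "Off":
        if one("ServerHandshakeSNIMatch") not in ("Required", "Optional"):
            f.append("ServerHandshakeSNIMatch must be coded with ServerHandshakeSNI")
        pairs = [v.partition("/") for v in p.get("ServerHandshakeSNIList", [])]
        if not pairs or not all(1 <= len(n) <= 255 and 1 <= len(l) <= 127 for n, _, l in pairs):
            f.append("ServerHandshakeSNIList: servername/label pairs (name 1 - 255, label 1 - 127)")
    return f
# Constructed sample statements (not taken from the reference): one weak, one hardened.
WEAK = """TTLSEnvironmentAdvancedParms legacyEnv
{
  SSLv3                  On
  TruncatedHMAC          Required
  ClientMaxSSLFragment   Optional
  HandshakeTimeout       900
  ServerHandshakeSNI     Required
  ServerHandshakeSNIList myservername/Root#CA Certificate
}"""
HARDENED = """TTLSEnvironmentAdvancedParms hardenedEnv
{
  SSLv3                  Off   # SSLv2 also defaults to Off
  TLSv1.2                On
  ClientAuthType         SAFCheck
  CertificateLabel       Root#CA Certificate
}"""
```

Running check(*parse_statement(WEAK)) reports six findings, while the hardened statement reports none.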