Appendix: Supported GSKit attributes

You can configure these GSKit attributes with Security Access Manager.

Strings

GSK_HTTP_PROXY_SERVER_NAME
Sets the HTTP proxy server used for HTTP CDP CRL retrieval, if one is required. The numeric identifier is 225.
GSK_SSL_EXTN_SERVERNAME_REQUEST
Sets the server name to be requested. The numeric identifier is 230.
GSK_SSL_EXTN_SERVERNAME_CRITICAL_REQUEST
Sets the server name to be requested. This request must be satisfied; if it is not satisfied, an error is returned. The numeric identifier is 231.

Enums

GSK_ALLOW_UNAUTHENTICATED_RESUME
The numeric identifier is 423. One of the following ENUM values must be specified (The default is GSK_ALLOW_UNAUTHENTICATED_RESUME_OFF):
GSK_ALLOW_UNAUTHENTICATED_RESUME_ON
Indicates that a session resume can be completed successfully even if the client has not provided a certificate during the initial handshake when the server is configured for client authentication. The numeric identifier is 588.
GSK_ALLOW_UNAUTHENTICATED_RESUME_OFF
Indicates that a session resume cannot be completed successfully when a client has not provided a certificate during the initial handshake when the server is configured for client authentication. This will cause the connection to complete an entire SSL handshake, which ensures that the server has the opportunity to authenticate the client. The numeric identifier is 589.

This ENUM_ID may only be set prior to gsk_environment_init().

GSK_SSL_SUITEB_MODE_PROCESSING
The numeric identifier is 454. One of the following ENUM values must be specified (The default is GSK_FALSE):
GSK_TRUE
SSL Suite B mode is set. The setting restricts SSL session negotiation to the TLS Suite B profile (RFC 5430), an approved mode of operation that restricts cipher suites, certificates, and signature and hash algorithms. The numeric identifier is 1.
Note: This setting enables both 128 bit and 192 bit Security levels of Suite B. Do not make other settings related to CipherSuites, Protocol and Signature and Hash Algorithms once this setting has been made.
GSK_FALSE
SSL Suite B mode is not enabled. The numeric identifier is 0.
GSK_SSL_SUITEB_128BIT_MODE_PROCESSING
The numeric identifier is 455. One of the following ENUM values must be specified (The default is GSK_FALSE):
GSK_TRUE
SSL Suite B 128 bit Security mode is set. The setting restricts SSL session negotiation to the TLS Suite B profile (RFC 5430), an approved mode of operation that restricts cipher suites, certificates, and signature and hash algorithms. The numeric identifier is 1.
Note: This setting enables only 128 bit Security level of Suite B. Do not make other settings related to CipherSuites, Protocol and Signature and Hash Algorithms once this setting has been made.
GSK_FALSE
SSL Suite B mode is not enabled. The numeric identifier is 0.
Note: This ENUM may only be set prior to gsk_environment_init(). FIPS-140 certified cryptographic modules should also be configured if using this setting. This setting will enable the TLS12 Protocol and disable all others.
GSK_SSL_SUITEB_192BIT_MODE_PROCESSING
The numeric identifier is 456. One of the following ENUM values must be specified (The default is GSK_FALSE):
GSK_TRUE
SSL Suite B 192 bit Security mode is set. The setting restricts SSL session negotiation to the TLS Suite B profile (RFC 5430), an approved mode of operation that restricts cipher suites, certificates, and signature and hash algorithms. The numeric identifier is 1.
Note: This setting enables only 192 bit Security level of Suite B. Do not make other settings related to CipherSuites, Protocol and Signature and Hash Algorithms once this setting has been made.
GSK_FALSE
SSL Suite B mode is not enabled. The numeric identifier is 0.
GSK_LDAP_REQUIRED_AT_INIT
Specifies whether an LDAP server is required at environment initialization. The numeric identifier is 412. One of the following ENUM values must be specified (The default is GSK_INIT_CRL_LDAP_REQUIRED_OFF):
GSK_INIT_CRL_LDAP_REQUIRED_ON
Operational LDAP server (CRL database) is required during environment initialization. The numeric identifier is 538.
GSK_INIT_CRL_LDAP_REQUIRED_OFF
Availability of an active LDAP server (CRL database) is not required during environment initialization. The numeric identifier is 539.
GSK_CC_MODE_CONTROL
This group controls the Common Criteria Mode operational requirements. The numeric identifier is 418. One of the following ENUM_VALUE values must be specified (The default is OFF for each of these):
GSK_CC_MODE_DISABLE_STASH_FILE_ON
Disable the use of stash files to open keystores. The numeric identifier is 555.
GSK_CC_MODE_DISABLE_STASH_FILE_OFF
Allow the use of stash files to open keystores. The numeric identifier is 556.

This ENUM may only be set prior to gsk_environment_init(). gsk_environment_init() will fail if the use of stash files has been disallowed but no keystore password has been given. It cannot be set using an environment variable.

GSK_CC_MODE_FIPS_ON
FIPS mode is set. The numeric identifier is 557. The enumerated value for GSK_BASE_CRYPTO_LIBRARY must not be GSK_BASE_CRYPTO_RSA (the default is GSK_BASE_CRYPTO_ICC) or an error is returned. This enum has the same effect as setting all of GSK_FIPS_MODE_PROCESSING_ON, GSK_SSL_FIPS_MODE_PROCESSING_ON, and GSK_ICC_FIPS_MODE_PROCESSING_ON. Additionally, setting this enum has a similar effect to setting GSK_NIST_DES_FIPS_DEPRECATION, except that the deprecation of DES happens immediately rather than waiting until May 18 2007.
GSK_CC_MODE_FIPS_OFF
FIPS mode is not enabled. The numeric identifier is 558. This enum has the same effect as GSK_FIPS_MODE_PROCESSING_OFF. This ENUM may only be set prior to gsk_environment_init(). gsk_environment_init() will fail if FIPS mode is not supported on the platform. It cannot be set using an environment variable.
GSK_CC_MODE_ENFORCE_STRONG_PWD_ON
Enforce the use of Common Criteria strength passwords for keystore operations. The numeric identifier is 559.
GSK_CC_MODE_ENFORCE_STRONG_PWD_OFF
Remove the enforcement of the use of Common Criteria strength passwords for keystore operations. The numeric identifier is 560.

This ENUM may only be set prior to gsk_environment_init(). gsk_environment_init() will fail if the given password does not meet the strength rules. It cannot be set using an environment variable.

GSK_CC_MODE_DISABLE_PKCS11_ON
Disable the use of pkcs#11 devices. The numeric identifier is 561.
GSK_CC_MODE_DISABLE_PKCS11_OFF
Allow the use of pkcs#11 devices. The numeric identifier is 562.

This ENUM may only be set prior to gsk_environment_init(). It cannot be set using an environment variable.

GSK_CC_MODE_ENFORCE_STRONG_KDB_ON
Enforce that only newer-version CMS keystores, which have stronger tamper protection, can be used. The numeric identifier is 563.
GSK_CC_MODE_ENFORCE_STRONG_KDB_OFF
Remove the enforcement that only newer-version CMS keystores, which have stronger tamper protection, can be used. The numeric identifier is 564.
GSK_CC_MODE_STRICT_BASIC_CONST_ON
Enforce the rule that non-end-entity certificates that are missing the Basic Constraints extension are not permitted in a validation chain. The numeric identifier is 565.
GSK_CC_MODE_STRICT_BASIC_CONST_OFF
Allow non-end-entity certificates that are missing the Basic Constraints extension to be used in a validation chain. The numeric identifier is 566.
GSK_CC_MODE_ENFORCE_RIP_ON
Ensure that GSKit clears residual information for a session when that session encounters SSL errors. The numeric identifier is 567.
GSK_CC_MODE_ENFORCE_RIP_OFF
Do not enforce that GSKit clears residual information for a session when that session encounters SSL errors. The numeric identifier is 568.
GSK_NIST_DES_FIPS_DEPRECATION
NIST has determined that on May 19 2007 DES will no longer be a FIPS certified cipher. Turning this flag on causes DES to be removed from the cipher list in FIPS mode after this date. The numeric identifier is 433.
GSK_TRUE
Turn DES deprecation on after May 18 2007. The numeric identifier is 1.
GSK_FALSE
Do not remove DES from the FIPS cipher list after May 18 2007. The numeric identifier is 0.
GSK_BINARY_DN_MATCHING_ENABLE
Allows for faster operation by comparing DN names using their binary DER encoding. The default is off (Disabled). The numeric identifier is 441.
GSK_TRUE
Turn Binary Matching On (Not recommended). The numeric identifier is 1.
GSK_FALSE
Turn Binary Matching Off. The numeric identifier is 0.
GSK_PROTOCOL_SSLV2
Enables or disables the SSL V2 protocol. Note that in FIPS mode of operation (see GSK_FIPS_MODE_PROCESSING) this setting has no effect. The numeric identifier is 403. ENUM_VALUE must specify one of the following operations (The default is GSK_PROTOCOL_SSLV2_ON):
GSK_PROTOCOL_SSLV2_ON
Enable SSL V2
GSK_PROTOCOL_SSLV2_OFF
Disable SSL V2
GSK_PROTOCOL_SSLV3
Enables or disables the SSL V3 protocol. The numeric identifier is 404. ENUM_VALUE must specify one of the following operations (The default is GSK_PROTOCOL_SSLV3_ON):
GSK_PROTOCOL_SSLV3_ON
Enable SSL V3
GSK_PROTOCOL_SSLV3_OFF
Disable SSL V3
GSK_PROTOCOL_TLSV10
Enables or disables the TLSV10 protocol. The numeric identifier is 436. ENUM_VALUE must specify one of the following operations (The default is on):
GSK_TRUE
Enable TLSV10
GSK_FALSE
Disable TLSV10
GSK_PROTOCOL_TLSV11
Enables or disables the TLSV11 protocol. The numeric identifier is 437. ENUM_VALUE must specify one of the following operations (The default is on):
GSK_TRUE
Enable TLSV11
GSK_FALSE
Disable TLSV11
GSK_PROTOCOL_TLSV12
Enables or disables the TLSV12 protocol. The numeric identifier is 438. ENUM_VALUE must specify one of the following operations (The default is on):
GSK_TRUE
Enable TLSV12
GSK_FALSE
Disable TLSV12
GSK_V2_CIPHER_SPECS
If multiple connections occur under an SSL session, the values set for this field may not be used: the cipher specification negotiated during the first SSL connection of a session is used until that session expires. The list below contains the string values that can be used with the buf_value for this buffer ID. Any combination of these may be used; none may be used twice.
  • 1-RC4 US
  • 2-RC4 Export
  • 3-RC2 US
  • 4-RC2 Export
  • 6-DES 56-Bit
  • 7-Triple DES US

If a NULL string ("") is specified for the cipherspec list, SSL version 2 protocols will not be used.

The default cipherspec is "713642". The numeric identifier is 205.

GSK_V3_CIPHER_SPECS_EX, GSK_TLSV10_CIPHER_SPECS_EX, GSK_TLSV11_CIPHER_SPECS_EX, GSK_TLSV12_CIPHER_SPECS_EX
Allows the user to specify Cipher Specs for the TLS protocol versions. The numeric identifiers are 240, 241, 242, and 243. Different TLS protocols may have mutually exclusive Cipher Specs.

The buffer contains a list of comma-delimited string values that are defined by RFC 2246, 4346, 5246, 4492, and 5289.

Example: Setting the AES TLS cipher suites would require a buffer containing "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA".

Numbers

GSK_LDAP_FAILOVER_RECONNECTION_PERIOD
If multiple LDAP servers are specified for the failover function and the first LDAP server on the list is not available, the next one on the list will be queried until one is available or all the LDAP servers are tried. Periodically, an attempt will be made to retry the LDAP server query process. This attribute specifies the time period before the query retry is to begin. The value of int_value must be in the range of 0 - 86400 seconds. Defaults:
  • For a single LDAP server, 0 seconds.
  • When multiple LDAP servers are specified, 300 seconds.

The numeric identifier is 307.

GSK_V2_SIDCACHE_SIZE
The number of entries in the SID (Session ID) cache used for SSLV2, range 0-2047 (default=256). The numeric identifier is 304.
GSK_V3_SIDCACHE_SIZE
The number of entries in the SID (Session ID) cache used for SSLV3 and TLSV1, range 0-MAXINT (default=512). This setting does not impose an upper limit; however, GSKit internally imposes a limit that may be reviewed over time. Currently the internal limit is 655360. Note: Very large cache sizes could have adverse impacts on process performance due to the large memory usage. The cache memory allocation is dynamic in that memory is not allocated for cache entries until they are required, so the memory usage may in fact be far less than the maximum number of cache entries specified. It is suggested that applications consider these aspects when setting the cache size. The numeric identifier is 305.
GSK_OCSP_TIMEOUT
Sets the timeout in seconds that GSKit waits for a response from the OCSP server. The default is 30. The numeric identifier is 318.
GSK_HTTP_CDP_MAX_RESPONSE_SIZE
Sets the maximum size in bytes that GSKit will accept as a response from a HTTP Server when retrieving a CRL. This may help protect against a denial of service attack. The default is 204800 (200K). The numeric identifier is 316.
GSK_HTTP_CDP_TIMEOUT
Sets the timeout in seconds that GSKit waits for a response from the HTTP CDP server. The default is 30. The numeric identifier is 319.
GSK_MAX_SSL_MESSAGE_SIZE
Sets the maximum message size that can be received by GSKit. This setting is designed to protect against certain denial-of-service attacks in which very large messages are used to exhaust memory on a system. The default is 128K bytes. The numeric identifier is 320.
GSK_HTTP_PROXY_SERVER_PORT
Sets the HTTP proxy server port used for HTTP CDP CRL retrieval, if one is needed. The numeric identifier is 317.
GSK_LDAP_SERVER_VERSION
Sets the LDAP protocol version to be used. This should be set to 2 or 3. The numeric identifier is 314.
GSK_V2_SESSION_TIMEOUT
SSL V2 session time-out. int_value must be in the range 0-100 seconds (default=100). The numeric identifier is 301.
GSK_V3_SESSION_TIMEOUT
SSL V3 session time-out. int_value must be in the range 0-86400 seconds (default=86400, 24 hours). The numeric identifier is 302.
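The following Python script is an added example and is not part of this appendix, nor GSKit or Security Access Manager code. It audits a set of GSKit attribute values against a hardened baseline built from the facts above: the protocol enable flags and their defaults, the SSL V2 cipher spec digit list (each digit may be used once, an empty string disables SSL V2 cipher specs), GSK_ALLOW_UNAUTHENTICATED_RESUME, GSK_BINARY_DN_MATCHING_ENABLE (marked not recommended), and the two size limits that bound memory use. The attribute names, numeric identifiers and defaults come from the appendix; the input format (a dictionary of attribute name to enum name or integer), the choice of which settings count as weak, the sample settings, and the reading of "128K bytes" as 131072 are this example's own assumptions.

```python
"""Audit GSKit attribute settings against a hardened baseline.

Constructed example; not GSKit or Security Access Manager code. Names,
numeric identifiers and defaults are taken from the attribute appendix.
"""
from __future__ import annotations

# Numeric identifiers from the appendix, used to label findings.
ATTR_IDS = {
    "GSK_PROTOCOL_SSLV2": 403,
    "GSK_PROTOCOL_SSLV3": 404,
    "GSK_PROTOCOL_TLSV12": 438,
    "GSK_V2_CIPHER_SPECS": 205,
    "GSK_ALLOW_UNAUTHENTICATED_RESUME": 423,
    "GSK_BINARY_DN_MATCHING_ENABLE": 441,
    "GSK_MAX_SSL_MESSAGE_SIZE": 320,
    "GSK_HTTP_CDP_MAX_RESPONSE_SIZE": 316,
}

# SSL V2 cipher spec digits listed in the appendix (digit -> cipher name).
V2_CIPHER_DIGITS = {"1": "RC4 US", "2": "RC4 Export", "3": "RC2 US",
                    "4": "RC2 Export", "6": "DES 56-Bit", "7": "Triple DES US"}
# Assumption of this example: export-strength RC4/RC2 and single DES are weak.
WEAK_V2_DIGITS = {"2", "4", "6"}

# Appendix defaults; "128K bytes" is read here as 131072 (assumption).
DEFAULTS: dict[str, object] = {
    "GSK_PROTOCOL_SSLV2": "GSK_PROTOCOL_SSLV2_ON",
    "GSK_PROTOCOL_SSLV3": "GSK_PROTOCOL_SSLV3_ON",
    "GSK_PROTOCOL_TLSV12": "GSK_TRUE",
    "GSK_V2_CIPHER_SPECS": "713642",
    "GSK_ALLOW_UNAUTHENTICATED_RESUME": "GSK_ALLOW_UNAUTHENTICATED_RESUME_OFF",
    "GSK_BINARY_DN_MATCHING_ENABLE": "GSK_FALSE",
    "GSK_MAX_SSL_MESSAGE_SIZE": 128 * 1024,
    "GSK_HTTP_CDP_MAX_RESPONSE_SIZE": 204800,
}


def parse_v2_cipher_specs(spec: str) -> list[str]:
    """Validate a GSK_V2_CIPHER_SPECS string and return the cipher names.

    Every character must be one of the listed digits and none may repeat;
    an empty string means SSL V2 cipher specs are not used.
    """
    seen: list[str] = []
    for ch in spec:
        if ch not in V2_CIPHER_DIGITS:
            raise ValueError(f"unknown SSL V2 cipher spec digit {ch!r}")
        if ch in seen:
            raise ValueError(f"cipher spec digit {ch!r} used twice")
        seen.append(ch)
    return [V2_CIPHER_DIGITS[c] for c in seen]


def audit(settings: dict[str, object]) -> list[str]:
    """Return one finding string per weak setting; unset attributes use defaults."""
    eff = {**DEFAULTS, **settings}
    findings: list[str] = []

    def flag(name: str, msg: str) -> None:
        findings.append(f"[{ATTR_IDS[name]}] {name}: {msg}")

    if eff["GSK_PROTOCOL_SSLV2"] == "GSK_PROTOCOL_SSLV2_ON":
        flag("GSK_PROTOCOL_SSLV2", "SSL V2 enabled (the default); set GSK_PROTOCOL_SSLV2_OFF")
        try:
            names = parse_v2_cipher_specs(str(eff["GSK_V2_CIPHER_SPECS"]))
            weak = [n for n in names if n in {V2_CIPHER_DIGITS[d] for d in WEAK_V2_DIGITS}]
            if weak:
                flag("GSK_V2_CIPHER_SPECS", "weak SSL V2 ciphers enabled: " + ", ".join(weak))
        except ValueError as exc:
            flag("GSK_V2_CIPHER_SPECS", f"invalid cipher spec string ({exc})")
    if eff["GSK_PROTOCOL_SSLV3"] == "GSK_PROTOCOL_SSLV3_ON":
        flag("GSK_PROTOCOL_SSLV3", "SSL V3 enabled (the default); set GSK_PROTOCOL_SSLV3_OFF")
    if eff["GSK_PROTOCOL_TLSV12"] != "GSK_TRUE":
        flag("GSK_PROTOCOL_TLSV12", "TLS 1.2 disabled; set GSK_TRUE")
    if eff["GSK_ALLOW_UNAUTHENTICATED_RESUME"] == "GSK_ALLOW_UNAUTHENTICATED_RESUME_ON":
        flag("GSK_ALLOW_UNAUTHENTICATED_RESUME",
             "resume may skip client authentication; set GSK_ALLOW_UNAUTHENTICATED_RESUME_OFF")
    if eff["GSK_BINARY_DN_MATCHING_ENABLE"] == "GSK_TRUE":
        flag("GSK_BINARY_DN_MATCHING_ENABLE", "binary DN matching is on (not recommended)")
    for name in ("GSK_MAX_SSL_MESSAGE_SIZE", "GSK_HTTP_CDP_MAX_RESPONSE_SIZE"):
        if int(eff[name]) > int(DEFAULTS[name]):  # type: ignore[call-overload]
            flag(name, f"raised to {eff[name]} bytes, above the {DEFAULTS[name]} default")
    return findings


# Constructed sample settings (not from any real deployment).
LEGACY_SETTINGS: dict[str, object] = {}  # everything left at appendix defaults
HARDENED_SETTINGS: dict[str, object] = {
    "GSK_PROTOCOL_SSLV2": "GSK_PROTOCOL_SSLV2_OFF",
    "GSK_PROTOCOL_SSLV3": "GSK_PROTOCOL_SSLV3_OFF",
    "GSK_V2_CIPHER_SPECS": "",
}

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for line in audit(cfg):
            print("  " + line)
```

Running the script with no attributes set reports the SSL V2 default, its weak V2 ciphers, and the SSL V3 default; the hardened sample produces no findings. The numeric identifier in each finding is the value you would look up in this appendix when applying the change.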