TTLSConnectionAdvancedParms statement

Use the TTLSConnectionAdvancedParms statement to specify attributes for a subset of connections that need attributes different from those specified on the TTLSEnvironmentAdvancedParms statement that is referenced by the same TTLSRule statement.

Syntax

>>-TTLSConnectionAdvancedParms--+------+--| Put Braces and Parameters on Separate Lines |-><
                                '-name-'                                                    

Put Braces and Parameters on Separate Lines

|--+-{------------------------------------------+---------------|
   +-| TTLSConnectionAdvancedParms Parameters |-+   
   '-}------------------------------------------'   

TTLSConnectionAdvancedParms Parameters

|--+----------------+--+----------------+--+----------------+--->
   '-SSLv2--+-On--+-'  '-SSLv3--+-On--+-'  '-TLSv1--+-On--+-'   
            '-Off-'             '-Off-'             '-Off-'     

>--+------------------+--+------------------+------------------->
   '-TLSv1.1--+-On--+-'  '-TLSv1.2--+-On--+-'   
              '-Off-'               '-Off-'     

>--+--------------------------------+--------------------------->
   '-ApplicationControlled--+-Off-+-'   
                            '-On--'     

>--+---------------------+--+---------------------+------------->
   '-HandshakeTimeout--n-'  '-ResetCipherTimer--n-'   

>--+-------------------------+--+-----------------------+------->
   '-CertificateLabel--value-'  '-SecondaryMap--+-On--+-'   
                                                '-Off-'     

>--+-----------------------------+------------------------------>
   '-TruncatedHMAC--+-Required-+-'   
                    +-Optional-+     
                    '-Off------'     

>--+-----------------------------------------------------------------------+-->
   +-ClientMaxSSLFragment-+-Required-+-ClientMaxSSLFragmentLength-+-512--+-+   
   |                      '-Optional-'                            +-1024-+ |   
   |                                                              +-2048-+ |   
   |                                                              '-4096-' |   
   '-ClientMaxSSLFragment--Off---------------------------------------------'   

>--+------------------------------------+----------------------->
   '-ServerMaxSSLFragment--+-Required-+-'   
                           +-Optional-+     
                           '-Off------'     

>--+---------------------------------------------------------------------------------------------------------+-->
   |                                                                      .--------------------------------. |   
   |                                                                      V                                | |   
   +-ClientHandshakeSNI-+-Required-+-ClientHandshakeSNIMatch-+-Required-+---ClientHandshakeSNIList --value-+-+   
   |                    '-Optional-'                         '-Optional-'                                    |   
   '-ClientHandshakeSNI Off----------------------------------------------------------------------------------'   

>--+---------------------------------------------------------------------------------------------------------+--|
   |                                                                      .--------------------------------. |   
   |                                                                      V                                | |   
   +-ServerHandshakeSNI-+-Required-+-ServerHandshakeSNIMatch-+-Required-+---ServerHandshakeSNIList --value-+-+   
   |                    '-Optional-'                         '-Optional-'                                    |   
   '-ServerHandshakeSNI Off----------------------------------------------------------------------------------'   

Parameters

name
A string 1 - 32 characters in length specifying the name of this TTLSConnectionAdvancedParms statement.

Rule: If this TTLSConnectionAdvancedParms statement is not specified inline within another statement, a name value must be provided. If a name value is not specified for an inline TTLSConnectionAdvancedParms statement, a nonpersistent system name is created.

SSLv2
Specifies the state of the SSL Version 2 protocol. For System SSL, the GSK_PROTOCOL_SSLV2 value is set to this value. Possible values are:
On
Enable the SSL Version 2 protocol.
Off
Disable the SSL Version 2 protocol.
SSLv3
Specifies the state of the SSL Version 3 protocol. For System SSL, the GSK_PROTOCOL_SSLV3 value is set to this value. Possible values are:
On
Enable the SSL Version 3 protocol.
Off
Disable the SSL Version 3 protocol.

Guideline: SSL Version 2 is prohibited by RFC 6176 and SSL Version 3 is deprecated by RFC 7568; specify Off for both on production connections. Parameters that are not coded on this statement keep the values from the TTLSEnvironmentAdvancedParms statement that the same TTLSRule references, so check the protocol settings there as well when you override only a subset of parameters here.
TLSv1
Specifies the state of the TLS Version 1 protocol. For System SSL, the GSK_PROTOCOL_TLSV1 value is set to this value. Possible values are:
On
Enable the TLS Version 1.0 protocol.
Off
Disable the TLS Version 1.0 protocol.
TLSv1.1
Specifies the state of the TLS version 1.1 protocol. For System SSL, the GSK_PROTOCOL_TLSV1.1 value is set to this value. Possible values are:
On
Enable the TLS Version 1.1 protocol.
Off
Disable the TLS Version 1.1 protocol.
TLSv1.2
Specifies the state of the TLS version 1.2 protocol. For System SSL, the GSK_PROTOCOL_TLSV1.2 value is set to this value. Possible values are:
On
Enable the TLS Version 1.2 protocol.
Off
Disable the TLS Version 1.2 protocol.
TruncatedHMAC
For TLSv1.0 protocol or later, this keyword specifies whether clients and servers support the use of 80-bit truncated HMACs. For System SSL, the extension ID is set to GSK_TLS_SET_TRUNCATED_HMAC and a flag is set in the gsk_tls_extension structure if it is required. Possible values are:
Required
Specifies that 80-bit truncated HMAC support must be accepted by both endpoints. Connections fail if the remote endpoint does not support the 80-bit truncated HMAC.

Tip: When you specify TruncatedHMAC as Required, specify SSLv3 as Off. SSL Version 3 has no hello extensions, so a connection that negotiates SSLv3 cannot satisfy a Required extension and fails.

Optional
Specifies that support is provided for 80-bit truncated HMAC negotiation, but connections with endpoints that do not support the truncated 80-bit HMAC are allowed.
Off
Specifies that support is not provided for 80-bit truncated HMAC negotiation. The function is not enabled. Connections fail if the remote endpoint requires support for the 80-bit truncated HMAC.
ClientMaxSSLFragment
For TLSv1.0 protocol or later, this keyword specifies whether the maximum SSL fragment function is supported when AT-TLS is the TLS client on the connection. For System SSL, the extension ID is set to GSK_TLS_SET_CLIENT_MFL and a flag is set in the gsk_tls_extension structure if it is required. Possible values are:
Required
Specifies that maximum SSL fragment function support must be accepted by the server. Connections fail if the server does not support the maximum SSL fragment function.

Tip: When you specify ClientMaxSSLFragment as Required, specify SSLv3 as Off.

Optional
Specifies support for maximum SSL fragment function negotiation, but allows connections with servers that do not support maximum SSL fragment function.
Off
Specifies that maximum SSL fragment function negotiation is not supported. The function is not enabled. Connections fail if the server requires support for maximum SSL fragment function.
ClientMaxSSLFragmentLength
Specifies the maximum SSL fragment function, in bytes, to request on the connection when AT-TLS is the TLS client using TLSv1.0 protocol or later. The valid values are 512, 1024, 2048, and 4096. For System SSL, the maximum fragment function is set to GSK_TLS_MFL_512, GSK_TLS_MFL_1024, GSK_TLS_MFL_2048, or GSK_TLS_MFL_4096. This parameter is required when ClientMaxSSLFragment is set to Required or Optional.
ServerMaxSSLFragment
For TLSv1.0 protocol or later, this keyword specifies whether the maximum SSL fragment function is supported when AT-TLS is the TLS server on the connection. For System SSL, the extension ID is set to GSK_TLS_SET_SERVER_MFL and a flag is set in the gsk_tls_extension structure if it is required. Possible values are:
Required
Specifies that maximum SSL fragment function support must be accepted by the client. Connections fail if the client does not support the maximum SSL fragment function.

Tip: When you specify ServerMaxSSLFragment as Required, specify SSLv3 as Off.

Optional
Specifies that support is provided for the maximum SSL fragment function, but allows connections with clients that do not support the maximum SSL fragment function.
Off
Specifies that maximum SSL fragment function is not supported. The function is not enabled. Connections fail if the client requires support for maximum SSL fragment function.
ClientHandshakeSNI
For TLSv1.0 protocol or later, this keyword specifies whether a client can specify a list of server names. The server chooses a certificate based on that server name list for this connection. For System SSL, the extension ID is set to GSK_TLS_SET_SNI_CLIENT_SNAMES and a flag is set in the gsk_tls_extension structure if it is required. Valid values are:
Required
Specifies that server name indication support must be accepted by the server. Connections fail if the server does not support server name indication.

Tip: When you specify ClientHandshakeSNI as Required, specify SSLv3 as Off.

Optional
Specifies that server name indication negotiation is supported, but allows connections with servers that do not support server name indication negotiation.
Off
Specifies that server name indication is not supported. The function is not enabled. Connections fail if the server requires support for server name indication. This is the default.
ClientHandshakeSNIMatch
Code this parameter when ClientHandshakeSNI is set to Required or Optional. For System SSL, a flag is set in the gsk_sni_client_snames structure if a match is required. Possible values are:
Required
Specifies that a server name in the list of server names provided by the TLS client must match a server name in the list of server names and certificate labels on the TLS server. The connection ends if no match is found for the server name at the server.
Optional
Specifies that connections can continue if no match is found for the server name.
ClientHandshakeSNIList
For SSL clients using TLSv1.0 protocol or later, this keyword specifies a server name. You can code multiple ClientHandshakeSNIList statements. The list of server names is passed to the server in the SSL handshake. For System SSL, the server names are anchored in the gsk_sni_client_snames structure. A server name can be 1 - 255 characters in length. This parameter is required when ClientHandshakeSNI is set to Required or Optional.

Restriction: The total length of all the server names specified must be less than 32K.

ServerHandshakeSNI
For TLSv1.0 protocol or later, this keyword specifies whether a certificate is chosen based on the server name list provided by the TLS client. For System SSL, the extension ID is set to GSK_TLS_SET_SNI_SERVER_SNAMES and a flag is set in the gsk_tls_extension structure if it is required. Possible values are:
Required
Specifies that server name indication support must be accepted by the client. Connections fail if the client does not support server name indication.

Tip: When you specify ServerHandshakeSNI as Required, specify SSLv3 as Off.

Optional
Specifies that server name indication negotiation is supported, but allows connections with clients that do not support server name indication.
Off
Specifies that server name indication is not supported. The function is not enabled. Connections fail if the client requires support for server name indication.
ServerHandshakeSNIMatch
You must code this parameter when ServerHandshakeSNI is set to Required or Optional. For System SSL, a flag is set in the gsk_sni_server_labels structure if a match is required. Possible values are:
Required
Specifies that a server name in the list of server names provided by the TLS client must match a server name in the ServerHandshakeSNIList. The connection ends if no match can be found for the server name.
Optional
Specifies that connections can continue if no match is found for the server name.
ServerHandshakeSNIList
For SSL servers using TLSv1.0 protocol or later, this keyword specifies a server name and certificate label pair to be used by the server, separated by a slash (/). Multiple ServerHandshakeSNIList statements can be coded. The server matches the server name provided by the client to a certificate label. For System SSL, the server names and labels are anchored in the gsk_sni_server_labels structure. A server name can be 1 - 255 characters in length. A certificate label can be 1 - 127 characters in length. This parameter is required when ServerHandshakeSNI is set to Required or Optional.
Rule: You can use comment indicators and embedded blanks as part of the certificate label value for this attribute. For example:
ServerHandshakeSNIList myservername/Root#CA  Certificate 
value used: myservername/Root#CA  Certificate
Restrictions:
  • The total length of all the server names and certificate labels specified must be less than 32K.
  • When the certificate label value contains embedded blanks, you must specify the entire parameter value within the first 1536 characters of the configuration file line.
ApplicationControlled
Specifies whether the application can control AT-TLS security for a connection. Valid values are:
Off
An application cannot control AT-TLS security. The connection automatically negotiates AT-TLS security.
On
An application can control AT-TLS security. AT-TLS security is used only when requested by the application, using the SIOCTTLSCTL ioctl.
HandshakeTimeout
Specifies the number of seconds to wait for the initial handshake to complete. Valid values of n are in the range 0 - 600.

For connections with the HandshakeRole parameter set to Client, the timer is initially set to 5 times the value of n, allowing for network delay and any delay on the server in processing the connection. When the initial response is received from the server, the timer is set again for n seconds, to allow the initial handshake to complete.

For connections with the HandshakeRole parameter set to Server or ServerWithClientAuth, when the server starts to process the new connection the timer is set to n seconds, waiting for the initial request from the client. The timer is reset to n seconds when the server sends the initial response, to allow the initial handshake to complete.

If the timer expires, the TCP connection is reset. A value of 0 indicates that the connection does not time out waiting for the initial handshake to complete.

ResetCipherTimer
Specifies the number of minutes a secure connection can be active before a new session key is generated for the connection. AT-TLS initiates a handshake on the next read or write after the timer expires. For System SSL, the GSK_RESET_CIPHER function is used to initiate handshake. This timer applies only to connections using SSLv3 or TLSv1 protocol. If the session ID has expired, a full handshake is performed. Otherwise, a short handshake is performed. For System SSL, session expiration is controlled by the GSK_V3_SESSION_TIMEOUT statement. Valid values of n are in the range 0 - 1440. Specifying 0 means that the session key refresh is not initiated by AT-TLS for the life of the connection.
CertificateLabel
Specifies the label of the certificate to be used for authentication. Valid values are in the range 1 - 127 characters in length. For System SSL, the GSK_KEYRING_LABEL value is set to this value.
Rule: Comment indicators and embedded blanks are treated as part of the value for this attribute. For example:
CertificateLabel  Root#CA  Certificate
value used:   Root#CA  Certificate 

Restriction: When the value contains embedded blanks, you must specify the entire value within the first 1536 characters of the configuration file line.

SecondaryMap
Specifies whether the application establishes secondary connections that should use the secondary policy mapping method. When coded on the TTLSConnectionAdvancedParms statement, this parameter overrides the value specified on the TTLSEnvironmentAdvancedParms and TTLSGroupAdvancedParms statements. Valid values are:
Off
A connection that maps to this policy should not be used as a primary connection in the secondary policy mapping method.
On
A connection that maps to this policy should be used as a primary connection in the secondary policy mapping method. Future connections established between the same two IP addresses by the same process that do not map to any policy or map to a policy with a lower priority are considered secondary connections. These secondary connections use the same policy mapped by the associated primary connection.
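Example: The following Python program is an added illustration for this page; it is not Policy Agent, AT-TLS or System SSL code. It parses a constructed TTLSConnectionAdvancedParms block and checks it against the rules, restrictions and tips stated above for the protocol and extension parameters (SSLv2 through ServerHandshakeSNIList) and for the HandshakeTimeout, ResetCipherTimer and CertificateLabel parameters, then models the server-side selection described under ServerHandshakeSNIMatch. The statement name ConnAdvParms01, the host names and the certificate labels are invented; exact string matching of server names and the decision not to resolve omitted parameters against TTLSEnvironmentAdvancedParms are assumptions of this example.

```python
"""Added example for this page: not Policy Agent, AT-TLS or System SSL code.
Parses one TTLSConnectionAdvancedParms block and checks it against the rules,
restrictions and tips the page states. Omitted parameters are not resolved
against TTLSEnvironmentAdvancedParms here (assumption: out of scope)."""
import re

# Constructed sample policy text (not from a real z/OS system). The certificate
# label and one SNI label deliberately contain '#' and embedded blanks.
SAMPLE_POLICY = """\
TTLSConnectionAdvancedParms  ConnAdvParms01
{
  SSLv2                    Off
  SSLv3                    Off
  TLSv1                    Off
  TLSv1.1                  Off
  TLSv1.2                  On
  HandshakeTimeout         10
  ResetCipherTimer         60
  CertificateLabel         Root#CA  Certificate
  ServerHandshakeSNI       Optional
  ServerHandshakeSNIMatch  Required
  ServerHandshakeSNIList   www.example.com/Web Cert 2024
  ServerHandshakeSNIList   api.example.com/ApiCert
}
"""

FREEFORM = {"CertificateLabel", "ServerHandshakeSNIList"}  # '#' and blanks are value
LISTS = {"ClientHandshakeSNIList", "ServerHandshakeSNIList"}  # may be repeated
ON_OFF = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2",
          "ApplicationControlled", "SecondaryMap"}
EXTENSIONS = {"TruncatedHMAC", "ClientMaxSSLFragment", "ServerMaxSSLFragment",
              "ClientHandshakeSNI", "ServerHandshakeSNI"}  # Required/Optional/Off
RANGES = {"HandshakeTimeout": (0, 600), "ResetCipherTimer": (0, 1440)}


def parse_block(text):
    """Return (name or None, params). Braces must be on their own lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    m = re.fullmatch(r"TTLSConnectionAdvancedParms(?:\s+(\S+))?", lines[0])
    if not m or lines[1] != "{" or lines[-1] != "}":
        raise ValueError("expected 'TTLSConnectionAdvancedParms [name]', '{', ..., '}'")
    params = {}
    for ln in lines[2:-1]:
        key, rest = (re.split(r"\s+", ln, maxsplit=1) + [""])[:2]  # first blank ends keyword
        value = rest if key in FREEFORM else (rest.split() or [""])[0]
        if key in LISTS:
            params.setdefault(key, []).append(value)
        else:
            params[key] = value
    return m.group(1), params


def check_block(name, p):
    """Return findings (an empty list means the block satisfies the page's rules)."""
    f = []
    if name is not None and not 1 <= len(name) <= 32:
        f.append("name must be 1 - 32 characters")
    f += [f"{k} must be On or Off" for k in ON_OFF if k in p and p[k] not in ("On", "Off")]
    f += [f"{k} must be Required, Optional or Off" for k in EXTENSIONS
          if k in p and p[k] not in ("Required", "Optional", "Off")]
    for k, (lo, hi) in RANGES.items():
        if k in p and not (p[k].isdigit() and lo <= int(p[k]) <= hi):
            f.append(f"{k} must be an integer in the range {lo} - {hi}")
    if "CertificateLabel" in p and not 1 <= len(p["CertificateLabel"]) <= 127:
        f.append("CertificateLabel must be 1 - 127 characters")
    if p.get("ClientMaxSSLFragment") in ("Required", "Optional") and \
            p.get("ClientMaxSSLFragmentLength") not in ("512", "1024", "2048", "4096"):
        f.append("ClientMaxSSLFragmentLength (512, 1024, 2048 or 4096) is required")
    for side in ("Client", "Server"):  # sub-parameters required with Required/Optional
        if p.get(f"{side}HandshakeSNI") in ("Required", "Optional"):
            if f"{side}HandshakeSNIMatch" not in p:
                f.append(f"{side}HandshakeSNIMatch must be coded with {side}HandshakeSNI")
            if not p.get(f"{side}HandshakeSNIList"):
                f.append(f"{side}HandshakeSNIList is required with {side}HandshakeSNI")
        if sum(len(e) for e in p.get(f"{side}HandshakeSNIList", [])) >= 32 * 1024:
            f.append(f"total {side}HandshakeSNIList length must be less than 32K")
    for e in p.get("ClientHandshakeSNIList", []):
        if not 1 <= len(e) <= 255:
            f.append(f"ClientHandshakeSNIList server name {e!r} must be 1 - 255 characters")
    for e in p.get("ServerHandshakeSNIList", []):
        sname, sep, label = e.partition("/")
        if not sep or not 1 <= len(sname) <= 255 or not 1 <= len(label) <= 127:
            f.append(f"ServerHandshakeSNIList entry {e!r} must be servername/label")
    # Tips on the page: SSLv3 has no hello extensions, so it cannot satisfy Required.
    if p.get("SSLv3") == "On" and any(p.get(k) == "Required" for k in EXTENSIONS):
        f.append("specify SSLv3 Off when an extension parameter is Required")
    # Not a rule from the page: RFC 6176 prohibits SSLv2 and RFC 7568 deprecates SSLv3.
    f += [f"{k} On enables a deprecated protocol" for k in ("SSLv2", "SSLv3") if p.get(k) == "On"]
    return f


def select_server_label(p, client_names):
    """Server side of ServerHandshakeSNIMatch: map a client-supplied server name
    to the paired certificate label (exact string match is an assumption here).
    Returns None when nothing matches and the match is Optional, so the handshake
    continues without an SNI-selected label; raises when the match is Required."""
    table = dict(e.split("/", 1) for e in p.get("ServerHandshakeSNIList", []))
    for n in client_names:
        if n in table:
            return table[n]
    if p.get("ServerHandshakeSNIMatch") == "Required":
        raise ConnectionError("no ServerHandshakeSNIList match; connection ends")
    return None
```

Calling parse_block(SAMPLE_POLICY) followed by check_block returns an empty findings list for the sample; select_server_label with ["api.example.com"] returns ApiCert, and a name that is not in the list raises because ServerHandshakeSNIMatch is Required. Feeding a block with SSLv3 On and TruncatedHMAC Required produces the finding that corresponds to the Tip above.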