TTLSEnvironmentAdvancedParms statement

Use the TTLSEnvironmentAdvancedParms statement to specify advanced attributes for an AT-TLS environment.

Syntax

>>-TTLSEnvironmentAdvancedParms--+------+--| Put Braces and Parameters on Separate Lines |-><
                                 '-name-'                                                    

Put Braces and Parameters on Separate Lines

|--+-{-------------------------------------------+--------------|
   +-| TTLSEnvironmentAdvancedParms Parameters |-+   
   '-}-------------------------------------------'   

TTLSEnvironmentAdvancedParms Parameters

   .-SSLv2 Off-----.  .-SSLv3 Off-----.  .-TLSv1 On------.   
|--+---------------+--+---------------+--+---------------+------>
   '-SSLv2-+-On--+-'  '-SSLv3-+-On--+-'  '-TLSv1-+-On--+-'   
           '-Off-'            '-Off-'            '-Off-'     

   .-TLSv1.1 On------.  .-TLSv1.2 Off-----.   
>--+-----------------+--+-----------------+--------------------->
   '-TLSv1.1-+-On--+-'  '-TLSv1.2-+-On--+-'   
             '-Off-'              '-Off-'     

   .-ApplicationControlled Off-----.  .-HandshakeTimeout 10-.   
>--+-------------------------------+--+---------------------+--->
   '-ApplicationControlled-+-On--+-'  '-HandshakeTimeout n--'   
                           '-Off-'                              

   .-ResetCipherTimer 0-.  .-Renegotiation--Default--------.   
>--+--------------------+--+-------------------------------+---->
   '-ResetCipherTimer n-'  '-Renegotiation-+-Disabled----+-'   
                                           +-All---------+     
                                           '-Abbreviated-'     

   .-RenegotiationIndicator--Optional--.   
>--+-----------------------------------+------------------------>
   '-RenegotiationIndicator-+-Client-+-'   
                            +-Server-+     
                            '-Both---'     

   .-RenegotiationCertCheck---Off---.   
>--+--------------------------------+--------------------------->
   '-RenegotiationCertCheck---On----'   

>--+------------------------+----------------------------------->
   '-CertificateLabel value-'   

   .-ClientAuthType--Required-----.   
>--+------------------------------+----------------------------->
   '-ClientAuthType--+-PassThru-+-'   
                     +-Full-----+     
                     +-Required-+     
                     '-SAFCheck-'     

                              .-TruncatedHMAC Off-----------.   
>--+-----------------------+--+-----------------------------+--->
   '-SecondaryMap--+-On--+-'  '-TruncatedHMAC--+-Required-+-'   
                   '-Off-'                     +-Optional-+     
                                               '-Off------'     

   .-CertValidationMode Any----------.   
>--+---------------------------------+-------------------------->
   '-CertValidationMode--+-Any-----+-'   
                         +-RFC2459-+     
                         '-RFC3280-'     

   .-ClientMaxSSLFragment Off----------------------------------------------.   
>--+-----------------------------------------------------------------------+-->
   +-ClientMaxSSLFragment-+-Required-+-ClientMaxSSLFragmentLength-+-512--+-+   
   |                      '-Optional-'                            +-1024-+ |   
   |                                                              +-2048-+ |   
   |                                                              '-4096-' |   
   '-ClientMaxSSLFragment Off----------------------------------------------'   

   .-ServerMaxSSLFragment Off-----------.   
>--+------------------------------------+----------------------->
   '-ServerMaxSSLFragment--+-Required-+-'   
                           +-Optional-+     
                           '-Off------'     

   .-ClientHandshakeSNI Off---------------------------------------------------------------------------------.   
>--+--------------------------------------------------------------------------------------------------------+-->
   |                                                                      .-------------------------------. |   
   |                                                                      V                               | |   
   +-ClientHandshakeSNI-+-Required-+-ClientHandshakeSNIMatch-+-Required-+---ClientHandshakeSNIList--value-+-+   
   |                    '-Optional-'                         '-Optional-'                                   |   
   '-ClientHandshakeSNI Off---------------------------------------------------------------------------------'   

   .-ServerHandshakeSNI Off---------------------------------------------------------------------------------.   
>--+--------------------------------------------------------------------------------------------------------+--|
   |                                                                      .-------------------------------. |   
   |                                                                      V                               | |   
   +-ServerHandshakeSNI-+-Required-+-ServerHandshakeSNIMatch-+-Required-+---ServerHandshakeSNIList--value-+-+   
   |                    '-Optional-'                         '-Optional-'                                   |   
   '-ServerHandshakeSNI Off---------------------------------------------------------------------------------'   

Parameters

name
A string 1 - 32 characters in length specifying the name of this TTLSEnvironmentAdvancedParms statement.

Rule: If this TTLSEnvironmentAdvancedParms statement is not specified inline within another statement, a name value must be provided. If a name value is not specified for an inline TTLSEnvironmentAdvancedParms statement, a nonpersistent system name is created.

SSLv2
Specifies the state of the SSL Version 2 protocol. For System SSL, the GSK_PROTOCOL_SSLV2 value is set to this value. Possible values are:
On
Enables the SSL Version 2 protocol.
Off
Disables the SSL Version 2 protocol. This is the default.
SSLv3
Specifies the state of the SSL Version 3 protocol. For System SSL, the GSK_PROTOCOL_SSLV3 value is set to this value. Possible values are:
On
Enable the SSL Version 3 protocol.
Off
Disable the SSL Version 3 protocol. This is the default.
TLSv1
Specifies the state of the TLS Version 1 protocol. For System SSL, the GSK_PROTOCOL_TLSV1 value is set to this value. Possible values are:
On
Enable the TLS Version 1.0 protocol. This is the default.
Off
Disable the TLS Version 1.0 protocol.
TLSv1.1
Specifies the state of the TLS Version 1.1 protocol. For System SSL, the GSK_PROTOCOL_TLSV1_1 value is set to this value. Possible values are:
On
Enable the TLS Version 1.1 protocol. This is the default.
Off
Disable the TLS Version 1.1 protocol.
TLSv1.2
Specifies the state of the TLS Version 1.2 protocol. For System SSL, the GSK_PROTOCOL_TLSV1_2 value is set to this value. Possible values are:
On
Enable the TLS Version 1.2 protocol.
Tip: When you specify TLSv1.2 as On, System SSL will not negotiate SSLv2 sessions even if you specify SSLv2 as On.
Off
Disable the TLS Version 1.2 protocol. This is the default.
CertValidationMode
Specifies the method of certificate validation. For System SSL, the GSK_CERT_VALIDATION_MODE value is set to this value. Possible values are:
Any
Specifies that certificate validation can use any supported X.509 certificate validation method. This is the default.
RFC2459
Specifies that certificates are validated using the method described in RFC 2459.
RFC3280
Specifies that certificates are validated using the method described in RFC 3280.
TruncatedHMAC
For TLSv1.0 protocol and later, this keyword specifies whether clients and servers support the use of 80-bit truncated HMACs. For System SSL, the extension ID is set to GSK_TLS_SET_TRUNCATED_HMAC and a flag is set in the gsk_tls_extension structure, if it is required. Possible values are:
Required
Specifies that 80-bit truncated HMAC support must be accepted by both endpoints. Connections fail if the remote endpoint does not support the 80-bit truncated HMAC.

Tip: When you specify TruncatedHMAC as Required, specify SSLv3 as Off.

Optional
Specifies that support is provided for 80-bit truncated HMAC negotiation, but connections with endpoints that do not support the truncated 80-bit HMAC are allowed.
Off
Specifies that support is not provided for 80-bit truncated HMAC negotiation. The function is not enabled. Connections fail if the remote endpoint requires support for the 80-bit truncated HMAC. This is the default.
ClientMaxSSLFragment
For TLSv1.0 protocol and later, this keyword specifies whether maximum SSL fragment function is supported when AT-TLS is the TLS client on the connection. For System SSL, the extension ID is set to GSK_TLS_SET_CLIENT_MFL and a flag is set in the gsk_tls_extension structure if it is required. Possible values are:
Required
Specifies that maximum SSL fragment function support must be accepted by the server. Connections fail if the server does not support maximum SSL fragment function.

Tip: When you specify ClientMaxSSLFragment as Required, specify SSLv3 as Off.

Optional
Specifies support for maximum SSL fragment function negotiation, but allows connections with servers that do not support maximum SSL fragment function.
Off
Specifies that maximum SSL fragment function negotiation is not supported. The function is not enabled. Connections fail if the server requires support for maximum SSL fragment function. This is the default.
ClientMaxSSLFragmentLength
For the TLSv1.0 protocol and later, this value specifies the maximum SSL fragment length, in bytes, to request on the connection when AT-TLS is the TLS client using the TLSv1.0 or TLSv1.1 protocol. The valid values are 512, 1024, 2048, and 4096. For System SSL, the maximum fragment length is set to GSK_TLS_MFL_512, GSK_TLS_MFL_1024, GSK_TLS_MFL_2048, or GSK_TLS_MFL_4096. This parameter is required when ClientMaxSSLFragment is set to Required or Optional.
ServerMaxSSLFragment
For TLSv1.0 protocol and later, this keyword specifies whether the maximum SSL fragment function is supported when AT-TLS is the TLS server on the connection. For System SSL, the extension ID is set to GSK_TLS_SET_SERVER_MFL and a flag is set in the gsk_tls_extension structure if it is required. Possible values are:
Required
Specifies that maximum SSL fragment function support must be accepted by the client. Connections fail if the client does not support maximum SSL fragment function.

Tip: When you specify ServerMaxSSLFragment as Required, specify SSLv3 as Off.

Optional
Specifies that support is provided for maximum SSL fragment function, but allows connections with clients that do not support maximum SSL fragment function.
Off
Specifies that maximum SSL fragment function is not supported. The function is not enabled. Connections fail if the client requires support for maximum SSL fragment function. This is the default value.
ClientHandshakeSNI
For TLSv1.0 protocol and later, this keyword specifies whether a client can specify a list of server names. The server chooses a certificate based on that server name list for this connection. For System SSL, the extension ID is set to GSK_TLS_SET_SNI_CLIENT_SNAMES and a flag is set in the gsk_tls_extension structure if it is required. Valid values are:
Required
Specifies that server name indication support must be accepted by the server. Connections fail if the server does not support server name indication.

Tip: When you specify ClientHandshakeSNI as Required, specify SSLv3 as Off.

Optional
Specifies that server name indication negotiation is supported, but allows connections with servers that do not support server name indication negotiation.
Off
Specifies that server name indication is not supported. The function is not enabled. Connections fail if the server requires support for server name indication. This is the default.
ClientHandshakeSNIMatch
Code this parameter if ClientHandshakeSNI is set to Required or Optional. For System SSL, a flag is set in the gsk_sni_client_snames structure if a match is required. Possible values are:
Required
Specifies that a server name in the list of server names provided by the TLS client must match a server name in the list of server names and certificate labels on the TLS server. The connection ends if no match was found for the server name at the server.
Optional
Specifies that connections can continue if no match is found for the server name.
ClientHandshakeSNIList
For SSL clients using TLSv1.0 protocol and later, this keyword specifies a server name. You can code multiple ClientHandshakeSNIList statements. The list of server names is passed to the server in the SSL handshake. For System SSL, the server names are anchored in the gsk_sni_client_snames structure. A server name can be 1 - 255 characters in length. This parameter is required when ClientHandshakeSNI is set to Required or Optional.

Restriction: The total length of all the server names specified must be less than 32K.

ServerHandshakeSNI
For TLSv1.0 protocol and later, this keyword specifies whether a certificate is chosen based on the server name list provided by the TLS client. For System SSL, the extension ID is set to GSK_TLS_SET_SNI_SERVER_SNAMES and a flag is set in the gsk_tls_extension structure if it is required. Possible values are:
Required
Specifies that server name indication support must be accepted by the client. Connections fail if the client does not support server name indication.

Tip: When you specify ServerHandshakeSNI as Required, specify SSLv3 as Off.

Optional
Specifies that server name indication negotiation is supported, but allows connections with clients that do not support server name indication.
Off
Specifies that server name indication is not supported. The function is not enabled. Connections fail if the client requires support for server name indication. This is the default value.
ServerHandshakeSNIMatch
You must code this parameter when ServerHandshakeSNI is set to Required or Optional. For System SSL, a flag is set in the gsk_sni_server_labels structure if a match is required. Possible values are:
Required
Specifies that a server name in the list of server names provided by the TLS client must match a server name in the ServerHandshakeSNIList. The connection ends if no match can be found for the server name.
Optional
Specifies that connections continue if no match is found for the server name.
ServerHandshakeSNIList
For SSL servers using TLSv1.0 protocol and later, this keyword specifies a server name and certificate label pair to be used by the server, separated by a slash (/). Multiple ServerHandshakeSNIList statements can be coded. The server matches the server name provided by the client to a certificate label. For System SSL, the server names and labels are anchored in the gsk_sni_server_labels structure. A server name can be 1 - 255 characters in length. A certificate label can be 1 - 127 characters in length. This parameter is required when ServerHandshakeSNI is set to Required or Optional.
Rule: Comment indicators and embedded blanks are treated as part of the certificate label value for this attribute. For example:
ServerHandshakeSNIList myservername/Root#CA Certificate
value used: myservername/Root#CA Certificate
Restrictions:
  • The total length of all the server names and certificate labels specified must be less than 32K.
  • When the certificate label value contains embedded blanks, you must specify the entire parameter value within the first 1536 characters of the configuration file line.
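The following Python program is an added example; it is not part of this documentation and not code from the AT-TLS implementation. It parses ServerHandshakeSNIList entries from a constructed policy fragment, enforces the length rules given above (including the rule that a comment indicator and embedded blanks belong to the certificate label), and shows how ServerHandshakeSNIMatch Required and Optional differ when the server name sent by the client is, or is not, in the list. The exact comparison rule (exact string match), first-match ordering over the client's list, and the fallback to the environment's CertificateLabel when Optional finds no match are assumptions of the example, not behavior stated on this page.

```python
"""Added example, not IBM code: parse ServerHandshakeSNIList entries as the
rules above describe and pick the certificate label for a client's SNI list.
The policy fragment and the client name lists are constructed for the example."""
from __future__ import annotations

# Constructed fragment. The last entry shows the documented rule that '#' and
# embedded blanks are part of the certificate label, not a comment.
POLICY_FRAGMENT = """\
TTLSEnvironmentAdvancedParms sniAdv
{
  ServerHandshakeSNI       Required
  ServerHandshakeSNIMatch  Required
  ServerHandshakeSNIList   www.example.com/WebServerCert
  ServerHandshakeSNIList   api.example.com/APICert
  ServerHandshakeSNIList   legacy.example.com/Root#CA Certificate
}
"""

MAX_NAME = 255          # server name length documented above
MAX_LABEL = 127         # certificate label length documented above
MAX_TOTAL = 32 * 1024   # all names and labels together must be less than 32K


class HandshakeFailure(Exception):
    """Raised where the page says 'the connection ends'."""


def parse_sni_list(fragment: str) -> list[tuple[str, str]]:
    """Return (server name, certificate label) pairs in policy order."""
    pairs: list[tuple[str, str]] = []
    total = 0
    for raw in fragment.splitlines():
        keyword, _, value = raw.strip().partition(" ")
        if keyword != "ServerHandshakeSNIList":
            continue
        # Blanks between keyword and value and trailing blanks are not part of
        # the value; embedded blanks and '#' inside the label are kept.
        value = value.strip()
        name, sep, label = value.partition("/")
        if not sep:
            raise ValueError(f"missing '/' between server name and label: {value!r}")
        if not 1 <= len(name) <= MAX_NAME:
            raise ValueError(f"server name length out of range: {name!r}")
        if not 1 <= len(label) <= MAX_LABEL:
            raise ValueError(f"certificate label length out of range: {label!r}")
        total += len(name) + len(label)
        if total >= MAX_TOTAL:
            raise ValueError("total of all server names and labels must be less than 32K")
        pairs.append((name, label))
    return pairs


def select_label(pairs: list[tuple[str, str]], client_names: list[str],
                 match_required: bool) -> str | None:
    """Pick the label for the first client name that appears in the list.

    Assumptions (not stated on the page): names are compared exactly, in the
    order the client listed them. With ServerHandshakeSNIMatch Required a miss
    ends the connection; with Optional the handshake continues and None is
    returned, meaning the environment's CertificateLabel is used instead.
    """
    for name in client_names:
        for server_name, label in pairs:
            if name == server_name:
                return label
    if match_required:
        raise HandshakeFailure(f"no ServerHandshakeSNIList entry for {client_names}")
    return None


def connection_ends(pairs: list[tuple[str, str]], client_names: list[str],
                    match_required: bool) -> bool:
    """True when the server would end the handshake for this client name list."""
    try:
        select_label(pairs, client_names, match_required)
        return False
    except HandshakeFailure:
        return True


if __name__ == "__main__":
    table = parse_sni_list(POLICY_FRAGMENT)
    for entry in table:
        print(entry)
    print(select_label(table, ["api.example.com"], match_required=True))
    print(connection_ends(table, ["other.example.com"], match_required=True))
```

Running the block prints the three parsed pairs, including the label "Root#CA Certificate" with its embedded blank, then "APICert" for a matching client name and True for a non-matching name under ServerHandshakeSNIMatch Required.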
ApplicationControlled
Specifies whether the application can control AT-TLS security for a connection. Valid values are:
Off
An application cannot control AT-TLS security. The connection automatically negotiates AT-TLS security. This is the default.
On
An application can control AT-TLS security. AT-TLS security is used only when requested by the application, using the SIOCTTLSCTL ioctl.
HandshakeTimeout
Specifies the number of seconds to wait for the initial handshake to complete. Valid values of n are in the range 0 - 600. The default value is 10.

For connections with the HandshakeRole parameter set to Client, the timer is initially set to 5 times the value of n, allowing for network delay and any delay on the server in processing the connection. When the initial response is received from the server, the timer is set again for n seconds, to allow the initial handshake to complete.

For connections with the HandshakeRole parameter set to Server or ServerWithClientAuth, when the server starts to process the new connection the timer is set to n seconds, waiting for the initial request from the client. The timer is reset to n seconds when the server sends the initial response, to allow the initial handshake to complete.

If the timer expires, the TCP connection is reset. A value of 0 indicates that the connection does not time out waiting for the initial handshake to complete.

ResetCipherTimer
Specifies the number of minutes a secure connection can be active before a new session key is generated for the connection. AT-TLS initiates a handshake on the next read or write after the timer expires. For System SSL, the GSK_RESET_CIPHER function is used to initiate this. If the session ID has expired, controlled by the GSK_V3_SESSION_TIMEOUT statement, a full handshake is performed. Otherwise, a short handshake is performed. This timer applies only to connections using SSLv3 or TLSv1 protocol. Valid values of n are in the range 0 - 1440. Specifying 0 means that session key refresh is not initiated by AT-TLS for the life of the connection. The default value is 0.
Renegotiation
Specifies the type of session key renegotiation that is allowed. For System SSL, the GSK_RENEGOTIATION value is set. The following values are valid:
Default
GSK_RENEGOTIATION set to NONE. Disables SSL V3 and TLS handshake renegotiation as a server and allows RFC 5746 renegotiation. This is the default.
Disabled
Disables SSL V3 and TLS handshake renegotiation as a server and disables RFC 5746 renegotiation.
All
Allows SSL V3 and TLS handshake renegotiation as a server and allows RFC 5746 renegotiation.
Abbreviated
Allows SSL V3 and TLS abbreviated handshake renegotiation as a server for resuming the current session only, while disabling SSL V3 and TLS full handshake renegotiation as a server. The System SSL session ID cache is not checked when resuming the current session. Allows RFC 5746 renegotiation.
RenegotiationIndicator
Sets the enforcement level of the initial handshake renegotiation indication as RFC 5746 specifies. For System SSL, the GSK_EXTENDED_RENEGOTIATION_INDICATOR value is set to this value. The following values are valid:
Optional
The renegotiation indicator is not required during initial handshake.
Client
Allow the client initial handshake to proceed only when the server indicates support for RFC 5746 renegotiation.
Server
Allow the server initial handshake to proceed only when the client indicates support for RFC 5746 renegotiation.
Both
Allow the client and server initial handshakes to proceed only when the partner indicates support for RFC 5746 renegotiation.
RenegotiationCertCheck
Specifies whether to perform an identity check against the peer's certificate during renegotiation. For System SSL, the GSK_RENEGOTIATION_PEER_CERT_CHECK value is set to this value. Valid values are:
Off
An identity check is not performed. This allows the peer certificate to change during renegotiation.
On
An identity check is performed. This ensures that the peer certificate does not change during renegotiation.
CertificateLabel
Specifies the label of the certificate to be used for authentication. Valid values are in the range 1 - 127 characters in length. For System SSL, the GSK_KEYRING_LABEL value is set to this value.
Rule: Comment indicators and embedded blanks are treated as part of the value for this attribute. For example:
CertificateLabel  Root#CA  Certificate
value used:   Root#CA  Certificate

Restriction: When the value contains embedded blanks, you must specify the entire value within the first 1536 characters of the configuration file line.

ClientAuthType
Specifies the type of client certificate validation to be performed for connections in this AT-TLS environment. Client certificates are requested only if HandshakeRole is set to ServerWithClientAuth. Valid values are:
PassThru
Bypasses client certificate validation.
Full
Performs client certificate validation if the client presents a certificate.
Required
Requires the client to present a certificate and performs client certificate validation. This is the default.
SAFCheck
Requires the client to present a certificate, performs client certificate validation and requires the client certificate to have an associated user ID defined to the security product.
SecondaryMap
Specifies whether the application establishes secondary connections that should use the secondary policy mapping method. When specified in TTLSEnvironmentAdvancedParms, this parameter overrides the value specified in TTLSGroupAdvancedParms. Valid values are:
Off
A connection that maps to this policy should not be used as a primary connection in the secondary policy mapping method.
On
A connection that maps to this policy should be used as a primary connection in the secondary policy mapping method. Future connections established between the same two IP addresses by the same process that do not map to any policy or map to a policy with a lower priority are considered secondary connections. These secondary connections use the same policy mapped by the associated primary connection.
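The following Python program is an added example; it is not part of this documentation and not code from the Policy Agent or System SSL. It applies the defaults listed in the Parameters section to a constructed TTLSEnvironmentAdvancedParms statement and reports what a security review of the policy would flag: protocol versions whose state comes only from a default (TLSv1 and TLSv1.1 On, TLSv1.2 Off), the Required-extension-with-SSLv3-On combinations named in the tips, Renegotiation All, a missing RenegotiationCertCheck, an Optional RenegotiationIndicator, a ClientAuthType that does not require a validated client certificate, and a HandshakeTimeout of 0. The two policy fragments and the choice of what counts as a finding are the example's own; the parser handles one keyword and value per line and ignores parameters it does not audit.

```python
"""Added example, not IBM code: apply the documented defaults to a
TTLSEnvironmentAdvancedParms statement and flag settings a security review
of an AT-TLS policy would reject. Both policy fragments are constructed."""
from __future__ import annotations

# Defaults exactly as documented in the Parameters section above.
DEFAULTS = {
    "SSLv2": "Off", "SSLv3": "Off", "TLSv1": "On", "TLSv1.1": "On", "TLSv1.2": "Off",
    "ApplicationControlled": "Off", "HandshakeTimeout": "10", "ResetCipherTimer": "0",
    "Renegotiation": "Default", "RenegotiationIndicator": "Optional",
    "RenegotiationCertCheck": "Off", "ClientAuthType": "Required",
    "TruncatedHMAC": "Off", "CertValidationMode": "Any",
    "ClientMaxSSLFragment": "Off", "ServerMaxSSLFragment": "Off",
    "ClientHandshakeSNI": "Off", "ServerHandshakeSNI": "Off",
}

# Constructed: a statement that looks short because it leans on defaults.
WEAK = """\
TTLSEnvironmentAdvancedParms legacyAdv
{
  SSLv3                  On
  TruncatedHMAC          Required
  Renegotiation          All
  ClientAuthType         PassThru
  HandshakeTimeout       0
}
"""

# Constructed: the same statement with every protocol decision made explicit.
HARDENED = """\
TTLSEnvironmentAdvancedParms hardenedAdv
{
  SSLv2                  Off
  SSLv3                  Off
  TLSv1                  Off
  TLSv1.1                Off
  TLSv1.2                On
  HandshakeTimeout       10
  Renegotiation          Disabled
  RenegotiationIndicator Both
  RenegotiationCertCheck On
  ClientAuthType         SAFCheck
  CertValidationMode     RFC3280
}
"""

PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
# Extensions whose tips above say: when Required, code SSLv3 Off.
TLS_ONLY_EXTENSIONS = ("TruncatedHMAC", "ClientMaxSSLFragment", "ServerMaxSSLFragment",
                       "ClientHandshakeSNI", "ServerHandshakeSNI")


def effective_settings(fragment: str) -> dict[str, str]:
    """Read 'keyword value' lines between the braces and fill in defaults."""
    settings = dict(DEFAULTS)
    inside = False
    for raw in fragment.splitlines():
        line = raw.strip()
        if line == "{":
            inside = True
        elif line == "}":
            inside = False
        elif inside and line and not line.startswith("#"):
            keyword, _, value = line.partition(" ")
            settings[keyword] = value.strip()
    return settings


def audit(s: dict[str, str]) -> list[tuple[str, str]]:
    """Return (keyword, finding) pairs; an empty list means nothing to fix."""
    findings: list[tuple[str, str]] = []
    for old in ("SSLv2", "SSLv3"):
        if s[old] == "On":
            findings.append((old, f"{old} is enabled"))
    if s["TLSv1.2"] != "On":
        findings.append(("TLSv1.2", "TLSv1.2 is Off unless coded explicitly"))
    for legacy in ("TLSv1", "TLSv1.1"):
        if s[legacy] == "On":
            findings.append((legacy, f"{legacy} is On (the default); turn it off once peers support TLSv1.2"))
    if not any(s[p] == "On" for p in PROTOCOLS):
        findings.append(("protocol", "no protocol version is enabled, so every handshake fails"))
    for ext in TLS_ONLY_EXTENSIONS:
        if s[ext] == "Required" and s["SSLv3"] == "On":
            findings.append((ext, f"{ext} Required needs SSLv3 Off (documented tip)"))
    if s["Renegotiation"] == "All":
        findings.append(("Renegotiation", "full handshake renegotiation is allowed as a server"))
    if s["Renegotiation"] != "Disabled" and s["RenegotiationCertCheck"] != "On":
        findings.append(("RenegotiationCertCheck", "peer certificate may change during renegotiation"))
    if s["RenegotiationIndicator"] == "Optional":
        findings.append(("RenegotiationIndicator", "peer is not required to signal RFC 5746 support"))
    if s["ClientAuthType"] in ("PassThru", "Full"):
        findings.append(("ClientAuthType", f"{s['ClientAuthType']} does not require a validated client certificate"))
    if s["HandshakeTimeout"] == "0":
        findings.append(("HandshakeTimeout", "no handshake timeout; incomplete handshakes hold the connection open"))
    return findings


if __name__ == "__main__":
    for label, fragment in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label)
        for keyword, finding in audit(effective_settings(fragment)):
            print(f"  {keyword}: {finding}")
```

Running the block lists ten findings for the WEAK fragment (four of them caused purely by defaults the statement never mentions) and none for the HARDENED fragment. The HandshakeTimeout and ClientAuthType findings are the example's review opinion; the page states only what those values do.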