gsk_attribute_set_enum()--Set enumerated information for a secure session
or an SSL environment
Syntax
#include <gskssl.h>
int gsk_attribute_set_enum(gsk_handle my_gsk_handle,
GSK_ENUM_ID enumID,
GSK_ENUM_VALUE enumValue);
Service Program Name: QSYS/QSOSSLSR
Default Public Authority: *USE
Threadsafe: Yes
The gsk_attribute_set_enum() function is used to set a
specified enumerated type attribute to an enumerated value in the secure
session or SSL environment.
Parameters
my_gsk_handle (Input)
Indicates one of the following handles:
The handle for the secure session. (my_session_handle)
The handle for the SSL environment. (my_env_handle)
enumID (Input)
Indicates one of the following operations:
GSK_PROTOCOL_TLSV12 (438) - Enables or disables the TLS
Version 1.2 protocol. enumValue must specify one of the following:
GSK_TRUE (1) - Enable TLS Version 1.2.
GSK_FALSE (0) - Disable TLS Version 1.2.
GSK_PROTOCOL_TLSV11 (437) - Enables or disables the TLS
Version 1.1 protocol. enumValue must specify one of the following:
GSK_TRUE (1) - Enable TLS Version 1.1.
GSK_FALSE (0) - Disable TLS Version 1.1.
GSK_PROTOCOL_TLSV10 (436) - Enables or disables the TLS
Version 1.0 protocol. enumValue must specify one of the following:
GSK_TRUE (1) - Enable TLS Version 1.0.
GSK_FALSE (0) - Disable TLS Version 1.0.
GSK_PROTOCOL_TLSV1 (407) - Enables or disables the
TLS Version 1.0 protocol. enumValue must specify one of the following:
GSK_PROTOCOL_TLSV1_ON (518) - Enable TLS Version 1.0.
GSK_PROTOCOL_TLSV1_OFF (519) - Disable TLS Version 1.0.
GSK_PROTOCOL_SSLV3 (404) - Enables or disables the SSL
Version 3 protocol. enumValue must specify one of the following:
GSK_PROTOCOL_SSLV3_ON (512) - Enable SSL Version 3.
GSK_PROTOCOL_SSLV3_OFF (513) - Disable SSL Version 3.
GSK_PROTOCOL_SSLV2 (403) - Enables or disables the SSL
Version 2 protocol. enumValue must specify one of the following:
GSK_PROTOCOL_SSLV2_ON (510) - Enable SSL Version 2.
GSK_PROTOCOL_SSLV2_OFF (511) - Disable SSL Version 2.
GSK_SESSION_TYPE (402) - Type of handshake to be used for
this secure session or SSL environment. enumValue must specify one of
the following operations:
GSK_CLIENT_SESSION (507) - Secure sessions act as
clients.
GSK_SERVER_SESSION (508) - Secure sessions act as a server
with no client authentication. The client is not asked for a certificate.
GSK_SERVER_SESSION_WITH_CL_AUTH (509) - Secure sessions
act as a server that requests the client to send a certificate. The value for
GSK_CLIENT_AUTH_TYPE will determine what happens if the client
certificate is not valid or not provided.
GSK_SERVER_SESSION_WITH_CL_AUTH_CRITICAL (594) - Secure
sessions act as a server that requires the client to send a certificate. If the
client does not send a certificate, the secure session will not start, and
gsk_secure_soc_init() will return
GSK_ERROR_NO_CERTIFICATE. This provides the same functionality as setting
GSK_SERVER_SESSION_WITH_CL_AUTH and GSK_OS400_CLIENT_AUTH_REQUIRED.
GSK_CLIENT_AUTH_TYPE (401) - Type of client authentication
to use for this session. enumValue must specify one of the following:
GSK_CLIENT_AUTH_FULL (503) - All received certificates are
validated. If an invalid certificate is received, the secure session does not
start, and an error code is returned from
gsk_secure_soc_init().
If no certificate is sent by the client, the start of the secure session is
successful. Applications can detect this situation by checking the
GSK_CERTIFICATE_VALIDATION_CODE enumId through
gsk_attribute_get_numeric_value().
A numValue of GSK_ERROR_NO_CERTIFICATE will indicate no certificate was
sent by client. In this case, the application is responsible for the
authentication of the client.
GSK_CLIENT_AUTH_PASSTHRU (505) - All received certificates
are validated. If validation is successful or validation fails because the
certificate is expired or does not have a trusted root, the
secure session will start. For the other validation failure cases the secure
session does not start, and an error code is returned from
gsk_secure_soc_init(). Applications can
detect the situation where the secure session started but validation failed by
checking the
GSK_CERTIFICATE_VALIDATION_CODE enumId via
gsk_attribute_get_numeric_value(). The numValue will
indicate the certificate validation return code for client's certificate. In
this situation, the application is responsible for the authentication of the
client.
If no certificate is sent by the client, the start of the secure session is
successful. Applications can detect this situation by checking the
GSK_CERTIFICATE_VALIDATION_CODE enumId as well. A numValue of
GSK_ERROR_NO_CERTIFICATE will indicate no certificate was sent by client. In
this case, the application is also responsible for the authentication of the
client.
NOTE: If Authentication PassThru is set, and the application set the
certificate callback to GSK_VALIDATION_REQUIRED, SSL will reject the call with
an error code GSK_CONFLICTING_VALIDATION_SETTING. If a certificate validation
callback has been set to GSK_VALIDATION_REQUIRED, and application set
authentication to PassThru, SSL will also reject the call with an error code
GSK_CONFLICTING_VALIDATION_SETTING.
GSK_OS400_CLIENT_AUTH_REQUIRED (6995) - All received
certificates are validated. If a certificate that is not valid is received, the
secure session does not start, and an error code is returned from
gsk_secure_soc_init(). If no certificate
is sent by the client, the secure session does not start, and an error code of
GSK_ERROR_NO_CERTIFICATE is returned from
gsk_secure_soc_init().
GSK_ALLOW_UNAUTHENTICATED_RESUME (423) - Indicate if a
cached handshake can be used if the client did not provide a certificate
during the initial handshake. This attribute is only relevant when the
server is configured for optional (GSK_CLIENT_AUTH_PASSTHRU or
GSK_CLIENT_AUTH_FULL) client authentication. enumValue must
specify one of the following:
GSK_ALLOW_UNAUTHENTICATED_RESUME_ON (588) - A session
resume can use a session ID without an associated client certificate for the
cached handshake.
GSK_ALLOW_UNAUTHENTICATED_RESUME_OFF (589) -
A session resume attempt will force a full SSL handshake if the proposed
session ID to resume does not have an associated client certificate. The
server will have the opportunity to ask the client for a certificate again.
GSK_SERVER_AUTH_TYPE (410) - Type of server authentication
to use for this session. enumValue must specify one of the following:
GSK_SERVER_AUTH_FULL (534) - All received
certificates are validated. If a certificate that is not valid is received, the
secure session does not start, and an error code is returned from
gsk_secure_soc_init(). If no certificate is sent by the
server, the secure session does not start, and an error code of
GSK_ERROR_NO_CERTIFICATE is returned from
gsk_secure_soc_init().
GSK_SERVER_AUTH_PASSTHRU (535) - All received certificates
are validated. If validation is successful or validation fails because the
certificate has expired or does not have a trusted root, the
secure session will start. For the other validation failure cases the secure
session does not start, and an error code is returned from
gsk_secure_soc_init(). Applications can detect the situation
where the secure session started but validation failed by checking the
GSK_CERTIFICATE_VALIDATION_CODE enumId via
gsk_attribute_get_numeric_value(). The
numValue will indicate the certificate validation return code for
server's certificate. In this situation, the application is responsible for the
authentication of the server.
It is highly recommended that this option only be used if an alternate authentication
method is used.
NOTE: If Authentication PassThru is set, and the application set the
certificate callback to GSK_VALIDATION_REQUIRED, SSL will reject the call with
an error code GSK_CONFLICTING_VALIDATION_SETTING. If a certificate validation
callback has been set to GSK_VALIDATION_REQUIRED, and application set
authentication to PassThru, SSL will also reject the call with an error code
GSK_CONFLICTING_VALIDATION_SETTING.
GSK_ENVIRONMENT_CLOSE_OPTIONS (411) -
Type of special close options to use for this environment. If
gsk_environment_close() is issued prior
to all secure sessions being closed, the active secure sessions will continue to
work and the environment close will effectively be delayed. The resources for
the SSL environment will not be freed up until after the last secure session
closes. No new secure sessions will be allowed to start using the closed SSL
environment. enumValue must specify one of the following:
GSK_DELAYED_ENVIRONMENT_CLOSE (536) - Enable the environment close
callback routine support.
GSK_NORMAL_ENVIRONMENT_CLOSE (537) - Field is ignored.
GSK_OCSP_ENABLE (426) - Enable Online Certificate Status
Protocol (OCSP) certificate revocation checking using Authority Information Access
(AIA) certificate extension information. If the certificate being validated
has an AIA extension, the first OCSP responder identified in the AIA
extension will be queried for revocation status. See the usage notes for
further use of this attribute in conjunction with GSK_OCSP_URL.
enumValue must specify one of the following:
GSK_OCSP_NONCE_GENERATION_ENABLE (428) - Enable OCSP nonce
extension generation as part of the OCSP request.
enumValue must specify one of the following:
GSK_TRUE (1) - Enable OCSP nonce extension generation and
send nonce in OCSP requests.
GSK_OCSP_NONCE_CHECK_ENABLE (427) - Determine if OCSP
nonce extension checking is required. The nonce extension improves security
to prevent replay attacks by validating that the request matches the
response. enumValue must specify one of the
following:
GSK_TRUE (1) - Enable OCSP nonce extension validation. If
the OCSP response nonce does not match the nonce sent in the OCSP request,
the response is rejected.
Setting GSK_OCSP_NONCE_CHECK_ENABLE to
GSK_TRUE will automatically set GSK_OCSP_NONCE_GENERATION_ENABLE to
GSK_TRUE.
GSK_OCSP_RETRIEVE_VIA_GET (435) - The method with
which the OCSP request will be sent. If enumValue is set to GSK_TRUE, the
OCSP request will be sent via HTTP GET if the total request size after
BASE64 encoding is less than or equal to 255 bytes. If enumValue is
GSK_FALSE or the total request size after encoding is greater than 255 bytes
the request will be sent via HTTP POST. enumValue must
specify one of the following:
GSK_TRUE (1) - Send OCSP request via HTTP GET when
possible.
GSK_FALSE (0) - Always send OCSP request via HTTP
POST.
GSK_EXTENDED_RENEGOTIATION_CRITICAL_CLIENT (451) -
Client session RFC 5746 renegotiation indication requirement level. The
initial system SSL default is GSK_FALSE however that default can be changed
using System Service Tools (SST) Advanced Analysis Command SSLCONFIG.
enumValue must specify one of the following:
GSK_TRUE (1) - The server must provide RFC 5746
renegotiation indication during the initial handshake in order for the
handshake to be successful. Warning - The client will no longer be able to
handshake with servers that have not or can not be updated to support RFC
5746.
GSK_FALSE (0) - RFC 5746 renegotiation indication from
the server is not required on initial handshake. RFC 5746 renegotiation
indication will still be required for all renegotiated handshakes.
GSK_EXTENDED_RENEGOTIATION_CRITICAL_SERVER (452) -
Server session RFC 5746 renegotiation indication requirement level. The
initial system SSL default is GSK_FALSE however that default can be changed
using System Service Tools (SST) Advanced Analysis Command SSLCONFIG.
enumValue must specify one of the following:
GSK_TRUE (1) - The client must provide RFC 5746
renegotiation indication during the initial handshake in order for the
handshake to be successful. Warning - The server will no longer be able to
handshake with clients that have not or can not be updated to support RFC
5746.
GSK_FALSE (0) - RFC 5746 renegotiation indication from
the client is not required on initial handshake. RFC 5746 renegotiation
indication will still be required for all renegotiated handshakes.
GSK_CERTREQ_DNLIST_ENABLE (457) - Enables the sending of
the distinguished name (DN) list in the CertificateRequest message. This
attribute only applies to a server.
enumValue must specify one of the following:
GSK_TRUE (1) - The DN list is sent.
GSK_FALSE (0) - The DN list is not sent.
enumValue (Input)
An enumerated type appropiate to the enumID.
Authorities
No authorization is required.
Return Value
gsk_attribute_set_enum() returns an integer. Possible
values are:
[GSK_OK]
gsk_attribute_set_enum() was successful.
[GSK_ATTRIBUTE_INVALID_ENUMERATION]
The enumeration specified for the enumValue was not valid.
[GSK_ATTRIBUTE_INVALID_ID]
The enumID specified was not valid.
[GSK_CONFLICTING_VALIDATION_SETTING]
The value for GSK_SERVER_AUTH_TYPE or GSK_CLIENT_AUTH_TYPE conflicts
with the setting for the validationCallBack.validateRequired
field for GSK_CERT_VALIDATION_CALLBACK set by
gsk_attribute_set_callback().
The following GSK_ENUM_ID values may be set in the SSL environment after
gsk_environment_open() and before
gsk_environment_init(). They are used as
defaults for subsequent secure sessions:
GSK_PROTOCOL_TLSV12
GSK_PROTOCOL_TLSV11
GSK_PROTOCOL_TLSV10
GSK_PROTOCOL_TLSV1
GSK_PROTOCOL_SSLV3
GSK_PROTOCOL_SSLV2
GSK_SESSION_TYPE
GSK_CLIENT_AUTH_TYPE
GSK_SERVER_AUTH_TYPE
GSK_ENVIRONMENT_CLOSE_OPTIONS
GSK_OCSP_ENABLE
GSK_OCSP_NONCE_CHECK_ENABLE
GSK_OCSP_NONCE_GENERATION_ENABLE
GSK_OCSP_RETRIEVE_VIA_GET
GSK_EXTENDED_RENEGOTIATION_CRITICAL_CLIENT
GSK_EXTENDED_RENEGOTIATION_CRITICAL_SERVER
GSK_ALLOW_UNAUTHENTICATED_RESUME
GSK_CERTREQ_DNLIST_ENABLE
The following GSK_ENUM_ID values may be set for each individual secure
session after gsk_secure_soc_open() and
before gsk_secure_soc_init(). These
values will override values set in the SSL environment:
GSK_PROTOCOL_TLSV12
GSK_PROTOCOL_TLSV11
GSK_PROTOCOL_TLSV10
GSK_PROTOCOL_TLSV1
GSK_PROTOCOL_SSLV3
GSK_PROTOCOL_SSLV2
GSK_SESSION_TYPE
GSK_CLIENT_AUTH_TYPE
GSK_SERVER_AUTH_TYPE
When
GSK_OS400_APPLICATION_ID is set, the settings of some of the SSL environment
attributes will be determined by the corresponding value in the Application ID
definition in Digital Certificate Manager (DCM). These are the enum
attributes that can be overwritten by DCM during the call to gsk_environment_init():
GSK_PROTOCOL_TLSV12
GSK_PROTOCOL_TLSV11
GSK_PROTOCOL_TLSV10
GSK_PROTOCOL_TLSV1
GSK_PROTOCOL_SSLV3
GSK_PROTOCOL_SSLV2
GSK_OCSP_ENABLE
GSK_EXTENDED_RENEGOTIATION_CRITICAL_CLIENT
GSK_EXTENDED_RENEGOTIATION_CRITICAL_SERVER
There are two ways to enable OCSP that can be used either separately or
together:
GSK_OCSP_URL is set with
gsk_attribute_set_buffer()
to the URL of the OCSP
responder. OCSP will be used for revocation status checking
regardless of whether the certificate has an AIA extension or not,
so it will work with existing certificates.
GSK_OCSP_ENABLE is set with
gsk_attribute_set_enum() to GSK_TRUE. OCSP will be
used if the certificate being validated has an AIA extension with a
PKIK_AD_OCSP access method containing a URI of the HTTP location of the
OCSP responder.
When both attributes are set the GSK_OCSP_ENABLE functionality will
only be used if GSK_OCSP_URL functionality results in an undetermined
revocation status. The definition of undetermined revocation status is
located in the Secure Sockets Layer
topic.
Note: Using OCSP results in a performance impact to System SSL.
Related Information
gsk_attribute_get_enum()--Get
enumerated information about a secure session or an SSL environment.
gsk_attribute_set_buffer()--Set
character string information for a secure session or an SSL
environment.