z/OS Cryptographic Services System SSL Programming


Setting client side extensions

z/OS Cryptographic Services System SSL Programming
SC14-7495-00

The following example illustrates how to define each of the supported System SSL TLS extensions for a TLS client. The HMAC and maximum fragment length extensions are defined at the environment level. The server name indication extension is defined, and the HMAC extension is modified, for a particular connection. The environment-level extensions are defined as required and the connection-level extensions as optional. A required extension requires that the partner TLS server support the specified TLS extension; if the server does not support it, the TLS handshake fails.

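int                                             rc;
gsk_handle                                      envHandle = NULL;   /* NULL until opened, so cleanup can tell */
gsk_handle                                      conHandle = NULL;

gsk_tls_extension                               tls_extn_env[2];
gsk_tls_extension                               tls_extn_con[2];
char                                            server1[] = "server1.ibm.com";
char                                            server2[] = "server2.ibm.com";
char *                                          serverNames[] = {server1, server2};

/*
 * Open the SSL environment.
 *
 * Every gsk_* call returns 0 on success and a nonzero GSK_* error code on
 * failure.  Each return code is checked: an unchecked failure would let the
 * handshake proceed without the extension (or handle) that was just
 * requested, which is exactly what a "required" extension is meant to prevent.
 */
rc = gsk_environment_open(&envHandle);
if (rc != 0) { goto cleanup; }

/*
 * Set truncated HMAC extension (environment level, required)
 */
memset(&tls_extn_env[0], 0, sizeof(tls_extn_env[0]));
tls_extn_env[0].extId = GSK_TLS_EXTID_TRUNCATED_HMAC;
tls_extn_env[0].required = TRUE;          /* handshake fails if the server lacks it */
tls_extn_env[0].u.truncateHmac = TRUE;    /* enable extension */
rc = gsk_attribute_set_tls_extension(envHandle, &tls_extn_env[0]);
if (rc != 0) { goto cleanup; }

/*
 * Set maximum fragment length extension (environment level, required)
 */
memset(&tls_extn_env[1], 0, sizeof(tls_extn_env[1]));
tls_extn_env[1].extId = GSK_TLS_EXTID_CLIENT_MFL;
tls_extn_env[1].required = TRUE;          /* handshake fails if the server lacks it */
tls_extn_env[1].u.maxFragmentLength = GSK_TLS_MFL_4096;
                                          /* 4096-byte maximum fragment length */
rc = gsk_attribute_set_tls_extension(envHandle, &tls_extn_env[1]);
if (rc != 0) { goto cleanup; }

/*
 * Initialize the SSL environment
 */
rc = gsk_environment_init(envHandle);
if (rc != 0) { goto cleanup; }

/*
 * Open the SSL connection
 */
rc = gsk_secure_socket_open(envHandle, &conHandle);
if (rc != 0) { goto cleanup; }

/*
 * Set server name indication extension (connection level, optional).
 * Connection-level extensions are set on conHandle, not on envHandle.
 */
memset(&tls_extn_con[0], 0, sizeof(tls_extn_con[0]));
tls_extn_con[0].extId = GSK_TLS_EXTID_SNI_CLIENT_SNAMES;
tls_extn_con[0].required = FALSE;                            /* optional extension */
tls_extn_con[0].u.clientSnameList.setSni = TRUE;             /* enable extension */
tls_extn_con[0].u.clientSnameList.unrecognized_name_fatal = TRUE;
                     /* treat a server "unrecognized name" alert as fatal */
tls_extn_con[0].u.clientSnameList.count = sizeof(serverNames) / sizeof(serverNames[0]);
tls_extn_con[0].u.clientSnameList.serverNames = serverNames;
rc = gsk_attribute_set_tls_extension(conHandle, &tls_extn_con[0]);
if (rc != 0) { goto cleanup; }

/*
 * Modify truncated HMAC extension for this connection (optional).
 * Uses its own slot, tls_extn_con[1], so the SNI entry above stays intact.
 */
memset(&tls_extn_con[1], 0, sizeof(tls_extn_con[1]));
tls_extn_con[1].extId = GSK_TLS_EXTID_TRUNCATED_HMAC;
tls_extn_con[1].required = FALSE;         /* optional extension */
tls_extn_con[1].u.truncateHmac = TRUE;    /* enable extension */
rc = gsk_attribute_set_tls_extension(conHandle, &tls_extn_con[1]);
if (rc != 0) { goto cleanup; }

/*
 * Initialize the SSL connection (performs the TLS handshake)
 */
rc = gsk_secure_socket_init(conHandle);

cleanup:
if (rc != 0) {
    /*
     * Release whatever was opened.  A connection whose extension setup or
     * handshake failed must not be used for application data.
     */
    if (conHandle != NULL) {
        gsk_secure_socket_close(&conHandle);
    }
    if (envHandle != NULL) {
        gsk_environment_close(&envHandle);
    }
}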





Copyright IBM Corporation 1990, 2014