The following example illustrates how to define each of the supported
System SSL TLS extensions for a TLS server. The extensions are defined
at the environment level and are optional. Defining them as optional allows the
TLS server to communicate both with TLS clients that support the extensions
and with TLS clients that do not.
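int rc;
gsk_handle envHandle;
gsk_tls_extension tls_extn[3];
char server1[] = "server1.ibm.com";
char server2[] = "server2.ibm.com";
char server3[] = "server3.ibm.com";
char label1[] = "Server1 Certificate";
char label2[] = "Server2 Certificate";
char label3[] = "Server3 Certificate";
/* One (host name, key-ring label) pair per virtual host the server answers for. */
gsk_server_key_label serverLabelPairs[] = {{server1, label1},
                                           {server2, label2},
                                           {server3, label3}};
/*
 * Open the SSL environment.
 *
 * Every System SSL call in this sequence returns 0 (GSK_OK) on success;
 * any nonzero code means that step failed and the remaining steps must be
 * skipped. In particular envHandle is not usable when the open fails, so
 * the earlier pattern of assigning rc and carrying on was a real defect.
 */
rc = gsk_environment_open(&envHandle);
if (rc != 0) {
    goto tls_extn_done;
}
/*
 * Set truncated HMAC extension. required = FALSE makes the extension
 * optional: it is used with clients that offer it, and clients that do not
 * can still connect.
 */
memset(&tls_extn[0], 0, sizeof tls_extn[0]);
tls_extn[0].extId = GSK_TLS_EXTID_TRUNCATED_HMAC;
tls_extn[0].required = FALSE;      /* optional extension */
tls_extn[0].u.truncateHmac = TRUE; /* enable extension */
rc = gsk_attribute_set_tls_extension(envHandle, &tls_extn[0]);
if (rc != 0) {
    goto tls_extn_done;
}
/*
 * Set maximum fragment length extension (optional, as above).
 */
memset(&tls_extn[1], 0, sizeof tls_extn[1]);
tls_extn[1].extId = GSK_TLS_EXTID_SERVER_MFL;
tls_extn[1].required = FALSE;                    /* optional extension */
tls_extn[1].u.maxFragmentLength = GSK_TLS_MFL_ON; /* enable extension */
rc = gsk_attribute_set_tls_extension(envHandle, &tls_extn[1]);
if (rc != 0) {
    goto tls_extn_done;
}
/*
 * Set server name indication extension (optional, as above).
 *
 * unrecognized_name_fatal = TRUE: a client SNI host name that matches none
 * of the configured labels is treated as a fatal error for that handshake
 * rather than being ignored. Review this choice against the deployment's
 * expectations for clients that send an unexpected name.
 */
memset(&tls_extn[2], 0, sizeof tls_extn[2]);
tls_extn[2].extId = GSK_TLS_EXTID_SNI_SERVER_LABELS;
tls_extn[2].required = FALSE;                           /* optional extension */
tls_extn[2].u.serverLabels.setSni = TRUE;               /* enable extension */
tls_extn[2].u.serverLabels.unrecognized_name_fatal = TRUE; /* unrecognized name is fatal */
/* Derive the count from the table itself so the two cannot drift apart. */
tls_extn[2].u.serverLabels.count =
    sizeof serverLabelPairs / sizeof serverLabelPairs[0];
tls_extn[2].u.serverLabels.serverKeyLabel = serverLabelPairs;
rc = gsk_attribute_set_tls_extension(envHandle, &tls_extn[2]);
if (rc != 0) {
    goto tls_extn_done;
}
/*
 * Initialize the SSL environment
 */
rc = gsk_environment_init(envHandle);
tls_extn_done:
/*
 * On a nonzero rc the environment is not ready for use. The enclosing
 * program should report rc and, if the open succeeded, release envHandle
 * (gsk_environment_close) rather than continue with a partially
 * configured environment.
 */
;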