z/OS Cryptographic Services System SSL Programming


Setting server side extensions

SC14-7495-00

The following example illustrates how to define each of the supported System SSL TLS extensions for a TLS server. The extensions are defined at the environment level and are marked optional (required = FALSE). Defining them as optional lets the TLS server communicate with TLS clients whether or not those clients support the extensions.

#include <string.h>                 /* memset                          */
#include <gskssl.h>                 /* System SSL API, types, GSK_*     */

/*
 * Name/label table for the server name indication extension. Kept at file
 * scope so the strings outlive the function that passes them to System SSL.
 */
static char server1[] = "server1.ibm.com";
static char server2[] = "server2.ibm.com";
static char server3[] = "server3.ibm.com";
static char label1[]  = "Server1 Certificate";
static char label2[]  = "Server2 Certificate";
static char label3[]  = "Server3 Certificate";
static gsk_server_key_label serverLabelPairs[] = {{server1, label1},
                                                  {server2, label2},
                                                  {server3, label3}};

/*
 * Open an SSL environment, define the three server side extensions and
 * initialize the environment. On success the handle is returned through
 * pEnvHandle and GSK_OK is returned; on failure the environment is closed
 * and the System SSL return code is returned.
 */
int setServerExtensions(gsk_handle *pEnvHandle)
{
    int                rc;
    gsk_handle         envHandle;
    gsk_tls_extension  tls_extn[3];

    /*
     * Open the SSL environment
     */
    rc = gsk_environment_open(&envHandle);
    if (rc != GSK_OK)
        return rc;

    /*
     * Set truncated HMAC extension
     */
    memset(&tls_extn[0], 0, sizeof(gsk_tls_extension));
    tls_extn[0].extId = GSK_TLS_EXTID_TRUNCATED_HMAC;
    tls_extn[0].required = FALSE;             /* optional extension */
    tls_extn[0].u.truncateHmac = TRUE;        /* enable extension   */
    rc = gsk_attribute_set_tls_extension(envHandle, &tls_extn[0]);
    if (rc != GSK_OK)
        goto fail;

    /*
     * Set maximum fragment length extension
     */
    memset(&tls_extn[1], 0, sizeof(gsk_tls_extension));
    tls_extn[1].extId = GSK_TLS_EXTID_SERVER_MFL;
    tls_extn[1].required = FALSE;             /* optional extension */
    tls_extn[1].u.maxFragmentLength = GSK_TLS_MFL_ON;
                                              /* enable extension   */
    rc = gsk_attribute_set_tls_extension(envHandle, &tls_extn[1]);
    if (rc != GSK_OK)
        goto fail;

    /*
     * Set server name indication extension
     */
    memset(&tls_extn[2], 0, sizeof(gsk_tls_extension));
    tls_extn[2].extId = GSK_TLS_EXTID_SNI_SERVER_LABELS;
    tls_extn[2].required = FALSE;             /* optional extension */
    tls_extn[2].u.serverLabels.setSni = TRUE; /* enable extension   */
    tls_extn[2].u.serverLabels.unrecognized_name_fatal = TRUE;
                        /* unrecognized name is fatal: a client SNI name   */
                        /* that is not in the table fails the handshake    */
    tls_extn[2].u.serverLabels.count = 3;
    tls_extn[2].u.serverLabels.serverKeyLabel = serverLabelPairs;
    rc = gsk_attribute_set_tls_extension(envHandle, &tls_extn[2]);
    if (rc != GSK_OK)
        goto fail;

    /*
     * Initialize the SSL environment
     */
    rc = gsk_environment_init(envHandle);
    if (rc != GSK_OK)
        goto fail;

    *pEnvHandle = envHandle;
    return GSK_OK;

fail:
    gsk_environment_close(&envHandle);
    return rc;
}
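Because unrecognized_name_fatal is TRUE in the example above, any client whose SNI name is not in the name/label table fails the handshake, so a mistake in the table (a duplicate name, a trailing dot, an IP literal, which RFC 6066 forbids as an SNI host name) shows up only as failed connections. The following added example, which is not IBM code and not part of this manual, checks such a table before it is handed to gsk_attribute_set_tls_extension() and shows which label a given client name would select. It uses a local sni_label_pair struct as a stand-in for gsk_server_key_label so it compiles without the System SSL header; the case-insensitive comparison follows DNS rules and is an assumption about how names are matched, since the page does not say how System SSL compares them.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for gsk_server_key_label: one {server name, key label} pair. */
typedef struct {
    const char *serverName;
    const char *keyLabel;
} sni_label_pair;

/* Non-zero if s is a dotted-quad IPv4 literal or contains ':' (IPv6).
 * RFC 6066 section 3 does not allow IP literals as SNI host names. */
static int looks_like_ip_literal(const char *s)
{
    size_t i, digits = 0, dots = 0;
    if (strchr(s, ':') != NULL)
        return 1;
    for (i = 0; s[i] != '\0'; i++) {
        if (s[i] == '.')
            dots++;
        else if (isdigit((unsigned char)s[i]))
            digits++;
        else
            return 0;
    }
    return dots == 3 && digits > 0;
}

/* Case-insensitive host name compare (assumption: DNS-style matching). */
static int hostname_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Validate the table before configuring the SNI extension.
 * Returns -1 if every entry is acceptable, otherwise the index of the first
 * entry rejected for: missing or empty name or label, name longer than the
 * 255-byte SNI HostName limit, trailing dot, IP literal, or a name that
 * duplicates an earlier entry (two labels for one name is ambiguous). */
int validate_sni_table(const sni_label_pair *t, size_t count)
{
    size_t i, j, n;
    for (i = 0; i < count; i++) {
        if (t[i].serverName == NULL || t[i].keyLabel == NULL)
            return (int)i;
        n = strlen(t[i].serverName);
        if (n == 0 || n > 255 || t[i].keyLabel[0] == '\0')
            return (int)i;
        if (t[i].serverName[n - 1] == '.')
            return (int)i;      /* "host.example.com." never matches a client */
        if (looks_like_ip_literal(t[i].serverName))
            return (int)i;
        for (j = 0; j < i; j++)
            if (hostname_equal(t[i].serverName, t[j].serverName))
                return (int)i;
    }
    return -1;
}

/* Key label the server would present for the client's SNI name, or NULL
 * when no entry matches; with unrecognized_name_fatal = TRUE, NULL is the
 * case in which the handshake fails. */
const char *label_for_sni(const sni_label_pair *t, size_t count,
                          const char *sni)
{
    size_t i;
    for (i = 0; i < count; i++)
        if (hostname_equal(t[i].serverName, sni))
            return t[i].keyLabel;
    return NULL;
}
```

Run validate_sni_table() over the serverLabelPairs table before gsk_attribute_set_tls_extension() and refuse to start the server if it returns anything other than -1; that turns a silent "all connections fail" condition into a startup error that names the bad entry.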





Copyright IBM Corporation 1990, 2014