HP NonStop SSL Reference Manual
Configuration
suites to the SSL server. The server will then select a cipher suite from the list, or, if no acceptable choices are presented, return a handshake failure alert and close the connection.
• When running as an SSL server, HP NonStop SSL will select the first cipher from the list presented by the client during the handshake that matches a cipher from CIPHERSUITES.
Notes:
• If you trace the client handshake with a tool like Wireshark, you will see one additional cipher with the hex representation 0x00FF. This is not an actual cipher but a hint for the server that the client supports secure renegotiation. Please see section 4 of http://tools.ietf.org/html/draft-ietf-tls-renegotiation-01 if you want more details on that.
WARNINGS!
• Do NOT use ADH ciphers unless you know exactly what you are doing! ADH ciphers DO NOT include authentication, thus they are vulnerable to Man-in-the-Middle attacks! Strongly not recommended!
• The cipher suites 0.1 and 0.2 will NOT encrypt the traffic; they will only authenticate the partners and provide message integrity checking. Please only use them if encryption is not required.
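The following is an added example, not code from the HP NonStop SSL manual: it models the server-side selection rule described above (first suite in the client's order that is also in CIPHERSUITES, handshake failure when none matches, 0x00FF treated as a signalling value rather than a cipher) and flags the two suite classes the warnings cover. The code points are IANA TLS values chosen as sample data; the manual's own numbering (such as "0.1" and "0.2") is not used.

```python
from typing import Dict, Optional, Sequence

RENEGOTIATION_SCSV = 0x00FF   # TLS_EMPTY_RENEGOTIATION_INFO_SCSV: a hint, not a cipher

# Sample IANA code points (names per the TLS Cipher Suite Registry), constructed test data
AES128_SHA = 0x002F           # TLS_RSA_WITH_AES_128_CBC_SHA
AES256_SHA = 0x0035           # TLS_RSA_WITH_AES_256_CBC_SHA
TRIPLE_DES_SHA = 0x000A       # TLS_RSA_WITH_3DES_EDE_CBC_SHA
ADH_AES128_SHA = 0x0034       # TLS_DH_anon_WITH_AES_128_CBC_SHA (no authentication)
NULL_SHA = 0x0002             # TLS_RSA_WITH_NULL_SHA (no encryption)

ANON_DH_SUITES = {0x0018, 0x001B, 0x0034, 0x003A}     # some TLS_DH_anon_* suites
NULL_CIPHER_SUITES = {0x0001, 0x0002}                  # TLS_RSA_WITH_NULL_MD5 / _SHA


def server_select(client_offer: Sequence[int], ciphersuites: Sequence[int]) -> Dict[str, object]:
    """Pick the first suite in the client's order that is also in CIPHERSUITES.

    Returns the chosen suite (None when nothing matches, in which case the
    server answers with a handshake_failure alert) and whether the client
    signalled secure-renegotiation support via the 0x00FF SCSV.
    """
    allowed = set(ciphersuites)
    secure_reneg = RENEGOTIATION_SCSV in client_offer
    chosen: Optional[int] = None
    for suite in client_offer:
        if suite == RENEGOTIATION_SCSV:
            continue                      # never selectable as a cipher
        if suite in allowed:
            chosen = suite
            break
    return {
        "cipher": chosen,
        "secure_renegotiation": secure_reneg,
        "alert": None if chosen is not None else "handshake_failure",
    }


def suite_warnings(ciphersuites: Sequence[int]) -> list:
    """Flag configured suites that fall into the classes warned about above."""
    findings = []
    for suite in ciphersuites:
        if suite in ANON_DH_SUITES:
            findings.append((suite, "ADH: no authentication, MITM-vulnerable"))
        if suite in NULL_CIPHER_SUITES:
            findings.append((suite, "NULL cipher: integrity only, no encryption"))
    return findings
```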
CLIENTAUTH
Use this parameter to enforce SSL client authentication when running as SSL server. The CLIENTAUTH parameter specifies a file (or a set of files) containing certificates. The certificate(s) will be sent to the client during connection setup. The client will reply with its own client certificate, which must be signed by one of the certificates configured with the CLIENTAUTH parameter.
Parameter Syntax
CLIENTAUTH * | file1 [, file2, ...]
Arguments
*
No certificate request will be sent to the client.
file1, file2, ...
DER encoded X.509 CA certificate(s) which sign the certificate to be sent by the SSL client to HP NonStop SSL. If the SSL client cannot send such a certificate, the connection setup will fail.
Default
If omitted, '*' is used and HP NonStop SSL will not enforce SSL client authentication when running as SSL server.
Example
CLIENTAUTH $DATA1.SSL.CACERT
CLIENTCERT
Use this parameter to specify the client certificate that HP NonStop SSL should use to authenticate itself to an SSL server.
Parameter Syntax
CLIENTCERT * | file
Arguments
*