version 1.6, 2008/12/18 16:41:52
|
version 1.7, 2012/03/30 04:22:50
|
|
|
checked first against the CRL (if specified) and then against the | checked first against the CRL (if specified) and then against the |
server truststore. The <a href="#CLI">cimcrl CLI</a> should be used for | server truststore. The <a href="#CLI">cimcrl CLI</a> should be used for |
CRL management. </p> | CRL management. </p> |
|
<p><b>sslCipherSuite</b><br> |
|
This setting specifies the cipher list used by the server during the |
|
SSL handshake phase. If not specified, the "DEFAULT" OpenSSL cipher |
|
list is used. The cipher list should be mentioned between single |
|
quotes since it can contain special characters like .+, !, -. The |
|
cipher lists can be found at <a |
|
href="http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT">http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT</a> |
|
</p> |
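Review bot: the new sslCipherSuite paragraph gives no example value and leaves the reader on the OpenSSL "DEFAULT" list, which is whatever the linked OpenSSL version defines and is not something Pegasus controls; the paragraph should show one concrete setting an administrator can copy, written in the cipher-list format of the linked page, for instance `sslCipherSuite='HIGH:!aNULL:!eNULL'`, and state what the server does when OpenSSL rejects the string (refuse to start, or fall back to DEFAULT). Two smaller points in the same paragraph: the list of special characters reads ".+, !, -", where the leading period looks like a typo for the `+` operator, and the single-quote advice should say why it is needed: `!` in particular is interpreted by the shell, so the value has to be quoted when it is typed on a command line.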
<h4>Configuration Limitations</h4> | <h4>Configuration Limitations</h4> |
The following are configuration limitations: | The following are configuration limitations: |
<ul> | <ul> |
|
|
password needed to unencrypt it. Therefore, the best way to secure the | password needed to unencrypt it. Therefore, the best way to secure the |
file is to follow the file permissions settings specified in <a | file is to follow the file permissions settings specified in <a |
href="#CERTS">Creating SSL Certificates.</a></li> | href="#CERTS">Creating SSL Certificates.</a></li> |
<li>There is no property to specify supported cipher lists at this |
|
time. Pegasus uses the default OpenSSL cipher list. The cipher lists |
|
can be found at <a |
|
href="http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_</a> |
|
and <a |
|
href="http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_</a></li> |
|
<li>The verification depth cannot be specified. Pegasus uses the | <li>The verification depth cannot be specified. Pegasus uses the |
default OpenSSL depth of 9. This means the OpenSSL will only accept | default OpenSSL depth of 9. This means the OpenSSL will only accept |
client certificate chains up to 9 levels deep.</li> | client certificate chains up to 9 levels deep.</li> |
|
|
</p> | </p> |
<ul> | <ul> |
<font face="courier"> client.connect( hostname, port, <b>SSLContext(trustStore, | <font face="courier"> client.connect( hostname, port, <b>SSLContext(trustStore, |
certPath, keyPath, verifyCert, randomFile),</b> username, password); </font> |
certPath, keyPath, verifyCert, randomFile, cipherSuite),</b> username, password); </font> |
</ul> | </ul> |
<p></p> | <p></p> |
<p> Here's a code snippet that shows how to call a client constructor | <p> Here's a code snippet that shows how to call a client constructor |
|
|
does not perform by default.</li> | does not perform by default.</li> |
<li><b>randomFile</b> -- A file to seed the pseudo random number | <li><b>randomFile</b> -- A file to seed the pseudo random number |
generator (PRNG).</li> | generator (PRNG).</li> |
|
<li><b>cipherSuite</b> -- This specifies the cipher list used by the |
|
client during the SSL handshake phase. This is an experimental |
|
interface.</li> |
</ul> | </ul> |
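Review bot: the cipherSuite entry for the SSLContext constructor is marked "experimental" but does not say what format the string takes or what happens on error; it should state that the value uses the same OpenSSL cipher-list format the sslCipherSuite server property links to, that an empty string means the OpenSSL default list (so callers of the six-argument form can pass the same value the server is configured with), and whether an invalid list or one with no suite in common with the server causes client.connect() to fail in the handshake or is silently ignored, since a caller cannot otherwise tell whether an exception must be handled.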
<p>Here are some general guidelines on implementing peer verification | <p>Here are some general guidelines on implementing peer verification |
for the client: | for the client: |
|
|
<ul> | <ul> |
<li>The verification depth cannot be specified. Pegasus uses the | <li>The verification depth cannot be specified. Pegasus uses the |
default OpenSSL depth of 9.</li> | default OpenSSL depth of 9.</li> |
<li>The cipher list cannot be specified. Pegasus uses the default |
|
OpenSSL cipher list. The cipher lists can be found at <a |
|
href="http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_</a> |
|
and <a |
|
href="http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_</a></li> |
|
<li>No hostname checking is performed to ensure that the subject | <li>No hostname checking is performed to ensure that the subject |
field of the distinguished name (DN) matches the hostname. If desired, | field of the distinguished name (DN) matches the hostname. If desired, |
a user-specified callback should be configured to perform this check or | a user-specified callback should be configured to perform this check or |
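Review bot: removing the "cipher list cannot be specified" bullet from the client guidelines leaves the list silent on the new capability; replace it with a one-line pointer that the client cipher list is now set through the cipherSuite argument of SSLContext and is an experimental interface, so a reader who consults only this list neither assumes the old limitation still holds nor misses the caveat. The verification-depth and hostname-check bullets are unchanged by this revision.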