|
version 1.4, 2006/09/29 17:38:11
|
version 1.6.8.1, 2013/06/03 22:34:46
|
|
|
|
| checked first against the CRL (if specified) and then against the | checked first against the CRL (if specified) and then against the |
| server truststore. The <a href="#CLI">cimcrl CLI</a> should be used for | server truststore. The <a href="#CLI">cimcrl CLI</a> should be used for |
| CRL management. </p> | CRL management. </p> |
| |
<p><b>sslCipherSuite</b><br> |
| |
This setting specifies the cipher list used by the server during the |
| |
SSL handshake phase. If not specified, the "DEFAULT" OpenSSL cipher |
| |
list is used. The cipher list should be mentioned between single |
| |
quotes since it can contain special characters like .+, !, -. The |
| |
cipher lists can be found at <a |
| |
href="http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT">http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT</a> |
| |
</p> |
| <h4>Configuration Limitations</h4> | <h4>Configuration Limitations</h4> |
| The following are configuration limitations: | The following are configuration limitations: |
| <ul> | <ul> |
|
|
|
| password needed to unencrypt it. Therefore, the best way to secure the | password needed to unencrypt it. Therefore, the best way to secure the |
| file is to follow the file permissions settings specified in <a | file is to follow the file permissions settings specified in <a |
| href="#CERTS">Creating SSL Certificates.</a></li> | href="#CERTS">Creating SSL Certificates.</a></li> |
| <li>There is no property to specify supported cipher lists at this |
|
| time. Pegasus uses the default OpenSSL cipher list. The cipher lists |
|
| can be found at <a |
|
| href="http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_</a> |
|
| and <a |
|
| href="http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_</a></li> |
|
| <li>The verification depth cannot be specified. Pegasus uses the | <li>The verification depth cannot be specified. Pegasus uses the |
| default OpenSSL depth of 9. This means the OpenSSL will only accept | default OpenSSL depth of 9. This means the OpenSSL will only accept |
| client certificate chains up to 9 levels deep.</li> | client certificate chains up to 9 levels deep.</li> |
|
|
|
| </p> | </p> |
| <ul> | <ul> |
| <font face="courier"> client.connect( hostname, port, <b>SSLContext(trustStore, | <font face="courier"> client.connect( hostname, port, <b>SSLContext(trustStore, |
| certPath, keyPath, verifyCert, randomFile),</b> username, password); </font> |
certPath, keyPath, verifyCert, randomFile, cipherSuite),</b> username, password); </font> |
| </ul> | </ul> |
| <p></p> | <p></p> |
| <p> Here's a code snippet that shows how to call a client constructor | <p> Here's a code snippet that shows how to call a client constructor |
|
|
|
| does not perform by default.</li> | does not perform by default.</li> |
| <li><b>randomFile</b> -- A file to seed the pseudo random number | <li><b>randomFile</b> -- A file to seed the pseudo random number |
| generator (PRNG).</li> | generator (PRNG).</li> |
| |
<li><b>cipherSuite</b> -- This specifies the cipher list used by the |
| |
client during the SSL handshake phase. This is an experimental |
| |
interface.</li> |
| </ul> | </ul> |
| <p>Here are some general guidelines on implementing peer verification | <p>Here are some general guidelines on implementing peer verification |
| for the client: | for the client: |
|
|
|
| <ul> | <ul> |
| <li>The verification depth cannot be specified. Pegasus uses the | <li>The verification depth cannot be specified. Pegasus uses the |
| default OpenSSL depth of 9.</li> | default OpenSSL depth of 9.</li> |
| <li>The cipher list cannot be specified. Pegasus uses the default |
|
| OpenSSL cipher list. The cipher lists can be found at <a |
|
| href="http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_</a> |
|
| and <a |
|
| href="http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_</a></li> |
|
| <li>No hostname checking is performed to ensure that the subject | <li>No hostname checking is performed to ensure that the subject |
| field of the distinguished name (DN) matches the hostname. If desired, | field of the distinguished name (DN) matches the hostname. If desired, |
| a user-specified callback should be configured to perform this check or | a user-specified callback should be configured to perform this check or |
|
|
|
| <a href="http://www.faqs.org/rfcs/rfc2617.html">http://www.faqs.org/rfcs/rfc2617.html</a> | <a href="http://www.faqs.org/rfcs/rfc2617.html">http://www.faqs.org/rfcs/rfc2617.html</a> |
| </p> | </p> |
| <hr> | <hr> |
| <p><i><font size="2">Copyright (c) 2005 EMC Corporation; |
<p>Licensed to The Open Group (TOG) under one or more contributor license |
| Hewlett-Packard Development Company, L.P.; IBM Corp.; The Open Group; |
agreements. Refer to the OpenPegasusNOTICE.txt file distributed with |
| VERITAS Software Corporation</font><br> |
this work for additional information regarding copyright ownership. |
| <br> |
Each contributor licenses this file to you under the OpenPegasus Open |
| <font size="1">Permission is hereby granted, free of charge, to any |
Source License; you may not use this file except in compliance with the |
| person obtaining a copy of this software and associated |
License.</p> |
| documentation files (the "Software"), to deal in the Software without |
<p>Permission is hereby granted, free of charge, to any person obtaining a |
| restriction, including without limitation the rights to use, copy, |
copy of this software and associated documentation files (the "Software"), |
| modify, merge, publish, distribute, sublicense, and/or sell copies of |
to deal in the Software without restriction, including without limitation |
| the Software, and to permit persons to whom the Software is furnished |
the rights to use, copy, modify, merge, publish, distribute, sublicense, |
| to do so, subject to the following conditions:</font><br> |
and/or sell copies of the Software, and to permit persons to whom the |
| <font size="2"><br> |
Software is furnished to do so, subject to the following conditions:</p> |
| </font> |
<p>The above copyright notice and this permission notice shall be included |
| <font size="1">THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE |
in all copies or substantial portions of the Software.</p> |
| SHALL BE INCLUDED IN ALL COPIES OR SUBSTANTIAL PORTIONS OF THE |
<p>THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS |
| SOFTWARE. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF |
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF |
| ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE |
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. |
| WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY |
| NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE |
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, |
| LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION |
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE |
| OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION |
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</p> |
| WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</font></i></p> |
|
| <hr> | <hr> |
| </body> | </body> |
| </html> | </html> |
Return to
PegasusSSLGuidelines.htm
CVS log
Up to [Pegasus] / pegasus / doc