SSL Reference Manual
Error Name                                     Error number
X509_V_ERR_KEYUSAGE_NO_CRL_SIGN                35
X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION    36
X509_V_ERR_APPLICATION_VERIFICATION            50
Default
If omitted, HP NonStop SSL will work normally (all certificate validation errors are treated as such and connection attempts will fail).
Example
ALLOWCERTERRORS 10
This will temporarily allow expired certificates.
ALLOWIP
Use this parameter to specify which remote IP addresses are to be allowed to establish sessions ("white list").
Note: With HP NonStop SSL AAE, the parameter syntax for specifying subnets has been changed to use Classless Inter-Domain Routing (CIDR) format in order to prevent ambiguous subnet specifications and to simplify usage, especially with IPv6 entries.
Parameter Syntax
ALLOWIP [direction]range
Arguments
direction
Optional character specifying the connections to which the rules are applied
o A = Apply rules on incoming connections only
o C = Apply rules on outgoing connections only
o B = Apply rules on all connections (default)
range
One or more Classless Inter-Domain Routing (CIDR) format entries, each specifying an IP subnet or a single host IP address. Entries must be separated by commas. The network suffix can be omitted for host entries (/32 or /128 is then assumed). IPv6/DUAL entries must be enclosed in square brackets. Entry types and the corresponding CIDR format:
o IPv4 address: 10.1.2.196 ( /32 is assumed)
o IPv4 subnet : 10.2.0.0/16
o IPv6 address: [abcd:1111::ab00] ( /128 is assumed)
o IPv6 subnet : [abcd::ef00/120]
o DUAL address: [::ffff:172.0.0.28] ( /128 is assumed)
o DUAL subnet : [::ffff:172.1.1.0/104]
Considerations
• See section "Limiting Remote IP Addresses" for the concept of remote IP filtering.
• The parameter can be changed at run time using SSLCOM; see chapter "SSLCOM Command Interface" for details.
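Added example (not code from the manual or from HP NonStop SSL): the following Python code parses an ALLOWIP value in the syntax described above, shows which IPv4 range a DUAL entry actually covers, and checks a peer address against the list before the value is deployed. The function names, the assumption that the direction letter directly precedes the range, and the same-address-family matching rule are assumptions of this example, not documented product behavior.

```python
import ipaddress

DIRECTIONS = {"A": "incoming", "C": "outgoing", "B": "all"}  # letters from the manual
V4_MAPPED = ipaddress.ip_network("::ffff:0:0/96")            # DUAL (IPv4-mapped) space

def parse_allowip(value):
    """Split '[direction]range' into (direction letter, list of networks)."""
    value = value.strip()
    direction = "B"                                # documented default
    if value[:1] in DIRECTIONS:                    # assumption: letter directly precedes range
        direction, value = value[0], value[1:].lstrip()
    networks = []
    for entry in (e.strip() for e in value.split(",")):
        bracketed = entry.startswith("[") and entry.endswith("]")
        # strict=False keeps entries whose host bits are set, such as the
        # manual's DUAL subnet example; a missing suffix becomes /32 or /128.
        net = ipaddress.ip_network(entry[1:-1] if bracketed else entry, strict=False)
        if net.version == 6 and not bracketed:
            raise ValueError(f"IPv6/DUAL entry needs square brackets: {entry}")
        networks.append(net)
    return direction, networks

def effective_ipv4(net):
    """For a DUAL entry, return the IPv4 network it covers; otherwise None."""
    if net.version == 6 and net.subnet_of(V4_MAPPED):
        return ipaddress.ip_network((int(net.network_address) & 0xFFFFFFFF,
                                     net.prefixlen - 96))
    return None

def check(peer, conn, value):
    """True/False if the rules apply to conn ('incoming' or 'outgoing') and the
    peer is inside/outside the list; None if the rules do not cover conn."""
    direction, networks = parse_allowip(value)
    if DIRECTIONS[direction] not in (conn, "all"):
        return None
    addr = ipaddress.ip_address(peer)
    # Assumption: a peer is compared only with entries of its own address family.
    return any(addr.version == n.version and addr in n for n in networks)

if __name__ == "__main__":
    # Constructed sample value built from the entry formats listed in the manual.
    sample = "A10.1.2.196,10.2.0.0/16,[abcd::ef00/120],[::ffff:172.1.1.0/104]"
    for net in parse_allowip(sample)[1]:
        print(net, net.num_addresses, effective_ipv4(net))
    print(check("10.2.7.9", "incoming", sample), check("10.3.0.1", "incoming", sample))
```

Running it on the sample shows that a /104 suffix on a DUAL entry corresponds to an IPv4 /8, so the manual's DUAL subnet format example spans all of 172.0.0.0/8.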