SSL Reference Manual
• Backwards compatibility with the former syntax is preserved; however, ALLOWIP and DENYIP settings should be
migrated to CIDR notation in the medium term.
Default
If omitted, HP NonStop SSL will use * to allow all remote IP addresses.
Example
ALLOWIP 10.0.1.0/24, 10.0.2.0/24, 172.22.22.42
ALLOWIP A[abcd::ef00/120] , [abcd:1111::ab00] , [::ffff:172.1.1.0/104]
ALLOWRENEGOTIATION
This parameter allows or disallows peer-initiated SSL/TLS session renegotiation.
Parameter Syntax
ALLOWRENEGOTIATION TRUE | FALSE
Arguments
FALSE
Renegotiation will not be permitted. If the peer tries to initiate a renegotiation, the corresponding session will be
closed and a warning including the detailed session information will be issued to the log.
TRUE
Renegotiation will be allowed and performed when the peer initiates a corresponding renegotiation request.
Default
The default is FALSE: starting with HP NonStop SSL release AAH, renegotiation is no longer permitted unless it is
explicitly enabled (see Considerations).
Considerations
Before this parameter was introduced (releases prior to HP NonStop SSL AAH), peer-initiated renegotiation requests
were always honored. Release AAH changed this because of a security concern: although renegotiation was designed to
add security (refreshing the cryptographic parameters of a session), it can be misused to launch a Denial of Service
(DoS) attack. Every renegotiation forces the server through another handshake, so a rogue SSL/TLS client can request
renegotiation in an endless loop and keep the server side of the connection under permanently high CPU load. A handful
of such connections is enough to leave the server too busy to respond to new requests (DoS). For this reason,
renegotiation is disabled by default from release AAH on. Where renegotiation is genuinely needed, it can be re-enabled
by explicitly setting this parameter to TRUE; doing so reinstates the exposure described above.
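To verify the effect of this setting from the client side, the following script (an added example, not part of the HP NonStop SSL product or this manual) drives openssl s_client against a server, sends the "R" command that makes s_client request a renegotiation after the initial handshake, and classifies the captured output: a second ServerHello means the server honored the request, while a RENEGOTIATING line with no second ServerHello means the request was refused (a no_renegotiation alert or a closed session, the latter being what ALLOWRENEGOTIATION FALSE produces). Host and port are placeholders you supply; the connection is pinned to TLS 1.2 because TLS 1.3 has no renegotiation at all. The sample transcripts used to check the classifier are constructed, not captured from a NonStop system.

```python
"""Added example: probe whether a TLS server honors client-initiated renegotiation.
Not part of HP NonStop SSL; needs the openssl command-line tool on the client."""
import re
import subprocess
import sys
import time


def probe_renegotiation(host: str, port: int, timeout: float = 15.0) -> str:
    """Connect with openssl s_client, request a renegotiation with the 'R'
    command once the handshake is up, and return the combined -msg/-state output.
    TLS 1.2 is forced because TLS 1.3 removed renegotiation."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-tls1_2", "-msg", "-state"]
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True)
    try:
        time.sleep(2)                       # let the initial handshake complete
        proc.stdin.write("R\n")             # s_client: a line starting with R = renegotiate
        proc.stdin.flush()
        time.sleep(3)                       # give the server time to answer or close
        out, _ = proc.communicate(timeout=timeout)  # closes stdin, collects output
    except (subprocess.TimeoutExpired, OSError):
        proc.kill()
        out, _ = proc.communicate()
    return out


# \b keeps "ServerHelloDone" from being counted as a ServerHello.
_SERVER_HELLO = re.compile(r"\bServerHello\b")


def classify_renego_output(out: str) -> str:
    """'allowed'      : a second ServerHello arrived, the server completed the renegotiation
       'refused'      : s_client sent the request but no second ServerHello followed
       'inconclusive' : the connection never reached the point of renegotiating"""
    if len(_SERVER_HELLO.findall(out)) >= 2:
        return "allowed"
    if "RENEGOTIATING" in out:
        return "refused"
    return "inconclusive"


# Constructed s_client transcripts, trimmed to the lines the classifier looks at.
SAMPLE_ALLOWED = """\
>>> TLS 1.2, Handshake [length 00c4], ClientHello
<<< TLS 1.2, Handshake [length 0051], ServerHello
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
RENEGOTIATING
>>> TLS 1.2, Handshake [length 00c4], ClientHello
<<< TLS 1.2, Handshake [length 0051], ServerHello
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
"""
SAMPLE_REFUSED = """\
>>> TLS 1.2, Handshake [length 00c4], ClientHello
<<< TLS 1.2, Handshake [length 0051], ServerHello
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
RENEGOTIATING
>>> TLS 1.2, Handshake [length 00c4], ClientHello
SSL3 alert read:warning:no renegotiation
"""

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} HOST PORT")
    verdict = classify_renego_output(probe_renegotiation(sys.argv[1], int(sys.argv[2])))
    print(f"client-initiated renegotiation: {verdict}")
    sys.exit(0 if verdict == "refused" else 1)   # non-zero when the server renegotiates
```

Run it as `python probe.py HOST PORT` against the NonStop SSL listener; with ALLOWRENEGOTIATION FALSE the verdict should be "refused" and the server log should show the warning described above. An "inconclusive" verdict usually means the TLS 1.2 connection itself failed, so check the cipher and protocol configuration before drawing conclusions about renegotiation.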
AUDITASCIIONLY
Use this parameter to define how HP NonStop SSL writes raw data to the audit log.
Parameter Syntax
AUDITASCIIONLY TRUE | FALSE
Arguments
TRUE
Data will be dumped in ASCII format; bytes without a printable ASCII representation are written as <hh>,
where hh is the hexadecimal value of the byte.
38 • Configuration HP NonStop SSL Reference Manual