CORBA 2.6 Administration Guide
Protocol key: CA_file
  Value: OSS path/filename
  Default: None
  Description: The name of a file containing trusted CA certificates in PEM format. More than one certificate may be present in the file. Note that to protect against unauthorized writes, CA_file should be secured with the proper permissions.

Protocol key: CA_path
  Value: OSS path
  Default: None
  Description: The name of a directory containing trusted CA certificates in PEM format. Each file in the directory must contain only one CA certificate, and the files must be named by the hash of the subject name with an extension of .0. Note that to protect against unauthorized writes, CA_path should be secured with the proper permissions.

Protocol key: ssl_version
  Value: TLSv1, SSLv3, SSLv2, or SSLv23
  Default: SSLv3
  Description: The specific SSL protocol version to use. TLSv1 or SSLv3 are recommended. SSLv2 and SSLv23 are not recommended, but are provided for completeness.

Protocol key: ssl_ciphers
  Value: Cipher list (the list of cipher suites follows this table)
  Default: DEFAULT, which is the OpenSSL default list ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH
  Description: The OpenSSL cipher list to use; see "OpenSSL Cipher List for Use with ssl_ciphers" below.

Protocol key: ssl_cert_file
  Value: OSS path/filename
  Default: $NSD_ROOT/ssliop/default/cert.pem
  Description: Certificate file. (The certificate file may also contain the private key.)

Protocol key: ssl_pkey_file
  Value: OSS path/filename
  Default: $NSD_ROOT/ssliop/default/cert.pem
  Description: Private key file. (The private key file may also contain the certificate.)

Protocol key: ssl_pkey_pswd
  Value: OSS path/filename
  Default: None. If ssl_cert_file is not set, then ssl_pkey_pswd is set to $NSD_ROOT/ssliop/default/certpswd.txt
  Description: Defines the file containing the password for the private key file. If ssl_pkey_pswd does not have a value, the operator is prompted for the password.
OpenSSL Cipher List for Use with ssl_ciphers
The ssl_ciphers protocol key takes values defined by OpenSSL, and these values are passed directly to the
SSL_set_cipher_list() function. Note that these OpenSSL cipher strings are case-sensitive.
The cipher list consists of one or more cipher strings separated by colons. The actual cipher string can take several different forms. It can
consist of a single cipher suite, such as RC4-SHA. Or, the cipher string can represent a list of cipher suites containing a certain algorithm or
cipher suites of a certain type. For example, 3DES represents all cipher suites using triple DES, and SSLv3 represents all SSL v3 algorithms.
Lists of cipher suites can be combined in a single cipher string by using the plus-sign (+) character, which is used as a logical AND operation.
For example, SHA1+DES represents all cipher suites containing SHA1 and the DES algorithms.
Each cipher string can be preceded by one of the characters bang (!), minus-sign (-) or plus-sign (+). If bang (!) is used, the ciphers are
permanently deleted from the list. The ciphers deleted may never reappear in the list even if they are explicitly stated. If minus-sign (-) is
used, the ciphers are deleted from the list, but some or all of the ciphers may be added again by other options. If plus-sign (+) is used, the
ciphers are moved to the end of the list. This option does not add any new ciphers; it just moves matching existing ones. If none of these
characters are present, the string is just interpreted as a list of ciphers to be appended to the current preference list. If the list includes any
ciphers already present, they are ignored.
Additionally, the cipher string @STRENGTH can be used at any point to sort the current cipher list in order of the encryption-algorithm key
length.
The cipher suites available for ssl_ciphers are:
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
DHE-DSS-RC4-SHA
ADH-DES-CBC3-SHA
RC4-SHA
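As an added illustration (not part of the guide or of OpenSSL), the following evaluator applies the cipher-string rules above (!, -, + prefixes, '+' as AND, @STRENGTH) to the twelve suites listed; the suite attributes and the small set of aliases it understands are constructed here from OpenSSL's naming, so it approximates what SSL_set_cipher_list() does rather than reproducing it.

```python
SUITES = [  # constructed attributes for the guide's suites: (name, key exchange, auth, cipher, key bits)
    ("DHE-RSA-AES256-SHA",   "DH",  "RSA", "AES",  256),
    ("DHE-DSS-AES256-SHA",   "DH",  "DSS", "AES",  256),
    ("AES256-SHA",           "RSA", "RSA", "AES",  256),
    ("EDH-RSA-DES-CBC3-SHA", "DH",  "RSA", "3DES", 168),
    ("EDH-DSS-DES-CBC3-SHA", "DH",  "DSS", "3DES", 168),
    ("DES-CBC3-SHA",         "RSA", "RSA", "3DES", 168),
    ("DHE-RSA-AES128-SHA",   "DH",  "RSA", "AES",  128),
    ("DHE-DSS-AES128-SHA",   "DH",  "DSS", "AES",  128),
    ("AES128-SHA",           "RSA", "RSA", "AES",  128),
    ("DHE-DSS-RC4-SHA",      "DH",  "DSS", "RC4",  128),
    ("ADH-DES-CBC3-SHA",     "DH",  None,  "3DES", 168),  # anonymous DH: no authentication
    ("RC4-SHA",              "RSA", "RSA", "RC4",  128),
]

def matches(suite, alias):
    """True if the suite belongs to the OpenSSL alias, or is named exactly by it."""
    name, kx, auth, enc, _bits = suite
    if alias == "ALL":   return True
    if alias == "ADH":   return kx == "DH" and auth is None
    if alias == "RSA":   return kx == "RSA"      # suites using RSA key exchange
    if alias == "DSS":   return auth == "DSS"
    if alias == "SSLv3": return True             # every listed suite is an SSL v3 suite
    if alias == "SSLv2": return False            # none of the listed suites is SSL v2
    if alias in ("AES", "3DES", "RC4"): return enc == alias
    return name == alias

def expand(cipher_list):
    """Return the suite names selected by an OpenSSL-style cipher list, in preference order."""
    active, killed = [], set()
    for token in cipher_list.split(":"):
        if token == "@STRENGTH":                 # stable sort by key length, strongest first
            active.sort(key=lambda s: -s[4])
            continue
        op = token[:1] if token[:1] in "!-+" else ""
        aliases = token[len(op):].split("+")    # '+' inside a string is a logical AND
        hits = [s for s in SUITES if all(matches(s, a) for a in aliases)]
        if op == "!":                            # delete permanently; cannot be re-added
            killed.update(s[0] for s in hits)
            active = [s for s in active if s[0] not in killed]
        elif op == "-":                          # delete, but a later string may add it back
            active = [s for s in active if s not in hits]
        elif op == "+":                          # move existing matches to the end, adding none
            active = [s for s in active if s not in hits] + [s for s in active if s in hits]
        else:                                    # append new matches; ones already present are ignored
            active += [s for s in hits if s not in active and s[0] not in killed]
    return [s[0] for s in active]

if __name__ == "__main__":
    print(expand("ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"))   # the DEFAULT list from the table
```

Running it with the DEFAULT string shows the anonymous ADH suite dropped and the rest ordered by key length, and comparing "ALL:!RC4:RC4" with "ALL:-RC4:RC4" shows the difference between a permanent and a revocable deletion.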