You can control how an SSL listener processes communications or the criteria certificates must fulfil. This is specified
anywhere in the
Configuration Information field of the listener:
[MF SSL]
Maximum chain length=number
Allow invalid purpose=yes | no
Match client hostname=yes | no
where:
- Maximum chain length=number
- Sets the maximum length of the certificate chain. A value of 1 means the certificate must be signed by the root certificate.
By default, the maximum chain length is 1.
Note: This setting is not currently honored, and certificate chains can be of any length.
- Allow invalid purpose=yes | no
- Sets whether a certificate's intended purpose matches its usage. For instance, using a server certificate as a client certificate
would require this to be on. By default, the allow invalid purpose is set to no.
Note: This setting is not currently honored, and certificate purpose is never enforced.
- Match client hostname=yes | no
- Sets whether a certificate must be issued to the client machine. If this is enabled, then either the certificate must have
a 'subject alternate name' which identifies the client machine by hostname or IP address, or the certificate's subject distinguished
name must end in a CN (common name) component which is the client machine's hostname. This must be disabled if client certificates
instead identify the user, also known as 'personal certificates'. By default, the match client hostname is set to yes.