CCITCP Security Options in the CCI.INI File

ssl_only_verify_literally

By default, in this and previous releases an SSL/TLS client can trust a server that resides on an IP address which is not the intended connection target.

This happens because the client does not compare the connection address itself with the certificate. Instead it derives a host name from the address by DNS lookup and compares that name with the Subject Alternative Name (SAN) and Common Name (CN) entries of the identification certificate the server presents. A server whose address resolves to a DNS alias of the target name therefore passes the check even though its address appears nowhere in the certificate, so the check is only as strong as the DNS answer. This feature is deprecated and will be removed in a future release; it has been maintained to preserve backward compatibility.

The ssl_only_verify_literally option restricts the certificate check to the literal connection target, which improves security. The stricter behavior can be enforced with global effect when it is specified as a CCI.INI option. Alternatively, you can set it in the configuration of a specific application; that form is documented with the applications that support the option.

For applications that do not yet support configuring this option themselves, the following CCI.INI setting overrides the application's behavior:

[ccitcp-base]
ssl_only_verify_literally=[yes|true|no|false]

where:

yes|true
Enforce strict checking of SAN and CN identities. No DNS lookup is performed. The connection address specified MUST match a SAN or CN string of the appropriate type: an IP address must match a SAN entry of type "IP Address:", and a server name must match a SAN entry of type "DNS:" or the CN.
no|false
Default. A DNS lookup of the IP address is performed to derive a host name, and that name is compared with the contents of the peer's certificate. The certificate is accepted on the strength of the DNS answer rather than the address the client actually connected to.
Note: Some individual applications expose this option as part of their own configuration options.
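The difference between the two settings is easiest to see with a worked check. The following Python is an added illustration, not CCITCP's own verification code: the certificate, the host names, the addresses and the reverse-DNS table are all constructed for the example (the certificate is laid out the way Python's ssl.getpeercert() returns one). strict=True models ssl_only_verify_literally=yes; strict=False models the default, where an IP target that is not in the certificate is reverse-resolved and the returned name is checked instead.

```python
import ipaddress

# Constructed sample certificate in the shape ssl.getpeercert() returns.
# app.example.com and 192.0.2.10 are hypothetical names for this example.
SERVER_CERT = {
    "subject": ((("commonName", "app.example.com"),),),
    "subjectAltName": (("DNS", "app.example.com"),
                       ("DNS", "*.apps.example.com"),
                       ("IP Address", "192.0.2.10")),
}

# Constructed reverse-DNS table standing in for the resolver. The second
# entry models a PTR record under an attacker's control for an address
# that does NOT appear anywhere in the certificate.
PTR_TABLE = {
    "192.0.2.10": "app.example.com",
    "198.51.100.7": "app.example.com",
}


def _san(cert, kind):
    """SAN values of one type ("DNS" or "IP Address")."""
    return [v for t, v in cert.get("subjectAltName", ()) if t == kind]


def _common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def _name_matches(name, pattern):
    """Case-insensitive DNS match allowing one leftmost wildcard label."""
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        n, p = name.split("."), pattern.split(".")
        return len(n) == len(p) and n[1:] == p[1:]
    return name == pattern


def _name_in_cert(name, cert):
    candidates = _san(cert, "DNS") + _common_names(cert)
    return any(_name_matches(name, c) for c in candidates)


def verify_peer_identity(cert, target, strict, reverse_lookup=None):
    """Return (accepted, reason) for a connection target.

    strict=True  models ssl_only_verify_literally=yes: the literal target
                 must be in the certificate; DNS is never consulted.
    strict=False models the default: an IP target missing from the
                 "IP Address" SANs is reverse-resolved and the resulting
                 host name is checked against the certificate instead.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is None:  # host-name target: DNS SAN or CN, in both modes
        if _name_in_cert(target, cert):
            return True, "host name matches a DNS SAN or the CN"
        return False, "host name not in certificate"

    if any(ipaddress.ip_address(v) == ip for v in _san(cert, "IP Address")):
        return True, "IP address matches an IP Address SAN"
    if strict:
        return False, "IP address not in certificate (DNS not consulted)"

    # Legacy path: trust whatever name the resolver returns for the IP.
    name = reverse_lookup(target) if reverse_lookup else None
    if name and _name_in_cert(name, cert):
        return True, "reverse DNS name %r matches certificate" % name
    return False, "reverse DNS name not in certificate"
```

With the constructed PTR table, a connection to 198.51.100.7 is accepted in the default mode because the resolver says that address is app.example.com, and rejected under strict checking because 198.51.100.7 is not an "IP Address:" SAN. Targets that are in the certificate (app.example.com, 192.0.2.10, any host under apps.example.com) pass in both modes, which is why turning the option on is safe for correctly issued certificates.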

Close Negotiation

A controlled connection closure negotiation sequence is an alternative to closing connections with the usual socket linger options.

A controlled connection closure negotiation works in the following sequence:

  1. shutdown is called on the writable side of the connection. This sends a FIN to the peer and lets other threads that may be receiving data on the connection complete their receive sequence and process any data received.
  2. If a timeout is set for close negotiation, wait for incoming data to finish. This step ends when the peer's FIN has been received or the timeout has expired.
  3. shutdown is called on the reading side of the socket.
  4. The socket is closed.

The socket descriptor therefore remains valid until the conversation-closing handshake has completed or timed out. Alternatively, you can use a socket linger option.

Use the close_negotiate_msecs option in the CCI.INI file to specify how long to wait, and to choose between controlled connection closure negotiation and the socket linger method of closing connections:

[ccitcp-base]
close_negotiate_msecs=[yes|no|disabled|<n>]

where:

yes|-2
Default. Wait 2 seconds for the peer to close.
no|disabled|0
Disable controlled connection closure negotiation and close using SO_LINGER.
-1
Wait forever for the peer to close its end of the socket. Micro Focus recommends that you do not use this option.
>0
Wait the specified number of milliseconds for the peer to close.
Note: Some applications support configuring close_negotiate_msecs themselves. When the application configures the option, that setting is used in preference to the one in the CCI.INI file.
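The four-step sequence and the option values above can be exercised end to end over a local socket pair. The following Python is an added example and is not CCITCP's own implementation: parse_close_negotiate applies the value mapping documented above (yes/-2, no/disabled/0, -1, >0), negotiated_close performs the four steps with the resulting wait, and linger_close is the SO_LINGER alternative. The peer is a thread on the other end of a socketpair; the "slow peer" case is constructed to show what happens when the peer's FIN does not arrive before the timeout.

```python
import socket
import struct
import threading
import time


def parse_close_negotiate(value):
    """Map a close_negotiate_msecs value to a wait in seconds.

    Returns None when negotiation is disabled (close with SO_LINGER
    instead), float("inf") for "wait forever", else the wait in seconds.
    """
    v = str(value).strip().lower()
    if v in ("no", "disabled", "0"):
        return None
    if v in ("yes", "-2"):
        return 2.0                        # documented default: 2 seconds
    if v == "-1":
        return float("inf")
    msecs = int(v)
    if msecs < 0:
        raise ValueError("unsupported close_negotiate_msecs value: %r" % value)
    return msecs / 1000.0


def negotiated_close(sock, wait):
    """Controlled close. Returns True if the peer's FIN arrived in time."""
    sock.shutdown(socket.SHUT_WR)                    # 1. send our FIN
    deadline = None if wait == float("inf") else time.monotonic() + wait
    peer_closed = False
    while True:                                      # 2. drain until peer FIN or timeout
        remaining = None if deadline is None else deadline - time.monotonic()
        if remaining is not None and remaining <= 0:
            break
        sock.settimeout(remaining)                   # None == block forever (-1)
        try:
            data = sock.recv(4096)
        except (socket.timeout, OSError):
            break
        if not data:                                 # recv() of b"" is the peer's FIN
            peer_closed = True
            break
        # a real application would hand `data` to its receive logic here
    try:
        sock.shutdown(socket.SHUT_RD)                # 3. shut the read side
    except OSError:
        pass                                         # peer may already be gone
    sock.close()                                     # 4. release the descriptor
    return peer_closed


def linger_close(sock, seconds):
    """The SO_LINGER alternative: close() blocks up to `seconds` for unsent data.
    Assumes the Linux struct linger layout {int l_onoff; int l_linger;}."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                    struct.pack("ii", 1, seconds))
    sock.close()


def demo(peer_closes_promptly, ini_value="500"):
    """Run one close over a socketpair with the peer in a thread.
    Returns True when the peer's FIN was seen before the configured wait."""
    ours, theirs = socket.socketpair()

    def peer():
        while theirs.recv(4096):       # read until our FIN arrives
            pass
        if not peer_closes_promptly:
            time.sleep(1.0)            # slow peer: outlasts a 500 ms wait
        theirs.close()

    t = threading.Thread(target=peer, daemon=True)
    t.start()
    wait = parse_close_negotiate(ini_value)
    if wait is None:                   # no|disabled|0: linger path, no handshake
        linger_close(ours, 2)
        seen = False
    else:
        seen = negotiated_close(ours, wait)
    t.join()
    return seen


if __name__ == "__main__":
    print("prompt peer:", demo(True))
    print("slow peer:  ", demo(False))
```

Run as a script, the prompt peer reports True and the slow peer reports False after the 500 ms wait; in the second case steps 3 and 4 still run, so the descriptor is released even though the handshake never completed. Note that the "-1" mapping produces a blocking recv with no deadline, which is exactly why the documentation advises against it.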