Use this page to set options for encryption and for authentication of online entities.
- Accept all clients
- Click this to allow all clients to communicate with the server without being checked for an SSL certificate.
- Request client certificate, and verify if present
- Click this to request the client for a certificate, and to verify the returned certificate. If the client does not return
a certificate, communication continues between the client and server. If a certificate is returned and it fails to verify,
communication stops.
If you check this, you must specify the CA root certificates file below.
- Require client certificate and verify
- Click this to always require a client certificate and to verify it. This ensures that the client is trusted. If a certificate
is not returned or it cannot be verified, communication between the client and server is stopped.
If you check this, you must specify the CA root certificates file below.
- CA root certificates file
- This field is mandatory if you have chosen to request or require a client certificate.
Specify the path and filename of the file containing root and intermediate certificates of CAs that you trust. This file
must contain the root certificate of the CA that signed the client certificate, and also any intermediate CA certificates
that are used in the client certificate chain and are not provided by the client. For example, if you want to use client certificates
signed by Demo CA, you could set this to:
DemoCA-dir/entities/CAs/EC_CAcollection.pem
where
DemoCA-dir is the absolute path of the directory you specified to Demo CA when creating certificates and keys.
Note: Visual COBOL supports DER, CER, PKCS#7, PKCS#8, PKCS#12 and PEM certificate file formats and PKCS#8, PKCS#12 and PEM for key file formats.
- TLS honor server cipher list
- By default, the
TLS honor server cipher list is checked. This forces clients to use the protocols and cipher suites specified in order of their priority.
Note: If the
TLS protocols and
Cipher suites list are not specified then it uses the default. See
Configuring a TLS Protocols List
and
Configuring a Cipher Suites List
for more information.
- TLS protocols
- Specifies the list of TLS protocols to be used in order of precedence listed.
Valid protocols are SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, and TLS1.4, where TLS1.4 is a placeholder to enable support
for future versions. By default, only the TLS protocols are enabled. Each specified protocol is preceded by one of the following
operators:
- !
- Exclude. Permanently exclude the protocol and ignore any subsequent attempt to add the protocol back in.
- +
- Add. Add the protocol to the existing collection.
- -
- Delete. Delete the protocol from the existing collection.
Note: You can use the special option ALL to specify all of the supported protocols. Use -ALL to empty the default options list followed
by the new options you require.
You must use @SECLEVEL=0 for TLS 1.1 and earlier. See
Security Levels for more information.
For example, to only use TLS1.1 and TLS1.2, type the following:
-ALL+TLS1.1+TLS1.2
- Cipher suites
- Specifies the priority of cipher suites to be used.
The cipher suite priority is formed using a combination of keywords and keyword modifiers for a space-separated string:
- !
- Exclude. Permanently exclude the cipher suite and ignore any subsequent attempt to add the cipher suite back in.
- +
- Add. Add the cipher suite to the end of the collection.
- -
- Delete. Delete the cipher suite from the existing collection.
By default, the following cipher suite list is used:
kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM +3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP
To determine the cipher suites supported by your version of OpenSSL, type the following from a command prompt:
openssl ciphers -v 'ALL:COMPLEMENTOFALL'
- DH minimum group size
- Specifies the size in bits of the modulus length of the Diffie-Hellman group.
Note: Micro Focus recommends a minimum modulus size of 2048 bits.
- Key Exchange Cipher Groups
- Specifies the Elliptic Curve Cryptograph (ECC) curve collection to be used. By default, the collection used is:
secp521r1;secp384r1;prime256v1;secp256k1;secp224r1;secp224k1;prime192v1
See
Configuring a Cipher Suites List and
Security Levels for more information.
For additional information on cipher suite configuration please refer to the OpenSSL documentation,
click here.