DataSource for C SDK
8.0.3.290770-7760911e
|
The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet, and offers a greater level of protection than standard HTTP transmission.
DataSource is capable of communicating with its peers over SSL, providing an encrypted channel over which the data sources can publish their data.
SSL certificates can be configured at either or both client and server ends of the channel - DataSource is said to be operating in server mode when requesting information and in client mode when receiving information.
To configure DataSource for SSL when in server mode, use the datasrc-sslport
option to select the network port to listen for SSL connections from DataSource peers.
It is possible for DataSource to accept both SSL and non-SSL connections on different ports. Non-SSL connections should be configured using the datasrc-port
option.
To configure DataSource for SSL when in client mode, use the ssl option in the add-peer entry for the DataSource peer that acts as server.
Note: There is no failback to non-SSL operation should the SSL connection fail to be established.
To configure DataSource for SSL at both client and server ends of the channel, use the start-ssl
group. This group is needed in the configuration file of both client and server applications.
OpenSSL has built-in support for cryptographic acceleration. In newer versions of OpenSSL (versions of 0.9.6 that include the name engine in the version) an application can get a reference to a specific representation, often a hardware device. These representations are referred to as Engines.
These following configuration options are set by editing the ssl-engine-id
and ssl-engine-flags
configuration options.
Type: String Array
Default: None
DataSource Server certificate to accept
Type: Boolean
Default: FALSE
SSL enable SSL
Type: Integer
Default: 0
SSL port
Type: String
Deprecated: Yes
Default: None
Use datasrc-ssl-present-certificate
Type: String
Default: None
Certificate presented to remote peers
Type: String
Default: None
file containing the password for the private key
Type: String
Default: None
private key file for the certificate
Type: String
Default: TLSv1.2+ECDHE+AESGCM:TLSv1.2+ECDHE+AESCCM:TLSv1.2+ECDHE+CHACHA20:TLSv1.2+DHE+AESGCM:TLSv1.2+DHE+AESCCM:TLSv1.2+DHE+CHACHA20
optional list of ciphers to use (TLSv1.2 and below)
Type: String
Default: None
optional suite of ciphers to use
Type: Long integer
Default: 1442840704
Acceptable Values:
Name | Value | Desc |
---|---|---|
SSL_OP_ALL | 2147485776 | |
SSL_OP_LEGACY_SERVER_CONNECT | 4 | |
SSL_OP_TLSEXT_PADDING | 16 | |
SSL_OP_SAFARI_ECDHE_ECDSA_BUG | 64 | |
SSL_OP_ALLOW_NO_DHE_KEX | 1024 | |
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS | 2048 | |
SSL_OP_NO_QUERY_MTU | 4096 | |
SSL_OP_COOKIE_EXCHANGE | 8192 | |
SSL_OP_NO_TICKET | 16384 | |
SSL_OP_CISCO_ANYCONNECT | 32768 | |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | 65536 | |
SSL_OP_NO_COMPRESSION | 131072 | |
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION | 262144 | |
SSL_OP_NO_ENCRYPT_THEN_MAC | 524288 | |
SSL_OP_ENABLE_MIDDLEBOX_COMPAT | 1048576 | |
SSL_OP_PRIORITIZE_CHACHA | 2097152 | |
SSL_OP_CIPHER_SERVER_PREFERENCE | 4194304 | |
SSL_OP_TLS_ROLLBACK_BUG | 8388608 | |
SSL_OP_NO_ANTI_REPLAY | 16777216 | |
SSL_OP_NO_SSLv3 | 33554432 | |
SSL_OP_NO_TLSv1 | 67108864 | |
SSL_OP_NO_TLSv1_2 | 134217728 | |
SSL_OP_NO_TLSv1_1 | 268435456 | |
SSL_OP_NO_TLSv1_3 | 536870912 | |
SSL_OP_NO_DTLSv1 | 67108864 | |
SSL_OP_NO_DTLSv1_2 | 134217728 | |
SSL_OP_NO_RENEGOTIATION | 1073741824 | |
SSL_OP_CRYPTOPRO_TLSEXT_BUG | 2147483648 | |
SSL_OP_MICROSOFT_SESS_ID_BUG | 0 | |
SSL_OP_NETSCAPE_CHALLENGE_BUG | 0 | |
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG | 0 | |
SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG | 0 | |
SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | 0 | |
SSL_OP_MSIE_SSLV2_RSA_PADDING | 0 | |
SSL_OP_SSLEAY_080_CLIENT_DH_BUG | 0 | |
SSL_OP_TLS_D5_BUG | 0 | |
SSL_OP_TLS_BLOCK_PADDING_BUG | 0 | |
SSL_OP_SINGLE_ECDH_USE | 0 | |
SSL_OP_SINGLE_DH_USE | 0 | |
SSL_OP_EPHEMERAL_RSA | 0 | |
SSL_OP_NO_SSLv2 | 0 | |
SSL_OP_PKCS1_CHECK_1 | 0 | |
SSL_OP_PKCS1_CHECK_2 | 0 | |
SSL_OP_NETSCAPE_CA_DN_BUG | 0 | |
SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG | 0 |
optional list of SSL options to use
Type: Boolean
Default: FALSE
Enables SSL connection negotiation debugging.
Type: Function
Default: None
Configures the seeding of the OpenSSL random number generator, which Caplin Liberator uses for session IDs and HTTPS and DataSource SSL connections.
The parameters for this option are:
Name | Description |
type | Type of random number generation. Must be one of the following: builtin This takes no arguments and uses various system commands to produce random output. file Uses the data in the file to seed the random number generator. exec Uses the output of the command to seed the random number generator. |
arg1 | If type is file, this is a filename (relative to the root directory).<br If type is exec, this is a command (relative to the root directory) |
arg2 | If type is file, this specifies how many bytes of the file to use. If type if exec, thisspecifies how many bytes of the output to use. |
Examples:
ssl-random-seed builtin ssl-random-seed file etc/randomdata ssl-random-seed file etc/randomdata 1024 ssl-random-seed exec etc/random.sh ssl-random-seed exec etc/random.sh 512
Type: String
Default: None
This option configures the SSL hardware or software engine to support. The available engines are listed in the table below:
ssl-engine-id option | Engine |
---|---|
openssl | The engine uses the normal built-in software functions (this is the default) |
rdrand | Intel RDRAND engine |
dynamic | Dynamic engine loading support |
Type: String
Default: all
This option affects the flags passed to the engine implementation.
The flags in the table below may be ORed together using the "|" operator to represent multiple flags: for example "dsa|rsa" equates to using only DSA and RSA operations
Flag | Description |
dh | Limit engine usage to only DH operations |
dsa | Limit engine usage to only DSA operations |
rand | Limit engine usage to only random operations |
rsa | Limit engine usage to only RSA operations |
all | Allow OpenSSL to use any of the above implementations |
Type: String
Default: None
The OpenSSL config name to load (default=system default)