DataSource for C SDK  8.0.3.290770-7760911e
Configuration: SSL

The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet, and offers a greater level of protection than standard HTTP transmission.

DataSource is capable of communicating with its peers over SSL, providing an encrypted channel over which the data sources can publish their data.

Making an SSL Connection

SSL certificates can be configured at either or both client and server ends of the channel - DataSource is said to be operating in server mode when requesting information and in client mode when receiving information.

Server mode only configuration

To configure DataSource for SSL when in server mode, use the datasrc-sslport option to select the network port to listen for SSL connections from DataSource peers.

It is possible for DataSource to accept both SSL and non-SSL connections on different ports. Non-SSL connections should be configured using the datasrc-port option.

Client mode only configuration

To configure DataSource for SSL when in client mode, use the ssl option in the add-peer entry for the DataSource peer that acts as server.

Note: There is no failback to non-SSL operation should the SSL connection fail to be established.

Server and client mode configuration

To configure DataSource for SSL at both client and server ends of the channel, use the start-ssl group. This group is needed in the configuration file of both client and server applications.

Configuring hardware devices

OpenSSL has built-in support for cryptographic acceleration. In newer versions of OpenSSL (versions of 0.9.6 that include the name engine in the version) an application can get a reference to a specific representation, often a hardware device. These representations are referred to as Engines.

These following configuration options are set by editing the ssl-engine-id and ssl-engine-flags configuration options.


datasrc-ssl-accept-certificate

Type: String Array
Default: None

DataSource Server certificate to accept


datasrc-ssl-enable

Type: Boolean
Default: FALSE

SSL enable SSL


datasrc-ssl-port

Type: Integer
Default: 0

SSL port


datasrc-ssl-certificate

Type: String
Deprecated: Yes
Default: None

Use datasrc-ssl-present-certificate


datasrc-ssl-present-certificate

Type: String
Default: None

Certificate presented to remote peers


datasrc-ssl-passwordfile

Type: String
Default: None

file containing the password for the private key


datasrc-ssl-privatekey

Type: String
Default: None

private key file for the certificate


datasrc-ssl-cipherlist

Type: String
Default: TLSv1.2+ECDHE+AESGCM:TLSv1.2+ECDHE+AESCCM:TLSv1.2+ECDHE+CHACHA20:TLSv1.2+DHE+AESGCM:TLSv1.2+DHE+AESCCM:TLSv1.2+DHE+CHACHA20

optional list of ciphers to use (TLSv1.2 and below)


datasrc-ssl-ciphersuites

Type: String
Default: None

optional suite of ciphers to use


datasrc-ssl-ssloptions

Type: Long integer
Default: 1442840704
Acceptable Values:

NameValueDesc
SSL_OP_ALL2147485776
SSL_OP_LEGACY_SERVER_CONNECT4
SSL_OP_TLSEXT_PADDING16
SSL_OP_SAFARI_ECDHE_ECDSA_BUG64
SSL_OP_ALLOW_NO_DHE_KEX1024
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS2048
SSL_OP_NO_QUERY_MTU4096
SSL_OP_COOKIE_EXCHANGE8192
SSL_OP_NO_TICKET16384
SSL_OP_CISCO_ANYCONNECT32768
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION65536
SSL_OP_NO_COMPRESSION131072
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION262144
SSL_OP_NO_ENCRYPT_THEN_MAC524288
SSL_OP_ENABLE_MIDDLEBOX_COMPAT1048576
SSL_OP_PRIORITIZE_CHACHA2097152
SSL_OP_CIPHER_SERVER_PREFERENCE4194304
SSL_OP_TLS_ROLLBACK_BUG8388608
SSL_OP_NO_ANTI_REPLAY16777216
SSL_OP_NO_SSLv333554432
SSL_OP_NO_TLSv167108864
SSL_OP_NO_TLSv1_2134217728
SSL_OP_NO_TLSv1_1268435456
SSL_OP_NO_TLSv1_3536870912
SSL_OP_NO_DTLSv167108864
SSL_OP_NO_DTLSv1_2134217728
SSL_OP_NO_RENEGOTIATION1073741824
SSL_OP_CRYPTOPRO_TLSEXT_BUG2147483648
SSL_OP_MICROSOFT_SESS_ID_BUG0
SSL_OP_NETSCAPE_CHALLENGE_BUG0
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG0
SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG0
SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER0
SSL_OP_MSIE_SSLV2_RSA_PADDING0
SSL_OP_SSLEAY_080_CLIENT_DH_BUG0
SSL_OP_TLS_D5_BUG0
SSL_OP_TLS_BLOCK_PADDING_BUG0
SSL_OP_SINGLE_ECDH_USE0
SSL_OP_SINGLE_DH_USE0
SSL_OP_EPHEMERAL_RSA0
SSL_OP_NO_SSLv20
SSL_OP_PKCS1_CHECK_10
SSL_OP_PKCS1_CHECK_20
SSL_OP_NETSCAPE_CA_DN_BUG0
SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG0

optional list of SSL options to use


ssl-debug

Type: Boolean
Default: FALSE

Enables SSL connection negotiation debugging.


ssl-random-seed

Type: Function
Default: None

Configures the seeding of the OpenSSL random number generator, which Caplin Liberator uses for session IDs and HTTPS and DataSource SSL connections.

The parameters for this option are:

Name
Description
type
Type of random number generation. Must be one of the following:

builtin This takes no arguments and uses various system commands to produce random output.
file Uses the data in the file to seed the random number generator.
exec Uses the output of the command to seed the random number generator.
arg1
If type is file, this is a filename (relative to the root directory).<br

If type is exec, this is a command (relative to the root directory)
arg2
If type is file, this specifies how many bytes of the file to use.
If type if exec, thisspecifies how many bytes of the output to use.

Examples:

ssl-random-seed builtin
ssl-random-seed file etc/randomdata
ssl-random-seed file etc/randomdata 1024
ssl-random-seed exec etc/random.sh
ssl-random-seed exec etc/random.sh 512
Note
On Linux OpenSSL is seeded by a hardware device so using ssl-randomseed may be unnecessary.

ssl-engine-id

Type: String
Default: None

This option configures the SSL hardware or software engine to support. The available engines are listed in the table below:

ssl-engine-id optionEngine
opensslThe engine uses the normal built-in software functions (this is the default)
rdrandIntel RDRAND engine
dynamicDynamic engine loading support

ssl-engine-flags

Type: String
Default: all

This option affects the flags passed to the engine implementation.

The flags in the table below may be ORed together using the "|" operator to represent multiple flags: for example "dsa|rsa" equates to using only DSA and RSA operations

Flag Description
dh Limit engine usage to only DH operations
dsa Limit engine usage to only DSA operations
rand Limit engine usage to only random operations
rsa Limit engine usage to only RSA operations
all Allow OpenSSL to use any of the above implementations

ssl-config-name

Type: String
Default: None

The OpenSSL config name to load (default=system default)



Generated on Wed Jul 31 2024 16:32:49 for DataSource for C SDK