Transformer SDK For C
6.2.11.309924
|
The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet, and offers a greater level of protection than standard HTTP transmission.
DataSource is capable of communicating with its peers over SSL, providing an encrypted channel over which the data sources can publish their data.
SSL certificates can be configured at either or both client and server ends of the channel - DataSource is said to be operating in server mode when requesting information and in client mode when receiving information.
To configure DataSource for SSL when in server mode, use the datasrc-sslport
option to select the network port to listen for SSL connections from DataSource peers.
It is possible for DataSource to accept both SSL and non-SSL connections on different ports. Non-SSL connections should be configured using the datasrc-port
option.
To configure DataSource for SSL when in client mode, use the ssl option in the add-peer entry for the DataSource peer that acts as server.
Note: There is no failback to non-SSL operation should the SSL connection fail to be established.
To configure DataSource for SSL at both client and server ends of the channel, use the start-ssl
group. This group is needed in the configuration file of both client and server applications.
OpenSSL has built-in support for cryptographic acceleration. In newer versions of OpenSSL (versions of 0.9.6 that include the name engine in the version) an application can get a reference to a specific representation, often a hardware device. These representations are referred to as Engines.
These following configuration options are set by editing the ssl-engine-id
and ssl-engine-flags
configuration options.
datasrc-ssl-enable
Type: Boolean
Default: FALSE
datasrc-ssl-port
Type: Integer
Default: 0
datasrc-ssl-certificate
Type: String
Default: None
datasrc-ssl-passwordfile
Type: String
Default: None
file containing the password for the private key
datasrc-ssl-privatekey
Type: String
Default: None
private key file for the certificate
datasrc-ssl-cipherlist
Type: String
Default: None
optional list of ciphers to use
datasrc-ssl-ssloptions
Type: Integer
Default: 16777216
Acceptable Values:
Name | Value | Desc |
---|---|---|
SSL_OP_ALL | -2147483648 | |
SSL_OP_NO_SSLv2 | 16777216 | |
SSL_OP_NO_SSLv3 | 33554432 | |
SSL_OP_NO_TLSv1 | 67108864 | |
SSL_OP_NO_TLSv1_2 | 134217728 | |
SSL_OP_NO_TLSv1_1 | 268435456 | |
SSL_OP_NO_DTLSv1 | 67108864 | |
SSL_OP_NO_DTLSv1_2 | 134217728 |
optional list of SSL options to use
ssl-debug
Type: Boolean
Default: FALSE
Enables SSL connection negotiation debugging.
ssl-random-seed
Type: Function
Default: None
Configures the seeding of the OpenSSL random number generator, which Caplin Liberator uses for session IDs and HTTPS and DataSource SSL connections.
The parameters for this option are:
Name | Description |
type | Type of random number generation. Must be one of the following: builtin This takes no arguments and uses various system commands to produce random output. file Uses the data in the file to seed the random number generator. exec Uses the output of the command to seed the random number generator. |
arg1 | If type is file, this is a filename (relative to the root directory).<br If type is exec, this is a command (relative to the root directory) |
arg2 | If type is file, this specifies how many bytes of the file to use. If type if exec, thisspecifies how many bytes of the output to use. |
Examples:
ssl-random-seed builtin ssl-random-seed file etc/randomdata ssl-random-seed file etc/randomdata 1024 ssl-random-seed exec etc/random.sh ssl-random-seed exec etc/random.sh 512
ssl-engine-id
Type: String
Default: None
This option configures the SSL hardware or software engine to support. The available engines are listed in the table below:
ssl-engine-id option | Engine |
openssl | The engine uses the normal built-in software functions (this is the default) |
openbsd_dev_crypto | On OpenBSD, this engine will use the kernel level cryptography built into the OS. |
aep | Uses the Aep acceleration hardware |
atalla | Uses the Compaq Atalla acceleration hardware |
chil | Uses the nCipher CHIL acceleration hardware |
cswift | Uses the CryptoSwift acceleration hardware |
nuron | Uses the Nuron acceleration hardware |
ubsec | Uses the Broadcom uBSec acceleration hardware |
sureware | Uses the SureWare acceleration hardware |
ssl-engine-flags
Type: String
Default: all
This option affects the flags passed to the engine implementation.
The flags in the table below may be ORed together using the "|" operator to represent multiple flags: for example "dsa|rsa" equates to using only DSA and RSA operations
Flag | Description |
dh | Limit engine usage to only DH operations |
dsa | Limit engine usage to only DSA operations |
rand | Limit engine usage to only random operations |
rsa | Limit engine usage to only RSA operations |
all | Allow OpenSSL to use any of the above implementations |
ssl-config-name
Type: String
Default: None
The OpenSSL config name to load (default=system default)