tfSslSetSessionOptions


Table of Contents >> SSL Programmer's Reference


#include <trsocket.h>


int tfSslSetSessionOptions (
int sessionId,
int optionName,
int optionValue
);


Function Description

This function sets session options at run-time.


Parameters

  • sessionId
    The SSL session on which to set the option.
  • optionName
    The option to change; valid values are:
TM_SSL_OPTNAM_CLIENTAUTH
This option enables client authentication on an SSL server session. It takes effect only if the session is bound to an SSL server socket, in which case, upon receiving the ClientHello message, the SSL server sends a CertificateRequest message along with its own Certificate, ServerHello and ServerHelloDone messages, so the client must present a certificate during the handshake.
TM_SSL_OPTNAM_SERVERPROP
This option gives the SSL server control over which cipher suite is negotiated. If this option is not set on an SSL server session, then upon receiving a ClientHello message the SSL server simply chooses the first cipher suite in the client's list that the server SUPPORTS, so the client's ordering decides. If this option is enabled on an SSL server session, the SSL server instead walks its own session proposal list in order and chooses the first suite that the client also proposed (the first MATCHED suite). A cipher suite proposed by the client that is not in the SSL server session's proposal list is never chosen, even if the SSL server supports it, so a client cannot steer the session toward a weaker suite the server merely supports. See tfSslSetSessionProposals() and tfSslNewSession() for more details.
TM_SSL_OPTNAM_NO_SEND_EMPTY_FRAG
This option specifies whether Treck sends a 0-byte record or a 1-byte record at the beginning of a session in order to mitigate the CBC IV attack described at http://www.openssl.org/~bodo/tls-cbc.txt. In SSL 3.0 and TLS 1.0 the IV of a CBC record is the last ciphertext block of the previous record, so an attacker who can influence the plaintext can predict it; sending a throw-away first record makes the IV of the real data unpredictable. If this option is disabled (default), Treck sends a 0-byte record at the beginning of the session. Since this may cause compatibility issues with some SSL implementations (notably Microsoft Internet Explorer), the user may enable this option, forcing Treck to send a 1-byte record instead. The attack only applies to CBC cipher suites under SSL 3.0 and TLS 1.0; TLS 1.1 and later carry an explicit per-record IV.
TM_SSL_OPTNAM_C_DNY_RENEG
When non-zero, this option prevents the Treck SSL client from renegotiating.
TM_SSL_OPTNAM_S_DNY_RENEG
When non-zero, this option prevents the Treck SSL server from renegotiating.
TM_SSL_OPTNAM_C_SEND_RI_EXT
This option enables (default) or disables the sending of the renegotiation_info extension (RFC 5746) by Treck's SSL client. This option requires TM_SSL_DISABLE_CLIENT_SEC_RENEG to not be defined in trsystem.h.
TM_SSL_OPTNAM_C_ALW_LEG_SERVERS
This option controls whether Treck's SSL client will negotiate at all with insecure/legacy/unupgraded SSL servers, i.e. servers that do not support secure renegotiation as defined in RFC 5746. It is disabled by default, so such servers are rejected. This option requires TM_SSL_DISABLE_CLIENT_SEC_RENEG to not be defined in trsystem.h.
TM_SSL_OPTNAM_C_ALW_LEG_RENEG
This option controls whether Treck's SSL client will renegotiate with insecure/legacy/unupgraded SSL servers (as defined in RFC 5746); the initial handshake is not affected by this option. It is disabled by default. This option requires TM_SSL_DISABLE_CLIENT_SEC_RENEG to not be defined in trsystem.h.
TM_SSL_OPTNAM_S_ALW_LEG_CLIENTS
This option controls whether Treck's SSL server will negotiate at all with insecure/legacy/unupgraded SSL clients, i.e. clients that do not support secure renegotiation as defined in RFC 5746. It is disabled by default, so such clients are rejected. This option requires TM_SSL_DISABLE_SERVER_SEC_RENEG to not be defined in trsystem.h.
TM_SSL_OPTNAM_S_ALW_LEG_RENEG
This option controls whether Treck's SSL server will renegotiate with insecure/legacy/unupgraded SSL clients (as defined in RFC 5746); the initial handshake is not affected by this option. It is disabled by default. This option requires TM_SSL_DISABLE_SERVER_SEC_RENEG to not be defined in trsystem.h.
TM_SSL_OPTNAM_S_NO_RSA_CVER_CHK
This option addresses RFC 5246, section 7.4.7.1, which defines how a server must process an RSA-encrypted pre-master secret, including comparing the version bytes inside it with the client_version received in the ClientHello. Setting this option causes a Treck SSL server to skip that version check for SSL 3.0 and TLS 1.0 clients and accept the pre-master secret as received; some older clients put the negotiated version rather than ClientHello.client_version into the pre-master secret and otherwise fail to interoperate. Skipping the check removes the version-rollback detection it provides and is a security risk; do so only if necessary. This option is disabled by default.
TM_SSL_OPTNAM_SNI_NACK
Specify how the server should respond if it does not recognize the name in the Server Name Indication (SNI) extension (RFC 6066): 0 (zero) to continue the TLS/SSL handshake without sending an SNI response, or non-zero to terminate the handshake with a fatal alert. Zero is the default setting. (TLS server option.)
TM_SSL_OPTNAM_SNI_CN_ALWAYS
Specify a non-zero value to always check the Subject CommonName of the server's certificate when verifying the name in a Server Name Indication (SNI) extension (RFC 6066). Specify zero for the default—check only if the certificate has no SubjectAltName extension. (TLS server option.)
TM_SSL_OPTNAM_SNI_CN_NEVER
Specify a non-zero value to never check the Subject CommonName of the server's certificate when verifying the name in a Server Name Indication (SNI) extension (RFC 6066). Specify zero for the default—check only if the certificate has no SubjectAltName extension. (TLS server option.)
  • optionValue
    Any non-zero value will enable the option specified by optionName, a zero value will disable it.
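
Worked example of the two selection rules that TM_SSL_OPTNAM_SERVERPROP switches between. This is an added illustration, not Treck code: the supported set, the session proposal list and the two ClientHello suite lists are constructed here, and select_cipher_suite() stands in for the server's selection step. It shows why the default is a downgrade risk: a ClientHello ordered weakest-first gets the NULL-cipher suite the server happens to support, while with server preference the same ClientHello gets AES-256, and a client offering only a suite outside the proposal list gets nothing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* IANA cipher suite code points as they appear on the wire. */
#define TLS_RSA_WITH_NULL_SHA          0x0002
#define TLS_RSA_WITH_RC4_128_SHA       0x0005
#define TLS_RSA_WITH_3DES_EDE_CBC_SHA  0x000A
#define TLS_RSA_WITH_AES_128_CBC_SHA   0x002F
#define TLS_RSA_WITH_AES_256_CBC_SHA   0x0035

#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Everything this toy server implements (the page's "SUPPORTED" set).
 * Assumed contents for the illustration. */
static const uint16_t server_supported[] = {
    TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA,
    TLS_RSA_WITH_NULL_SHA,
};

/* The session's own proposal list, strongest first (on a real Treck session
 * this is what tfSslSetSessionProposals() would install). Assumed contents. */
static const uint16_t server_proposals[] = {
    TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
};

/* Constructed ClientHello suite lists. The first is ordered weakest first,
 * as a downgrading middlebox or a badly configured client would send it. */
const uint16_t example_client_hello[] = {
    TLS_RSA_WITH_NULL_SHA, TLS_RSA_WITH_RC4_128_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
};
const uint16_t rc4_only_client[] = { TLS_RSA_WITH_RC4_128_SHA };

static int list_contains(const uint16_t *list, size_t n, uint16_t suite)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (list[i] == suite)
            return 1;
    return 0;
}

/* Pick the suite for the ServerHello. Returns 0 when nothing acceptable was
 * offered (a real server then aborts with a handshake_failure alert). */
uint16_t select_cipher_suite(const uint16_t *client, size_t nclient, int server_prop)
{
    size_t i;
    if (!server_prop) {
        /* Default: walk the ClientHello in the CLIENT's order and take the
         * first suite the server supports at all; the client's order decides. */
        for (i = 0; i < nclient; i++)
            if (list_contains(server_supported, N(server_supported), client[i]))
                return client[i];
        return 0;
    }
    /* SERVERPROP: walk the SERVER's proposal list in the server's order and
     * take the first suite the client also offered. A suite outside the
     * proposal list is never chosen even though the server supports it. */
    for (i = 0; i < N(server_proposals); i++)
        if (list_contains(client, nclient, server_proposals[i]))
            return server_proposals[i];
    return 0;
}

int main(void)
{
    printf("default    -> 0x%04x\n",
           select_cipher_suite(example_client_hello, N(example_client_hello), 0));
    printf("SERVERPROP -> 0x%04x\n",
           select_cipher_suite(example_client_hello, N(example_client_hello), 1));
    printf("RC4-only client, SERVERPROP -> 0x%04x (no suite)\n",
           select_cipher_suite(rc4_only_client, N(rc4_only_client), 1));
    return 0;
}
```

On a real Treck server session the second rule corresponds to calling tfSslSetSessionOptions(sessionId, TM_SSL_OPTNAM_SERVERPROP, 1) after installing a proposal list with tfSslSetSessionProposals(); the proposal list, not the set of suites compiled into the stack, then bounds what a client can negotiate.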


Returns

  • TM_ENOERROR
    Success
  • TM_EINVAL
    Invalid optionName or invalid sessionId.
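
Worked example of the RFC 5246 section 7.4.7.1 procedure that TM_SSL_OPTNAM_S_NO_RSA_CVER_CHK relaxes. This is an added illustration, not Treck code: process_rsa_premaster() models a server's handling of an already RSA-decrypted pre-master secret, the no_cver_chk flag models the option set to non-zero, and the pre-master secrets and the random source are constructed here. The point a practitioner should take from it is that a mismatch is never reported to the peer: the secret is silently replaced and the handshake proceeds to fail at Finished, and even with the bypass enabled a TLS 1.1 or later client is still checked.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define PREMASTER_LEN 48
#define SSL_3_0 0x0300
#define TLS_1_0 0x0301
#define TLS_1_2 0x0303

enum pms_result { PMS_ACCEPTED = 1, PMS_REPLACED = 2 };

/* Toy random source for the illustration; a real server must use its CSPRNG. */
static void fill_random(uint8_t *buf, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        buf[i] = (uint8_t)rand();
}

/*
 * Handle the decrypted pre-master secret of an RSA key exchange.
 *   client_version: ClientHello.client_version as received.
 *   decrypted:      the 48 bytes recovered by RSA decryption, or NULL when
 *                   decryption or the PKCS#1 padding check failed.
 *   no_cver_chk:    models TM_SSL_OPTNAM_S_NO_RSA_CVER_CHK set to non-zero:
 *                   skip the version comparison for SSL 3.0 / TLS 1.0 clients.
 *   out:            receives the 48-byte secret the handshake will actually use.
 * RFC 5246 7.4.7.1: the server never signals the failure. It substitutes
 * client_version || 46 random bytes and continues, so the handshake fails at
 * Finished and the peer learns nothing about the padding or version bytes
 * (Bleichenbacher and version-rollback countermeasure). A real implementation
 * must also keep both paths indistinguishable in timing.
 */
enum pms_result process_rsa_premaster(uint16_t client_version, const uint8_t *decrypted,
                                      int no_cver_chk, uint8_t out[PREMASTER_LEN])
{
    int accept = (decrypted != NULL);
    if (accept) {
        uint16_t pms_version = (uint16_t)((decrypted[0] << 8) | decrypted[1]);
        int skip_check = no_cver_chk &&
                         (client_version == SSL_3_0 || client_version == TLS_1_0);
        if (!skip_check && pms_version != client_version)
            accept = 0;   /* version mismatch: possible rollback attempt */
    }
    if (accept) {
        memcpy(out, decrypted, PREMASTER_LEN);
        return PMS_ACCEPTED;
    }
    out[0] = (uint8_t)(client_version >> 8);
    out[1] = (uint8_t)(client_version & 0xff);
    fill_random(out + 2, PREMASTER_LEN - 2);
    return PMS_REPLACED;
}

/* Build a constructed pre-master secret: version bytes plus a fixed pattern. */
static void make_premaster(uint16_t version, uint8_t pms[PREMASTER_LEN])
{
    size_t i;
    pms[0] = (uint8_t)(version >> 8);
    pms[1] = (uint8_t)(version & 0xff);
    for (i = 2; i < PREMASTER_LEN; i++)
        pms[i] = (uint8_t)i;
}

/* Scenario wrapper: pms_version == 0 models a failed RSA decryption (NULL). */
int rsa_pms_outcome(uint16_t client_version, uint16_t pms_version, int no_cver_chk)
{
    uint8_t pms[PREMASTER_LEN], out[PREMASTER_LEN];
    if (pms_version == 0)
        return process_rsa_premaster(client_version, NULL, no_cver_chk, out);
    make_premaster(pms_version, pms);
    return process_rsa_premaster(client_version, pms, no_cver_chk, out);
}

int main(void)
{
    printf("TLS 1.2 client, matching version:        %d\n", rsa_pms_outcome(TLS_1_2, TLS_1_2, 0));
    printf("TLS 1.2 client, pms says TLS 1.0, bypass: %d\n", rsa_pms_outcome(TLS_1_2, TLS_1_0, 1));
    printf("TLS 1.0 client, pms says SSL 3.0:         %d\n", rsa_pms_outcome(TLS_1_0, SSL_3_0, 0));
    printf("same, with S_NO_RSA_CVER_CHK enabled:     %d\n", rsa_pms_outcome(TLS_1_0, SSL_3_0, 1));
    return 0;
}
```

The third scenario is the interoperability case the option exists for: an old TLS 1.0 client that wrote the negotiated version into the pre-master secret is rejected by default and accepted only with the bypass. Enable it per session, only for deployments that must talk to such clients, and leave it off everywhere else.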

