tfSslSetSessionOptions
#include <trsocket.h>

int tfSslSetSessionOptions (
    int sessionId,
    int optionName,
    int optionValue
);
Function Description
This function sets session options at run-time.
Parameters
- sessionId
- The session on which the options are set.
- optionName
- The option to change. Valid values are:
- TM_SSL_OPTNAM_CLIENTAUTH
- This option enables client authentication on an SSL server session. It takes effect only if the session is bound to an SSL server socket, in which case, upon receiving the ClientHello message, the SSL server sends back a CertificateRequest message along with its own Certificate, ServerHello and ServerHelloDone messages.
- TM_SSL_OPTNAM_SERVERPROP
- This option gives the SSL server more control over which cipher suite is used. If this option is not enabled on an SSL server session, then upon receiving a ClientHello message the SSL server simply chooses the first cipher suite in the client's list that it supports. If this option is enabled on an SSL server session, the SSL server instead chooses the first cipher suite in its own session proposal list that the client also proposed. A cipher suite proposed by the client but absent from the SSL server session's proposal list will not be chosen, even if the SSL server supports it. See tfSslSetSessionProposals() and tfSslNewSession() for more details.
- TM_SSL_OPTNAM_NO_SEND_EMPTY_FRAG
- This option specifies whether Treck sends a 0-byte record or a 1-byte record at the beginning of a session in order to mitigate the CBC IV attack described here: http://www.openssl.org/~bodo/tls-cbc.txt. If this option is disabled (the default), Treck sends a 0-byte record at the beginning of the session. Since this may cause compatibility issues with some SSL implementations (notably Microsoft Internet Explorer), the user may enable this option, forcing Treck to send a 1-byte record instead.
- TM_SSL_OPTNAM_C_DNY_RENEG
- When non-zero, this option prevents the Treck SSL client from renegotiating.
- TM_SSL_OPTNAM_S_DNY_RENEG
- When non-zero, this option prevents the Treck SSL server from renegotiating.
- TM_SSL_OPTNAM_C_SEND_RI_EXT
- This option enables (default) or disables the sending of the renegotiation information extension by Treck's SSL client. This option requires TM_SSL_DISABLE_CLIENT_SEC_RENEG to not be defined in trsystem.h.
- TM_SSL_OPTNAM_C_ALW_LEG_SERVERS
- This option enables or disables (default) negotiation by Treck's SSL client with insecure/legacy/unupgraded SSL servers (as defined in RFC 5746). This option requires TM_SSL_DISABLE_CLIENT_SEC_RENEG to not be defined in trsystem.h.
- TM_SSL_OPTNAM_C_ALW_LEG_RENEG
- This option enables or disables (default) renegotiation by Treck's SSL client with insecure/legacy/unupgraded SSL servers (as defined in RFC 5746); initial negotiations are still allowed. This option requires TM_SSL_DISABLE_CLIENT_SEC_RENEG to not be defined in trsystem.h.
- TM_SSL_OPTNAM_S_ALW_LEG_CLIENTS
- This option enables or disables (default) negotiation by Treck's SSL server with insecure/legacy/unupgraded SSL clients (as defined in RFC 5746). This option requires TM_SSL_DISABLE_SERVER_SEC_RENEG to not be defined in trsystem.h.
- TM_SSL_OPTNAM_S_ALW_LEG_RENEG
- This option enables or disables (default) renegotiation by Treck's SSL server with insecure/legacy/unupgraded SSL clients (as defined in RFC 5746); initial negotiations are still allowed. This option requires TM_SSL_DISABLE_SERVER_SEC_RENEG to not be defined in trsystem.h.
- TM_SSL_OPTNAM_S_NO_RSA_CVER_CHK
- This option addresses RFC 5246, section 7.4.7.1, which defines a procedure for receiving an RSA-encrypted pre-master secret based on the SSL/TLS version. Setting this option causes a Treck SSL server to bypass the client version check for SSL 3.0 and TLS 1.0 clients and accept the pre-master secret as received. Avoiding the client version check is a security risk and should be done only if necessary. This option is disabled by default.
- TM_SSL_OPTNAM_SNI_NACK
- Specifies how a server should respond if it does not recognize the name in the Server Name Indication (SNI) extension (RFC 6066): 0 (zero) to continue the TLS/SSL handshake without sending an SNI response, or non-zero to terminate the handshake with a fatal alert. Zero is the default setting. (TLS server option.)
- TM_SSL_OPTNAM_SNI_CN_ALWAYS
- Specify a non-zero value to always check the Subject CommonName of the server's certificate when verifying the name in a Server Name Indication (SNI) extension (RFC 6066). Specify zero for the default—check only if the certificate has no SubjectAltName extension. (TLS server option.)
- TM_SSL_OPTNAM_SNI_CN_NEVER
- Specify a non-zero value to never check the Subject CommonName of the server's certificate when verifying the name in a Server Name Indication (SNI) extension (RFC 6066). Specify zero for the default—check only if the certificate has no SubjectAltName extension. (TLS server option.)
- optionValue
- Any non-zero value enables the option specified by optionName; a zero value disables it.
Returns
- TM_ENOERROR
- Success
- TM_EINVAL
- Invalid optionName or invalid sessionId.
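The following is an added example and is not Treck code. It shows one way a server application might apply an explicit, reviewable set of session options through tfSslSetSessionOptions() and fail closed if any call returns TM_EINVAL, rather than silently serving on a half-configured session. Real builds include <trsocket.h>; because that header is not available here, the block carries a constructed stand-in for the option constants (their numeric values are placeholders) and for the function itself, which only mirrors the return contract documented above. The helper hardenSslServerSession() and the profile table are assumptions of this example, not part of the Treck API.

```c
/* Added example, not Treck code. Applies a defensive option profile to an
 * SSL server session and refuses to continue if any option cannot be set.
 * In a real build, include <trsocket.h> and delete the stand-in section. */
#include <stddef.h>
#include <stdio.h>

/* --- Stand-in for <trsocket.h> (constructed; numeric values are placeholders) --- */
#define TM_ENOERROR 0
#define TM_EINVAL   22
enum {
    TM_SSL_OPTNAM_CLIENTAUTH = 1,
    TM_SSL_OPTNAM_SERVERPROP,
    TM_SSL_OPTNAM_S_DNY_RENEG,
    TM_SSL_OPTNAM_S_ALW_LEG_CLIENTS,
    TM_SSL_OPTNAM_S_ALW_LEG_RENEG,
    TM_SSL_OPTNAM_S_NO_RSA_CVER_CHK,
    TM_SSL_OPTNAM_SNI_NACK,
    EXAMPLE_OPTNAM_END_   /* sentinel for the stand-in only; not a Treck name */
};

/* Stand-in mirroring the documented contract: TM_EINVAL for an unknown
 * optionName or an invalid sessionId, TM_ENOERROR otherwise. */
static int tfSslSetSessionOptions(int sessionId, int optionName, int optionValue)
{
    (void)optionValue;
    if (sessionId < 0 ||
        optionName < TM_SSL_OPTNAM_CLIENTAUTH ||
        optionName >= EXAMPLE_OPTNAM_END_) {
        return TM_EINVAL;
    }
    return TM_ENOERROR;
}
/* --- end stand-in --- */

struct SslOption {
    int name;
    int value;
    const char *why;   /* intent, so a reviewer can audit the profile in one place */
};

/* Example server profile: every setting is stated explicitly instead of
 * relying on defaults, so a change of defaults in a later release is harmless. */
static const struct SslOption kServerHardening[] = {
    { TM_SSL_OPTNAM_CLIENTAUTH,        1, "request a client certificate" },
    { TM_SSL_OPTNAM_SERVERPROP,        1, "choose from the server's own proposal list" },
    { TM_SSL_OPTNAM_S_DNY_RENEG,       1, "refuse renegotiation entirely" },
    { TM_SSL_OPTNAM_S_ALW_LEG_CLIENTS, 0, "reject clients without RFC 5746 support" },
    { TM_SSL_OPTNAM_S_ALW_LEG_RENEG,   0, "never renegotiate with legacy clients" },
    { TM_SSL_OPTNAM_S_NO_RSA_CVER_CHK, 0, "keep the RFC 5246 7.4.7.1 version check" },
    { TM_SSL_OPTNAM_SNI_NACK,          1, "fatal alert on an unrecognized SNI name" },
};

/* Applies the profile in order. Returns the number of options applied, or -1
 * on the first failure; the caller must then not serve on this session. */
int hardenSslServerSession(int sessionId)
{
    size_t i;
    size_t n = sizeof kServerHardening / sizeof kServerHardening[0];
    for (i = 0; i < n; i++) {
        int rc = tfSslSetSessionOptions(sessionId,
                                        kServerHardening[i].name,
                                        kServerHardening[i].value);
        if (rc != TM_ENOERROR) {
            fprintf(stderr, "option %d (%s) failed with %d; session not hardened\n",
                    kServerHardening[i].name, kServerHardening[i].why, rc);
            return -1;
        }
    }
    return (int)n;
}

int main(void)
{
    int sessionId = 3;   /* constructed; in real code this comes from tfSslNewSession() */
    int applied = hardenSslServerSession(sessionId);
    if (applied < 0) {
        return 1;        /* fail closed: do not bind or accept on this session */
    }
    printf("applied %d session options\n", applied);
    return 0;
}
```

The profile is deliberately redundant: with TM_SSL_OPTNAM_S_DNY_RENEG set, the two legacy-renegotiation options never come into play, but stating them explicitly keeps the intended policy visible and robust to a future change of defaults. Checking every return value matters because TM_EINVAL is the only signal that a build without the corresponding trsystem.h support, or a wrong session id, left the option unset.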