Certificate Options
| Config | Type | Default | Description |
|---|---|---|---|
| c.certs.allowed | string | '' | The list of SHA1 fingerprints that are allowed. Each fingerprint is separated by a CR/LF ('\r\n'). A fingerprint line may be just a fingerprint, or may include a descriptive name, e.g. "collect.scannex.com=8e:52:81:63:7b:06:a6:d4:8b:ef:d1:0a:03:05:be:2d:54:0d:74:88" |
| c.certs.clients | integer | 0 | Whether to verify clients against the approved fingerprint list. 0=ignore, 1=verify. |
| c.certs.date | integer | 0 | Whether to check the date validity of server and client certificates. 0=ignore, 1=verify. |
| c.certs.ignorecerterrors | integer | 0 | (Optional) Whether to ignore errors while parsing and checking the signing of the certificate chain. These checks are performed before the fingerprint check. You SHOULD only include fingerprints for the device. #Firmware/v291 |
| c.certs.name | integer | 0 | Whether to check that the address matches the CN (Common Name) field of server certificates. 0=ignore, 1=verify. |
| c.certs.servers | integer | 0 | Whether to check server certificates against the approved list of fingerprints. 0=ignore, 1=verify. |
| c.certs.source | integer | 0 | (Optional) By default, source-side certificates (both client and server) are not validated, because some devices have weakly protected private keys and can be compromised. If you can trust the source as much as the destination, set this to "1" to apply the same checks to the source. #Firmware/v291 |
| c.certs.cbcsplit | integer | 1 | Whether to perform AES-CBC record splitting (1/n-1) for server operations. #Firmware/v293 |
| c.certs.ciphers | string | 'normal' | (Optional) Descriptor to restrict the cipher suites used by TLS/SSL for server operations. See User Manual. #Firmware/v280 |
| c.certs.keymin | integer | 1024 | (Optional) Minimum peer RSA key size: 512/1024/2048. #Firmware/v292 |
| c.certs.signhash | string | '' | (Optional) Override the signature hashes presented during TLS and allowed in the peer's TLS certificates. #Firmware/v292 |
| c.certs.sslmin | integer | 0 | (Optional) The minimum TLS/SSL version to accept for server operations. 0 = SSLv3; 1 = TLSv1.0; 2 = TLSv1.1; 3 = TLSv1.2. #Firmware/v291 |
| c.certs.sslmax | integer | 3 | (Optional) The maximum TLS/SSL version to accept for server operations. Same values as c.certs.sslmin. #Firmware/v291 |
| c.certs.client.cbcsplit | integer | 0 | Whether to perform AES-CBC record splitting (1/n-1) for client operations. #Firmware/v301 |
| c.certs.client.ciphers | string | '' | (Optional) Descriptor to restrict the cipher suites used by TLS/SSL for client operations. #Firmware/v301 |
| c.certs.client.keymin | integer | 1024 | (Optional) For client sockets: minimum peer RSA key size, 512/1024/2048. #Firmware/v301 |
| c.certs.client.signhash | string | '' | (Optional) For client sockets: override the signature hashes presented during TLS and allowed in the peer's TLS certificates. #Firmware/v301 |
| c.certs.client.sslmin | integer | 2 | (Optional) The minimum TLS/SSL version for client operations. (See c.certs.sslmin and c.certs.sslmax for values.) #Firmware/v301 |
| c.certs.client.sslmax | integer | 3 | (Optional) The maximum TLS/SSL version for client operations. (See c.certs.sslmin and c.certs.sslmax for values.) #Firmware/v301 |
| c.certs.src.cbcsplit | integer | 0 | Whether to perform AES-CBC record splitting (1/n-1) for source connections. #Firmware/v293 |
| c.certs.src.ciphers | string | '' | (Optional) Descriptor to restrict the cipher suites used by TLS/SSL for source connections. #Firmware/v292 |
| c.certs.src.keymin | integer | 512 | (Optional) For source sockets: minimum peer RSA key size, 512/1024/2048. #Firmware/v292 |
| c.certs.src.signhash | string | '' | (Optional) For source sockets: override the signature hashes presented during TLS and allowed in the peer's TLS certificates. #Firmware/v292 |
| c.certs.src.sslmin | integer | 0 | (Optional) The minimum TLS/SSL version to accept for source connections. (See c.certs.sslmin and c.certs.sslmax for values.) #Firmware/v293 |
| c.certs.src.sslmax | integer | 3 | (Optional) The maximum TLS/SSL version to accept for source connections. (See c.certs.sslmin and c.certs.sslmax for values.) #Firmware/v293 |
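The following is an added example, not Scannex firmware code: it models the `c.certs.allowed` fingerprint list format described above and the `c.certs.servers` gate in front of it, to show that with the default of 0 the list is never consulted. Assumptions not stated in the table: hex matching is case-insensitive, blank lines are skipped, and the optional `name=` prefix is descriptive only.

```python
import hashlib

# Added example (not the device's code). Assumptions beyond the table: case-insensitive
# hex, blank lines ignored, "name=" prefix is a label and is not matched against the peer.

SHA1_HEX_LEN = 40


def parse_allowed(allowed: str) -> dict:
    """Parse a c.certs.allowed value into {fingerprint: descriptive_name_or_None}.

    Lines are CR/LF separated; each is 'fp' or 'name=fp', where fp is 20
    colon-separated hex bytes (the SHA1 of the DER-encoded certificate).
    """
    entries = {}
    for raw in allowed.split("\r\n"):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines are skipped
        name, sep, fp = line.rpartition("=")
        fp = fp.strip().lower()
        octets = fp.split(":")
        try:
            ok = len(octets) == 20 and all(len(o) == 2 and int(o, 16) >= 0 for o in octets)
        except ValueError:  # non-hex characters in an octet
            ok = False
        if not ok:
            raise ValueError(f"malformed fingerprint line: {line!r}")
        entries[fp] = name.strip() if sep else None
    return entries


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated lowercase SHA1 over the DER-encoded certificate bytes."""
    hexd = hashlib.sha1(der).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, SHA1_HEX_LEN, 2))


def server_cert_accepted(der: bytes, cfg: dict) -> bool:
    """Mirror the c.certs.servers gate: default 0 means the list is never consulted and
    any certificate passes; 1 means the peer's SHA1 fingerprint must be on the list."""
    if int(cfg.get("c.certs.servers", 0)) != 1:
        return True
    return sha1_fingerprint(der) in parse_allowed(cfg.get("c.certs.allowed", ""))


# Constructed sample data (not real certificates): two fake DER blobs and a list
# that names the trusted one in the "name=fingerprint" form from the table.
TRUSTED_DER = b"constructed-der-bytes-for-trusted-peer"
ROGUE_DER = b"constructed-der-bytes-for-unknown-peer"
ALLOWED = ("collect.scannex.com=" + sha1_fingerprint(TRUSTED_DER) + "\r\n"
           + sha1_fingerprint(b"constructed-second-peer"))
```

Running `server_cert_accepted(ROGUE_DER, {})` returns True, which is the point: pinning only takes effect once `c.certs.servers` (or `c.certs.clients`) is set to 1 alongside the list.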