Certificate Options

| Config | Type | Default | Description |
|---|---|---|---|
| c.certs.allowed | string | '' | The list of SHA1 fingerprints that are allowed. Each fingerprint should be separated by a CR/LF ('\r\n'). The fingerprint line may be just a fingerprint, or may include a descriptive name, e.g. “collect.scannex.com=8e:52:81:63:7b:06:a6:d4:8b:ef:d1:0a:03:05:be:2d:54:0d:74:88” |
| c.certs.clients | integer | 0 | Whether to verify clients against the approved fingerprint list. 0=ignore, 1=verify. |
| c.certs.date | integer | 0 | Whether to check the date validity of server and client certificates. 0=ignore, 1=verify. |
| c.certs.ignorecerterrors | integer | 0 | (Optional) Whether to ignore errors while parsing and checking the signing of the certificate chain. These checks are performed before checking the fingerprint. You SHOULD only include fingerprints for the device. #Firmware/v291 |
| c.certs.name | integer | 0 | Whether to check that the address matches the CN (Common Name) field for server certificates. 0=ignore, 1=verify. |
| c.certs.servers | integer | 0 | Whether to check server certificates against the approved list of fingerprints. 0=ignore, 1=verify. |
| c.certs.source | integer | 0 | (Optional) By default Source-side certificates (both client & server) are not validated. This is because some devices have weakly protected private keys and can be compromised. However, if you can trust the source as much as the destination, you can set this to “1” to apply the same checks to source. #Firmware/v291 |
| c.certs.cbcsplit | integer | 1 | Whether to perform AES-CBC record splitting 1/n-1 for server operations. #Firmware/v293 |
| c.certs.ciphers | string | 'normal' | (Optional) Descriptor to restrict cipher suites used by TLS/SSL for server operations. See User Manual. #Firmware/v280 |
| c.certs.keymin | integer | 1024 | (Optional) Specify the minimum peer RSA key size. 512/1024/2048. #Firmware/v292 |
| c.certs.signhash | string | '' | (Optional) Override the signature hashes presented during TLS, and allowed in the peer's TLS certificates. #Firmware/v292 |
| c.certs.sslmin | integer | 0 | |
| c.certs.sslmax | integer | 3 | (Optional) The minimum & maximum TLS/SSL version to accept for server operations. 0 = SSLv3; 1 = TLSv1.0; 2 = TLSv1.1; 3 = TLSv1.2 #Firmware/v291 |
| c.certs.client.cbcsplit | integer | 0 | Whether to perform AES-CBC record splitting 1/n-1 for client operations. #Firmware/v301 |
| c.certs.client.ciphers | string | '' | (Optional) Descriptor to restrict cipher suites used by TLS/SSL for client operations. #Firmware/v301 |
| c.certs.client.keymin | integer | 1024 | (Optional) For client sockets - Specify the minimum peer RSA key size. 512/1024/2048 #Firmware/v301 |
| c.certs.client.signhash | string | '' | (Optional) For client sockets - Override the signature hashes presented during TLS, and allowed in the peer's TLS certificates. #Firmware/v301 |
| c.certs.client.sslmin | integer | 2 | |
| c.certs.client.sslmax | integer | 3 | (Optional) The minimum & maximum TLS/SSL version. (See c.certs.sslmin & c.certs.sslmax for value.) #Firmware/v301 |
| c.certs.src.cbcsplit | integer | 0 | Whether to perform AES-CBC record splitting 1/n-1 #Firmware/v293 |
| c.certs.src.ciphers | string | '' | (Optional) Descriptor to restrict cipher suites used by TLS/SSL. #Firmware/v292 |
| c.certs.src.keymin | integer | 512 | (Optional) For source sockets - Specify the minimum peer RSA key size. 512/1024/2048 #Firmware/v292 |
| c.certs.src.signhash | string | '' | (Optional) For source sockets - Override the signature hashes presented during TLS, and allowed in the peer's TLS certificates. #Firmware/v292 |
| c.certs.src.sslmin | integer | 0 | |
| c.certs.src.sslmax | integer | 3 | (Optional) The minimum & maximum TLS/SSL version to accept for source connections. (See c.certs.sslmin & c.certs.sslmax for value.) #Firmware/v293 |
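
The following is an added example, not Scannex code: it parses a c.certs.allowed value in the format described above, rejects malformed lines, and checks a certificate against the list before the value is loaded onto a device. It assumes the fingerprint is the usual SHA-1 digest of the DER-encoded certificate; the function names and the sample list are constructed for illustration.

```python
import hashlib
import re

# Constructed sample in the documented format: CR/LF-separated lines,
# each either "fingerprint" or "name=fingerprint". The last line is
# deliberately truncated to show how a bad entry is caught.
SAMPLE_ALLOWED = (
    "collect.scannex.com=8e:52:81:63:7b:06:a6:d4:8b:ef:d1:0a:03:05:be:2d:54:0d:74:88\r\n"
    "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD\r\n"
    "broken.example=8e:52:81\r\n"
)

# A SHA-1 fingerprint is exactly 20 colon-separated hex bytes.
_FP = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){19}$")


def parse_allowed(value):
    """Return ({fingerprint: name}, [rejected lines]) for a c.certs.allowed string."""
    allowed, rejected = {}, []
    for line in value.split("\r\n"):
        line = line.strip()
        if not line:
            continue
        # The optional descriptive name is everything before the last "=".
        name, sep, fp = line.rpartition("=")
        fp = fp.strip().lower()
        if _FP.match(fp):
            allowed[fp] = name.strip() if sep else ""
        else:
            rejected.append(line)
    return allowed, rejected


def sha1_fingerprint(der_cert):
    """Colon-separated lowercase SHA-1 of a DER-encoded certificate (assumed form)."""
    digest = hashlib.sha1(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def is_pinned(der_cert, allowed):
    """True if the certificate's fingerprint is in the parsed allow list."""
    return sha1_fingerprint(der_cert) in allowed


def format_entry(name, der_cert):
    """Build one list line for a certificate verified out of band."""
    return f"{name}={sha1_fingerprint(der_cert)}"
```

A rejected line is worth treating as a deployment error rather than skipping silently, since a mistyped fingerprint with c.certs.servers or c.certs.clients set to 1 would block the intended peer.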