Appendix: Supported GSKit attributes

Appendix: Supported GSKit attributes

We can configure the these GSKit attributes with ISAM.
Strings

GSK_HTTP_PROXY_SERVER_NAME Set the http proxy server for http CDP CRL retrieval if required. The numeric identifier is 225.
GSK_SSL_EXTN_SERVERNAME_REQUEST Server name to be requested. The numeric identifier is 230.
GSK_SSL_EXTN_SERVERNAME_CRITICAL_REQUEST Server name to be requested. This request must be satisfied. If this request is not satisfied, an error is returned. The numeric identifier is 231.
GSK_HTTP_CRL_CACHE_SIZE CRL cache size for the HTTP server. The value must be equal or more than zero. If the value is greater than zero enables HTTP CRL caching and sets the number of cached CRL’s to be kept in cache to the value specified. The lifetime and validity of cache entries are maintained internally using the nextUpdate and max-age caching directives. The cache size is maintained by replacing entries in a LRU manner. Keep the value small (32 or less) as CRLs can be large and therefore, consume large amounts of memory to remain in cache.

Enums

GSK_ALLOW_UNAUTHENTICATED_RESUME The numeric identifier is 423. One of the following ENUM values must be specified (The default is GSK_ALLOW_UNAUTHENTICATED_RESUME_OFF):
GSK_ALLOW_UNAUTHENTICATED_RESUME_ON That a session resume can be completed successfully even if the client has not provided a certificate during the initial handshake when the server is configured for client authentication. The numeric identifier is 588.
GSK_ALLOW_UNAUTHENTICATED_RESUME_OFF That a session resume cannot be completed successfully when a client has not provided a certificate during the initial handshake when the server is configured for client authentication. This will cause the connection to complete an entire SSL handshake. This will ensure that server has the opportunity to authenticate the client. The numeric identifier is 589. This ENUM_ID may only be set prior to gsk_environment_init().
GSK_SSL_SUITEB_MODE_PROCESSING The numeric identifier is 454. One of the following ENUM values must be specified (The default is GSK_FALSE):

GSK_TRUE SSL Suite B mode is set. The setting will restrict SSL session negotiation to only use TLS Suite B Profile; RFC 5430, approved mode of operation which restricts Cipher Suites, Certificates and Signature and Hash Algorithms. The numeric identifier is 1. This setting enables both 128 bit and 192 bit Security levels of Suite B. Do not make other settings related to CipherSuites, Protocol and Signature and Hash Algorithms once this setting has been made.
GSK_FALSE SSL Suite B mode is not enabled. The numeric identifier is 0.

GSK_SSL_SUITEB_128BIT_MODE_PROCESSING The numeric identifier is 455. One of the following ENUM values must be specified (The default is GSK_FALSE):

GSK_TRUE SSL Suite B 128 bit Security mode is set. The setting will restrict SSL session negotiation to only use TLS Suite B Profile; RFC 5430, approved mode of operation which restricts Cipher Suites, Certificates and Signature and Hash Algorithms. The numeric identifier is 1. This setting enables only 128 bit Security level of Suite B. Do not make other settings related to CipherSuites, Protocol and Signature and Hash Algorithms once this setting has been made.
GSK_FALSE SSL Suite B mode is not enabled. The numeric identifier is 0.
This ENUM may only be set prior to gsk_environment_init(). FIPS-140 certified cryptographic modules should also be configured if using this setting. This setting will enable the TLS12 Protocol and disable all others.
GSK_SSL_SUITEB_192BIT_MODE_PROCESSING The numeric identifier is 456. One of the following ENUM values must be specified (The default is GSK_FALSE):

GSK_TRUE SSL Suite B 192 bit Security mode is set. The setting will restrict SSL session negotiation to only use TLS Suite B Profile; RFC 5430, approved mode of operation which restricts Cipher Suites, Certificates and Signature and Hash Algorithms. The numeric identifier is 1. This setting enables only 192 bit Security level of Suite B. Do not make other settings related to CipherSuites, Protocol and Signature and Hash Algorithms once this setting has been made.
GSK_FALSE SSL Suite B mode is not enabled. The numeric identifier is 0.

GSK_LDAP_REQUIRED_AT_INIT Requirements of an LDAP server at environment initialization. The numeric identifier is 412. One of the following ENUM values must be specified (The default is GSK_INIT_CRL_LDAP_REQUIRED_OFF) :

GSK_INIT_CRL_LDAP_REQUIRED_ON Operational LDAP server (CRL database) is required during environment initialization. The numeric identifier is 538.
GSK_INIT_CRL_LDAP_REQUIRED_OFF Availability of an active LDAP server (CRL database) is not required during environment initialization. The numeric identifier is 539.

GSK_CC_MODE_CONTROL This group controls the Common Criteria Mode operational requirements. The numeric identifier is 418. One of the following ENUM_VALUE values must be specified (The defaults is OFF for each of these):

GSK_CC_MODE_DISABLE_STASH_FILE_ON Disable the use of stash files to open keystores. The numeric identifier is 555.
GSK_CC_MODE_DISABLE_STASH_FILE_OFF Allow the use of stash files to open keystores. The numeric identifier is 556. This ENUM may only be set prior to gsk_environment_init(). gsk_environment_init() will fail if the use of stash files have been disallowed but no keystore password has been given. It cannot be set using an environment variable.
GSK_CC_MODE_FIPS_ON FIPS mode is set. The numeric value is 557. The enumerated value for GSK_BASE_CRYPTO_LIBRARY must not be GSK_BASE_CRYPTO_RSA (the default is GSK_BASE_CRYPTO_ICC) or an error is returned. This enum has the same effect as setting all of GSK_FIPS_MODE_PROCESSING_ON, GSK_SSL_FIPS_MODE_PROCESSING_ON, GSK_ICC_FIPS_MODE_PROCESSING_ON. Additionally setting this enum will have a similar effect to setting GSK_NIST_DES_FIPS_DEPRECATION except the deprecation of DES will happen immediately and not wait until May 18 2007.
GSK_CC_MODE_FIPS_OFF FIPS mode is not enabled. The numeric identifier is 558. This enum has the same effect as GSK_FIPS_MODE_PROCESSING_OFF. This ENUM may only be set prior to gsk_environment_init(). gsk_environment_init() will fail if FIPS mode is not supported on the platform. It cannot be set using an environment variable.
GSK_CC_MODE_ENFORCE_STRONG_PWD_ON Enforce the use of Common Criteria strength passwords for keystore operations. The numeric identifier is 559.
GSK_CC_MODE_ENFORCE_STRONG_PWD_OFF Remove the enforcement of the use of Common Criteria strength passwords for keystore operations. The numeric identifier is 560.
This ENUM may only be set prior to gsk_environment_init(). gsk_environment_init() will fail if the given password does not meet the strength rules. It cannot be set using an environment variable.
GSK_CC_MODE_DISABLE_PKCS11_ON Disable the use of pkcs#11 devices. The numeric identifier is 561.
GSK_CC_MODE_DISABLE_PKCS11_OFF Allow the use of pkcs#11 devices. The numeric identifier is 562.
This ENUM may only be set prior to gsk_environment_init(). It cannot be set using an environment variable.
GSK_CC_MODE_ENFORCE_STRONG_KDB_ON Enforce that only newer version cms keystores that have stronger tamper protection be used. The numeric identifier is 563.
GSK_CC_MODE_ENFORCE_STRONG_KDB_OFF Remove the enforcement that only newer version cms keystores that have stronger tamper protection be used. The numeric identifier is 564.
GSK_CC_MODE_STRICT_BASIC_CONST_ON Enforce the rule that non end entity certificates that are missing the Basic Constraints extension are not permitted to be used in a validation chain. The numeric identifier is 565.
GSK_CC_MODE_STRICT_BASIC_CONST_OFF Allow non end entity certificates that are missing the Basic Constraints extension to be permitted to be used in a validation chain. The numeric identifier is 566.
GSK_CC_MODE_ENFORCE_RIP_ON Ensure that GSKit clears residual information for a session when that session encounters ssl errors. The numeric identifier is 567.
GSK_CC_MODE_ENFORCE_RIP_OFF Do not enforce that GSKit clears residual information for a session when that session encounters ssl errors. The numeric identifier is 568.

GSK_NIST_DES_FIPS_DEPRECATION On May 19 2007 NIST have determined that DES will no longer be a FIPS certified cipher. Turning this flag on will cause DES to be removed from the cipher list in FIPS mode after this date. The numeric identifier is 433.

GSK_TRUE Turn DES deprecation on after May 18 2007. The numeric identifier is 1.
GSK_FALSE Do not remove DES from the FIPS cipher list after May 18 2007. The numeric identifier is 0.

GSK_BINARY_DN_MATCHING_ENABLE Allows for faster operation by comparing DN names using Binary DER Encoding The default is off (Disabled). The numeric identifier is 441.

GSK_TRUE Turn Binary Matching On (Not recommended). The numeric identifier is 1.
GSK_FALSE Turn Binary Matching Off. The numeric identifier is 0.

GSK_PROTOCOL_SSLV2 Enable or disable the SSL V2 protocol. Note that in FIPs mode of operation (see GSK_FIPS_MODE_PROCESSING) this setting will have no effect. The numeric identifier is 403. ENUM_VALUE must specify one of the following operations (The default is GSK_PROTOCOL_SSLV2_ON):

GSK_PROTOCOL_SSLV2_ON Enable SSL V2
GSK_PROTOCOL_SSLV2_OFF Disable SSL V2

GSK_PROTOCOL_SSLV3 Enable or disable the SSL V3 protocol. The numeric identifier is 404. ENUM_VALUE must specify one of the following operations (The default is GSK_PROTOCOL_SSLV3_ON):

GSK_PROTOCOL_SSLV3_ON Enable SSL V3
GSK_PROTOCOL_SSLV3_OFF Disable SSL V3

GSK_PROTOCOL_TLSV10 Enable or disable the TLSV10 protocol. The numeric identifier is 436. ENUM_VALUE must specify one of the following operations (The default is on):

GSK_TRUE Enable TLSV10
GSK_FALSE Disable TLSV10

GSK_PROTOCOL_TLSV11 Enable or disable the TLSV11 protocol. The numeric identifier is 437. ENUM_VALUE must specify one of the following operations (The default is on):

GSK_TRUE Enable TLSV11
GSK_FALSE Disable TLSV11

GSK_PROTOCOL_TLSV12 Enable or disable the TLSV12 protocol. The numeric identifier is 438. ENUM_VALUE must specify one of the following operations (The default is on):

GSK_TRUE Enable TLSV12
GSK_FALSE Disable TLSV12

GSK_V2_CIPHER_SPECS If multiple connections occur under a SSL session the values set for this field may not be used. The cipher specification negotiated during the first SSL connection of a session will be used until that session expires. Here is the list of available cipher specs. The list contains the string values that can be used with the buf_value for this buffer ID. Any combination of these may be used; none may be used twice.

1-RC4 US
2-RC4 Export
3-RC2 US
4-RC2 Export
6-DES 56-Bit
7-Triple DES US

If a NULL string ("") is specified for the cipherspec list, SSL version 2 protocols will not be used. The default cipherspec is "713642". The numeric identifier is 205.
GSK_V3_CIPHER_SPECS_EX, GSK_TLSV10_CIPHER_SPECS_EX, GSK_TLSV11_CIPHER_SPECS_EX, GSK_TLSV12_CIPHER_SPECS_EX Allows the user to specify Cipher Specs for TLS protocol versions. The numeric identifiers are 240, 241, 242, and 243. Different TLS Protocols may have mutually exclusive Cipher Spec. The buffer cotains a list of comma delimted string values defined by RFC 2246, 4346, 5246, 4492, 5289. Example : Setting AES TLS Ciphersuite would require a buffer comtaining « TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA”

Numbers

GSK_LDAP_FAILOVER_RECONNECTION_PERIOD If multiple LDAP servers are specified for the failover function and the first LDAP server on the list is not available, the next one on the list will be queried until one is available or all the LDAP servers are tried. Periodically, an attempt will be made to retry the LDAP server query process. This attribute specifies the time period before the query retry is to begin. The value of int_value must be in the range of 0 - 86400 seconds. Defaults:

For a single LDAP server, 0 seconds.
When multiple LDAP servers are specified, 300 seconds.

The numeric identifier is 307.
GSK_V2_SIDCACHE_SIZE The number of entries in the SID (Session ID) cache used for SSLV2, range 0-2047 (default=256). The numeric identifier is 304.
GSK_V3_SIDCACHE_SIZE The number of entries in the SID (Session ID) cache used for SSLV3 and TLSV1, range 0-MAXINT (default=512). This setting does not impose an upper limit, however GSKit internally imposes a limit that may be reviewed over time. Currently the internal limit is 655360. Very large cache sizes could have adverse impacts on process performance due to the large memory usage. The cache memory allocation is dynamic in that memory is not allocated for cache entries until they are required, thus the memory usage may in fact be far less than the maximum number of cache entries specified. It is suggested that application consider these aspects when setting the cache size. The numeric identifier is 305.
GSK_OCSP_TIMEOUT Timeout in seconds that we will wait for a response from the server. The default is 30. The numeric identifier is 318.
GSK_HTTP_CDP_MAX_RESPONSE_SIZE Set the maximum size in bytes that GSKit will accept as a response from a HTTP Server when retrieving a CRL. This may help protect against a denial of service attack. The default is 204800 (200K). The numeric identifier is 316.
GSK_HTTP_CDP_TIMEOUT Timeout in seconds that we will wait for a response from the server. The default is 30. The numeric identifier is 319.
GSK_MAX_SSL_MESSAGE_SIZE Set the maximum message size that can be received by GSKit. This setting is design to protect against certain Denial of Service attack where very lare message can be used to exhust memory on a system. The default is 128K bytes. The numeric identifier is 320.
GSK_HTTP_PROXY_SERVER_PORT Sets the http proxy server port for http CDP CRL retrieval if needed. The numeric identifier is 317.
GSK_LDAP_SERVER_VERSION LDAP protocol version to be used. This should be set to 2 or 3. The numeric identifier is 314.
GSK_V2_SESSION_TIMEOUT SSL V2 session time-out. int_value must be in the range 0-100 seconds (default=100). The numeric identifier is 301.
GSK_V3_SESSION_TIMEOUT SSL V3 session time-out. int_value must be in the range 0-86400 seconds (default=86400, 24 hours). The numeric identifier is 302.
GSK_ALLOW_ONLY_EXTENDED_RENEGOTIATION The numeric identifier is 447. Default is GSK_TRUE. This setting can only be used in the [ssl] section.

GSK_TRUE Only RFC5746 Renegotiation Allowed. The numeric identifier is 1.
GSK_FALSE All TLS Renegotiation disabled . The numeric identifier is 0.

Parent topic: Stanza reference

GSK_HTTP_PROXY_SERVER_NAME	Set the http proxy server for http CDP CRL retrieval if required. The numeric identifier is 225.
GSK_SSL_EXTN_SERVERNAME_REQUEST	Server name to be requested. The numeric identifier is 230.
GSK_SSL_EXTN_SERVERNAME_CRITICAL_REQUEST	Server name to be requested. This request must be satisfied. If this request is not satisfied, an error is returned. The numeric identifier is 231.
GSK_HTTP_CRL_CACHE_SIZE	CRL cache size for the HTTP server. The value must be equal or more than zero. If the value is greater than zero enables HTTP CRL caching and sets the number of cached CRL’s to be kept in cache to the value specified. The lifetime and validity of cache entries are maintained internally using the nextUpdate and max-age caching directives. The cache size is maintained by replacing entries in a LRU manner. Keep the value small (32 or less) as CRLs can be large and therefore, consume large amounts of memory to remain in cache.