SSL Configuration

SSL Endpoints

Given a hostname:

—server.endpoint tcp://hostname:port

Given an IPv4 address:

—server.endpoint tcp://ipv4-address:port

Given an IPv6 address:

—server.endpoint tcp://[ipv6-address]:port

Note: If you are using SSL-encrypted endpoints, you must also supply thepath to a server certificate using the —ssl.keyfile option.

Keyfile

—ssl.keyfile filename

If SSL encryption is used, this option must be used to specify the filename ofthe server private key. The file must be PEM formatted and contain both thecertificate and the server’s private key.

The file specified by filename can be generated using openssl:

  1. # create private key in file "server.key"
  2. openssl genrsa -des3 -out server.key 1024
  4. # create certificate signing request (csr) in file "server.csr"
  5. openssl req -new -key server.key -out server.csr
  7. # copy away original private key to "server.key.org"
  8. cp server.key server.key.org
  10. # remove passphrase from the private key
  11. openssl rsa -in server.key.org -out server.key
  13. # sign the csr with the key, creates certificate PEM file "server.crt"
  14. openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  16. # combine certificate and key into single PEM file "server.pem"
  17. cat server.crt server.key > server.pem

You may use certificates issued by a Certificate Authority or self-signedcertificates. Self-signed certificates can be created by a tool of yourchoice. When using OpenSSL for creating the self-signed certificate, thefollowing commands should create a valid keyfile:

  1. -----BEGIN CERTIFICATE-----
  3. (base64 encoded certificate)
  5. -----END CERTIFICATE-----
  6. -----BEGIN RSA PRIVATE KEY-----
  8. (base64 encoded private key)
  10. -----END RSA PRIVATE KEY-----

For further information please check the manuals of the tools you use to createthe certificate.

CA File

—ssl.cafile filename

This option can be used to specify a file with CA certificates that are sent tothe client whenever the server requests a client certificate. If the file isspecified, The server will only accept client requests with certificates issuedby these CAs. Do not specify this option if you want clients to be able toconnect without specific certificates.

The certificates in filename must be PEM formatted.

SSL protocol

—ssl.protocol value

Use this option to specify the default encryption protocol to be used. Thefollowing variants are available:

  • 1: SSLv2
  • 2: SSLv2 or SSLv3 (negotiated)
  • 3: SSLv3
  • 4: TLSv1
  • 5: TLSv1.2The default value is 5 (TLSv1.2).

SSL cache

—ssl.session-cache value

Set to true if SSL session caching should be used.

value has a default value of false (i.e. no caching).

SSL peer certificate

This feature is available in the Enterprise Edition.

—ssl.require-peer-certificate

Require a peer certificate from the client before connecting.

SSL options

—ssl.options value

This option can be used to set various SSL-related options. Individual optionvalues must be combined using bitwise OR.

Which options are available on your platform is determined by the OpenSSLversion you use. The list of options available on your platform might beretrieved by the following shell command:

  1.  > grep "#define SSL_OP_.*" /usr/include/openssl/ssl.h
  3.  #define SSL_OP_MICROSOFT_SESS_ID_BUG                    0x00000001L
  4.  #define SSL_OP_NETSCAPE_CHALLENGE_BUG                   0x00000002L
  5.  #define SSL_OP_LEGACY_SERVER_CONNECT                    0x00000004L
  6.  #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         0x00000008L
  7.  #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x00000010L
  8.  #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x00000020L
  9.  ...

A description of the options can be found online in theOpenSSL documentation

SSL cipher

—ssl.cipher-list cipher-list

This option can be used to restrict the server to certain SSL ciphers only, andto define the relative usage preference of SSL ciphers.

The format of cipher-list is documented in the OpenSSL documentation.

To check which ciphers are available on your platform, you may use thefollowing shell command:

  1. > openssl ciphers -v
  3. ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
  4. ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
  5. DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
  6. DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
  7. DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256)
  8. Mac=SHA1
  9. ...

The default value for cipher-list is “ALL”.