Use this page to set options for encryption and for authentication of online entities. 
                  	 
               
 
               
              
            	 
             
               		 
               		  
               - Accept all clients 
                  		  
               
-  Click this to allow all clients to communicate with the server without being checked for an SSL certificate. 
                  		  
               
- Request client certificate, and verify if present 
                  		  
               
-  Click this to request a certificate from the client and to verify the returned certificate. If the client does not return a certificate, communication continues between the client and server. If a certificate is returned and it fails to verify, communication stops. 
                  			 
                  If you check this, you must specify the CA root certificates file below. 
                     			 
                   
- Require client certificate and verify 
                  		  
               
-  Click this to always require a client certificate and to verify it. This ensures that the client is trusted. If a certificate
                  is not returned or it cannot be verified, communication between the client and server is stopped. 
                  			 
                  If you check this, you must specify the CA root certificates file below. 
                     			 
                   
- CA root certificates file 
                  		  
               
-  This field is mandatory if you have chosen to request or require a client certificate. 
                  			 
                   Specify the path and filename of the file containing certificates of root CAs that you trust. This file must contain the CA root certificate of the CA that signed the client's certificate. For example, in the demoCA environment, this is CARootcert.pem in the private directory of the DemoCA area in the client system. 
                     			 
                   Note: Visual COBOL supports DER, CER, PKCS #7, PKCS #8, PKCS #12 and PEM certificate file formats and PKCS #8, PKCS #12 and PEM for key file
                     formats. 
                     		  
                   
- TLS honor server cipher list 
                  		  
               
-  By default, the TLS honor server cipher list is checked. This forces clients to use the protocols and cipher suites specified in order of their priority. 
                  			 
                  Note: If the TLS protocols and Cipher suites lists are not specified, the defaults are used. See Configuring a TLS Protocols List and Configuring a Cipher Suites List for more information. 
                     			 
                   
- TLS protocols 
                  		  
               
-  Specifies the TLS protocols to be used, listed in order of precedence. 
                  			 
                  Valid protocols are SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3 and TLS1.4, where TLS1.3 and TLS1.4 are placeholders to enable
                     support for future versions. By default, only the TLS protocols are enabled. Each specified protocol is preceded by one of
                     the following operators: 
                     			 
                       
                        				 
                        				  
                        - ! : Exclude. Permanently exclude the protocol and ignore any subsequent attempt to add the protocol back in. 
                        - + : Add. Add the protocol to the existing collection. 
                        - - : Delete. Delete the protocol from the existing collection. 
 
Note: You can use the special option ALL to specify all of the supported protocols. Use -ALL to empty the default options list, then follow it with the new options you require. 
                     			 
                   For example, to only use TLS1.1 and TLS1.2, type the following: 
                     			 
                   -ALL+TLS1.1+TLS1.2 
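
The following added example (not part of the product documentation and not Micro Focus code) evaluates a TLS protocols string using the !, + and - operators described above and reports any deprecated protocols it leaves enabled. The function names, the assumed default collection (TLS1, TLS1.1, TLS1.2) and the exact evaluation behaviour are assumptions based on this page's descriptions.

```python
import re

# Protocol names this page lists as valid, oldest first.
VALID = ["SSL2", "SSL3", "TLS1", "TLS1.1", "TLS1.2", "TLS1.3", "TLS1.4"]
# Assumption: "only the TLS protocols are enabled" is read as these three.
ASSUMED_DEFAULT = ["TLS1", "TLS1.1", "TLS1.2"]
# SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated (RFC 6176, RFC 7568, RFC 8996).
DEPRECATED = {"SSL2", "SSL3", "TLS1", "TLS1.1"}

_TOKEN = re.compile(r"([!+-])\s*([A-Za-z0-9.]+)")
_WHOLE = re.compile(r"\s*(?:[!+-]\s*[A-Za-z0-9.]+\s*)+")


def resolve_protocols(spec, default=ASSUMED_DEFAULT):
    """Return the enabled protocols, in precedence order, for a spec string."""
    if not _WHOLE.fullmatch(spec):
        raise ValueError(f"every protocol needs a !, + or - operator: {spec!r}")
    enabled = list(default)
    banned = set()  # protocols permanently excluded with '!'
    for op, name in _TOKEN.findall(spec):
        names = VALID if name.upper() == "ALL" else [name.upper()]
        for proto in names:
            if proto not in VALID:
                raise ValueError(f"unknown protocol {proto!r}")
            if op == "!":
                banned.add(proto)
            if op in "!-" and proto in enabled:
                enabled.remove(proto)
            elif op == "+" and proto not in banned and proto not in enabled:
                enabled.append(proto)
    return enabled


def audit(spec, default=ASSUMED_DEFAULT):
    """Return the deprecated protocols that a spec string leaves enabled."""
    return [p for p in resolve_protocols(spec, default) if p in DEPRECATED]


if __name__ == "__main__":
    for spec in ("-ALL+TLS1.1+TLS1.2", "-ALL+TLS1.2", "!TLS1+TLS1"):
        print(spec, "->", resolve_protocols(spec), "deprecated:", audit(spec))
```

Running the audit on the page's own example string shows that TLS1.1 remains enabled, which is worth checking against your organisation's minimum protocol policy.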
                     			 
                   
- Cipher suites 
                  		  
               
-  Specifies the priority of cipher suites to be used. 
                  			 
                  The cipher suite priority is a space-separated string formed from a combination of keywords and keyword modifiers: 
                     			 
                    
                     				 
                     				  
                     - ! : Exclude. Permanently exclude the cipher suite and ignore any subsequent attempt to add the cipher suite back in. 
                     - + : Add. Add the cipher suite to the end of the collection. 
                     - - : Delete. Delete the cipher suite from the existing collection. 
                        				  
                     
 By default, the following cipher suite list is used: 
                     			 
                   kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM +3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP 
                        				 
                     			 
                   To determine the cipher suites supported by your version of OpenSSL, type the following from a command prompt: 
                     				 openssl ciphers -v 'ALL:COMPLEMENTOFALL' 
- DH minimum group size 
                  		  
               
- Specifies the modulus length, in bits, of the Diffie-Hellman group. 
                  			 
                  Note: Micro Focus recommends a minimum modulus size of 2048 bits. 
                     			 
                   
- ECC curve collection 
                  		  
               
-  Specifies the Elliptic Curve Cryptography (ECC) curve collection to be used. By default, the collection used is: 
                  			 secp521r1;secp384r1;prime256v1;secp256k1;secp224r1;secp224k1;prime192v1 
See Configuring a Cipher Suites List in the product Help for more information. 
               	 
            
 
            	 
            For additional information on cipher suite configuration, refer to the OpenSSL documentation.