Product Documentation

ssl parameter

Sep 12, 2016

The following operations can be performed on "ssl parameter":

set ssl parameter

Synopsys

set ssl parameter [-quantumSize <quantumSize>] [-crlMemorySizeMB <positive_integer>] [-strictCAChecks ( YES | NO )] [-sslTriggerTimeout <positive_integer>] [-sendCloseNotify ( YES | NO )] [-encryptTriggerPktCount <positive_integer>] [-denySSLReneg <denySSLReneg>] [-insertionEncoding ( Unicode | UTF-8 )] [-ocspCacheSize <positive_integer>] [-pushFlag <positive_integer>] [-dropReqWithNoHostHeader ( YES | NO )] [-pushEncTriggerTimeout <positive_integer>] [-cryptodevDisableLimit <positive_integer>] [-undefActionControl <string>] [-undefActionData <string>] [-defaultProfile ( ENABLED | DISABLED )]

Arguments

quantumSize

Amount of data to collect before the data is pushed to the crypto hardware for encryption. For large downloads, a larger quantum size better utilizes the crypto resources.

Possible values: 4096, 8192, 16384

Default value: 8192

crlMemorySizeMB

Maximum memory size to use for certificate revocation lists (CRLs). This parameter reserves memory for a CRL but sets a limit to the maximum memory that the CRLs loaded on the appliance can consume.

Default value: 256

Minimum value: 10

Maximum value: 1024

strictCAChecks

Enable strict CA certificate checks on the appliance.

Possible values: YES, NO

Default value: NO

sslTriggerTimeout

Time, in milliseconds, after which encryption is triggered for transactions that are not tracked on the NetScaler appliance because their length is not known. There can be a delay of up to 10ms from the specified timeout value before the packet is pushed into the queue.

Default value: 100

Minimum value: 1

Maximum value: 200

sendCloseNotify

Send an SSL Close-Notify message to the client at the end of a transaction.

Possible values: YES, NO

Default value: YES

encryptTriggerPktCount

Maximum number of queued packets after which encryption is triggered. Use this setting for SSL transactions that send small packets from server to NetScaler.

Default value: 45

Minimum value: 10

Maximum value: 50

denySSLReneg

Deny renegotiation in specified circumstances. Available settings function as follows:

* NO - Allow SSL renegotiation.

* FRONTEND_CLIENT - Deny secure and nonsecure SSL renegotiation initiated by the client.

* FRONTEND_CLIENTSERVER - Deny secure and nonsecure SSL renegotiation initiated by the client or the NetScaler during policy-based client authentication.

* ALL - Deny all secure and nonsecure SSL renegotiation.

* NONSECURE - Deny nonsecure SSL renegotiation. Allows only clients that support RFC 5746.

Possible values: NO, FRONTEND_CLIENT, FRONTEND_CLIENTSERVER, ALL, NONSECURE

Default value: ALL

insertionEncoding

Encoding method used to insert the subject or issuer's name in HTTP requests to servers.

Possible values: Unicode, UTF-8

Default value: Unicode

ocspCacheSize

Size, per packet engine, in megabytes, of the OCSP cache. A maximum of 10% of the packet engine memory can be assigned. Because the maximum allowed packet engine memory is 4GB, the maximum value that can be assigned to the OCSP cache is approximately 410 MB.

Default value: 10

Minimum value: 0

Maximum value: 512

pushFlag

Insert PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is set to a value other than 0, the buffered records are forwarded on the basis of the value of the PUSH flag. Available settings function as follows:

0 - Auto (PUSH flag is not set.)

1 - Insert PUSH flag into every decrypted record.

2 -Insert PUSH flag into every encrypted record.

3 - Insert PUSH flag into every decrypted and encrypted record.

Minimum value: 0

Maximum value: 3

dropReqWithNoHostHeader

Host header check for SNI enabled sessions. If this check is enabled and the HTTP request does not contain the host header for SNI enabled sessions, the request is dropped.

Possible values: YES, NO

Default value: NO

pushEncTriggerTimeout

PUSH encryption trigger timeout value. The timeout value is applied only if you set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings.

Default value: 1

Minimum value: 1

Maximum value: 200

cryptodevDisableLimit

Limit to the number of disabled SSL chips after which the ADC restarts. A value of zero implies that the ADC does not automatically restart.

Default value: 0

Minimum value: 0

undefActionControl

Name of the undefined built-in control action: CLIENTAUTH, NOCLIENTAUTH, NOOP, RESET, or DROP.

Default value: "CLIENTAUTH"

undefActionData

Name of the undefined built-in data action: NOOP, RESET or DROP.

Default value: "NOOP"

defaultProfile

Global parameter used to enable default profile feature.

Possible values: ENABLED, DISABLED

Default value: DISABLED

unset ssl parameter

Use this command to remove ssl parameter settings.Refer to the set ssl parameter command for meanings of the arguments.

Synopsys

unset ssl parameter [-quantumSize] [-crlMemorySizeMB] [-strictCAChecks] [-sslTriggerTimeout] [-sendCloseNotify] [-encryptTriggerPktCount] [-denySSLReneg] [-insertionEncoding] [-ocspCacheSize] [-pushFlag] [-dropReqWithNoHostHeader] [-pushEncTriggerTimeout] [-cryptodevDisableLimit] [-undefActionControl] [-undefActionData] [-defaultProfile]

show ssl parameter

Displays information about advanced SSL parameters.

Synopsys

show ssl parameter

Outputs

quantumSize

Amount of data to collect before the data is pushed to the crypto hardware for encryption. For large downloads, a larger quantum size better utilizes the crypto resources.

crlMemorySizeMB

Maximum memory size to use for certificate revocation lists (CRLs). This parameter reserves memory for a CRL but sets a limit to the maximum memory that the CRLs loaded on the appliance can consume.

strictCAChecks

Memory size to use for CRLs

sslTriggerTimeout

Encryption trigger timer. Set the encryption trigger timeout for transactions, which are not trackable by Netscaler. NetScaler will use this setting to accumulate data received from the server for the configured time period before pushing it to the crypto hardware for encryption.

sendCloseNotify

Send an SSL Close-Notify message to the client at the end of a transaction.

encryptTriggerPktCount

Maximum number of queued packets after which encryption is triggered. Use this setting for SSL transactions that send small packets from server to NetScaler.

denySSLReneg

SSL Renegotiation setting

insertionEncoding

Encoding method used to insert the subject or issuer's name in HTTP requests to servers.

ocspCacheSize

Size, per packet engine, in megabytes of the OCSP cache

pushFlag

Insert PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is set to a value other than 0, the buffered records are forwarded on the basis of the value of the PUSH flag. Available settings function as follows:

0 - Auto (PUSH flag is not set.)

1 - Insert PUSH flag into every decrypted record.

2 -Insert PUSH flag into every encrypted record.

3 - Insert PUSH flag into every decrypted and encrypted record.

dropReqWithNoHostHeader

Host header check for SNI enabled sessions. If this check is enabled and the HTTP request does not contain the host header for SNI enabled sessions, the request is dropped.

pushEncTriggerTimeout

PUSH encryption trigger timeout value. The timeout value is applied only if you set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings.

cryptodevDisableLimit

Limit to the number of disabled SSL chips after which the ADC restarts. A value of zero implies that the ADC does not automatically restart.

undefActionControl

Global undef action for SSL control policies

undefActionData

Global undef action for SSL data policies

defaultProfile

Global parameter used to enable default profile feature.

svctls1112disable

Disable TLS 1.1 and 1.2 for dynamic and VPN created services.

montls1112disable

Disable TLS 1.1 and 1.2 for secure (https) monitors bound to SSL_BRIDGE services.