HttpsConnectorServlet
You can use all configuration attributes of the HttpConnectorServlet for the HttpsConnectorServlet as well. In addition, the TLS attributes listed below must be configured.
Classname:
ch::nevis::isiweb4::servlet::connector::http::HttpsConnectorServlet
Library:
libHttpConnectorServlet.so.1
Configuration
Name | Type; Usage Constraints; Defaults | Description |
---|---|---|
SSLCACertificateFile | string; optional, basic connectivity | Specifies the file containing the CA certificate(s) that are used to check whether the peer’s node certificate is trusted. All the certificates in the file will be verified. PEM encoded files are supported. Nevis PKCS#11 URLs are not supported. If the SSLCACertificateFile attribute is not specified, the peer certificate will be trusted automatically. Mandatory to set if SSLCheckPeerHostname is enabled. |
SSLClientCertificateFile | string; optional, basic feature | The X509 node certificate that is sent to the application server if requested by a SSL/TLS CertificateRequest message. PEM encoded files, and Nevis PKCS#11 URLs are supported. For more information on how to use the GemEngine within the HttpsConnectorServlet, see chapter: "Gemalto GemEngine Support for the HttpsConnectorServlet". Client certificates are experimental when using TLSv1.3. |
SSLClientKeyFile | string; optional, basic feature | The key for a TLS client certificate may be provided either in the same file as the certificate (SSLClientCertificateFile), or in a separate file specified with SSLClientKeyFile. Configure only SSLClientCertificate if both the certificate and the key are contained in the same file. See chapter: "Gemalto GemEngine Support for the HttpsConnectorServlet" for more information on how to use the GemEngine within the HttpsConnectorServlet. |
SSLCache | enum: on, session, off; optional, advanced; default: on | This attribute configures the client-side TLS cache. You can set it to one of the following values: - on: One TLS session to the content provider is established and used for all requests. - session: For every session, an individual TLS session to the content provider is established. That session is used only for requests that are associated with that session. If you are using the SSLCache in session mode, the TCP connection pooling configured by the KeepAlive attribute must either be set to false, or be set to true with KeepAlive.ByClient also set to true. - off: For every request sent to the content provider, a new TLS session is established. |
SSLCipherSuites | string; required, troubleshooting; default and secure default: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256 | This attribute defines the TLS cipher suites to use, as an OpenSSL cipher list. You can set any ciphers that are supported by OpenSSL. Note: TLSv1.3 support in the nevisProxy is experimental only. You cannot configure cipher suites for the TLSv1.3 protocol with this attribute. |
SslConnectTimeout | integer; optional, scaling | Timeout in milliseconds for completing the TLS handshake after the TCP connection has been opened successfully. The timeouts are related as follows: - ConnectTimeout: The timeout for establishing the TCP connection. - SslConnectTimeout: The timeout for establishing the TLS connection once the TCP connection has been established. - RequestTimeout: The timeout for a response from the server once the TLS connection has been established. |
CrlFile | string; optional | The path to a CRL file (PEM format). It is reloaded automatically if the file is replaced by a newer one. The file modification time is checked in the interval configured under periodicity in the Timer section of the file navajo.xml. |
SSLCheckPeerHostname | boolean; optional, security/troubleshooting; default: false, secure default: true | If enabled, among other validations, the DNS name of the backend is checked against the CN/SAN of the peer certificate. Setting this parameter also requires setting SSLCACertificateFile. |
SSLCheckPeerHostname.AllowWildcards | boolean: true, false; optional; default: false, secure default: false | If set to "true", the system will also accept certificates containing wildcards. This parameter is only evaluated if the attribute SSLCheckPeerHostname is set to "true". For security reasons, we recommend setting this parameter to "false" in production. |
SSLProtocol | enum: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3; optional; default: -all +TLSv1.2 +TLSv1.3, secure default: -all +TLSv1.2 +TLSv1.3 | Syntax: [all] [+/-][TLSv1] [+/-][TLSv1.1] [+/-][TLSv1.2] [+/-][TLSv1.3]. An entry without a sign is treated as +. Separate each entry in the SSL protocol list by a blank. Some backends may not understand TLSv1.3 and thus will not be able to tell the proxy to downgrade. |
SSLDynamicClientCertificate | boolean: true, false; optional, advanced; default: false | If set to true, the client certificate used in the TLS handshake will be retrieved from the user session. Consult "Enabling dynamic x.509 certificates" on how to configure nevisAuth and nevisProxy for use with dynamic client certificates. Because the client certificate is session-bound and not statically configured, the following configuration constraints apply: - SSLCache must be set to either "off" or "session". - KeepAlive must be set to "false" or KeepAlive.ByClient must be true. - SSLClientCertificateFile must not be configured. |
UseSSL | boolean; optional; default: true | If set to false, the servlet behaves like an HttpConnectorServlet. |
SSLSNISupport | boolean; optional; default: true | Enables SNI support for this servlet. If the backend has multiple name-based virtual servers configured with different certificates, the servlet can securely indicate, as part of the TLS handshake, which one it intends to connect to. This indication happens at the beginning of the connection and (depending on the backend) is checked continuously. Therefore, if you set up KeepAlive together with dynamic HostNames, it will most probably not work, because the HostName might change when the connection is re-used. |
ConnectionRetries | integer; optional, advanced; min: 0, max: 100, default: 0 | Sometimes a TLS connection fails because of an unknown problem (network, etc.). With this parameter you configure how many times the servlet retries to connect before giving up. |
SSLOpenSSLConfCmd | newline-separated string of name/value pairs; optional, advanced | This parameter exposes OpenSSL's SSL_CONF API to the proxy, allowing a flexible configuration of OpenSSL parameters without the need of implementing additional parameters when new features are added to OpenSSL. For a list of supported command names, see the section: Supported configuration file commands in the SSL_CONF_cmd(3) manual page for OpenSSL. Some of the SSLOpenSSLConfCmd commands can be used as an alternative to existing parameters (such as SSLCipherSuite or SSLProtocol), although the syntax / allowable values for the parameters may sometimes differ. First consider if your goal can be achieved using the other parameters available. Contact support before using this parameter. |
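Several attributes in the table above only make sense in combination (SSLCheckPeerHostname needs SSLCACertificateFile, SSLCache=session and SSLDynamicClientCertificate need KeepAlive=false or KeepAlive.ByClient=true, and so on), and SSLProtocol has its own small syntax. The following Python script is an added example, not part of the nevisProxy product or its documentation: it parses an SSLProtocol value into the set of enabled versions and lints a dictionary of init-parameters against the constraints stated in the table. The attribute names are those from the table; the file paths in the sample configurations are constructed, and the script assumes KeepAlive defaults to true when it is not set (the HttpConnectorServlet documents that default, this page does not).

```python
"""Lint HttpsConnectorServlet init-parameters against the constraints in the
attribute table. Added example, not nevisProxy code."""

PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
SECURE_DEFAULT_PROTOCOL = "-all +TLSv1.2 +TLSv1.3"


def parse_ssl_protocol(spec):
    """Parse an SSLProtocol value such as '-all +TLSv1.2 +TLSv1.3'.

    Entries are blank-separated, an entry without a sign counts as '+', and
    'all' expands to every version. Returns the set of enabled versions."""
    enabled = set()
    for token in spec.split():
        sign, name = ("+", token) if token[0] not in "+-" else (token[0], token[1:])
        if name == "all":
            versions = set(PROTOCOLS)
        elif name in PROTOCOLS:
            versions = {name}
        else:
            raise ValueError(f"unknown SSLProtocol entry: {token!r}")
        if sign == "+":
            enabled |= versions
        else:
            enabled -= versions
    return enabled


def _is_true(attrs, name, default="false"):
    return str(attrs.get(name, default)).lower() == "true"


def validate_https_connector(attrs):
    """Return a list of findings; an empty list means the configuration is
    consistent with the constraints from the attribute table."""
    problems = []
    # KeepAlive default assumed true (assumption, see lead-in).
    keepalive_ok = (str(attrs.get("KeepAlive", "true")).lower() == "false"
                    or _is_true(attrs, "KeepAlive.ByClient"))
    cache = str(attrs.get("SSLCache", "on")).lower()
    if cache not in ("on", "session", "off"):
        problems.append(f"SSLCache: unknown value {cache!r} (expected on, session or off)")

    # Peer verification: without a CA file the backend certificate is trusted blindly.
    check_host = _is_true(attrs, "SSLCheckPeerHostname")
    if not attrs.get("SSLCACertificateFile"):
        problems.append("SSLCACertificateFile not set: the peer certificate is trusted automatically")
        if check_host:
            problems.append("SSLCheckPeerHostname=true requires SSLCACertificateFile")
    if "SSLCheckPeerHostname.AllowWildcards" in attrs and not check_host:
        problems.append("SSLCheckPeerHostname.AllowWildcards has no effect without SSLCheckPeerHostname=true")

    # Session-bound TLS cache must not share pooled TCP connections across sessions.
    if cache == "session" and not keepalive_ok:
        problems.append("SSLCache=session requires KeepAlive=false or KeepAlive.ByClient=true")

    # Dynamic client certificates are session-bound, hence the same pooling rules
    # plus no static client certificate and no global TLS session.
    if _is_true(attrs, "SSLDynamicClientCertificate"):
        if cache == "on":
            problems.append("SSLDynamicClientCertificate requires SSLCache=off or SSLCache=session")
        if not keepalive_ok:
            problems.append("SSLDynamicClientCertificate requires KeepAlive=false or KeepAlive.ByClient=true")
        if attrs.get("SSLClientCertificateFile"):
            problems.append("SSLDynamicClientCertificate and SSLClientCertificateFile must not both be configured")

    # Protocol list: must parse, enable something, and ideally match the secure default.
    try:
        enabled = parse_ssl_protocol(attrs.get("SSLProtocol", SECURE_DEFAULT_PROTOCOL))
    except ValueError as exc:
        problems.append(f"SSLProtocol: {exc}")
    else:
        if not enabled:
            problems.append("SSLProtocol enables no protocol version")
        legacy = enabled & {"TLSv1", "TLSv1.1"}
        if legacy:
            problems.append(f"SSLProtocol enables {sorted(legacy)}; secure default is {SECURE_DEFAULT_PROTOCOL!r}")
    return problems


# Constructed sample configurations (paths are placeholders, not real files).
SECURE_EXAMPLE = {
    "SSLCACertificateFile": "/etc/ssl/backend-ca.pem",
    "SSLCheckPeerHostname": "true",
    "SSLCache": "on",
    "SSLProtocol": "-all +TLSv1.2 +TLSv1.3",
}

WEAK_EXAMPLE = {
    "SSLCheckPeerHostname": "true",                 # but no CA file configured
    "SSLCache": "session",
    "KeepAlive": "true",                            # pooling without KeepAlive.ByClient
    "SSLDynamicClientCertificate": "true",
    "SSLClientCertificateFile": "/etc/ssl/client.pem",
    "SSLProtocol": "all -TLSv1",                    # still leaves TLSv1.1 enabled
}

if __name__ == "__main__":
    for label, cfg in (("secure", SECURE_EXAMPLE), ("weak", WEAK_EXAMPLE)):
        print(f"{label}: {validate_https_connector(cfg) or 'no findings'}")
```

Run the script on a copy of the init-parameters before deploying a changed navajo.xml; every finding maps to a sentence in the table, so the fix is always one of the attributes listed there.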
The behavior of many web servers depends on the protocol version and the HTTP header field UserAgent. Therefore, if connection-oriented problems occur, you have to adjust the HttpsConnectorServlet to the behavior of the content provider, which usually means tuning the attributes SSLProtocol, KeepAlive, Protocol and UserAgent.