TLS Profile |
Profile Name |
A descriptive name used to identify this profile. |
Certificate |
The certificate presented when requested by a peer. |
SNI |
A check box that enables Server Name Indication (SNI), the TLS extension by which the client names the host it is connecting to in its ClientHello. |
Certificate Verification |
Peer Verification |
When set to Required, the incoming connection must present a certificate; that certificate must be signed by (chain to) one of the Peer Certificate Authorities and must not be listed in any of the Peer Certificate Revocation Lists. In a client profile configuration screen, Required is preselected for this field.
Note:
Peer Verification is always required for TLS Client Profiles, therefore the Peer Certificate Authorities, Peer Certificate Revocation Lists, and Verification Depth fields will be active.
|
Peer Certificate Authorities |
The CA certificates used to verify the identity certificate presented by the remote entity, if it presents one. The peer certificate must chain to one of these CAs.
Note:
Using Ctrl or Ctrl+Shift, any combination of selections can be made from this list: Ctrl+Shift and drag selects a range of lines, and Ctrl and click toggles individual lines.
|
Peer Certificate Revocation Lists |
The certificate revocation lists (CRLs) consulted to check whether a peer certificate has been revoked. A peer certificate that appears on one of these lists is rejected even though it chains to a trusted CA.
Note:
Using Ctrl or Ctrl+Shift, any combination of selections can be made from this list: Ctrl+Shift and drag selects a range of lines, and Ctrl and click toggles individual lines.
|
Verification Depth |
The maximum depth of the certificate chain that is accepted during trust chain verification. A CA certificate can also carry its own limit, the path length constraint in its Basic Constraints extension, which bounds how many further CA certificates may follow it in the chain. If both are set, the lower of the two values applies. |
Extended Hostname Verification |
Determines whether the certificate served by the remote server is also verified against the hostname being connected to, that is, whether the DNS name in the certificate's Common Name or Subject Alternative Name must match that hostname. |
Server Hostname |
Permits the user to define a custom hostname that is accepted if the remote server presents it in its certificate. This is primarily intended for use with legacy Avaya products. You must configure the Server Hostname field for:
Non SIP traffic
Non HTTP traffic
PPM traffic
The Server Hostname field is accessible only if the Extended Hostname Verification check box, the SNI check box, or both are selected. |
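The checks described by the Certificate Verification fields (Peer Certificate Authorities, Peer Certificate Revocation Lists, Verification Depth) and by Extended Hostname Verification can be exercised outside the product with the OpenSSL command line. The script below is an added example; it is not Avaya code and does not show how the SBC itself performs verification. It builds a throwaway PKI (all names, such as Demo Root CA and sbc.example.test, are constructed) and then runs openssl verify against the peer certificate the way a profile would: with the root as the trusted CA, the issuing CA as the untrusted intermediate the peer sends, a depth limit, a hostname, and a CRL. It assumes OpenSSL 1.1.0 or later, whose -verify_depth counts only intermediate CAs (neither the end-entity nor the trust-anchor certificate counts); whether the product's Verification Depth counts the same way is not stated on this page.

```sh
#!/bin/sh
# Added example, not Avaya code. A constructed demo PKI exercises the checks the
# Certificate Verification fields describe, using only the OpenSSL command line
# (1.1.0 or later). All names (Demo Root CA, sbc.example.test, ...) are made up.
#
#   root (trusted) -> inter (pathlen:0) -> leaf  (SAN sbc.example.test, CN legacy-sbc)
#                                       -> sub  -> deep  (violates inter's pathlen:0)

# issue NAME SUBJECT ISSUER EXTS: new P-256 key and CSR, signed by ISSUER.crt/.key
# (self-signed when ISSUER is "self") with the X.509v3 extensions given in EXTS.
issue() {
    name=$1 subject=$2 issuer=$3 exts=$4
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "$subject" -keyout "$name.key" -out "$name.csr" 2>/dev/null || return 1
    printf '%b' "$exts" > "$name.ext"
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
            -extfile "$name.ext" -out "$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
            -CAcreateserial -days 30 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
    fi
}

# setup_pki: build the hierarchy above in a fresh temp dir and cd into it, then
# produce two CRLs from the issuing CA: one empty, one listing leaf.crt as revoked.
setup_pki() {
    PKI=$(mktemp -d) && cd "$PKI" || return 1
    ca='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
    issue root  '/CN=Demo Root CA'    self  "$ca" || return 1
    issue inter '/CN=Demo Issuing CA' root \
        'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' || return 1
    issue leaf  '/CN=legacy-sbc'      inter 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:sbc.example.test\n' || return 1
    issue sub   '/CN=Demo Sub CA'     inter "$ca" || return 1
    issue deep  '/CN=deep'            sub   'basicConstraints=CA:FALSE\n' || return 1
    # Minimal "openssl ca" config; it is only used to revoke leaf.crt and sign CRLs.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
certificate = inter.crt
private_key = inter.key
default_md = sha256
default_crl_days = 30
EOF
    : > index.txt
    openssl ca -config ca.cnf -gencrl -out empty.crl   2>/dev/null || return 1
    openssl ca -config ca.cnf -revoke leaf.crt         2>/dev/null || return 1
    openssl ca -config ca.cnf -gencrl -out revoked.crl 2>/dev/null || return 1
}

# vfy CERT [verify options]: chain validation against root.crt with the issuing CA
# supplied as an untrusted intermediate (as a peer would send it). Exit status only.
vfy() { cert=$1; shift; openssl verify -CAfile root.crt -untrusted inter.crt "$@" "$cert" >/dev/null 2>&1; }

# report LABEL CMD...: print whether the peer certificate would be accepted.
report() { label=$1; shift; if "$@"; then echo "accepted  $label"; else echo "rejected  $label"; fi; }

if setup_pki; then
    report "depth 1: leaf <- inter <- root"             vfy leaf.crt -verify_depth 1
    report "depth 0: no intermediate allowed"           vfy leaf.crt -verify_depth 0
    report "depth 5, but inter has pathlen:0 (deep)"    vfy deep.crt -untrusted sub.crt -verify_depth 5
    report "hostname sbc.example.test (matches SAN)"    vfy leaf.crt -verify_hostname sbc.example.test
    report "hostname legacy-sbc (CN ignored, SAN set)"  vfy leaf.crt -verify_hostname legacy-sbc
    report "CRL with nothing revoked"                   vfy leaf.crt -crl_check -CRLfile empty.crl
    report "CRL listing the leaf as revoked"            vfy leaf.crt -crl_check -CRLfile revoked.crl
fi
```

Expected outcome: the leaf is accepted at depth 1 and rejected at depth 0; deep is rejected even at depth 5 because the issuing CA's own pathlen:0 is the lower limit; the hostname check passes for sbc.example.test and fails for legacy-sbc, because OpenSSL ignores the Common Name once a DNS Subject Alternative Name is present; and the leaf is accepted with the empty CRL but rejected once it appears on the CRL. With a certificate like this one, whose CN differs from the DNS name in the SAN, the name you connect to must match the SAN; the Server Hostname field is what lets the profile accept a different, configured name instead.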
Renegotiation Parameters |
Renegotiation Time |
The amount of time after which the TLS connection is renegotiated. This field is optional; set it to 0 to disable time-based renegotiation. |
Renegotiation Byte Count |
The number of bytes transferred after which the TLS connection is renegotiated. This field is optional; set it to 0 to disable byte-count-based renegotiation. |
Handshake Options |
Version |
The TLS versions that the client or server accepts or offers. For Release 10.1.0, the options are:
For Release 10.1.2, the options are:
The default value for this field is TLS 1.2. Select a TLS version that the client supports. |
Ciphers |
The level of security to be used for encrypting data. The options are:
Default: The cipher suite recommended by Avaya.
FIPS: The cipher suite recommended by Avaya for FIPS 140–2 compatibility.
Custom: Selecting the Custom radio button enables a user-defined level of encryption that can be configured by using the Value field described below.
|
Value |
A text field holding the OpenSSL cipher string (cipher list) that selects the ciphers for this profile; it is used only when Ciphers is set to Custom. For the syntax and the full list of cipher names and aliases, see the OpenSSL ciphers documentation at http://www.openssl.org/docs/apps/ciphers.html.
Note:
The Value field is an advanced setting that must not be changed without an understanding of how OpenSSL interprets cipher strings. An invalid or incorrect string can leave communications insecure (for example by admitting weak or anonymous cipher suites) or prevent TLS connections from being established at all.
|
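Before pasting a Custom cipher string into Value, expand it with the same OpenSSL that will interpret it. The script below is an added example, not Avaya code; it assumes the openssl command line is available and that the product hands the Value string to OpenSSL's cipher-list parser unchanged (the page says only that the field holds OpenSSL's cipher string syntax). The weak-suite criteria (anonymous key exchange, NULL encryption, RC4, DES or 3DES, an MD5 MAC) are this example's own choice, not Avaya's. One trap it guards against: since OpenSSL 1.1.1 the TLS 1.3 suites are configured separately and are always listed by openssl ciphers, so a mistyped string can print three suites and exit 0 while selecting no TLS 1.2 suite at all.

```sh
#!/bin/sh
# Added example, not Avaya code. Expands an OpenSSL cipher string the way the
# library does, so a Custom Value can be checked before it goes into the profile.
# Needs the openssl CLI; the weak-suite criteria below are this example's own.

# expand_ciphers SPEC: the TLS 1.2-and-earlier suites SPEC selects, one per line,
# in OpenSSL's preference order. TLS 1.3 suites are configured separately in
# OpenSSL 1.1.1+ and are printed by "openssl ciphers" whatever SPEC says, so they
# are dropped here; otherwise a typo would look as if it had selected something.
expand_ciphers() { openssl ciphers -v "$1" 2>/dev/null | awk '$2 != "TLSv1.3" {print}'; }

# weak_filter: reads "openssl ciphers -v" lines on stdin and prints the names of
# suites with anonymous key exchange, NULL encryption, RC4/DES/3DES, or an MD5 MAC.
weak_filter() {
    awk '$4 == "Au=None" || $5 == "Enc=None" || $5 ~ /RC4|DES/ || $6 == "Mac=MD5" {print $1}'
}

# check_cipher_string SPEC: 0 if SPEC selects at least one suite and none is weak,
# 1 if it selects nothing (typo, or everything excluded), 2 if weak suites slipped in.
check_cipher_string() {
    n=$(expand_ciphers "$1" | wc -l)
    if [ "$n" -eq 0 ]; then
        echo "'$1' selects no TLS 1.2 suite: check the string for typos" >&2
        return 1
    fi
    weak=$(expand_ciphers "$1" | weak_filter)
    if [ -n "$weak" ]; then
        printf "'%s' selects weak suites:\n%s\n" "$1" "$weak" >&2
        return 2
    fi
    echo "'$1': $n suites, none weak"
}

# Three hypothetical Custom values: a hardened one, "HIGH" alone (on most builds
# it still admits anonymous Au=None suites, which is why !aNULL is needed), and a typo.
for spec in 'HIGH:!aNULL:!eNULL:!MD5' 'HIGH' 'NOTACIPHER'; do
    check_cipher_string "$spec" || echo "  -> exit status $?"
done
```

The second and third strings are the two failure modes the note above warns about: a string that parses but still admits suites you did not mean to allow, and a string that selects nothing, which on the product side shows up as connections that cannot be established.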