TLS server profile screen field descriptions

Last Updated: Jun 10, 2026

Field

Description

TLS Profile

Profile Name

The descriptive name used to identify this profile.

Certificate

The certificate presented when requested by a peer.

SNI Options

Indicates whether the SNI group is required or not. The options are:

  • None: SNI functionality has no effect on the client-server handshake process. The Avaya SBC server approves the handshake between the client and the server with or without the SNI request.

  • Optional: If there is an SNI request from the client and the server_name extension in the client handshake packet matches the CN or SAN fields of the TLS certificate, the Avaya SBC server approves the handshake between the client and server; otherwise, the TLS handshake is rejected. If there is no SNI request from the client, the TLS profile associated with the Signaling Interface is used for communication.

  • Mandatory: If there is an SNI request from the client and the server_name extension in the client handshake packet matches the CN or SAN fields of the TLS certificate, the Avaya SBC server approves the handshake between the client and server; otherwise, the handshake is rejected. If there is no SNI request from the client, the Avaya SBC server also rejects the TLS handshake.

SNI Group

Specifies the configured SNI groups.

The SNI Group field is accessible only if SNI Options is either Optional or Mandatory.

Certificate Verification

Peer Verification

One of three check boxes indicating whether peer verification is required:

  • Required: The incoming connection must provide a certificate, the certificate must be signed by one of the Peer Certificate Authorities, and it must not be contained in a Peer Certificate Revocation List. In a client profile configuration screen, the Required check box is a locked setting and cannot be deselected.

  • Optional: The incoming connection may optionally provide a certificate. If a certificate is provided, but is not contained in the Peer Certificate Authority list, or is contained in a Peer Certificate Revocation List, the connection will be rejected.

  • None: No peer verification will be performed.

Note:

Peer Verification is always required for TLS Client Profiles, therefore the Peer Certificate Authorities, Peer Certificate Revocation Lists, and Verification Depth fields will be active.

Peer Certificate Authorities

The CA certificates to be used to verify the remote entity identity certificate, if one has been provided.

Note:

Using Ctrl or Ctrl+Shift, any combination of selections can be made from this list.

Using Ctrl+Shift, the user can drag to select multiple lines, and using Ctrl, the user can click to toggle individual lines.

Peer Certificate Revocation Lists

Revocation lists that are to be used to verify whether or not a peer certificate is valid.

Note:

Using Ctrl or Ctrl+Shift, any combination of selections can be made from this list.

Using Ctrl+Shift, the user can drag to select multiple lines, and using Ctrl, the user can click to toggle individual lines.

Verification Depth

The maximum depth used for the certificate trust chain verification. Each CA certificate might also have its own depth setting, referred to as the path length constraint. If both are set, the lower of these two values is used.

Renegotiation Parameters

Renegotiation Time

The amount of time after which the TLS connection must be renegotiated. This field is optional and must be set to 0 to disable.

Renegotiation Byte Count

The number of bytes after which the TLS connection must be renegotiated. This field is optional and must be set to 0 to disable.

Handshake Options

Version

The TLS versions that the client or server accepts or offers.

For Release 10.1.0, the options are:

  • TLS 1.2

  • TLS 1.1

  • TLS 1.0

For Release 10.1.2, the options are:

  • TLS 1.3

  • TLS 1.2

The default value for this field is TLS 1.2. Ensure that you select an appropriate TLS version according to the TLS version that the server supports.

Ciphers

The level of security to be used for encrypting data. The options are:

  • Default: The cipher suite recommended by Avaya.

  • FIPS: The cipher suite recommended by Avaya for FIPS 140-2 compatibility.

  • Custom: Selecting the Custom radio button enables a user-defined level of encryption that can be configured by using the Value field described below.

Value

A field that contains a textual representation of the cipher settings used by OpenSSL.

Note:

The Value field is an advanced setting that must not be changed without an understanding of how OpenSSL handles ciphers. Invalid or incorrect settings in this field can cause insecure communications or even catastrophic failure.

For a full list of possible values, see the OpenSSL ciphers documentation at https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html.

To get the list of cipher suites supported by Avaya SBC, run the following command:

openssl ciphers -s -v -<TLS version> '<cipher string>'

where <cipher string> is DEFAULT:!SHA for Default ciphers and FIPS:!ECDH:!ADH:!3DES:!KRB5 for FIPS ciphers.

For example, run the following command to get the list of cipher suites supported by Avaya SBC for Default ciphers when using TLS version 1.2:

openssl ciphers -s -v -tls1_2 'DEFAULT:!SHA'
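Before a Custom string goes into the Value field, its expansion can be audited with the same command. The following is an added example, not part of the Avaya documentation: the function names, the flagging policy (the suite classes that the Default and FIPS strings above exclude, plus NULL, RC4 and MD5), and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `openssl ciphers -v` output for a candidate Custom
# cipher string. The flagging rules are an assumed policy, not Avaya's.

# Reads `openssl ciphers -v` lines on stdin and prints "<suite> <reasons>"
# for every suite with a flagged property (columns: name, protocol, Kx=,
# Au=, Enc=, Mac=).
flag_weak_suites() {
    awk '
    NF >= 6 {
        reason = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "Au=None")        reason = reason " anonymous-auth"
            else if ($i ~ /^Enc=None/)  reason = reason " null-encryption"
            else if ($i ~ /^Enc=3DES/)  reason = reason " 3des"
            else if ($i ~ /^Enc=RC4/)   reason = reason " rc4"
            else if ($i == "Mac=SHA1")  reason = reason " sha1-mac"
            else if ($i == "Mac=MD5")   reason = reason " md5-mac"
        }
        if (reason != "") print $1 reason
    }'
}

# Expands a cipher string with the command from this page and audits it.
# $1 is the version flag without the dash (for example tls1_2), $2 the string.
# Requires the openssl CLI; it is defined here but not called.
audit_cipher_string() {
    openssl ciphers -s -v "-$1" "$2" | flag_weak_suites
}

# Constructed sample in `openssl ciphers -v` format, so the check runs offline.
SAMPLE='TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD'

printf '%s\n' "$SAMPLE" | flag_weak_suites
```

On a host with the openssl CLI, `audit_cipher_string tls1_2 '<cipher string>'` runs the same check on a real expansion; empty output means no suite matched the assumed policy.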

Note:

The only exception concerns the Peer Verification parameter setting (see the Peer Verification field description). This setting determines whether a peer verification operation is performed. In a TLS client profile, the Peer Verification parameter setting cannot be changed and is locked to Required, while in a TLS server profile, the Peer Verification parameter may be set to one of three possible values: Required, Optional, or None.