globus_gssapi_gsi: gsi.conf.h Source File

00001 static char *globus_l_gsi_conf_string  =
00002 "# As of August 2018, TLSv1.2 is the default TLS protocol version.\n"
00003 "# Minimum TLS protocol version. One of TLS1_2_VERSION, TLS1_VERSION_DEPRECATED, \n"
00004 "# TLS1_1_VERSION_DEPRECATED, or 0 for the default. Invalid values will use \n"
00005 "# the default. SSLv3 and below are disabled.\n"
00006 "MIN_TLS_PROTOCOL=TLS1_VERSION_DEPRECATED\n"
00007 "# Maximum TLS protocol version. One of TLS1_2_VERSION, TLS1_VERSION_DEPRECATED,\n"
00008 "# TLS1_1_VERSION_DEPRECATED, or 0 for the highest supported version. Invalid \n"
00009 "# values will use the highest supported version. SSLv3 and below are disabled.\n"
00010 "MAX_TLS_PROTOCOL=0\n"
00011 "# GSSAPI Name compatibility mode when trying to determine\n"
00012 "# if a host certificate is legitimate. GSI predates RFC2818,\n"
00013 "# so there are some old, less-secure, practices by default.\n"
00014 "# The different modes are:\n"
00015 "# STRICT_GT2:\n"
00016 "#     Strictly backward-compatible with GT 2.0 name matching. \n"
00017 "#     X.509 subjectAltName values are ignored. Names with\n"
00018 "#     hyphens are treated as wildcarded such that \n"
00019 "#     host-ANYTHING.example.com will match a certificate named\n"
00020 "#     host.example.com. The name matching will rely on canonical\n"
00021 "#     host (as resolved via getnameinfo) name associated with\n"
00022 "#     a connection's IP addresses.\n"
00023 "# STRICT_RFC2818:\n"
00024 "#     Support RFC 2818 server identity processing. Hyphen \n"
00025 "#     characters are treated as normal part of a host name. \n"
00026 "#     dnsName and ipAddress subjectAltName extensions are matched\n"
00027 "#     against the host and port passed to GSSAPI. If subjectAltName \n"
00028 "#     is present, X.509 SubjectName is ignored. \n"
00029 "# HYBRID:\n"
00030 "#     Support a hybrid of the two previous name matching algorithms,\n"
00031 "#     liberally matching both hyphen wildcards, canonical names\n"
00032 "#     associated with IP addresses, and subjectAltName extensions.\n"
00033 "#     This has been the default since GT 4.2\n"
00034 "NAME_COMPATIBILITY=STRICT_RFC2818\n"
00035 "# OpenSSL Cipher List. This is a preference-ordered list of OpenSSL cipher\n"
00036 "# names in CIPHER LIST FORMAT specified in ciphers(1). Disregarded and\n"
00037 "# 'eNULL:ALL:!COMPLEMENTOFDEFAULT' used instead, if GSS_C_CONF_FLAG not set\n"
00038 "# by the application.\n"
00039 "CIPHERS=HIGH\n"
00040 "# If true, when choosing a cipher, a server will use its own preferred\n"
00041 "# order instead of the cipher order presented by the client. When not set, the\n"
00042 "# SSL server will always follow the clients preferences.\n"
00043 "SERVER_CIPHER_ORDER=true\n"
00044 "# If true, when computing a message integrity check, use the original\n"
00045 "# implementation, which inspects internal OpenSSL structures. Otherwise,\n"
00046 "# use keying material and sequence counters in the GSSAPI structures only.\n"
00047 "# The true setting is only available for OpenSSL < 1.1.0\n"
00048 "BACKWARD_COMPATIBLE_MIC=true\n"
00049 "# If true, when verifying a message integrity check, accept MICs generated\n"
00050 "# using the original implementation, which inspects internal OpenSSL\n"
00051 "# structures. Otherwise, only use the new code which relies on use keying\n"
00052 "# material and sequence counters in the GSSAPI structures only.\n"
00053 "# The true setting is only available for OpenSSL < 1.1.0\n"
00054 "ACCEPT_BACKWARD_COMPATIBLE_MIC=true\n"
00055 "# If set to a non-root username, then files owned by that user are allowed\n"
00056 "# to own credentials used by the root user\n"
00057 "VHOST_CRED_OWNER=root\n"
00058 ;