User's Manual 116 Document #: LTRT-10532
Mediant 500L Gateway & E-SBC
Parameter Description
[TLSContexts_ClientCipherString]
The default is DEFAULT. For possible values and additional
details, visit the OpenSSL website at
https://www.openssl.org/docs/man1.0.2/apps/ciphers.html.
Strict Certificate Extension Validation
require-strict-cert
[TLSContexts_RequireStrictCert]
Enables validation of the keyUsage and extendedKeyUsage
extensions of peer certificates. The validation ensures that
the signing CA is authorized to sign certificates and that the
end-entity certificate is authorized to negotiate a secure TLS
connection.
[0] Disable (default)
[1] Enable
DH Key Size
dh-key-size
[TLSContexts_DHKeySize]
Defines the Diffie-Hellman (DH) key size (in bits). DH is a
key-exchange algorithm used chiefly to agree on the keys for
symmetric encryption algorithms such as AES.
[1024] 1024 (default)
[2048] 2048
OCSP
OCSP Server
ocsp-server
[TLSContexts_OcspEnable]
Enables or disables certificate checking using OCSP.
[0] Disable (default)
[1] Enable
Primary OCSP Server
ocsp-server-primary
[TLSContexts_OcspServerPrimary]
Defines the IP address (in dotted-decimal notation) of the
primary OCSP server.
The default is 0.0.0.0.
Secondary OCSP Server
ocsp-server-secondary
[TLSContexts_OcspServerSecondary]
Defines the IP address (in dotted-decimal notation) of the
secondary OCSP server (optional).
The default is 0.0.0.0.
OCSP Port
ocsp-port
[TLSContexts_OcspServerPort]
Defines the OCSP server's TCP port number.
The default port is 2560.
OCSP Default Response
ocsp-default-response
[TLSContexts_OcspDefaultResponse]
Determines whether the device allows or rejects peer
certificates if it cannot connect to the OCSP server.
[0] Reject (default)
[1] Allow
10.2 Assigning CSR-based Certificates to TLS Contexts
The following procedure describes how to request a digitally signed certificate from a
Certification Authority (CA) for a TLS Context. This process is referred to as a certificate
signing request (CSR) and is required if your organization employs a Public Key
Infrastructure (PKI) system. The CSR contains information identifying the device such as a
distinguished name in the case of an X.509 certificate.
To assign a CSR-based certificate to a TLS Context:
1. Your network administrator should allocate a unique DNS name for the device (e.g.,
dns_name.corp.customer.com). The DNS name is used to access the device and must
therefore be listed in the server certificate.
2. Open the TLS Contexts table (see ''Configuring TLS Certificate Contexts'' on page