You will find a general overview of TLS/SSL in the interNet Services User Guide.
The term TLS has been established for quite some time, and the versions of the SSL/TLS protocol whose names contain 'SSL' are no longer supported. For this reason the interNet Services guides mostly use TLS rather than TLS/SSL. 'SSL' remains only in option names and the like.
TLS support on the TELNET server offers a wide range of setting options. You can make these settings as follows:
With the aid of options which are stored in one or more option files and are interpreted when the TELNET server is started (see the section “Configuring TELNET using an option file”).
With the aid of the parameters of the installation command SET-FTP-TELNET-PARAMETERS (see the section “Configuring TELNET using an option file”).
Parameterization of TLS support on the TELNET server
Below you will find an overview of the possible settings for TLS support on the TELNET server using the options. The individual options correspond to equivalent parameters in the SET-FTP-TELNET-PARAMETERS command.
The following options are available for setting parameters for TLS support on the TELNET server:
START-TLS option (-Z tls-required, see "-Z tls-required")
This option allows you to control TLS support on the TELNET server. A raft of additional options (-Z options) is provided here (see the table on "TLS/SSL support on the TELNET server"). Provisions for authentication are negotiated by TLS to free TELNET of this load.
AUTHENTICATION option (-B, see "-B option - Enable/disable the AUTHENTICATION option")
You use this option to negotiate the provisions for authentication. In BS2000 the AUTHENTICATION option is currently only implemented for TLS.
You can control TLS support on the TELNET server using the AUTHENTICATION option implemented for TLS. To do this you use the same -Z options as in the START-TLS option (see the table on "TLS/SSL support on the TELNET server").
ENCRYPTION option (-H, "-H option - Enable/disable the ENCRYPTION option")
You use this option to negotiate the encryption method and the key used. In TELNET, currently only the DES64 variants DES_CFB64 and DES_OFB64 are supported.
The START-TLS option and AUTHENTICATION option may not be enabled simultaneously. The following table lists the options with which you can control TLS support on the TELNET server in conjunction with the START-TLS / AUTHENTICATION option.
Option | Description |
Choose TLS protocol versions selectively | |
Specify cipher suite preference list | |
Specify file which contains the RSA-based X.509 server certificate in PEM format | |
Specify file which contains the private RSA server key in PEM format | |
Specify file which contains the DSA-based X.509 server certificate in PEM format | |
Specify file which contains the private DSA server key in PEM format | |
Specify file in which all the certificates required for verification of the server certificate can be stored | |
Specify file which contains the certificates required for authentication of the TELNET client in PEM format | |
Specify file from which the names of the CAs that the server accepts as signatories of client certificates can be obtained | |
Specify file which contains the CRLs of the CAs | |
Define whether the TELNET client must provide a certificate for server access | |
Define verification depth | |
Specify file from which the data for initializing the PRNG is read when the server is started | |
Define the LMS file from which the OpenSSL library should be dynamically loaded |