NAME

Crypt::NSS::SSL - Generic SSL functions from NSS

DESCRIPTION

This package provides the non-socket-specific SSL functions from NSS, such as setting cipher suites, default options, etc.

INTERFACE

CLASS METHODS

set_option ( $option : integer, $value : integer )
get_option ( $option : integer ) : integer

Get or set the defaults for SSL options on new sockets. The option must be one of the following constants from NSS::SSL::Constants.

SSL_SECURITY

Enable or disable SSL security. If disabled, the socket will not be an SSL session and thus will not support encryption, certificates, etc.

SSL_REQUEST_CERTIFICATE

Request the connected client to authenticate itself using client-side certificates. Server option only.

SSL_REQUIRE_CERTIFICATE

Require the connected client to authenticate itself using client-side certificates. Requires SSL_REQUEST_CERTIFICATE. Server option only.

SSL_HANDSHAKE_AS_CLIENT

Controls how accept on a listening socket should perform the SSL handshake. If false, it handshakes as a server; otherwise it handshakes as a client even though it is a server socket. Server option only.

SSL_HANDSHAKE_AS_SERVER

Controls how connect on a socket should perform the SSL handshake. If false, it handshakes as a client; otherwise it handshakes as a server even though it is a client socket. Client option only.

SSL_ENABLE_FDX

Tell NSS that the application will use the socket in full-duplex mode, i.e. do writes and reads simultaneously.

SSL_ENABLE_SSL3

Enables or disables the SSL v3 protocol which is on by default.

SSL_ENABLE_SSL2

Enables or disables the SSL v2 protocol which is off by default.

SSL_ENABLE_TLS

Enables or disables the TLS protocol.

SSL_V2_COMPATIBLE_HELLO

Tells whether to send v3 hello messages in a v2-compatible form or not. Default is on.

SSL_NO_CACHE

Disable the use of the session cache for sockets. With the cache off, a socket cannot resume a session started by another socket and thus must do the full handshake again. Default is off.

SSL_ROLLBACK_DETECTION

Enable or disable rollback attack detection. Some older clients might not be able to connect if this is on.
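As an added example (not code from the Crypt::NSS distribution), the following applies a set of hardened defaults with set_option and reads each one back with get_option so that a rejected setting is caught at startup rather than at the first connection. It assumes the constants can be imported by name from NSS::SSL::Constants as stated above; the exact import list is an assumption.

```perl
# Added example, not part of Crypt::NSS. Assumes NSS::SSL::Constants
# exports the option constants by name (assumption).
use strict;
use warnings;
use Crypt::NSS::SSL;
use NSS::SSL::Constants qw(
    SSL_SECURITY SSL_ENABLE_SSL2 SSL_ENABLE_SSL3 SSL_ENABLE_TLS
    SSL_V2_COMPATIBLE_HELLO SSL_ROLLBACK_DETECTION
);

# Desired defaults for every new socket, keyed by option constant.
# Values are 1 (on) or 0 (off). The () after each constant forces the
# call so the hash key is the numeric value, not the bareword.
my %wanted = (
    SSL_SECURITY()            => 1,  # every socket must be an SSL session
    SSL_ENABLE_SSL2()         => 0,  # SSLv2 is off by default; keep it off
    SSL_ENABLE_SSL3()         => 0,  # SSLv3 is on by default; turn it off
    SSL_ENABLE_TLS()          => 1,  # TLS only
    SSL_V2_COMPATIBLE_HELLO() => 0,  # no v2-style hellos once v2 is off
    SSL_ROLLBACK_DETECTION()  => 1,  # refuse version rollback attempts
);

# Apply the defaults.
Crypt::NSS::SSL->set_option($_, $wanted{$_}) for sort { $a <=> $b } keys %wanted;

# Read every default back and fail loudly if NSS did not accept one.
sub verify_defaults {
    my @mismatch;
    for my $opt (sort { $a <=> $b } keys %wanted) {
        my $got = Crypt::NSS::SSL->get_option($opt) ? 1 : 0;
        push @mismatch, "option $opt: wanted $wanted{$opt}, got $got"
            if $got != $wanted{$opt};
    }
    return @mismatch;
}

if (my @bad = verify_defaults()) {
    die join("\n", @bad), "\n";
}
print "SSL defaults applied\n";
```

Turning SSLv3 off and rollback detection on is the conservative choice; as the text notes, some older clients may then be unable to connect, which is the intended trade-off here.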

set_cipher ( $cipher : integer, $enabled : boolean )
get_cipher ( $cipher : integer ) : boolean

Get or set whether a cipher is enabled or not.

config_server_session_cache ( \%ARGS )

Configure the session cache if we are a server. The argument ARGS must be a hash reference and takes the following options:

max_cache_entries : integer

The maximum number of entries in the cache. If omitted or specified as 0, the default of 10,000 is used.

ssl2_timeout : integer

The lifetime of an SSL2 session. Minimum is 5 seconds, maximum is 24 hours. Default is 100 seconds.

ssl3_timeout : integer

The lifetime of an SSL3 session. Minimum is 5 seconds, maximum is 24 hours. Default is 24 hours.

data_dir : string

The path to the directory where the session cache is stored. If omitted, your system's temp dir is used.

shared : boolean

If your server is multithreaded or multiprocess (i.e. forks), you must indicate this by passing a true value in this option.

clear_session_cache ( )

Clear the session cache.

set_cipher_suite ( suite : string )

Regulates which cipher suite we want. By default all ciphers are disabled, so you must call this before any cryptographic function in NSS can work. Passing cipher_suite during Crypt::NSS import also does this. Currently there are three suites declared:

US (or Domestic)
France
International (or Export)
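As an added example (not code from the Crypt::NSS distribution), here is the server-side setup order described above: a cipher suite is enabled first, then the session cache is configured through a small wrapper that checks the arguments against the documented limits before handing them to NSS. The suite string 'US', the data_dir path and the will_fork flag are assumptions; the page names the suites but not the exact strings the module accepts.

```perl
# Added example, not part of Crypt::NSS. The suite string 'US', the
# cache directory and the will_fork flag are assumptions/constructed.
use strict;
use warnings;
use Carp qw(croak);
use Crypt::NSS::SSL;

# Documented bounds for the session timeouts: 5 seconds .. 24 hours.
use constant { MIN_TIMEOUT => 5, MAX_TIMEOUT => 24 * 3600 };

# Validate the arguments before calling config_server_session_cache so a
# misconfiguration fails at startup rather than being silently clamped.
sub configure_session_cache {
    my (%args) = @_;
    for my $key (qw(ssl2_timeout ssl3_timeout)) {
        next unless defined $args{$key};
        croak "$key must be between " . MIN_TIMEOUT . " and " . MAX_TIMEOUT . " seconds"
            if $args{$key} < MIN_TIMEOUT || $args{$key} > MAX_TIMEOUT;
    }
    # A forking or threaded server must share the cache, otherwise children
    # cannot resume each other's sessions and every connection re-handshakes.
    croak "shared => 1 is required for a forking or threaded server"
        if $args{will_fork} && !$args{shared};
    delete $args{will_fork};   # local flag (assumed), not an NSS option
    Crypt::NSS::SSL->config_server_session_cache(\%args);
    return 1;
}

# All ciphers are disabled until a suite is chosen, so this comes first.
Crypt::NSS::SSL->set_cipher_suite('US');

configure_session_cache(
    max_cache_entries => 0,                      # 0 selects the default 10,000
    ssl2_timeout      => 100,                    # seconds (the documented default)
    ssl3_timeout      => 4 * 3600,               # 4 hours, shorter than the 24 h default
    data_dir          => '/var/tmp/nss-cache',   # constructed path
    shared            => 1,
    will_fork         => 1,
);

# Call clear_session_cache when the server's certificate or key changes so
# that no client resumes a session established under the old identity.
Crypt::NSS::SSL->clear_session_cache();
```

Keeping ssl3_timeout below the 24-hour default bounds how long a captured session can be resumed; the exact value is a policy choice for the deployment.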