Configuration options for the SSL Tunnel functionality included in PowerShell Server are stored in the Windows registry in HKEY_LOCAL_MACHINE\SOFTWARE\nsoftware\PowerShell\Server\16\SSLTunnels. This location will hold a registry key for each SSL Tunnel that is created. The registry key for each tunnel can be configured with the following options:
| Name | Type | Description |
|---|---|---|
| TunnelEnabled | DWORD | Enables or disables the SSH Reverse Tunnel. 0 = Disabled; 1 = Enabled (default). |
| TunnelForwardingHost | String | The host to which the tunneled traffic will be forwarded. |
| TunnelForwardingPort | DWORD | The port to which the tunneled traffic will be forwarded. |
| TunnelListeningAddress | String | The interface on the remote SSH server on which the tunnel will listen. |
| TunnelListeningPort | DWORD | The port on which the remote SSH server should listen for traffic. |
| TunnelName | String | A friendly name for the SSH Reverse Tunnel. |
| SSLEnabled | DWORD | Whether the tunnel is secured with SSL or is simply a plaintext tunnel. 0 = Disabled; 1 = Enabled (default). |
| SSLTunnelCertStore | String | The certificate store where the SSL certificate can be found. If SSLTunnelCertStoreType is 0 or 1, this value names the specific store; possible values include My, Root, Trust, CA, TrustedPublisher, Disallowed, AuthRoot and TrustedPeople. Otherwise, this value should be set to a path on disk. |
| SSLTunnelCertStorePassword | String | The password for the certificate store defined in SSLTunnelCertStore, if required. |
| SSLTunnelCertStoreType | DWORD | The type of certificate store where the SSL certificate can be found: 0 = User store; 1 = Machine store; 2 = PFX file; 4 = PEM file. |
| SSLTunnelCertSubject | String | The subject of the certificate used during SSL negotiation. Example: "CN=NEWTON". |
| SSLTunnelEnabledCipherSuites | String | The cipher suites enabled for SSL negotiation, separated by semicolons. The default "*" selects all supported cipher suites; any other value restricts negotiation to the suites listed. Example values: "*", "SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_SHA;SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA". When SSLTunnelUseInternalSecurityAPI is False (default), suite names are CryptoAPI algorithm identifiers, e.g. "CALG_AES_256" or "CALG_AES_256;CALG_3DES"; when it is True, they are TLS suite names, e.g. "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" or "TLS_DHE_DSS_WITH_AES_128_CBC_SHA;TLS_DH_ANON_WITH_AES_128_CBC_SHA". Used together with SSLTunnelCipherStrength. |
| SSLTunnelCipherStrength | DWORD | The minimum cipher strength used for bulk encryption. The strengths available depend largely on the security modules installed on the system; if the specified strength is not supported, an error is returned when a connection is initiated. Note that this is the minimum strength requested from the security library. Use this setting with caution: requesting a lower cipher strength than necessary could potentially cause serious security vulnerabilities. |
| SSLTunnelEnabledProtocols | DWORD | Enables or disables the supported security protocols. Not all supported protocols are enabled by default (the default value is 4032). For more granular control over the enabled protocols, set this value to the bitwise OR of the individual protocol values. |
| SSLTunnelProvider | String | The name of the security provider to use. Change this setting to use a security provider other than the system default. Use this setting with caution: disabling SSL security or pointing to the wrong provider could potentially cause serious security vulnerabilities in your application. The special value "*" (default) picks the default SSL provider defined in the system. The special value "Internal" picks the internal SSL implementation, which does not rely on any system libraries; this is equivalent to setting SSLTunnelUseInternalSecurityAPI to True. |
| SSLTunnelSecurityFlags | DWORD | Flags that control certificate verification. Individual flags (specified in hexadecimal notation) can be OR-ed together to exclude multiple verification conditions. |
| TunnelFirewallType | DWORD | The type of firewall for the SSL Tunnel to connect through: 0 = No firewall (default); 1 = Connect through a tunneling proxy; 2 = Connect through a SOCKS4 proxy; 3 = Connect through a SOCKS5 proxy. |
| TunnelFirewallHost | String | The name or IP address of the firewall that the SSH Tunnel will connect through. |
| TunnelFirewallPort | DWORD | The TCP port for the TunnelFirewallHost. |
| TunnelFirewallUser | String | The user name to use if authentication is required when connecting through a firewall. |
| TunnelFirewallPassword | String | The password to use if authentication is required when connecting through a firewall. |
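As an added example (not code from the PowerShell Server documentation or product), the following read-only PowerShell script enumerates the tunnel keys under the registry path given above and reports settings an administrator would want to review: plaintext tunnels, weak cipher suites, non-default providers, missing certificate files and firewall passwords held in the registry. The weak-suite pattern and the treatment of absent values as the documented defaults are assumptions.

```powershell
# Added example (not from the n/software documentation): read-only audit of every
# SSL Tunnel key under the documented registry path, flagging settings a defender
# would review. Run in an elevated PowerShell session.
$TunnelRoot = 'HKLM:\SOFTWARE\nsoftware\PowerShell\Server\16\SSLTunnels'
# Assumption: suites matching this pattern are treated as weak for this audit
# (RC4, 3DES, anonymous or NULL suites); adjust to local policy.
$WeakSuitePattern = 'RC4|3DES|_ANON_|_NULL_'

function Get-SslTunnelAudit {
    param([string]$Root = $TunnelRoot)
    if (-not (Test-Path $Root)) { Write-Warning "No tunnels defined at $Root"; return }
    foreach ($key in Get-ChildItem -Path $Root) {
        $p = Get-ItemProperty -Path $key.PSPath
        $findings = New-Object System.Collections.Generic.List[string]
        # A missing value means the documented default (1 = enabled) applies.
        $enabled    = if ($null -eq $p.TunnelEnabled) { 1 } else { $p.TunnelEnabled }
        $sslEnabled = if ($null -eq $p.SSLEnabled)    { 1 } else { $p.SSLEnabled }
        if ($enabled -eq 1 -and $sslEnabled -eq 0) {
            $findings.Add('SSLEnabled=0: tunnel carries plaintext')
        }
        $suites = $p.SSLTunnelEnabledCipherSuites
        if ($suites -and $suites -ne '*') {
            # Suites are semicolon-separated, as documented above.
            $weak = ($suites -split ';') | ForEach-Object { $_.Trim() } |
                    Where-Object { $_ -match $WeakSuitePattern }
            if ($weak) { $findings.Add("weak cipher suite(s): $($weak -join ', ')") }
        }
        if ($p.SSLTunnelProvider -and $p.SSLTunnelProvider -notin @('*', 'Internal')) {
            $findings.Add("non-default security provider: $($p.SSLTunnelProvider)")
        }
        # Store types 2 (PFX) and 4 (PEM) point at a file that must exist on disk.
        $certPath = [string]$p.SSLTunnelCertStore
        if ($p.SSLTunnelCertStoreType -in @(2, 4) -and ($certPath -eq '' -or -not (Test-Path -LiteralPath $certPath))) {
            $findings.Add("certificate file not found: '$certPath'")
        }
        if ($p.TunnelFirewallPassword) {
            $findings.Add('firewall password stored as a plain registry string')
        }
        [pscustomobject]@{
            Tunnel   = $key.PSChildName
            Name     = $p.TunnelName
            Forward  = "$($p.TunnelForwardingHost):$($p.TunnelForwardingPort)"
            Listen   = "$($p.TunnelListeningAddress):$($p.TunnelListeningPort)"
            Findings = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'none' }
        }
    }
}

Get-SslTunnelAudit | Format-Table -AutoSize -Wrap
```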