PowerShell Server 2016

SSL Tunnels

Configuration options for the SSL Tunnel functionality included in PowerShell Server are stored in the Windows registry in HKEY_LOCAL_MACHINE\SOFTWARE\nsoftware\PowerShell\Server\16\SSLTunnels. This location will hold a registry key for each SSL Tunnel that is created. The registry key for each tunnel can be configured with the following options:

TunnelEnabled (DWORD): Can be used to enable or disable the SSH Reverse Tunnel.

0 - Disabled.

1 - Enabled. (default)

TunnelForwardingHost (String): Indicates the host to which the tunneled traffic will be forwarded.

TunnelForwardingPort (DWORD): Indicates the port on which the tunneled traffic will be forwarded.

TunnelListeningAddress (String): Indicates the interface on the remote SSH server where the tunnel will be listening.

TunnelListeningPort (DWORD): Indicates the port on which the remote SSH server should listen for traffic.

TunnelName (String): A friendly name for the SSH Reverse Tunnel.

SSLEnabled (DWORD): Whether the tunnel will be secured with SSL, or simply a plaintext tunnel.

0 - Disabled.

1 - Enabled. (default)

SSLTunnelCertStore (String): The certificate store where the SSL certificate can be found.

If SSLTunnelCertStoreType is either 0 or 1, this value defines the specific store where the certificate can be found. Otherwise, this value should be set to a path on disk.

Possible values when SSLTunnelCertStoreType is 0 or 1 include: My, Root, Trust, CA, TrustedPublisher, Disallowed, AuthRoot, TrustedPeople.

SSLTunnelCertStorePassword (String): The password for the certificate store defined in SSLTunnelCertStore, if required.

SSLTunnelCertStoreType (DWORD): Specifies the type of certificate store where the SSL certificate can be found. Can be one of the following values:

0 - User store

1 - Machine Store

2 - PFX File

4 - PEM File

SSLTunnelCertSubject (String): The subject of the certificate used during SSL negotiation. Example: "CN=NEWTON".

SSLTunnelEnabledCipherSuites (String): The enabled cipher suites to be used in SSL negotiation.

By default, the enabled cipher suites will include all available ciphers ("*").

The special value "*" means that the component will pick all of the supported cipher suites. If SSLTunnelEnabledCipherSuites is set to any other value, only the specified cipher suites will be considered.

Multiple cipher suites are separated by semicolons.

Example values (one example per line):

*
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_SHA; SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Possible values when SSLTunnelUseInternalSecurityAPI is False (default) include:

  • SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_WITH_RC4_128_SHA
  • SSL_RSA_WITH_DES_CBC_SHA
  • SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
  • SSL_DH_anon_WITH_DES_CBC_SHA
  • SSL_RSA_EXPORT_WITH_RC4_40_MD5
  • SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  • SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
  • SSL_DHE_DSS_WITH_DES_CBC_SHA
  • SSL_RSA_WITH_NULL_MD5
  • SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_RSA_WITH_DES_CBC_SHA
  • SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
  • SSL_RSA_WITH_NULL_SHA
  • SSL_DH_anon_WITH_RC4_128_MD5
  • SSL_RSA_WITH_RC4_128_MD5
  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_NULL_SHA
  • TLS_DH_anon_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_anon_WITH_RC4_128_SHA
  • TLS_DH_anon_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_KRB5_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_KRB5_EXPORT_WITH_RC4_40_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • TLS_ECDH_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDH_anon_WITH_NULL_SHA
  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_NULL_SHA256
  • TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
  • TLS_KRB5_WITH_RC4_128_MD5
  • TLS_ECDHE_ECDSA_WITH_NULL_SHA
  • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_RSA_WITH_RC4_128_SHA
  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  • TLS_KRB5_WITH_3DES_EDE_CBC_MD5
  • TLS_KRB5_WITH_RC4_128_SHA
  • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_RSA_WITH_NULL_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_KRB5_WITH_DES_CBC_MD5
  • TLS_KRB5_EXPORT_WITH_RC4_40_MD5
  • TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
  • TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_KRB5_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_NULL_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA

Possible values when SSLTunnelUseInternalSecurityAPI is True include:

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_DES_CBC_SHA
  • TLS_DHE_DSS_WITH_DES_CBC_SHA
  • TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DH_ANON_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_DH_ANON_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DH_ANON_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_DH_ANON_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_DH_ANON_WITH_DES_CBC_SHA
  • TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_DH_anon_WITH_RC4_128_MD5

Example values when SSLTunnelUseInternalSecurityAPI is False (default) (one example per line):

*
CALG_AES_256
CALG_AES_256;CALG_3DES

Possible values when SSLTunnelUseInternalSecurityAPI is False (default) include:

  • CALG_3DES
  • CALG_3DES_112
  • CALG_AES
  • CALG_AES_128
  • CALG_AES_192
  • CALG_AES_256
  • CALG_AGREEDKEY_ANY
  • CALG_CYLINK_MEK
  • CALG_DES
  • CALG_DESX
  • CALG_DH_EPHEM
  • CALG_DH_SF
  • CALG_DSS_SIGN
  • CALG_ECDH
  • CALG_ECDH_EPHEM
  • CALG_ECDSA
  • CALG_ECMQV
  • CALG_HASH_REPLACE_OWF
  • CALG_HUGHES_MD5
  • CALG_HMAC
  • CALG_KEA_KEYX
  • CALG_MAC
  • CALG_MD2
  • CALG_MD4
  • CALG_MD5
  • CALG_NO_SIGN
  • CALG_OID_INFO_CNG_ONLY
  • CALG_OID_INFO_PARAMETERS
  • CALG_PCT1_MASTER
  • CALG_RC2
  • CALG_RC4
  • CALG_RC5
  • CALG_RSA_KEYX
  • CALG_RSA_SIGN
  • CALG_SCHANNEL_ENC_KEY
  • CALG_SCHANNEL_MAC_KEY
  • CALG_SCHANNEL_MASTER_HASH
  • CALG_SEAL
  • CALG_SHA
  • CALG_SHA1
  • CALG_SHA_256
  • CALG_SHA_384
  • CALG_SHA_512
  • CALG_SKIPJACK
  • CALG_SSL2_MASTER
  • CALG_SSL3_MASTER
  • CALG_SSL3_SHAMD5
  • CALG_TEK
  • CALG_TLS1_MASTER
  • CALG_TLS1PRF

Example values when SSLTunnelUseInternalSecurityAPI is True (one example per line):

*
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA;TLS_DH_ANON_WITH_AES_128_CBC_SHA

Possible values when SSLTunnelUseInternalSecurityAPI is True include:

  • TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA
  • TLS_DH_ANON_WITH_AES_128_CBC_SHA
  • TLS_DH_ANON_WITH_AES_128_CBC_SHA256
  • TLS_DH_ANON_WITH_AES_256_CBC_SHA
  • TLS_DH_ANON_WITH_AES_256_CBC_SHA256
  • TLS_DH_ANON_WITH_DES_CBC_SHA
  • TLS_DH_ANON_WITH_RC4_128_MD5
  • TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_DES_CBC_SHA
  • TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_RC4_128_SHA

SSLTunnelEnabledCipherSuites is used together with SSLTunnelCipherStrength.

SSLTunnelCipherStrength (DWORD): The minimum cipher strength used for bulk encryption.

This minimum cipher strength is largely dependent on the security modules installed on the system. If the cipher strength specified is not supported, an error will be returned when connections are initiated.

Please note that this setting contains the minimum cipher strength requested from the security library.

Use this setting with caution. Requesting a lower cipher strength than necessary could potentially cause serious security vulnerabilities.

SSLTunnelEnabledProtocols (DWORD): Used to enable/disable the supported security protocols.

Not all supported protocols are enabled by default (the value of this setting is 4032). If you want more granular control over the enabled protocols, you can set this property to the binary 'OR' of one or more of the following values:

TLS1.2   3072 (Hex C00)  (Default)
TLS1.1    768 (Hex 300)  (Default)
TLS1      192 (Hex C0)   (Default)
SSL3       48 (Hex 30)
SSL2       12 (Hex 0C)

SSLTunnelProvider (String): The name of the security provider to use.

Change this setting to use security providers other than the system default.

Use this setting with caution. Disabling SSL security or pointing to the wrong provider could potentially cause serious security vulnerabilities in your application.

The special value "*" (default) picks the default SSL provider defined in the system.

The special value "Internal" picks the internal SSL implementation. This does not rely on any system libraries. This is equivalent to setting SSLTunnelUseInternalSecurityAPI to True.

SSLTunnelSecurityFlags (DWORD): Flags that control certificate verification.

The following flags are defined (specified in hexadecimal notation). They can be or-ed together to exclude multiple conditions:

0x00000001  Ignore time validity status of certificate.
0x00000002  Ignore time validity status of CTL.
0x00000004  Ignore non-nested certificate times.
0x00000010  Allow unknown Certificate Authority.
0x00000020  Ignore wrong certificate usage.
0x00000100  Ignore unknown certificate revocation status.
0x00000200  Ignore unknown CTL signer revocation status.
0x00000400  Ignore unknown Certificate Authority revocation status.
0x00000800  Ignore unknown Root revocation status.
0x00008000  Allow test Root certificate.
0x00004000  Trust test Root certificate.
0x80000000  Ignore non-matching CN (certificate CN not-matching server name).
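
As an added example (not the product's own code or documentation), the following PowerShell script audits the tunnel keys under the SSLTunnels registry path against the SSLEnabled value and the SSLTunnelEnabledProtocols and SSLTunnelSecurityFlags tables above: it decodes each DWORD and reports tunnels that run in plaintext, still accept SSL2 or SSL3, or have certificate verification checks switched off. The registry path, value names and bit values come from this page; the function names are mine, and the script assumes read access to HKLM on the PowerShell Server host.

```powershell
# Added audit example (not product code): walks every tunnel key and reports weak settings.
$TunnelRoot = 'HKLM:\SOFTWARE\nsoftware\PowerShell\Server\16\SSLTunnels'

# Bits from the SSLTunnelEnabledProtocols table; 4032 (0xFC0) is the documented default.
$ProtocolBits = @(
    @{ Bit = 0xC00; Name = 'TLS1.2' }, @{ Bit = 0x300; Name = 'TLS1.1' }, @{ Bit = 0xC0; Name = 'TLS1' },
    @{ Bit = 0x30;  Name = 'SSL3' },   @{ Bit = 0x0C;  Name = 'SSL2' }
)
# SSLTunnelSecurityFlags bits; each one switches a verification check off. The last value is
# written in decimal because 0x80000000 is a negative Int32 literal in Windows PowerShell.
$SecurityFlagBits = @(
    @{ Bit = 0x00000001; Name = 'Ignore time validity status of certificate' },
    @{ Bit = 0x00000002; Name = 'Ignore time validity status of CTL' },
    @{ Bit = 0x00000004; Name = 'Ignore non-nested certificate times' },
    @{ Bit = 0x00000010; Name = 'Allow unknown Certificate Authority' },
    @{ Bit = 0x00000020; Name = 'Ignore wrong certificate usage' },
    @{ Bit = 0x00000100; Name = 'Ignore unknown certificate revocation status' },
    @{ Bit = 0x00000200; Name = 'Ignore unknown CTL signer revocation status' },
    @{ Bit = 0x00000400; Name = 'Ignore unknown Certificate Authority revocation status' },
    @{ Bit = 0x00000800; Name = 'Ignore unknown Root revocation status' },
    @{ Bit = 0x00008000; Name = 'Allow test Root certificate' },
    @{ Bit = 0x00004000; Name = 'Trust test Root certificate' },
    @{ Bit = 2147483648; Name = 'Ignore non-matching CN' }
)

function ConvertTo-UnsignedDword($RegistryValue, [int64]$Default) {
    # A REG_DWORD with the high bit set is read back as a negative Int32; mask to the unsigned value.
    if ($null -eq $RegistryValue) { return $Default }
    return ([int64]$RegistryValue) -band 4294967295
}

function Get-SetBitNames([int64]$Value, $Table) {
    # Names of table entries whose bits are all present in $Value.
    $Table | Where-Object { ($Value -band $_.Bit) -eq $_.Bit } | ForEach-Object { $_.Name }
}

Get-ChildItem -Path $TunnelRoot -ErrorAction Stop | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    $protocols = Get-SetBitNames (ConvertTo-UnsignedDword $p.SSLTunnelEnabledProtocols 4032) $ProtocolBits
    $findings = @()
    if ((ConvertTo-UnsignedDword $p.SSLEnabled 1) -eq 0) { $findings += 'SSLEnabled=0: tunnel is plaintext' }
    foreach ($legacy in @('SSL2', 'SSL3')) {
        if ($protocols -contains $legacy) { $findings += "$legacy enabled in SSLTunnelEnabledProtocols" }
    }
    foreach ($check in (Get-SetBitNames (ConvertTo-UnsignedDword $p.SSLTunnelSecurityFlags 0) $SecurityFlagBits)) {
        $findings += "SSLTunnelSecurityFlags: $check"
    }
    [pscustomobject]@{ Tunnel = $_.PSChildName; Name = $p.TunnelName
                       Protocols = ($protocols -join ', '); Findings = ($findings -join '; ') }
}
```

A tunnel with the documented defaults (SSLEnabled absent or 1, SSLTunnelEnabledProtocols 4032, SSLTunnelSecurityFlags 0) produces an empty Findings column; anything listed there is a setting to justify or revert.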

TunnelFirewallType (DWORD): The type of firewall for the SSL Tunnel to connect through. Applicable values include the following:

0 - No firewall (default setting)

1 - Connect through a tunneling proxy.

2 - Connect through a SOCKS4 proxy.

3 - Connect through a SOCKS5 proxy.

TunnelFirewallHost (String): The name or IP address of the firewall that the SSH Tunnel will connect through.

TunnelFirewallPort (DWORD): The TCP port for the TunnelFirewallHost.

TunnelFirewallUser (String): A user name if authentication is to be used when connecting through a firewall.

TunnelFirewallPassword (String): Password to be used if authentication is to be used when connecting through a firewall.

Copyright (c) 2017 /n software inc. - All rights reserved.
PowerShell Server 2016 - Version 16.0 [Build 6240]