When rejecting a file from within the AcceptFile event if this setting is set to True the component will send a retry indicator value to the client to specify the file may be retried later. This should be set from within the AcceptFile event. For instance:

component.Config("AllowRetry[" + e.ConnectionId + "]");

By default the component will send a CD command after sending an asynchronous EERP and getting back a RTR (Ready to Receive) response. This gives control of the connection back to the client. If sending multiple asynchronous EERPs set this to False. After sending all of the EERPs use the ChangeDirection method to explicitly change the speaker for the connection if desired.

The name of the certificate store. This is used when specifying an alternative Certificate for the specified connection.

The CertificateStoreType specifies the type of the certificate store specified by CertificateStore. If the store is password protected, specify the password in CertificateStorePassword.

CertificateStore is used in conjunction with the CertificateSubject field in order to specify the certificate.

Designations of certificate stores are platform-dependent.

The following are designations of the most common User and Machine certificate stores in Windows:

In Java, the certificate store normally is a file containing certificates and optional private keys.

When the certificate store type is PFXFile, this property must be set to the name of the file. When the type is PFXBlob, the property must be set to the binary contents of a PFX file (i.e. PKCS12 certificate store).

If the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store. This is used when specifying an alternative Certificate for the specified connection.

This specifies the type of certificate store. This is used when specifying an alternative Certificate for the specified connection. Possible values are:

The subject of the certificate. This is used when specifying an alternative Certificate for the specified connection.

The special value "*" picks a random certificate in the certificate store.

The certificate subject is a comma separated list of distinguished name fields and values. For instance "CN=www.server.com, OU=test, C=US, E=support@nsoftware.com". Common fields and their meanings are displayed below.

If a field value contains a comma it must be quoted.

By default the component will use the certificate set in the Certificate property for all operations that require a certificate. This setting allows for different certificates to be set for specific operations. First, specify the CertificateType via this setting and then set the Certificate property. For instance:

component.Config("CertificateType=3");
component.Certificate = mySigningCertificate;

By default the component will use the alternate certificate specified by the CertificateSubject setting for all operations that require a certificate. This setting allows for different certificates to be set for specific operations. First, specify the CertificateType via this setting and then set the Certificate* configuration settings. For instance:

component.Config("CertificateType[ConnectionId]=3");
component.Config("CertificateStoreType[ConnectionId]=2");
component.Config("CertificateStore[ConnectionId]=C:\\mycert.pfx");
component.Config("CertificateStorePassword[ConnectionId]=password");
component.Config("CertificateSubject[ConnectionId]=*");

Specifies the type of connection that is created. The default value is 0 (Both) in which the component can both send and receive files. However you can limit the component to only be able to send or receive files by specifying a value of 1 (Send Only) or 2 (Receive Only).

This may be set within the AcceptConnection event. It only applies to the connection parameters sent by the server to the client. It does not return the value sent by the client to the server. Valid values are:

For instance:

component.Config("ConnectionType[" + e.ConnectionId + "]=1");

This setting defines the maximum credit value to be sent in the initial connection (SSID command). The default value is 99 and the maximum value is 999. This setting may be used within the AcceptConnection event. Querying this setting inside the event will return the value provided by the connecting client. You may set this value within the event to specify the credit count that will be sent to the client.

When establishing a connection the smaller of the two values provided by the client and the server will be used. This setting may also be queried after a connection is established to determine the negotiated value.

For instance:

string receivedCreditCount = component.Config("CreditCount[" + e.ConnectionId + "]");
component.Config("CreditCount[" + e.ConnectionId + "]=55");

This property specifies the idle timeout (in seconds) for clients. When set to a positive value the component will disconnect idle clients after the specified timeout.

This only applies to clients that have not sent or received data within DefaultIdleTimeout seconds.

If set to 0 (default) no idle timeout is applied.

Note: DoEvents must be called in order for the component to check existing connections.

The receipt hash algorithm specified in this setting is sent to the receiving party when a file is sent, and the receiving party should use this value when calculating the hash returned in the EERP or NERP receipt. Possible values are:

By default this value is True. When set to False and receiving a file, if the file is encrypted, signed, or compressed the file will be decrypted, verified, or decompressed. If there is an error during processing the original unprocessed file will be placed in DownloadDirectory. In that case you may choose what to do with the file based on the error reported during processing.

When this is set to True (default) and there is an error during processing the original unprocessed file will be deleted and no files will be placed in DownloadDirectory.

By default when Logoff is called the component will close the TCP connection after ending the session (the ESID command is sent). To let the other side close the connection after it has received the end session command (ESID), set this to False.

This setting defines the data exchange buffer size to be sent in the initial connection (SSID command) in bytes. The default value is 2048. This setting may be used within the AcceptConnection event. Querying this setting inside the event will return the value provided by the connecting client. You may set this value within the event to specify the data exchange buffer size that will be sent to the client.

When establishing a connection the smaller of the two values provided by the client and the server will be used. This setting may also be queried after a connection is established to determine the negotiated value.

For instance:

string receivedExchangeBufferSize = component.Config("ExchangeBufferSize[" + e.ConnectionId + "]");
component.Config("ExchangeBufferSize[" + e.ConnectionId + "]=1024");

This specifies the certificate store type when loading a certificate that will be sent to the remote party. This is only applicable when calling ExchangeCertificate. The default value is "8" which indicates the certificate will be loaded from a file on disk. When the certificate is not in a .cer format or is located in the Windows certificate store this setting should be set to the appropriate value before calling ExchangeCertificate.

For a list of possible values please see StoreType. Also see ExchangeCertSubject.

This specifies the subject of the certificate being exchanged. This will be used to load the appropriate certificate when ExchangeCertificate is called. This is used in conjunction with ExchangeCertStoreType and is only necessary when loading a certificate from a store that may hold more than one certificate (such as a Windows certificate store).

When TrustedCerts is populated the component will validate that loaded certificates were issued by a trusted CA in TrustedCerts. This setting controls the behavior when an untrusted certificate is found. By default this value is True and the component will throw an exception. If this is set to False the component will fire the Error event but the error will not be fatal and the operation will be allowed to continue.

When sending a file this setting may be set to specify additional information. There is no restriction on the type of data supplied here. It may be set to a longer filename, or simply additional text data that you wish to pass to the receiver. The data supplied will be UTF-8 encoded by the component. The maximum length is 999 bytes (after UTF-8 encoding). This setting is only applicable when sending files.

For instance:

component.Config("FileDescription[myConnectionId]=My File Description");

The file hash algorithm specified in this setting is used to calculate the hash sent along with an outgoing file. Possible values are:

If set to True (default) the component will fire the EndResponse event for both sent and received end responses. If set to False the EndResponse event will fire only for received (incoming) end responses. The Direction parameter of EndResponse determines if the end response is being sent or received. The default value is True.

When TrustedCertsData holds a URL and ImportTrustedCerts is called the component makes a HTTP request to obtain the trusted certificates. If the server returns a HTTP redirect this setting specifies how the component will handle it. Possible values are:

This setting effects the content of the Data parameter of the PITrail event. By default this setting is true and a format designed to be more easily read is used. If set to false the Data parameter will hold the raw unformatted protocol level content.

This field is similar to DefaultIdleTimeout but may be set on a per-connection basis to override DefaultIdleTimeout. This field specifies the idle timeout (in seconds) for the connected client. When set to a positive value the component will disconnect idle clients after the specified timeout. This only applies to clients that have not send to received data within the specified number of seconds. If set to 0 (default) no idle timeout is applied.

For instance:

component.Config("IdleTimeout[" + e.ConnectionId + "]=1");

The default value is False. When True, KEEPALIVE packets are enabled (for long connections).

Please note that system TCP/IP stack implementations are not required to support SO_KEEPALIVE.

This property is shared among incoming connections. When the property is set, the corresponding value is set for incoming connections as they are accepted. Existing connections are not modified.

When set to True, connections are terminated gracefully.

The default behavior (which is also the default mode for stream sockets) might result in an indefinite delay in closing the connection. Although the component returns control immediately, the system might indefinitely hold system resources until all pending data is sent (even after your application closes). This means that valuable system resources might be wasted.

Setting this property to False forces an immediate disconnection. If you know that the other side has received all the data you have sent (by a client acknowledgment, for example), setting this property to False might be the appropriate course of action.

This property is shared among incoming connections. When the property is set, the corresponding value is set for incoming connections as they are accepted. Existing connections are not modified.

This setting returns the connection type specified by the client. It may be queried to determine the type of connection requested by the client.

This setting returns the type of connection being created. This may be queried within the AcceptConnection event or any time after. It only applies to the connection parameters sent by the client to the server. Valid values are:

For instance:

string receivedConnectionType = component.Config("ReceivedConnectionType[" + e.ConnectionId + "]");

This setting may be queried to obtain the datetime of the received file.

Query this setting after receiving a file to obtain any additional information provided by the client. The data will be UTF-8 decoded by the component.

For instance:

string receivedFileDescription = component.Config("ReceivedFileDescription[" + e.ConnectionId + "]");

This setting may be queried inside the AcceptFile or EndTransfer events to obtain the encryption algorithm used by the client for encryption of the file being received. The possible values are:

This setting may be queried inside the EndTransfer event to obtain the name of the received file on disk. This includes the full path to the file on disk.

This setting specifies the format used when determining the local filename of a received file. The use of macros is supported to provide flexibility. This setting may include one or more of the following values:

• %VirtualFileName%
• %VirtualFileDate%
• %Originator%
• %Destination%
• %UserData%
• %CurrentTime%
• %GUID%

The '%VirtualFileDate%' macro also supports date formatting through the use of an optional DateTime format string. The format of the macro with the date format string included is:

• %VirtualFileDate:CustomFormat%

This setting specifies the format used when determining the local filename of a received file. The use of macros is supported to provide flexibility. This setting may include one or more of the following values:

• %VirtualFileName%
• %VirtualFileDate%
• %Originator%
• %Destination%
• %UserData%
• %CurrentTime%
• %GUID%

The '%VirtualFileDate%' macro also supports date formatting through the use of an optional DateTime format string. The format of the macro with the date format string included is:

• %VirtualFileDate:CustomFormat%

By default the component will use the certificate set in the RecipientCert property for all operations that require a certificate. This setting allows for different certificates to be set for specific operations. First, specify the RecipientCertificateType via this setting and then set the RecipientCert property. For instance:

component.Config("RecipientCertificateType=3");
component.RecipientCert = mySignatureVerificationCertificate;

When sending files the recipient may reject the file for a number of reasons. The recipient may indicate that the operation can be re-attempted later. Query this setting after a send attempt was rejected to determine if the recipient allows retries. This setting will return either True or False.

This setting specifies the secure authentication requirements for connecting clients. Secure auth can be allowed, required, or disallowed. Possible values are:

When sending a file the recipient will respond with an EFPA once the file is received. Within this response is an indicator which tells the sender whether to issue a CD (Change Direction) command. The indicator is read by the component and a CD command is sent if requested. If a CD is not requested then no CD is sent.

When set to True, this overrides the default behavior and will always send a CD command regardless of whether the indicator is set in the EFPA.

This should only be set if there is a specific reason to do so. In most cases it is not necessary.

This setting may be used to override the default ServerPassword. This allows for different ServerPasswords to be used for different connected clients. This can be changed at any time, for instance within the AcceptConnection.

This setting may be used to override the default ServerSFIDCode when calling SendFile. This allows for different ServerSFIDCodes to be used for different connected clients. This can be changed at any time prior to calling SendFile. When receiving files this will be populated with the ServerSFIDCode received from the client.

This setting may be used to override the default ServerSSIDCode. This allows for different ServerSSIDCodes to be used for different connected clients. This can be set from within the AcceptConnection event.

Under certain conditions, the component will create temporary files before processing a file. The location of the temporary files is determined by this setting. Temporary files are created when sending a file to the client if any of the following conditions are true.

• Compress is true
• VirtualFileSecurityLevel is set to slEncrypted
• VirtualFileSecurityLevel is set to slSigned
• VirtualFileSecurityLevel is set to slEncryptedAndSigned

Note that VirtualFileSecurityLevel is only applicable when Version is set to oftpVer20.

This configuration setting can be set with or without a ConnectionId specified. When the ConnectionId is specified, this will cause temporary files for that connection to be written to the specified directory. Otherwise, if no ConnectionId is specified, temporary files for all connections will be written to the given folder.

When ImportTrustedCerts is called it will attempt to import certificates from the location specified here. By default this is the URL provided by Odette (http://www.odette.org/TSL/TSL_OFTP2.XML). This is the live list of CA certificates hosted by Odette. This may also be set to an absolute file path to load certificates from an offline source, or a string value containing the trusted CA certificates.

This setting specifies the DateTime format used by the component when reporting the VirtualFileDate of received files. The default format is "MM/dd/yyyy HH:mm:ss".

When using OFTP v2.0 If the component is configured to respond to EERP and NERP messages asynchronously this should be set to the value "yyyyMMddHHmmssffff" or a similar format that includes the same level of accuracy. This is required to ensure that when calling SendEndResponse the value saved from within the EndTransfer event has the necessary data when sending a response.

This setting defines a comma-separated list of host names or IPv4 addresses that may access the component. The wildcard character "*" is supported. The default value is "*" and all connections are accepted.

When a client connects, the client's address is checked against the list defined here. If there is no match, the ConnectionRequest event fires with an Accept value set to False. If no action is taken within the ConnectionRequest event, the client will be disconnected.

If this is true (default), the component will bind to the local port with the ExclusiveAddressUse option set, meaning that nothing else can bind to the same port. Also the component will not be able to bind to local ports that are already in use by some other instance and attempts to do so will result in failure.

This setting determines whether the input or output stream is closed after the transfer completes. When set to True (default), all streams will be closed after a transfer is completed. In order to keep streams open after the transfer of data, set this to False. the default value is True.

This setting specifies the inactivity (in seconds) to apply to incoming SSL connections. When set to a positive value if the other end is unresponsive for the specified number of seconds the connection will timeout. This is not applicable to the entire handshake, only the inactivity of the connecting client during the handshake if a response is expected and none is received within the timeout window. The default value is 0 and no connection specific timeout is applied.

Note: This is only applicable to incoming SSL connections. This should only be set if there is a specific reason to do so.

This is the size of an internal queue in the TCP/IP stack. You can increase or decrease its size depending on the amount of data that you will be receiving. Increasing the value of the InBufferSize setting can provide significant improvements in performance in some cases.

Some TCP/IP implementations do not support variable buffer sizes. If that is the case, when the component is activated the InBufferSize reverts to its defined size. The same happens if you attempt to make it too large or too small.

InBufferSize is shared among incoming connections. When the property is set, the corresponding value is set for incoming connections as they are accepted. Existing connections are not modified.

A TCP keep-alive packet will be sent after a period of inactivity as defined by KeepAliveTime. If no acknowledgement is received from the remote host the keep-alive packet will be re-sent. This setting specifies the interval at which the successive keep-alive packets are sent in milliseconds. This system default if this value is not specified here is 1 second. This setting is applicable to all connections.

Note: This value is not applicable in Java or MAC.

By default the operating system will determine the time a connection is idle before a TCP keep-alive packet is sent. This system default if this value is not specified here is 2 hours. In many cases a shorter interval is more useful. Set this value to the desired interval in milliseconds. This setting is applicable to all connections.

Note: This value is not applicable in Java.

The maximum number of connections available. This property must be set before Listening is set to True, and once set, it can no longer be changed for the current instance of the component. The maximum value for this setting is 100,000 connections. Use this setting with caution. Extremely large values may impact performance.

This is the size of an internal queue in the TCP/IP stack. You can increase or decrease its size depending on the amount of data that you will be sending. Increasing the value of the OutBufferSize setting can provide significant improvements in performance in some cases.

Some TCP/IP implementations do not support variable buffer sizes. If that is the case, when the component is activated the OutBufferSize reverts to its defined size. The same happens if you attempt to make it too large or too small.

OutBufferSize is shared among incoming connections. When the property is set, the corresponding value is set for incoming connections as they are accepted. Existing connections are not modified.

When true, the socket will send all data that is ready to send at once. When false, the socket will send smaller buffered packets of data at small intervals. This is known as the Nagle algorithm.

By default, this config is set to false.

When set to 0 (default), the component will use IPv4 exclusively. When set to 1, the component will use IPv6 exclusively. When set to 2, the component will listen for both IPv4 and IPv6 connections. If IPv6 is not available on the system, only IPv4 will be used. The default value is 0. Possible values are:

When the UseInternalSecurityAPI configuration setting is True, this setting controls whether SSL packets should be logged. By default, this setting is False, as it is only useful for debugging purposes.

When enabled, SSL packet logs are output using the SSLStatus event, which will fire each time an SSL packet is sent or received.

Enabling this setting has no effect if UseInternalSecurityAPI is False.

If set to true, the component will reuse the context if and only if the following criteria are met:

• The target host name is the same.
• The system cache entry has not expired (default timeout is 10 hours).
• The application process that calls the function is the same.
• The logon session is the same.
• The instance of the component is the same.

This setting specifies one or more CA certificates to be included in the request when performing SSL client authentication. Some servers require the entire chain, including CA certificates, to be presented when performing SSL client authentication. The value of this setting is a newline (CrLf) separated list of certificates. For instance:

-----BEGIN CERTIFICATE-----
MIIEKzCCAxOgAwIBAgIRANTET4LIkxdH6P+CFIiHvTowDQYJKoZIhvcNAQELBQAw
...
eWHV5OW1K53o/atv59sOiW5K3crjFhsBOd5Q+cJJnU+SWinPKtANXMht+EDvYY2w
F0I1XhM+pKj7FjDr+XNj
-----END CERTIFICATE-----
\r \n
-----BEGIN CERTIFICATE-----
MIIEFjCCAv6gAwIBAgIQetu1SMxpnENAnnOz1P+PtTANBgkqhkiG9w0BAQUFADBp
..
d8q23djXZbVYiIfE9ebr4g3152BlVCHZ2GyPdjhIuLeH21VbT/dyEHHA
-----END CERTIFICATE-----

This setting specifies whether the component will check the Certificate Revocation List specified by the server certificate. If set to true the component will first obtain the list of CRL URLs from the server certificate's CRL distribution points extension. The component will then make HTTP requests to each CRL endpoint to check the validity of the server's certificate. If the certificate has been revoked or any other issues are found during validation the component throws an exception.

When set to false (default) the CRL check will not be performed by the component.

This minimum cipher strength largely dependent on the security modules installed on the system. If the cipher strength specified is not supported, an error will be returned when connections are initiated.

Please note that this setting contains the minimum cipher strength requested from the security library. The actual cipher strength used for the connection is shown by the SSLStatus event.

Use this setting with caution. Requesting a lower cipher strength than necessary could potentially cause serious security vulnerabilities in your application.

When the provider is OpenSSL, SSLCipherStrength is currently not supported. This functionality is instead made available through the OpenSSLCipherList config setting.

Possible values are SSL, SSLv2, SSLv3, TLS and TLSv1. Use it only in case your security provider does not support TLS. This is the parameter "protocol" inside the SSLContext.getInstance(protocol) call.

The enabled cipher suites to be used in SSL negotiation.

By default, the enabled cipher suites will include all available ciphers ("*").

The special value "*" means that the component will pick all of the supported cipher suites. If SSLEnabledCipherSuites is set to any other value, only the specified cipher suites will be considered.

Multiple cipher suites are separated by semicolons.

Note: This value must be set after UseInternalSecurityAPI is set.

Example values:

obj.config("SSLEnabledCipherSuites=*");
obj.config("SSLEnabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA");
obj.config("SSLEnabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA; SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA");

• SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
• SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
• SSL_RSA_WITH_RC4_128_SHA
• SSL_RSA_WITH_DES_CBC_SHA
• SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
• SSL_DH_anon_WITH_DES_CBC_SHA
• SSL_RSA_EXPORT_WITH_RC4_40_MD5
• SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
• SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
• SSL_DHE_DSS_WITH_DES_CBC_SHA
• SSL_RSA_WITH_NULL_MD5
• SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
• SSL_DHE_RSA_WITH_DES_CBC_SHA
• SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
• SSL_RSA_WITH_NULL_SHA
• SSL_DH_anon_WITH_RC4_128_MD5
• SSL_RSA_WITH_RC4_128_MD5
• SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDH_ECDSA_WITH_NULL_SHA
• TLS_DH_anon_WITH_AES_128_CBC_SHA256
• TLS_ECDH_anon_WITH_RC4_128_SHA
• TLS_DH_anon_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
• TLS_KRB5_WITH_3DES_EDE_CBC_SHA
• TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
• TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_KRB5_EXPORT_WITH_RC4_40_SHA
• TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_RC4_128_SHA
• TLS_ECDH_ECDSA_WITH_RC4_128_SHA
• TLS_ECDH_anon_WITH_NULL_SHA
• TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_NULL_SHA256
• TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
• TLS_KRB5_WITH_RC4_128_MD5
• TLS_ECDHE_ECDSA_WITH_NULL_SHA
• TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDH_RSA_WITH_RC4_128_SHA
• TLS_EMPTY_RENEGOTIATION_INFO_SCSV
• TLS_KRB5_WITH_3DES_EDE_CBC_MD5
• TLS_KRB5_WITH_RC4_128_SHA
• TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDH_RSA_WITH_NULL_SHA
• TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
• TLS_KRB5_WITH_DES_CBC_MD5
• TLS_KRB5_EXPORT_WITH_RC4_40_MD5
• TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
• TLS_ECDH_anon_WITH_AES_128_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_KRB5_WITH_DES_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_NULL_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_DHE_DSS_WITH_AES_128_CBC_SHA

Possible values when UseInternalSecurityAPI is True include:

• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
• TLS_DH_RSA_WITH_AES_128_GCM_SHA256
• TLS_DH_RSA_WITH_AES_256_GCM_SHA384
• TLS_DH_DSS_WITH_AES_128_GCM_SHA256
• TLS_DH_DSS_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
• TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
• TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
• TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_DSS_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
• TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
• TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_DSS_WITH_AES_128_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_DES_CBC_SHA
• TLS_DHE_RSA_WITH_DES_CBC_SHA
• TLS_DHE_DSS_WITH_DES_CBC_SHA
• TLS_RSA_WITH_RC4_128_MD5
• TLS_RSA_WITH_RC4_128_SHA

When TLS 1.3 is negotiated (see SSLEnabledProtocols) only the following cipher suites are supported:

• TLS_AES_256_GCM_SHA384
• TLS_CHACHA20_POLY1305_SHA256
• TLS_AES_128_GCM_SHA256

SSLEnabledCipherSuites is used together with SSLCipherStrength.

Used to enable/disable the supported security protocols.

Not all supported protocols are enabled by default (the value of this setting is 4032). If you want more granular control over the enabled protocols, you can set this property to the binary 'OR' of one or more of the following values:

When the provider is OpenSSL, SSLCipherStrength is currently not supported. This functionality is instead made available through the OpenSSLCipherList setting.

Note: TLS 1.1 and TLS1.2 support are only available starting with Windows 7.

Note: Enabling TLS 1.3 will automatically set UseInternalSecurityAPI to True.

This setting specifies whether the renegotiation_info SSL extension will be used in the request when using the internal security API. This setting is true by default, but can be set to false to disable the extension.

This setting is only applicable when UseInternalSecurityAPI is set to true.

This setting specifies whether the Encoded parameter of the SSLServerAuthentication event contains the full certificate chain. By default this value is False and only the leaf certificate will be present in the Encoded parameter of the SSLServerAuthentication event.

If set to True all certificates returned by the server will be present in the Encoded parameter of the SSLServerAuthentication event. This includes the leaf certificate, any intermediate certificate, and the root certificate.

Note: When UseInternalSecurityAPI is set to True this value is automatically set to True. This is needed for proper validation when using the internal provider.

Returns the ciphersuite negotiated during the SSL handshake.

Note: For server components (e.g. IPDaemon) this is a per-connection setting accessed by passing the ConnectionId. For example:

server.Config("SSLNegotiatedCipher[connId]");

Returns the strength of the ciphersuite negotiated during the SSL handshake.

Note: For server components (e.g. IPDaemon) this is a per-connection setting accessed by passing the ConnectionId. For example:

server.Config("SSLNegotiatedCipherStrength[connId]");

Returns the ciphersuite negotiated during the SSL handshake represented as a single string.

Note: For server components (e.g. IPDaemon) this is a per-connection setting accessed by passing the ConnectionId. For example:

server.Config("SSLNegotiatedCipherSuite[connId]");

Returns the key exchange algorithm negotiated during the SSL handshake.

Note: For server components (e.g. IPDaemon) this is a per-connection setting accessed by passing the ConnectionId. For example:

server.Config("SSLNegotiatedKeyExchange[connId]");

Returns the strenghth of the key exchange algorithm negotiated during the SSL handshake.

Note: For server components (e.g. IPDaemon) this is a per-connection setting accessed by passing the ConnectionId. For example:

server.Config("SSLNegotiatedKeyExchangeStrength[connId]");

Returns the protocol version negotiated during the SSL handshake.

Note: For server components (e.g. IPDaemon) this is a per-connection setting accessed by passing the ConnectionId. For example:

server.Config("SSLNegotiatedProtocol[connId]");

Change this setting to use security providers other than the system default.

Use this setting with caution. Disabling SSL security or pointing to the wrong provider could potentially cause serious security vulnerabilities in your application.

The special value "*" (default) picks the default SSL provider defined in the system.

The special value "Internal" picks the internal SSL implementation. This does not rely on any system libraries. This is equivalent to setting UseInternalSecurityAPI to True.

Note: On Windows systems, the default SSL Provider is "Microsoft Unified Security Protocol Provider" and cannot be changed except to a value of "Internal".

This setting optionally specifies one or more CA certificates to be used when verifying the server certificate. When verifying the server's certificate the certificates trusted by the system will be used as part of the verification process. If the server's CA certificates are not installed to the trusted system store, they may be specified here so they are included when performing the verification process. This setting should only be set if the server's CA certificates are not already trusted on the system and cannot be installed to the trusted system store.

The value of this setting is a newline (CrLf) separated list of certificates. For instance:

-----BEGIN CERTIFICATE-----
MIIEKzCCAxOgAwIBAgIRANTET4LIkxdH6P+CFIiHvTowDQYJKoZIhvcNAQELBQAw
...
eWHV5OW1K53o/atv59sOiW5K3crjFhsBOd5Q+cJJnU+SWinPKtANXMht+EDvYY2w
F0I1XhM+pKj7FjDr+XNj
-----END CERTIFICATE-----
\r \n
-----BEGIN CERTIFICATE-----
MIIEFjCCAv6gAwIBAgIQetu1SMxpnENAnnOz1P+PtTANBgkqhkiG9w0BAQUFADBp
..
d8q23djXZbVYiIfE9ebr4g3152BlVCHZ2GyPdjhIuLeH21VbT/dyEHHA
-----END CERTIFICATE-----

Possible values include SunX509. This is the parameter "algorithm" inside the TrustManagerFactory.getInstance(algorithm) call.

This setting specifies the allowed server certificate signature algorithms when UseInternalSecurityAPI is True and SSLEnabledProtocols is set to allow TLS 1.2.

When specified the component will verify that the server certificate signature algorithm is among the values specified in this setting. If the server certificate signature algorithm is unsupported the component throws an exception.

The format of this value is a comma separated list of hash-signature combinations. For instance:

IPPort.Config("UseInternalSecurityAPI=true");
IPPort.Config("SSLEnabledProtocols=3072"); //TLS 1.2
IPPort.Config("TLS12SignatureAlgorithms=sha256-rsa,sha256-dsa,sha1-rsa,sha1-dsa");

In order to not restrict the server's certificate signature algorithm, specify an empty string as the value for this setting, which will cause the signature_algorithms TLS 1.2 extension to not be sent.

This setting specifies a comma separated list of named groups used in TLS 1.2 for ECC.

The default value is ecdhe_secp256r1,ecdhe_secp384r1,ecdhe_secp521r1.

When using TLS 1.2 and UseInternalSecurityAPI is set to True, the values refer to the supported groups for ECC. The following values are supported:

• "ecdhe_secp256r1" (default)
• "ecdhe_secp384r1" (default)
• "ecdhe_secp521r1" (default)

This setting specifies a comma separated list of named groups used in TLS 1.3 for key exchange. The groups specified here will have key share data pregenerated locally before establishing a connection. This can prevent an additional round trip during the handshake if the group is supported by the server.

The default value is set to balance common supported groups and the computational resources required to generate key shares. As a result only some groups are included by default in this setting.

Note: All supported groups can always be used during the handshake even if not listed here, but if a group is used which is not present in this list it will incur an additional round trip and time to generate the key share for that group.

In most cases this setting does not need to be modified. This should only be modified if there is a specific reason to do so.

The default value is ecdhe_x25519,ecdhe_secp256r1,ecdhe_secp384r1,ffdhe_2048,ffdhe_3072

The values are ordered from most preferred to least preferred. The following values are supported:

• "ecdhe_x25519" (default)
• "ecdhe_x448"
• "ecdhe_secp256r1" (default)
• "ecdhe_secp384r1" (default)
• "ecdhe_secp521r1"
• "ffdhe_2048" (default)
• "ffdhe_3072" (default)
• "ffdhe_4096"
• "ffdhe_6144"
• "ffdhe_8192"

This setting holds a comma separated list of allowed signature algorithms. Possible values are:

• "ed25519" (default)
• "ed448" (default)
• "ecdsa_secp256r1_sha256" (default)
• "ecdsa_secp384r1_sha384" (default)
• "ecdsa_secp521r1_sha512" (default)
• "rsa_pkcs1_sha256" (default)
• "rsa_pkcs1_sha384" (default)
• "rsa_pkcs1_sha512" (default)
• "rsa_pss_sha256" (default)
• "rsa_pss_sha384" (default)
• "rsa_pss_sha512" (default)

This setting specifies a comma separated list of named groups used in TLS 1.3 for key exchange. This setting should only be modified if there is a specific reason to do so.

The default value is ecdhe_x25519,ecdhe_x448,ecdhe_secp256r1,ecdhe_secp384r1,ecdhe_secp521r1,ffdhe_2048,ffdhe_3072,ffdhe_4096,ffdhe_6144,ffdhe_8192

The values are ordered from most preferred to least preferred. The following values are supported:

• "ecdhe_x25519" (default)
• "ecdhe_x448" (default)
• "ecdhe_secp256r1" (default)
• "ecdhe_secp384r1" (default)
• "ecdhe_secp521r1" (default)
• "ffdhe_2048" (default)
• "ffdhe_3072" (default)
• "ffdhe_4096" (default)
• "ffdhe_6144" (default)
• "ffdhe_8192" (default)

When queried, this setting will return a string containing information about the product's build.

In a GUI-based application, long-running blocking operations may cause the application to stop responding to input until the operation returns. The component will attempt to discover whether or not the application has a message loop and, if one is discovered, it will process events in that message loop during any such blocking operation.

In some non-GUI applications an invalid message loop may be discovered that will result in errant behavior. In these cases, setting GUIAvailable to false will ensure that the component does not attempt to process external events.

When queried, this setting will return a string containing information about the license this instance of a component is using. It will return the following information:

• Product: The product the license is for.
• Product Key: The key the license was generated from.
• License Source: Where the license was found (e.g. RuntimeLicense, License File).
• License Type: The type of license installed (e.g. Royalty Free, Single Server).

If set to True (default), when the component creates a thread the thread's Daemon property will be explicitly set to True. When set to False the component will not set the Daemon property on the created thread. The default value is True.

By default the component will use the system security libraries to perform cryptographic functions. Setting this to True tells the component to use the internal implementation instead of using the system's security API.