SSL Tunnels

Configuration options for the SSL Tunnel functionality included in PowerShell Server are stored in the Windows registry in HKEY_LOCAL_MACHINE\SOFTWARE\nsoftware\PowerShell\Server\16\SSLTunnels. This location will hold a registry key for each SSL Tunnel that is created. The registry key for each tunnel can be configured with the following options:

TunnelEnabled (DWORD): Can be used to enable or disable the SSH Reverse Tunnel.

0 - Disabled.

1 - Enabled. (default)

TunnelForwardingHost (String): Indicates the host to which the tunneled traffic will be forwarded.
TunnelForwardingPort (DWORD): Indicates the port on which the tunneled traffic will be forwarded.
TunnelListeningAddress (String): Indicates the interface on the remote SSH server where the tunnel will be listening.
TunnelListeningPort (DWORD): Indicates the port on which the remote SSH server should listen for traffic.
TunnelName (String): A friendly name for the SSH Reverse Tunnel.
SSLEnabled (DWORD): Whether the tunnel will be secured with SSL, or simply a plaintext tunnel.

0 - Disabled.

1 - Enabled. (default)

SSLTunnelCertStoreType (DWORD): Specifies the type of certificate store where the SSL certificate can be found. Can be one of the following values:

0 - User store

1 - Machine Store

2 - PFX File

4 - PEM File

SSLTunnelCertStore (String): The certificate store where the SSL certificate can be found.

If SSLTunnelCertStoreType is either 0 or 1, this value defines the specific store where the certificate can be found. Otherwise, this value should be set to a path on disk.

Possible values when SSLTunnelCertStoreType is 0 or 1 include: My, Root, Trust, CA, TrustedPublisher, Disallowed, AuthRoot, TrustedPeople.

SSLTunnelCertStorePassword (String): The password for the certificate store defined in SSLTunnelCertStore, if required.
SSLTunnelCertSubject (String): The subject of the certificate used during SSL negotiation for incoming connections. Example: "CN=NEWTON".
SSLTunnelEnabledCipherSuites (String): The enabled cipher suites to be used in SSL negotiation for incoming connections.

By default, the enabled cipher suites will include all available ciphers ("*").

The special value "*" means that the component will pick all of the supported cipher suites. If SSLTunnelEnabledCipherSuites is set to any other value, only the specified cipher suites will be considered.

Multiple cipher suites are separated by semicolons.

Example values when SSLTunnelUseInternalSecurityAPI is False (default) (one example per line):

*
CALG_AES_256
CALG_AES_256;CALG_3DES

Possible values when SSLTunnelUseInternalSecurityAPI is False (default) include:
  • CALG_3DES
  • CALG_3DES_112
  • CALG_AES
  • CALG_AES_128
  • CALG_AES_192
  • CALG_AES_256
  • CALG_AGREEDKEY_ANY
  • CALG_CYLINK_MEK
  • CALG_DES
  • CALG_DESX
  • CALG_DH_EPHEM
  • CALG_DH_SF
  • CALG_DSS_SIGN
  • CALG_ECDH
  • CALG_ECDH_EPHEM
  • CALG_ECDSA
  • CALG_ECMQV
  • CALG_HASH_REPLACE_OWF
  • CALG_HUGHES_MD5
  • CALG_HMAC
  • CALG_KEA_KEYX
  • CALG_MAC
  • CALG_MD2
  • CALG_MD4
  • CALG_MD5
  • CALG_NO_SIGN
  • CALG_OID_INFO_CNG_ONLY
  • CALG_OID_INFO_PARAMETERS
  • CALG_PCT1_MASTER
  • CALG_RC2
  • CALG_RC4
  • CALG_RC5
  • CALG_RSA_KEYX
  • CALG_RSA_SIGN
  • CALG_SCHANNEL_ENC_KEY
  • CALG_SCHANNEL_MAC_KEY
  • CALG_SCHANNEL_MASTER_HASH
  • CALG_SEAL
  • CALG_SHA
  • CALG_SHA1
  • CALG_SHA_256
  • CALG_SHA_384
  • CALG_SHA_512
  • CALG_SKIPJACK
  • CALG_SSL2_MASTER
  • CALG_SSL3_MASTER
  • CALG_SSL3_SHAMD5
  • CALG_TEK
  • CALG_TLS1_MASTER
  • CALG_TLS1PRF

Example values when SSLTunnelUseInternalSecurityAPI is True (one example per line):

*
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA;TLS_DH_ANON_WITH_AES_128_CBC_SHA

Possible values when SSLTunnelUseInternalSecurityAPI is True include:
  • TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA
  • TLS_DH_ANON_WITH_AES_128_CBC_SHA
  • TLS_DH_ANON_WITH_AES_128_CBC_SHA256
  • TLS_DH_ANON_WITH_AES_256_CBC_SHA
  • TLS_DH_ANON_WITH_AES_256_CBC_SHA256
  • TLS_DH_ANON_WITH_DES_CBC_SHA
  • TLS_DH_ANON_WITH_RC4_128_MD5
  • TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_DES_CBC_SHA
  • TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_RC4_128_SHA

SSLTunnelEnabledCipherSuites is used together with SSLTunnelCipherStrength.

SSLTunnelCipherStrength (DWORD): The minimum cipher strength used for bulk encryption.

This minimum cipher strength is largely dependent on the security modules installed on the system. If the cipher strength specified is not supported, an error will be returned when connections are initiated.

Please note that this setting contains the minimum cipher strength requested from the security library.

Use this setting with caution. Requesting a lower cipher strength than necessary could potentially cause serious security vulnerabilities.

SSLTunnelEnabledProtocols (DWORD): Used to enable/disable the supported security protocols for incoming SSL connections.

Not all supported protocols are enabled by default (the value of this setting is 4032). If you want more granular control over the enabled protocols, you can set this property to the binary 'OR' of one or more of the following values:

TLS1.2 - 3072 (Hex C00) (Default)
TLS1.1 - 768 (Hex 300) (Default)
TLS1 - 192 (Hex C0) (Default)
SSL3 - 48 (Hex 30)
SSL2 - 12 (Hex 0C)

SSLTunnelProvider (String): The name of the security provider to use for incoming SSL connections.

Change this setting to use security providers other than the system default.

Use this setting with caution. Disabling SSL security or pointing to the wrong provider could potentially cause serious security vulnerabilities in your application.

The special value "*" (default) picks the default SSL provider defined in the system.

The special value "Internal" picks the internal SSL implementation. This does not rely on any system libraries. This is equivalent to setting SSLTunnelUseInternalSecurityAPI to True.

SSLTunnelSecurityFlags (DWORD): Flags that control certificate verification for incoming SSL connections.

The following flags are defined (specified in hexadecimal notation). They can be or-ed together to exclude multiple conditions:

0x00000001 - Ignore time validity status of certificate.
0x00000002 - Ignore time validity status of CTL.
0x00000004 - Ignore non-nested certificate times.
0x00000010 - Allow unknown Certificate Authority.
0x00000020 - Ignore wrong certificate usage.
0x00000100 - Ignore unknown certificate revocation status.
0x00000200 - Ignore unknown CTL signer revocation status.
0x00000400 - Ignore unknown Certificate Authority revocation status.
0x00000800 - Ignore unknown Root revocation status.
0x00008000 - Allow test Root certificate.
0x00004000 - Trust test Root certificate.
0x80000000 - Ignore non-matching CN (certificate CN not matching server name).

SSLTunnelUseInternalSecurityAPI (DWORD): Whether to use the internal security implementation rather than system libraries for incoming SSL connections.

By default the component will use the system security libraries to perform cryptographic functions. When set to False, calls to unmanaged code will be made. In environments where this is not desirable, set this setting to True to use a completely managed security implementation.

TunnelFirewallType (DWORD): The type of firewall for the SSL Tunnel to connect through. Applicable values include the following:

0 - No firewall (default setting)

1 - Connect through a tunneling proxy.

2 - Connect through a SOCKS4 proxy.

3 - Connect through a SOCKS5 proxy.

TunnelFirewallHost (String): The name or IP address of the firewall that the SSH Tunnel will connect through.
TunnelFirewallPort (DWORD): The TCP port for the TunnelFirewallHost.
TunnelFirewallUser (String): A user name if authentication is to be used when connecting through a firewall.
TunnelFirewallPassword (String): Password to be used if authentication is to be used when connecting through a firewall.
TunnelForwardingEnableSSL (DWORD): Whether the tunnel's outgoing connection will be secured with SSL.

0 - Disabled. (default)

1 - Enabled.

TunnelForwardingAcceptAnyServerCert (DWORD): Whether to automatically trust any public certificate presented by the forwarding host during outgoing SSL connections.

This setting can be used as an alternative to specifying the particular public certificate presented by the forwarding host.

TunnelForwardingSSLCertStoreType (DWORD): Specifies the type of certificate store where the forwarding host's public certificate can be found. Can be one of the following values:

0 - User store

1 - Machine Store

2 - PFX File

4 - PEM File

8 - Public Key File

9 - Public Key Blob

TunnelForwardingSSLCertStore (String): The certificate store containing the forwarding host's public certificate.

If SSLTunnelCertStoreType is either 0 or 1, this value defines the specific store where the certificate can be found. Otherwise, this value should be set to a path on disk.

Possible values when TunnelForwardingSSLCertStoreType is 0 or 1 include: My, Root, Trust, CA, TrustedPublisher, Disallowed, AuthRoot, TrustedPeople.

TunnelForwardingSSLCertStorePassword (String): The password for the certificate store defined in TunnelForwardingSSLCertStore, if required.
TunnelForwardingSSLCertSubject (String): The subject of the forwarding host's public certificate. Example: "CN=NEWTON".
TunnelForwardingReuseSSLSession (DWORD): Whether to reuse SSL sessions for outgoing connections.
TunnelForwardingSSLCipherStrength (DWORD): The minimum cipher strength used for bulk encryption.

This minimum cipher strength is largely dependent on the security modules installed on the system. If the cipher strength specified is not supported, an error will be returned when connections are initiated.

Please note that this setting contains the minimum cipher strength requested from the security library.

Use this setting with caution. Requesting a lower cipher strength than necessary could potentially cause serious security vulnerabilities.

TunnelForwardingSSLEnabledProtocols (DWORD): The SSL/TLS protocols to use during outgoing SSL connections.

Not all supported protocols are enabled by default (the value of this setting is 4032). If you want more granular control over the enabled protocols, you can set this property to the binary 'OR' of one or more of the following values:

TLS1.2 - 3072 (Hex C00) (Default)
TLS1.1 - 768 (Hex 300) (Default)
TLS1 - 192 (Hex C0) (Default)
SSL3 - 48 (Hex 30)
SSL2 - 12 (Hex 0C)

TunnelForwardingSSLProvider (String): The name of the security provider to use during outgoing SSL connections.

Change this setting to use security providers other than the system default.

Use this setting with caution. Disabling SSL security or pointing to the wrong provider could potentially cause serious security vulnerabilities in your application.

The special value "*" (default) picks the default SSL provider defined in the system.

The special value "Internal" picks the internal SSL implementation. This does not rely on any system libraries. This is equivalent to setting SSLTunnelUseInternalSecurityAPI to True.

TunnelForwardingSSLSecurityFlags (DWORD): Flags that control certificate verification during outgoing SSL connections.

The following flags are defined (specified in hexadecimal notation). They can be or-ed together to exclude multiple conditions:

0x00000001 - Ignore time validity status of certificate.
0x00000002 - Ignore time validity status of CTL.
0x00000004 - Ignore non-nested certificate times.
0x00000010 - Allow unknown Certificate Authority.
0x00000020 - Ignore wrong certificate usage.
0x00000100 - Ignore unknown certificate revocation status.
0x00000200 - Ignore unknown CTL signer revocation status.
0x00000400 - Ignore unknown Certificate Authority revocation status.
0x00000800 - Ignore unknown Root revocation status.
0x00008000 - Allow test Root certificate.
0x00004000 - Trust test Root certificate.
0x80000000 - Ignore non-matching CN (certificate CN not matching server name).

TunnelForwardingSSLEnabledCipherSuites (String): The cipher suites to be used in the outgoing SSL negotiation.

By default, the enabled cipher suites will include all available ciphers ("*").

The special value "*" means that the component will pick all of the supported cipher suites. If SSLTunnelEnabledCipherSuites is set to any other value, only the specified cipher suites will be considered.

Multiple cipher suites are separated by semicolons.

Example values when TunnelForwardingSSLUseInternalSecurityAPI is False (default) (one example per line):

*
CALG_AES_256
CALG_AES_256;CALG_3DES

Possible values when TunnelForwardingSSLUseInternalSecurityAPI is False (default) include:
  • CALG_3DES
  • CALG_3DES_112
  • CALG_AES
  • CALG_AES_128
  • CALG_AES_192
  • CALG_AES_256
  • CALG_AGREEDKEY_ANY
  • CALG_CYLINK_MEK
  • CALG_DES
  • CALG_DESX
  • CALG_DH_EPHEM
  • CALG_DH_SF
  • CALG_DSS_SIGN
  • CALG_ECDH
  • CALG_ECDH_EPHEM
  • CALG_ECDSA
  • CALG_ECMQV
  • CALG_HASH_REPLACE_OWF
  • CALG_HUGHES_MD5
  • CALG_HMAC
  • CALG_KEA_KEYX
  • CALG_MAC
  • CALG_MD2
  • CALG_MD4
  • CALG_MD5
  • CALG_NO_SIGN
  • CALG_OID_INFO_CNG_ONLY
  • CALG_OID_INFO_PARAMETERS
  • CALG_PCT1_MASTER
  • CALG_RC2
  • CALG_RC4
  • CALG_RC5
  • CALG_RSA_KEYX
  • CALG_RSA_SIGN
  • CALG_SCHANNEL_ENC_KEY
  • CALG_SCHANNEL_MAC_KEY
  • CALG_SCHANNEL_MASTER_HASH
  • CALG_SEAL
  • CALG_SHA
  • CALG_SHA1
  • CALG_SHA_256
  • CALG_SHA_384
  • CALG_SHA_512
  • CALG_SKIPJACK
  • CALG_SSL2_MASTER
  • CALG_SSL3_MASTER
  • CALG_SSL3_SHAMD5
  • CALG_TEK
  • CALG_TLS1_MASTER
  • CALG_TLS1PRF

Example values when TunnelForwardingSSLUseInternalSecurityAPI is True (one example per line):

*
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA;TLS_DH_ANON_WITH_AES_128_CBC_SHA

Possible values when TunnelForwardingSSLUseInternalSecurityAPI is True include:
  • TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA
  • TLS_DH_ANON_WITH_AES_128_CBC_SHA
  • TLS_DH_ANON_WITH_AES_128_CBC_SHA256
  • TLS_DH_ANON_WITH_AES_256_CBC_SHA
  • TLS_DH_ANON_WITH_AES_256_CBC_SHA256
  • TLS_DH_ANON_WITH_DES_CBC_SHA
  • TLS_DH_ANON_WITH_RC4_128_MD5
  • TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_DES_CBC_SHA
  • TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_RC4_128_SHA

TunnelForwardingSSLEnabledCipherSuites is used together with TunnelForwardingSSLCipherStrength.

TunnelForwardingSSLUseInternalSecurityAPI (DWORD): Whether to use the internal security implementation rather than system libraries for outgoing SSL connections.

By default the component will use the system security libraries to perform cryptographic functions. When set to False, calls to unmanaged code will be made. In environments where this is not desirable, set this setting to True to use a completely managed security implementation.
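The following audit script is an added example written for this page; it is not part of PowerShell Server. It walks the tunnel keys under the registry path given at the top of the page and reports, for both the incoming (SSLTunnel*) and outgoing (TunnelForwarding*) settings, the values the tables above describe as weakening the connection: SSL2/SSL3 bits in the EnabledProtocols masks, SecurityFlags bits that skip a certificate check, SSLEnabled set to 0, and TunnelForwardingAcceptAnyServerCert set to 1. The function names and the finding text are my own.

```powershell
# Constructed audit script (not part of PowerShell Server). Requires read access to HKLM.
$TunnelRoot = 'HKLM:\SOFTWARE\nsoftware\PowerShell\Server\16\SSLTunnels'

# Bit values from the EnabledProtocols tables; the documented default 4032 is TLS1.2|TLS1.1|TLS1.
$ProtocolBits = [ordered]@{ 'TLS1.2' = 0xC00; 'TLS1.1' = 0x300; 'TLS1' = 0xC0; 'SSL3' = 0x30; 'SSL2' = 0x0C }

# SecurityFlags values (from the tables above) that disable part of certificate verification.
$RiskyFlags = [ordered]@{
    '0x00000001' = 'ignores certificate time validity'
    '0x00000010' = 'allows unknown Certificate Authority'
    '0x00000020' = 'ignores wrong certificate usage'
    '0x00000100' = 'ignores unknown certificate revocation status'
    '0x00004000' = 'trusts test Root certificate'
    '0x80000000' = 'ignores non-matching CN'
}

function ConvertTo-UInt32([long]$v) {
    # REG_DWORD values with the high bit set (e.g. 0x80000000) are read back as negative Int32; normalize them.
    [uint32]($v -band 4294967295)
}

function Get-EnabledProtocols([long]$Value) {
    $v = ConvertTo-UInt32 $Value
    $ProtocolBits.GetEnumerator() | Where-Object { ($v -band $_.Value) -eq $_.Value } | ForEach-Object { $_.Key }
}

function Get-RiskyFlags([long]$Value) {
    $v = ConvertTo-UInt32 $Value
    $RiskyFlags.GetEnumerator() | Where-Object { ($v -band [Convert]::ToUInt32($_.Key, 16)) -ne 0 } | ForEach-Object { $_.Value }
}

function Test-TunnelConfig {
    # Emits one object per weak setting found under each tunnel key.
    foreach ($key in Get-ChildItem -Path $TunnelRoot -ErrorAction Stop) {
        $p = Get-ItemProperty -Path $key.PSPath
        $name = if ($p.TunnelName) { $p.TunnelName } else { $key.PSChildName }
        $sides = @(
            @{ Label = 'incoming'; Proto = $p.SSLTunnelEnabledProtocols; Flags = $p.SSLTunnelSecurityFlags },
            @{ Label = 'outgoing'; Proto = $p.TunnelForwardingSSLEnabledProtocols; Flags = $p.TunnelForwardingSSLSecurityFlags }
        )
        $findings = @()
        foreach ($s in $sides) {
            if ($null -ne $s.Proto) {
                $legacy = @(Get-EnabledProtocols $s.Proto | Where-Object { $_ -in @('SSL2', 'SSL3') })
                if ($legacy.Count) { $findings += "$($s.Label): legacy protocol enabled ($($legacy -join ', '))" }
            }
            if ($null -ne $s.Flags) { foreach ($f in Get-RiskyFlags $s.Flags) { $findings += "$($s.Label): $f" } }
        }
        if ($p.SSLEnabled -eq 0) { $findings += 'incoming: SSLEnabled is 0 (plaintext tunnel)' }
        if ($p.TunnelForwardingAcceptAnyServerCert -eq 1) { $findings += 'outgoing: accepts any server certificate' }
        foreach ($f in $findings) { [pscustomobject]@{ Tunnel = $name; Finding = $f } }
    }
}

Test-TunnelConfig | Format-Table -AutoSize
```

A tunnel whose values are absent from the registry runs with the documented defaults (TLS only, no flags), so the script reports nothing for it.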

Copyright (c) 2022 /n software inc. - All rights reserved.
PowerShell Server 2020 - Version 20.0 [Build 8318]