SSL Tunnels
Configuration options for the SSL Tunnel functionality included in PowerShell Server are stored in the Windows registry in HKEY_LOCAL_MACHINE\SOFTWARE\nsoftware\PowerShell\Server\16\SSLTunnels. This location will hold a registry key for each SSL Tunnel that is created. The registry key for each tunnel can be configured with the following options:
TunnelEnabled | DWORD | Can be used to enable or disable the SSH Reverse Tunnel.
    0 - Disabled.
    1 - Enabled. (default)

TunnelForwardingHost | String | Indicates the host to which the tunneled traffic will be forwarded.

TunnelForwardingPort | DWORD | Indicates the port to which the tunneled traffic will be forwarded.

TunnelListeningAddress | String | Indicates the interface on the remote SSH server where the tunnel will be listening.

TunnelListeningPort | DWORD | Indicates the port on which the remote SSH server should listen for traffic.

TunnelName | String | A friendly name for the SSH Reverse Tunnel.

SSLEnabled | DWORD | Whether the tunnel will be secured with SSL, or simply a plaintext tunnel.
    0 - Disabled.
    1 - Enabled. (default)

SSLTunnelCertStoreType | DWORD | Specifies the type of certificate store where the SSL certificate can be found. Can be one of the following values:
    0 - User store
    1 - Machine store
    2 - PFX file
    4 - PEM file

SSLTunnelCertStore | String | The certificate store where the SSL certificate can be found.
    If SSLTunnelCertStoreType is either 0 or 1, this value defines the specific store where the certificate can be found. Otherwise, this value should be set to a path on disk. Possible values when SSLTunnelCertStoreType is 0 or 1 include: My, Root, Trust, CA, TrustedPublisher, Disallowed, AuthRoot, TrustedPeople.

SSLTunnelCertStorePassword | String | The password for the certificate store defined in SSLTunnelCertStore, if required.

SSLTunnelCertSubject | String | The subject of the certificate used during SSL negotiation for incoming connections. Example: "CN=NEWTON".

SSLTunnelEnabledCipherSuites | String | The enabled cipher suites to be used in SSL negotiation for incoming connections.
    By default, the enabled cipher suites include all available ciphers ("*"). The special value "*" means that the component will pick all of the supported cipher suites. If SSLTunnelEnabledCipherSuites is set to any other value, only the specified cipher suites will be considered. Multiple cipher suites are separated by semicolons.
    Example values when SSLTunnelUseInternalSecurityAPI is False (default) (one example per line):
        *
        CALG_AES_256
        CALG_AES_256;CALG_3DES
    Possible values when SSLTunnelUseInternalSecurityAPI is False (default) include:
    Example values when SSLTunnelUseInternalSecurityAPI is True (one example per line):
        *
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA;TLS_DH_ANON_WITH_AES_128_CBC_SHA
    Possible values when SSLTunnelUseInternalSecurityAPI is True include:
    SSLTunnelEnabledCipherSuites is used together with SSLTunnelCipherStrength.
SSLTunnelCipherStrength | DWORD | The minimum cipher strength used for bulk encryption.
    This minimum cipher strength is largely dependent on the security modules installed on the system. If the cipher strength specified is not supported, an error will be returned when connections are initiated. Please note that this setting contains the minimum cipher strength requested from the security library. Use this setting with caution. Requesting a lower cipher strength than necessary could potentially cause serious security vulnerabilities.

SSLTunnelEnabledProtocols | DWORD | Used to enable or disable the supported security protocols for incoming SSL connections.
    Not all supported protocols are enabled by default (the value of this setting is 4032). If you want more granular control over the enabled protocols, you can set this property to the binary 'OR' of one or more of the following values:

SSLTunnelProvider | String | The name of the security provider to use for incoming SSL connections.
    Change this setting to use security providers other than the system default. Use this setting with caution. Disabling SSL security or pointing to the wrong provider could potentially cause serious security vulnerabilities in your application. The special value "*" (default) picks the default SSL provider defined in the system. The special value "Internal" picks the internal SSL implementation, which does not rely on any system libraries. This is equivalent to setting SSLTunnelUseInternalSecurityAPI to True.

SSLTunnelSecurityFlags | DWORD | Flags that control certificate verification for incoming SSL connections.
    The following flags are defined (specified in hexadecimal notation). They can be or-ed together to exclude multiple conditions:

SSLTunnelUseInternalSecurityAPI | DWORD | Whether to use the internal security implementation rather than system libraries for incoming SSL connections.
    By default the component will use the system security libraries to perform cryptographic functions. When set to False, calls to unmanaged code will be made. In environments where this is not desirable, set this setting to True to use a completely managed security implementation.
TunnelFirewallType | DWORD | The type of firewall for the SSL Tunnel to connect through. Applicable values include the following:
    0 - No firewall (default setting)
    1 - Connect through a tunneling proxy.
    2 - Connect through a SOCKS4 proxy.
    3 - Connect through a SOCKS5 proxy.

TunnelFirewallHost | String | The name or IP address of the firewall that the SSH Tunnel will connect through.

TunnelFirewallPort | DWORD | The TCP port for the TunnelFirewallHost.

TunnelFirewallUser | String | A user name, if authentication is to be used when connecting through a firewall.

TunnelFirewallPassword | String | The password to be used, if authentication is to be used when connecting through a firewall.

TunnelForwardingEnableSSL | DWORD | Whether the tunnel's outgoing connection will be secured with SSL.
    0 - Disabled. (default)
    1 - Enabled.

TunnelForwardingAcceptAnyServerCert | DWORD | Whether to automatically trust any public certificate presented by the forwarding host during outgoing SSL connections.
    This setting can be used as an alternative to specifying the particular public certificate presented by the forwarding host.

TunnelForwardingSSLCertStoreType | DWORD | Specifies the type of certificate store where the forwarding host's public certificate can be found. Can be one of the following values:
    0 - User store
    1 - Machine store
    2 - PFX file
    4 - PEM file
    8 - Public key file
    9 - Public key blob

TunnelForwardingSSLCertStore | String | The certificate store containing the forwarding host's public certificate.
    If TunnelForwardingSSLCertStoreType is either 0 or 1, this value defines the specific store where the certificate can be found. Otherwise, this value should be set to a path on disk. Possible values when TunnelForwardingSSLCertStoreType is 0 or 1 include: My, Root, Trust, CA, TrustedPublisher, Disallowed, AuthRoot, TrustedPeople.

TunnelForwardingSSLCertStorePassword | String | The password for the certificate store defined in TunnelForwardingSSLCertStore, if required.

TunnelForwardingSSLCertSubject | String | The subject of the forwarding host's public certificate. Example: "CN=NEWTON".

TunnelForwardingReuseSSLSession | DWORD | Whether to reuse SSL sessions for outgoing connections.
TunnelForwardingSSLCipherStrength | DWORD | The minimum cipher strength used for bulk encryption.
    This minimum cipher strength is largely dependent on the security modules installed on the system. If the cipher strength specified is not supported, an error will be returned when connections are initiated. Please note that this setting contains the minimum cipher strength requested from the security library. Use this setting with caution. Requesting a lower cipher strength than necessary could potentially cause serious security vulnerabilities.

TunnelForwardingSSLEnabledProtocols | DWORD | The SSL/TLS protocols to use during outgoing SSL connections.
    Not all supported protocols are enabled by default (the value of this setting is 4032). If you want more granular control over the enabled protocols, you can set this property to the binary 'OR' of one or more of the following values:

TunnelForwardingSSLProvider | String | The name of the security provider to use during outgoing SSL connections.
    Change this setting to use security providers other than the system default. Use this setting with caution. Disabling SSL security or pointing to the wrong provider could potentially cause serious security vulnerabilities in your application. The special value "*" (default) picks the default SSL provider defined in the system. The special value "Internal" picks the internal SSL implementation, which does not rely on any system libraries. This is equivalent to setting TunnelForwardingSSLUseInternalSecurityAPI to True.

TunnelForwardingSSLSecurityFlags | DWORD | Flags that control certificate verification during outgoing SSL connections.
    The following flags are defined (specified in hexadecimal notation). They can be or-ed together to exclude multiple conditions:

TunnelForwardingSSLEnabledCipherSuites | String | The cipher suites to be used in the outgoing SSL negotiation.
    By default, the enabled cipher suites include all available ciphers ("*"). The special value "*" means that the component will pick all of the supported cipher suites. If TunnelForwardingSSLEnabledCipherSuites is set to any other value, only the specified cipher suites will be considered. Multiple cipher suites are separated by semicolons.
    Example values when TunnelForwardingSSLUseInternalSecurityAPI is False (default) (one example per line):
        *
        CALG_AES_256
        CALG_AES_256;CALG_3DES
    Possible values when TunnelForwardingSSLUseInternalSecurityAPI is False (default) include:
    Example values when TunnelForwardingSSLUseInternalSecurityAPI is True (one example per line):
        *
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA;TLS_DH_ANON_WITH_AES_128_CBC_SHA
    Possible values when TunnelForwardingSSLUseInternalSecurityAPI is True include:
    TunnelForwardingSSLEnabledCipherSuites is used together with TunnelForwardingSSLCipherStrength.

TunnelForwardingSSLUseInternalSecurityAPI | DWORD | Whether to use the internal security implementation rather than system libraries for outgoing SSL connections.
    By default the component will use the system security libraries to perform cryptographic functions. When set to False, calls to unmanaged code will be made. In environments where this is not desirable, set this setting to True to use a completely managed security implementation.
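As an added audit example (my own script, not part of PowerShell Server or its documentation), the following PowerShell reads every tunnel key under the registry path above and reports the settings this table flags as weakening transport security: plaintext legs, relaxed certificate verification, non-default protocol masks and proxy credentials stored in the registry. It assumes only the value names documented here; 4032 is the documented default for both EnabledProtocols values, and the finding texts are my own.

```powershell
# Added example: audit PowerShell Server SSL Tunnel registry keys for weak settings.
$base = 'HKLM:\SOFTWARE\nsoftware\PowerShell\Server\16\SSLTunnels'
$defaultProtocols = 4032   # documented default of *EnabledProtocols

function Test-SslTunnelKey {
    param([Parameter(Mandatory)][string]$KeyPath)
    $p = Get-ItemProperty -Path $KeyPath
    $name = if ($p.TunnelName) { $p.TunnelName } else { Split-Path $KeyPath -Leaf }
    $f = New-Object System.Collections.Generic.List[string]

    # Incoming leg: SSLEnabled defaults to 1, so only an explicit 0 is plaintext.
    if ($p.SSLEnabled -eq 0) { $f.Add('SSLEnabled=0: incoming leg is plaintext') }
    # Any non-zero flag value excludes one or more certificate verification conditions.
    if ($p.SSLTunnelSecurityFlags) {
        $f.Add(('SSLTunnelSecurityFlags=0x{0:X}: verification conditions excluded' -f [int]$p.SSLTunnelSecurityFlags))
    }
    if ($null -ne $p.SSLTunnelEnabledProtocols -and $p.SSLTunnelEnabledProtocols -ne $defaultProtocols) {
        $f.Add("SSLTunnelEnabledProtocols=$($p.SSLTunnelEnabledProtocols): differs from default $defaultProtocols")
    }

    # Outgoing leg: TunnelForwardingEnableSSL defaults to 0 (plaintext to the forwarding host).
    if ($p.TunnelForwardingEnableSSL -ne 1) {
        $f.Add("TunnelForwardingEnableSSL=0: outgoing leg to $($p.TunnelForwardingHost):$($p.TunnelForwardingPort) is plaintext")
    } else {
        if ($p.TunnelForwardingAcceptAnyServerCert -eq 1) {
            $f.Add('TunnelForwardingAcceptAnyServerCert=1: forwarding host is not authenticated')
        }
        if ($p.TunnelForwardingSSLSecurityFlags) {
            $f.Add(('TunnelForwardingSSLSecurityFlags=0x{0:X}: verification conditions excluded' -f [int]$p.TunnelForwardingSSLSecurityFlags))
        }
        if ($null -ne $p.TunnelForwardingSSLEnabledProtocols -and $p.TunnelForwardingSSLEnabledProtocols -ne $defaultProtocols) {
            $f.Add("TunnelForwardingSSLEnabledProtocols=$($p.TunnelForwardingSSLEnabledProtocols): differs from default $defaultProtocols")
        }
    }

    # Secrets held in the registry: worth knowing who can read this key.
    if ($p.TunnelFirewallPassword) { $f.Add('TunnelFirewallPassword is set: proxy credential stored in registry') }
    if ($p.SSLTunnelCertStorePassword) { $f.Add('SSLTunnelCertStorePassword is set: certificate store password in registry') }

    [pscustomobject]@{
        Tunnel   = $name
        Enabled  = ($p.TunnelEnabled -ne 0)   # TunnelEnabled defaults to 1
        Findings = ($f -join '; ')
    }
}

Get-ChildItem -Path $base -ErrorAction Stop |
    ForEach-Object { Test-SslTunnelKey -KeyPath $_.PSPath } |
    Format-Table -AutoSize -Wrap
```

Run it in an elevated session on the PowerShell Server host; a tunnel with an empty Findings column matches the table's secure defaults on both legs.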