If the method succeeds, rc is 0 else rc > 0. Values above 0x8000 indicate Warnings.

If the method succeeds, message is NULL else message contains Error/Warning message.

List of sslparameters

Amount of data to collect before the data is pushed to the crypto hardware for encryption. For large downloads, a larger quantum size better utilizes the crypto resources.

Maximum memory size to use for certificate revocation lists (CRLs). This parameter reserves memory for a CRL but sets a limit to the maximum memory that the CRLs loaded on the appliance can consume.

Memory size to use for CRLs

Encryption trigger timer. Set the encryption trigger timeout for transactions, which are not trackable by Citrix ADC. Citrix ADC will use this setting to accumulate data received from the server for the configured time period before pushing it to the crypto hardware for encryption.

Send an SSL Close-Notify message to the client at the end of a transaction.

Maximum number of queued packets after which encryption is triggered. Use this setting for SSL transactions that send small packets from server to Citrix ADC.

SSL Renegotiation setting

Encoding method used to insert the subject or issuer's name in HTTP requests to servers.

Size, per packet engine, in megabytes of the OCSP cache

Insert PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is set to a value other than 0, the buffered records are forwarded on the basis of the value of the PUSH flag. Available settings function as follows: 0 - Auto (PUSH flag is not set.) 1 - Insert PUSH flag into every decrypted record. 2 -Insert PUSH flag into every encrypted record. 3 - Insert PUSH flag into every decrypted and encrypted record.

Host header check for SNI enabled sessions. If this check is enabled and the HTTP request does not contain the host header for SNI enabled sessions(i.e vserver or profile bound to vserver has SNI enabled and 'Client Hello' arrived with SNI extension), the request is dropped.

Controls how the HTTP 'Host' header value is validated. These checks are performed only if the session is SNI enabled (i.e when vserver or profile bound to vserver has SNI enabled and 'Client Hello' arrived with SNI extension) and HTTP request contains 'Host' header. Available settings function as follows: CERT - Request is forwarded if the 'Host' value is covered by the certificate used to establish this SSL session. Note: 'CERT' matching mode cannot be applied in TLS 1.3 connections established by resuming from a previous TLS 1.3 session. On these connections, 'STRICT' matching mode will be used instead. STRICT - Request is forwarded only if value of 'Host' header in HTTP is identical to the 'Server name' value passed in 'Client Hello' of the SSL connection. NO - No validation is performed on the HTTP 'Host' header value.

PUSH encryption trigger timeout value. The timeout value is applied only if you set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings.

Limit to the number of disabled SSL chips after which the ADC restarts. A value of zero implies that the ADC does not automatically restart.

Global undef action for SSL control policies

Global undef action for SSL data policies

Global parameter used to enable default profile feature.

Disable TLS 1.1 and 1.2 for dynamic and VPN created services.

Disable TLS 1.1 and 1.2 for secure (https) monitors bound to SSL_BRIDGE services.

CPU quota (%) to be allocated for crypto acceleration in software. Once the CPU utilization reaches or crosses this limit, CPU won't be used for driving crypto in software.

When this mode is enabled, system will use additional crypto hardware to accelerate symmetric crypto operations.

Signature Digest Algorithms that are supported by appliance. Default value is "ALL" and it will enable the following algorithms depending on the platform. On VPX: ECDSA-SHA1 ECDSA-SHA224 ECDSA-SHA256 ECDSA-SHA384 ECDSA-SHA512 RSA-SHA1 RSA-SHA224 RSA-SHA256 RSA-SHA384 RSA-SHA512 DSA-SHA1 DSA-SHA224 DSA-SHA256 DSA-SHA384 DSA-SHA512 On MPX with Nitrox-III and coleto cards: RSA-SHA1 RSA-SHA224 RSA-SHA256 RSA-SHA384 RSA-SHA512 ECDSA-SHA1 ECDSA-SHA224 ECDSA-SHA256 ECDSA-SHA384 ECDSA-SHA512 Others: RSA-SHA1 RSA-SHA224 RSA-SHA256 RSA-SHA384 RSA-SHA512. Note:ALL doesnot include RSA-MD5 for any platform.

Enable or disable dynamically learning and caching the learned information to make the subsequent interception or bypass decision. When enabled, NS does the lookup of this cached data to do early bypass.

Specify the maximum memory that can be used for caching the learned data. This memory is used as a LRU cache so that the old entries gets replaced with new entry once the set memory limit is fully utilised. A value of 0 decides the limit automatically.

To insert space between lines in the certificate header of request

Determines whether or not additional checks are carried out during a TLS handshake when validating an X.509 certificate received from the peer. Settings apply as follows: YES - (1) During certificate verification, ignore the Common Name field (inside the subject name) if Subject Alternative Name X.509 extension is present in the certificate for backend connection. (2) Verify the Extended Key Usage X.509 extension server/client leaf certificate received over the wire is consistent with the peer's role. (applicable for frontend and backend connections) (3) Verify the Basic Constraint CA field set to TRUE for non-leaf certificates. (applicable for frontend, backend connections and CAs bound to the Citrix ADC. NO - (1) Verify the Common Name field (inside the subject name) irrespective of Subject Alternative Name X.509 extension. (2) Ignore the Extended Key Usage X.509 extension for server/client leaf certificate. (3) Do not verify the Basic Constraint CA true flag for non-leaf certificates.

To support both cavium and coleto based platforms in cluster environment, this mode has to be enabled.

Limit in percentage of capacity of the crypto operations queue beyond which new SSL connections are not accepted until the queue is reduced.