Home > Configuration > SSL > setsslparameter_ndcppcompliancecertcheck

setsslparameter_ndcppcompliancecertcheck

Use this method to set determines whether or not additional checks are carried out during a TLS handshake when validating an X.509 certificate received from the peer.
Settings apply as follows:
YES - (1) During certificate verification, ignore the
Common Name field (inside the subject name) if
Subject Alternative Name X.509 extension is present
in the certificate for backend connection.
(2) Verify the Extended Key Usage X.509 extension
server/client leaf certificate received over the wire
is consistent with the peer's role.
(applicable for frontend and backend connections)
(3) Verify the Basic Constraint CA field set to TRUE
for non-leaf certificates. (applicable for frontend,
backend connections and CAs bound to the Citrix ADC.
NO - (1) Verify the Common Name field (inside the subject name)
irrespective of Subject Alternative Name X.509
extension.
(2) Ignore the Extended Key Usage X.509 extension
for server/client leaf certificate.
(3) Do not verify the Basic Constraint CA true flag
for non-leaf certificates.

Syntax



Parameters

ndcppcompliancecertcheck

Determines whether or not additional checks are carried out during a TLS handshake when validating an X.509 certificate received from the peer. Settings apply as follows: YES - (1) During certificate verification, ignore the Common Name field (inside the subject name) if Subject Alternative Name X.509 extension is present in the certificate for backend connection. (2) Verify the Extended Key Usage X.509 extension server/client leaf certificate received over the wire is consistent with the peer's role. (applicable for frontend and backend connections) (3) Verify the Basic Constraint CA field set to TRUE for non-leaf certificates. (applicable for frontend, backend connections and CAs bound to the Citrix ADC. NO - (1) Verify the Common Name field (inside the subject name) irrespective of Subject Alternative Name X.509 extension. (2) Ignore the Extended Key Usage X.509 extension for server/client leaf certificate. (3) Do not verify the Basic Constraint CA true flag for non-leaf certificates.
Default value = NO.
Possible Values : YES, NO.

Return Value

Returns simpleResult

See Also

getsslparameter

setsslparameter_crlmemorysizemb

setsslparameter_cryptodevdisablelimit

setsslparameter_defaultprofile

setsslparameter_denysslreneg

setsslparameter_dropreqwithnohostheader

setsslparameter_encrypttriggerpktcount

setsslparameter_heterogeneoussslhw

setsslparameter_hybridfipsmode

setsslparameter_insertcertspace

setsslparameter_insertionencoding

setsslparameter_ocspcachesize

setsslparameter_operationqueuelimit

setsslparameter_pushenctriggertimeout

setsslparameter_pushflag

setsslparameter_quantumsize

setsslparameter_sendclosenotify

setsslparameter_sigdigesttype

setsslparameter_snihttphostmatch

setsslparameter_softwarecryptothreshold

setsslparameter_sslierrorcache

setsslparameter_sslimaxerrorcachemem

setsslparameter_ssltriggertimeout

setsslparameter_strictcachecks

setsslparameter_undefactioncontrol

setsslparameter_undefactiondata

unsetsslparameter_crlmemorysizemb

unsetsslparameter_cryptodevdisablelimit

unsetsslparameter_defaultprofile

unsetsslparameter_denysslreneg

unsetsslparameter_dropreqwithnohostheader

unsetsslparameter_encrypttriggerpktcount

unsetsslparameter_heterogeneoussslhw

unsetsslparameter_hybridfipsmode

unsetsslparameter_insertcertspace

unsetsslparameter_insertionencoding

unsetsslparameter_ndcppcompliancecertcheck

unsetsslparameter_ocspcachesize

unsetsslparameter_operationqueuelimit

unsetsslparameter_pushenctriggertimeout

unsetsslparameter_pushflag

unsetsslparameter_quantumsize

unsetsslparameter_sendclosenotify

unsetsslparameter_sigdigesttype

unsetsslparameter_snihttphostmatch

unsetsslparameter_softwarecryptothreshold

unsetsslparameter_sslierrorcache

unsetsslparameter_sslimaxerrorcachemem

unsetsslparameter_ssltriggertimeout

unsetsslparameter_strictcachecks

unsetsslparameter_undefactioncontrol

unsetsslparameter_undefactiondata