Setup

Attention

We recommend using the latest config file as a starting point and moving changes from your old config file into the new one.

Configuration values are defined by nested XML elements in the scyld-cloud-workstation.xml config file. In Linux this can be found at /opt/scyld-cloud-workstation/bin/scyld-cloud-workstation.xml and in Windows this can be found at C:\Program Files\Penguin Computing\Scyld Cloud Workstation\scyld-cloud-workstation.xml. This section describes properties in the config file.

For the purpose of this document, we refer to properties by using dot notation. For example, config.Server.LogLevel indicates that LogLevel is a property within Server, which is a property within config. Since all properties begin with ‘config’, for brevity we ignore it. Properties are case-sensitive.

Warning

The config file and private key files contains sensitive information that can compromise security if an attacker can read it. We strongly recommend limiting read and write access to the root / system administrator account.

Warning

Scyld Cloud Workstation includes a default private key, certificate file, username, and password that are not secure and should be changed.

Applying Config File Changes

Saved changes to the config file are only applicable once the service restarts. The Server.Auth.ShadowPassword setting is the one exception to this rule - saved changes to it are applicable immediately.

In Linux you can restart the service using the systemctl restart command:

systemctl restart scyld-cloud-workstation.service

In Windows you can restart the service using the Services tool. First open the Task Manager by right-clicking on the Task Bar and select Start Task Manager. At the Task Manager, go to the Services tab and click on Services. Right-click on scyld-cloud-workstation in the the list of services and select Restart from the dropdown of actions.

In MacOS you can restart the service by calling the application with the --service restart flag. For example:

# Change to the application directory
cd /Applications/scyld-cloud-workstation.app/Contents/MacOS

# Restart the service
sudo ./scyld-cloud-workstation --service restart

The Scyld Cloud Workstation sign-in page should return after a few seconds.

Config File Settings

Attention

We recommend using the latest config file as a starting point and moving changes from your old config file into the new one.

The default config file comes with appropriate values for nearly all of the server settings.

In this section we discuss config settings that are commonly changed from the default config file.

License Management

For more information on license management, please see: Flexera License Management.

Server Authentication

User’s are authenticated using credentials defined by the config file or by the ScyldCloudAuth web service. To disable any of these, simply comment out these elements by wrapping them with <!-- and -->.

Authentication is enabled by default and in should not be disabled in production systems. Server.Auth.Enabled should always be set to true.

There are several authentication schemes supported by Scyld Cloud Workstation. Each system is independent and can be enabled in parallel.

  • Config File Authentication

  • ScyldCloudAuth Authentication

  • OS Credential Authentication

Config File Authentication

Config File Authentication uses credentials stored in the config file. The following settings control Config File Authentication:

The ShadowPassword is set by calling scyld-cloud-workstation.sh --passwd in Linux with sudo privileges, scyld-cloud-workstation.exe /passwd in Windows as an Administrator, or sudo scyld-cloud-workstation --passwd.

Config File Authentication can be disabled by commenting or removing Server.Auth.Username and Server.Auth.ShadowPassword.

ScyldCloudAuth Authentication

ScyldCloudAuth Authentication uses the ScyldCloudAuth proxy service for authentication. To enable ScyldCloudAuth for authentication, set:

ScyldCloudAuth can be disabled by commenting or removing Server.Auth.ScyldCloudAuth.URL.

OS Credential Authentication

The credentials accepted by your remote Linux, Windows, or MacOS host can be used to sign into Scyld Cloud Workstation. This supports ActiveDirectory for Windows, and LDAP / PAM for Linux.

Important

While config file or ScyldCloudAuth usernames can be used to sign in to Scyld Cloud Workstation at any time, only a single set of OS credentials can only be used to sign-in at a time. This prevents different OS credentials from signing in at the same time.

This feature can be disabled by setting Server.Auth.OSAuthEnabled to false or removing it from the config file.

External Sign-In Pages

If your organization wants to use an external webpage for signing into Scyld Cloud Workstation, you can set the Server.Auth.ExternalSignInPage setting to the URL. The Scyld Cloud Workstation sign in page will show a link to the external sign-in page instead of the default sign-in interface.

Server Security

The cipher list will determine what ciphers are used to encrypt communication between your clients and your server. It is always a good idea to keep your server’s OpenSSL updated to the latest version.

We recommend using the default values for openSSL.server.cipherList.

Firewall

Your server host’s firewall needs to allows incoming connections to the server over port 443 if you are using use HTTPS or port 80 if you are using HTTP.

In Linux, you will have to update your firewall using iptables. In most cases, adding the following line to your rules file (CentOS/RHEL: /etc/sysconfig/iptables) and restarting the iptables service will allow incoming HTTPS traffic.

# Allow all https
-A INPUT -p tcp --dport 443 -j ACCEPT

Change 443 to 80 in the line above to accept incoming HTTP traffic over port 80 instead.

In Windows these rules are automatically set by the installer and removed by the uninstaller.

HTTPS / SSL Certificates

HTTPS and trusted SSL certificates are required to make all of your interactions with the server secure.

To ensure that connections are using the latest TLS protocol (as of 2015), set openSSL.server.requireTLSv1_2 to true and enable HTTPS by setting Server.Secure to true.

Set openSSL.server.privateKeyFile and openSSL.server.certificateFile to the appropriate private key and SSL certificate paths.

If you have set a passphrase for your private key you will need to set openSSL.server.privateKeyPassphraseHandler.options.password.

An SSL certificate signed by a trusted certificate authority (CA) is used to encrypt and authenticate communication between a browser and server. To obtain an SSL certificate from a CA, you need to generate a certificate signing request (CSR) and submit it to the CA. A list of popular CA’s is given below:

Linux users need to install OpenSSL on the server to complete setup. For example:

# CentOS and Rocky Linux
sudo yum install openssl

# Ubuntu
sudo apt-get install openssl

The following sections describe how to use the openSSL command to create a new private key and CSR, a new CSR from an existing private key, and a self-signed SSL certificate (not recommended).

Create a Private Key and a CSR

Use the openssl command to creates a 2048-bit private key (domain.key) and a CSR (domain.csr). If your CA supports SHA-2, add the -sha256 option to sign the CSR with SHA-2.

openssl req -newkey rsa:2048 -nodes -sha256 -keyout domain.key -out domain.csr

Fill out the prompted questions to complete the CSR.

Warning

The contents of your private key should never be shared with anyone.

Create a CSR from an Existing Private Key

To create a CSR from an existing private key:

openssl req -key domain.key -new -out domain.csr

Fill out the prompted questions to complete the CSR.

Create a Private Key and Self-Signed SSL Certificate

You can create a self-signed SSL certificate instead of having one signed by a CA. The disadvantage to this is that in order to establish trust between the browser and the server, you must make a security exception for this certificate when you visit the page or install it in every browser.

openssl req \
        -newkey rsa:2048 -nodes -sha256 -keyout domain.key \
        -x509 -days 365 -out domain.crt

Fill out the prompted questions to complete the CSR.

Warning

The contents of your private key should never be shared with anyone.

Create a Self-Signed SSL Certificate from an Existing Private Key

To create a self-signed certificate from an existing private key:

openssl req \
        -key domain.key -new \
        -x509 -sha256 -days 365 -out domain.crt

Fill out the prompted questions to complete the CSR.

Settings Glossary

In this section we describe all of the settings available in the config file.

Note

All changes to Scyld.Auth settings except Scyld.Auth.Enabled take effect without a service restart.

Server.LogLevel

The verbosity of output in the log file.

The LogLevel value can be any one of the following (ordered least-to-most verbose): ‘none’, ‘fatal’, ‘critical’, ‘error’, ‘warning’, ‘notice’, ‘information’, ‘debug’, and ‘trace’.

Server.LogFormat

Format of the output. Defaults to: %Y-%m-%d %H:%M:%S.%i:%q%q:%t

The format pattern is used as a template to format the message and is copied character by character except for the following special characters, which are replaced by the corresponding value.

Log Format Special Characters

Pattern

Description

%s

message source

%t

message text

%l

priority level (1 .. 7)

%p

priority (Fatal, Critical, Error, Warning, Notice, Information, Debug, Trace)

%q

abbreviated message priority (F, C, E, W, N, I, D, T)

%P

process identifier

%T

thread name

%I

thread identifier (numeric)

%N

node or host name

%U

source file path (empty string if not set)

%u

source line number (0 if not set)

%w

date/time abbreviated weekday (Mon, Tue, …)

%W

date/time full weekday (Monday, Tuesday, …)

%b

date/time abbreviated month (Jan, Feb, …)

%B

date/time full month (January, February, …)

%d

date/time zero-padded day of month (01 .. 31)

%e

date/time day of month (1 .. 31)

%f

date/time space-padded day of month ( 1 .. 31)

%m

date/time zero-padded month (01 .. 12)

%n

date/time month (1 .. 12)

%o

date/time space-padded month ( 1 .. 12)

%y

date/time year without century (70)

%Y

date/time year with century (1970)

%H

date/time hour (00 .. 23)

%h

date/time hour (00 .. 12)

%a

date/time am/pm

%A

date/time AM/PM

%M

date/time minute (00 .. 59)

%S

date/time second (00 .. 59)

%i

date/time millisecond (000 .. 999)

%c

date/time centisecond (0 .. 9)

%F

date/time fractional seconds/microseconds (000000 - 999999)

%z

time zone differential in ISO 8601 format (Z or +NN.NN)

%Z

time zone differential in RFC format (GMT or +NNNN)

%L

convert time to local time (must be specified before any date/time specifier; does not itself output anything)

%E

epoch time (UTC, seconds since midnight, January 1, 1970)

%v[width]

the message source (%s) but text length is padded/cropped to ‘width’

%[name]

the value of the message parameter with the given name

%%

percent sign

Server.LogFile

A path to the log file of the Scyld Cloud Workstation server. By default this can be found in the directory of the Scyld Cloud Workstation executable and is named scyld-cloud-workstation.log. For more information on log output, see Log Output.

Changed in v5.0.0. Default value changed.

Server.LogViewer.Enabled

Set to true to show links to the server and service log files in the Settings menu. Defaults to false.

Server.BootLogFile

Windows only. A path to the log file of the Scyld Cloud Workstation meta-server. By default this can be found in the directory of the Scyld Cloud Workstation executable and is named service.log. For more information on log output, see Log Output.

Changed in v5.0.0. Previously named Server.ServiceLogFile in v2.2.0. Default value changed

Server.LocalCursor

Determines if the client’s local cursor should be shown instead of the remote cursor. Enabling local cursor typically improves the user experience. Defaults to true.

Added in v2.2.0.

Server.AutoLock

Determines if Scyld Cloud Workstation calls on the OS to lock the desktop upon disconnecting from the web page. Experimental. Defaults to false.

Warning

NOTE: In Linux, screen locking is achieved by entering Ctrl+Alt+l on behalf of the user. While this will lock the screen for most, this feature is not guaranteed to work on all Linux systems.

Updated in v5.0.0.

Server.IdleUserTimeout

The length of time (in minutes) that users must be inactive before all users are disconnected. This feature is disabled if value is 0.0 or less. Defaults to 120.

Added in v5.0.0.

Server.Port

The port number used by the server. Defaults to 443 if Server.Secure is true or 80 if Server.Secure is false.

Server.Secure

Determines if the server operates over HTTPS (recommended). Defaults to true.

Server.LicenseFile

Specifies a license file path or a port@host address where a Scyld FlexLM license server is hosted. If the default license server port is being used (27002), then @host is also acceptable. Defaults to scyld-cloud-workstation.lic.

For more information on installing license files, see Flexera License Management

Added in v5.0.0.

Server.StartDelay

Specifies a sleep time to delay the start-up of Scyld Cloud Workstation in seconds. Defaults to 0.

Added in v5.0.0.

Server.Auth.Enabled

Determines if authentication is enabled and valid credentials are required to sign-in (recommended). Defaults to true.

If false, then all authentication is disabled and any credentials can be used to sign-in. Guest invites are also disabled in this case.

Note

Changing this value only takes effect after a service restart.

Server.Auth.ExternalSignInPage

A URL to your organization’s custom sign-in page. When this value is set to a non-empty string the normal sign-in user interface is replaced with a link to the custom sign-in page.

Note

Setting this value does not enable or disable any authentication protocols. Users may still be able to sign in using ajax calls even if the normal sign-in user interface is disabled.

Added in v9.1.

Server.Auth.Username

Declares a username to be used in combination with the password defined by Server.Auth.ShadowPassword at the Scyld Cloud Workstation sign in page.

Config File Authentication can be disabled by commenting or removing Server.Auth.Username and Server.Auth.ShadowPassword. To This must be specified with Server.Auth.ShadowPassword and is not necessarily the same as the username used by the remote operating system.

Note

Changing this value takes effect without a service restart.

Changed in v5.0.0.

Server.Auth.ShadowPassword

A shadowed password used to sign in to the Scyld Cloud Workstation sign in page. Config File Authentication can be disabled by commenting or removing Server.Auth.Username and Server.Auth.ShadowPassword. The format is as follows:

$6$<salt>$<hash>

The initial 6 value should never be changed and signals that SHA-512 should be used. The <salt> and the plain text password are used to create the hashed password using the UNIX crypt method. See http://linux.die.net/man/3/crypt for more information on UNIX crypt.

Warning

Even though the ShadowPassword value encrypts your password, its contents should remain private. If you suspect that any part of the ShadowPassword has been compromised, please change your password immediately using our password update utility:

  • Linux: sudo scyld-cloud-workstation.sh --passwd

  • Windows: scyld-cloud-workstation.exe /passwd

  • MacOS: sudo scyld-cloud-workstation --passwd

Note

Changing this value takes effect without a service restart.

Changed in v11.1.0.

Server.Auth.MinPasswordLength

The built-in password updater uses this value to require a minimum password length for Server.Auth.ShadowPassword and Server.Broker.ShadowPassword. This defaults to 6.

Note

Changing this value takes effect without a service restart.

Changed in v11.1.0.

Server.Auth.FailAttempts

The number of unsuccessful sign in attempts a client is allowed before the server temporarily rejects future requests from that client for a time period specified by Server.Auth.FailDelay. This helps reduce brute force attacks.

Note

Changing this value takes effect without a service restart.

Changed in v5.0.0.

Server.Auth.FailDelay

The length of time that the server will reject sign in requests from clients that repeatedly fail to sign in. See Server.Auth.FailAttempts for more information.

Note

Changing this value takes effect without a service restart.

Changed in v5.0.0.

Server.Auth.ScyldCloudAuth.URL

The URL to the Scyld Cloud Auth authentication web service. Only applies to Scyld Cloud Manager products.

Note

Changing this value takes effect without a service restart.

Changed in v5.0.0.

Server.Auth.ScyldCloudAuth.Allow

A list of <Username></Username> elements. Case insensitive. Each <Username> element enables a username to be authenticated by ScyldCloudAuth. Usernames elements can use asterisk wildcard characters (i.e. *@penguincomputing.com will enable all usernames that end in @penguincomputing.com).

Note

Changing this value takes effect without a service restart.

Changed in v11.0.0.

Server.Auth.ScyldCloudAuth.Deny

A list of <Username></Username> elements. Case insensitive. Each <Username> element disables a username to be authenticated by ScyldCloudAuth. Usernames that are mentioned by both the Deny and Allow list are denied.

Usernames elements can use asterisk wildcard characters (i.e. *@penguincomputing.com will enable all usernames that end in @penguincomputing.com).

Note

Changing this value takes effect without a service restart.

Changed in v11.0.0.

Server.Auth.ScyldCloudAuth.ApiKey

A string that uniquely identifies the server. This is required to making priviledged Scyld Cloud Auth web service calls.

Added in v9.1.

Server.Auth.ScyldCloudAuth.ApiSecret

A string that represents a shared secret between Scyld Cloud Workstation and the Scyld Cloud Auth server. This is required to make priviledged Scyld Cloud Auth web service calls.

Added in v9.1.

Server.Auth.Session.DefaultTimeout

The lifetime (in seconds) of a session token that starts upon successfully signing in. Session tokens let you access protected resources from the server such as creating a new remote-visualization connection. Increasing this value means a longer period of time you can access the resources without signing in again.

Existing remote-visualization connections are unaffected by session token timeouts. Defaults to 60 seconds.

Note

Changing this value takes effect without a service restart.

Changed in v5.0.0.

Server.Auth.OSAuthEnabled

Determines if authentication using OS credentials is enabled. Defaults to true.

Important

While config file or ScyldCloudAuth usernames can be used to sign in to Scyld Cloud Workstation at any time, only a single set of OS credentials can only be used to sign-in at a time. This prevents different OS credentials from signing in at the same time.

Note

Changing this value takes effect after a service restart.

Added in v6.1.0.

Server.Auth.Session.OnSignIn

The path of a script to execute immediately after signing in. The script is passed the system account name of the user as an argument. By default this is not set, but it can be used for custom sign-in initialization.

Note

Changing this value takes effect without a service restart.

Changed in v5.0.0.

Server.Auth.PAM.Service

The name of the PAM (Pluggable Authentication Module) service. Defaults to login.

Added in v8.0.0.

Server.Broker.Username

Declares a username to be used in combination with the password defined by Server.Broker.ShadowPassword for accessing API calls only.

Config File Authentication can be disabled by commenting or removing Server.Broker.Username and Server.Broker.ShadowPassword. This must be specified with Server.Broker.ShadowPassword and is not necessarily the same as the username used by the remote operating system.

Note

Changing this value takes effect without a service restart.

Changed in v11.0.0.

Server.Broker.ShadowPassword

A shadowed password used to sign in to the Scyld Cloud Workstation sign in page. Config File Authentication can be disabled by commenting or removing Server.Broker.Username and Server.Broker.ShadowPassword. The format is as follows:

$6$<salt>$<hash>

The initial 6 value should never be changed and signals that SHA-512 should be used. The <salt> and the plain text password are used to create the hashed password using the UNIX crypt method. See http://linux.die.net/man/3/crypt for more information on UNIX crypt.

Warning

Even though the ShadowPassword value encrypts your password, its contents should remain private. If you suspect that any part of the ShadowPassword has been compromised, please change your password immediately using our password update utility:

  • Linux: sudo scyld-cloud-workstation.sh --broker-passwd

  • Windows: scyld-cloud-workstation.exe /broker-passwd

  • MacOS: sudo scyld-cloud-workstation --broker-passwd

Note

Changing this value takes effect without a service restart.

Changed in v11.1.0.

Server.Audio.Enabled

Determines if fetching the remote server’s audio is allowed. Defaults to true.

If true, the remote server’s audio can be streamed.

If false, the remote server’s audio can not be streamed.

Added in v10.0.0.

Server.Audio.Output.BufferTime

The buffering time (in seconds) for the audio output stream.

Lowering the time improves synchronization with the video stream, but may result in more playback skipping.

Increasing the time results in a more stable playback, but adds latency to audio playback and causes it to be less synchronized with the video stream.

Note

If you are using devices that add additional latency (such as bluetooth speakers) then lowering this value may be beneficial.

Defaults to 0.020.

Changed in v10.2.0.

Server.Audio.Output.SampleRate

Determines the audio sample rate in Hz. Higher sample rates lead to better audio quality, but consumes more bandwidth. Supported values are 96000, 48000, 44100, and 22050.

Note

CD audio quality can be achieved with a sample rate of 44100 Hz and a format of s16le.

Defaults to 44100.

Updated in v11.3.0. Added new supported values.

Server.Audio.Output.Stream.Format

Determines the audio output format. Note that audio bit depth (i.e., bits per sample) differs for each of the supported PCM formats below. Higher bit depth may improve audio quality, but will consume more bandwidth.

Note

CD audio quality can be achieved with a sample rate of 44100 Hz and a format of s16le.

Format

Description

s8

PCM 8-bit signed integer little endian

s16le

PCM 16-bit signed integer little endian

s24le

PCM 24-bit signed integer little endian

f32le

PCM 32-bit floating point little endian

Defaults to s16le.

Added in v10.2.0.

Server.Audio.Output.Stream.Device

Linux Only. Determines the pulseaudio monitor sink to fetch audio from on the server. These names must end with .monitor. Usually this value is automatically detected and updated to reflect the operating system’s default audio device.

To force the system to use a specific device, use the command: pactl list short sinks to see a list of the device names. In the example below, there are two available sinks:

[root@server ~]# pactl list short sinks
0   alsa_output.pci-0000_00_04.0.analog-stereo  ...(additional text)...
1   alsa_output.pci-0000_00_05.0.analog-stereo  ...(additional text)...

To select the first device, set the value of this setting to: alsa_output.pci-0000_00_04.0.analog-stereo.monitor.

Defaults to auto.

Added in v10.0.0.

Server.Keyboard.LocalhostAutoAssign

When set to ‘true’, host users that connect to a ‘localhost’ server are eligible to be automatically assigned control of the keyboard and mouse. This may be useful for certain VPN solutions that map remote addresses to ‘localhost’ addresses.

When set to ‘false’, host users that connect to a local machine can only receive control of the keyboard and mouse if it is assigned through the user interface.

Defaults to false.

Added in v12.3.0.

Server.VideoSource

The video capture mechanism. Scyld Cloud Workstation currently supports these video sources: x11, nvfbc, stream, windda, and auto (default).

The x11 video source uses software encoding and only works for Linux systems. It supports a max frame rate of up to 60 fps.

The nvfbc video source is for Linux systems with an NVIDIA GPU and driver that support NVIDIA GRID or NVIDIA NvFBC. It supports a max frame rate of up to 60 fps.

The windda video source is optimized for Windows and supports a max frame rate of up to 60 fps.

The stream video source uses software encoding and is available on all operating systems. This video source supports a max frame rate of up to 60 fps on ARM-based Macs, and 30 fps on all other systems.

The auto video source will try to select the best video source for your system based on what is supported. On Windows systems, windda is selected. On Linux systems that support NVIDIA GRID or NVIDIA NvFBC, nvfbc is selected (otherwise x11 is selected). On MacOS systems, stream is selected.

Changed in v12.2.0. Added nvfbc.

Server.Video.MaxWidth

Any server-side video that exceeds this width is scaled down to this value. This is primarily used to prevent clients from receiving video with resolutions so high that the client can not process them fast enough.

A value of -1 disables this threshold.

Defaults to 2560.

Updated in v5.0.0. Changed default.

Server.Video.MaxHeight

Any server-side video that exceeds this height is scaled down to this value. This is primarily used to prevent clients from receiving video with resolutions so high that the client can not process them fast enough.

A value of -1 disables this threshold.

Defaults to 1440.

Updated in v5.0.0. Changed default.

Server.MultiUser.MaxClientCount

The maximum number of clients that can be connected at a time. Defaults to 6.

Added in v3.0.0.

Server.Video.Encoding.H264.AvgBitRate

This setting can be used to improve image quality at the cost of using more bandwidth.

The average video bit-rate is calculated by using a linear regression of two values based on the resolution of the screen and the number of bits per second, respectively. For more information, please see: Configure Video Bit-Rate

Defaults to 1280x720=3000k,1920x1080=6000k.

Updated in v9.1.9. Increased defaults.

Server.Video.Encoding.H264.StartFrameRate

Initial frame rate. Measured in frames per second. Defaults to 24.

Added in v2.2.0.

Server.Video.Encoding.H264.MinFrameRate

The lowest valid frame rate for a connection. Measured in frames per second. Defaults to 2.

Added in v2.2.0.

Server.Video.Encoding.H264.MaxFrameRate

The highest allowable frame rate for a connection. Measured in frames per second. Defaults to 30.

Windows using the default ‘windda’ video source and ARM-based Mac servers can support frame rates up to 60.

Server.VirtualHere.AllowedUsbDevices

A comma-separated list of USB device names (or parts of device names) that the server will match against to allow USB forwarding from clients. When this list is empty, all USB devices are allowed to be forwarded.

For example, the following setting in the configuration file would allow the server to only accept USB devices that have the word Wacom or Speedline in their name:

<AllowedUsbDevices>Wacom,Speedline</AllowedUsbDevices>

Server.QoS.Enabled

Enables the automatic adjustment of frame rate to adapt to current performance conditions. Frame rate will start at Server.Video.Encoding.H264.StartFrameRate and jump between Server.Video.Encoding.H264.MinFrameRate and Server.Video.Encoding.H264.MaxFrameRate.

Setting this to false will cause the server to send a constant frame rate specified by Server.Video.Encoding.H264.StartFrameRate. Server.Video.Encoding.H264.MinFrameRate and Server.Video.Encoding.H264.MaxFrameRate are ignored in this case.

Defaults to true.

openSSL

All elements within the openSSL tag are described in the Poco SSLManager documentation.

openSSL.server.privateKeyFile

The path to the file containing the private key for the certificate in PEM format (or containing both the private key and the certificate). This path can be absolute or relative to the xml config file. Required for HTTPS support.

openSSL.server.certificateFile

The path to the file containing the server’s or client’s certificate in PEM format. Can be omitted if the the file given in privateKeyFile contains the certificate as well. This path can be absolute or relative to the xml config file.

openSSL.server.verificationMode

Specifies whether and how peer certificates are validated (see the Poco Context class for details). Valid values are none, relaxed, strict, and once. Defaults to none.

Changed in v3.0.0. Default value changed.

openSSL.server.loadDefaultCAFile

Boolean value. Specifies wheter the builtin CA certificates from OpenSSL are used. Defaults to true.

openSSL.server.cipherList

Specifies the supported ciphers in OpenSSL notation.

Changed in v3.0.0. Default value changed.

openSSL.server.privateKeyPassphraseHandler.name

Defaults to KeyFileHandler. The name of the Poco class used for obtaining the passphrase for accessing the private key. If your private key does not use a passphrase, this value is ignored.

Added in v2.2.0. Default value changed.

openSSL.server.privateKeyPassphraseHandler.options.password

The private key passphrase (ignored if there is no passphrase for the private key).

openSSL.server.invalidCertificateHandler.name

This should be set to ConsoleCertificateHandler. The name of the class used for confirming invalid certificates. Defaults to RejectCertificateHandler.

Added in v2.2.0. Default value changed.

openSSL.server.cacheSessions

This should be set to false. Enables or disables session caching.

openSSL.server.extendedVerification

Enable or disable the automatic post-connection extended certificate verification.

openSSL.server.requireTLSv1_2

Require a TLSv1.2 connection. Defaults to true.

Added in v2.2.0. Default value changed.

openSSL.client.verificationMode

Specifies whether and how peer certificates are validated when the server acts as a client to a third-party host (see the Poco Context class for details). Valid values are none, relaxed, strict, and once. Defaults to relaxed. Setting this value to none is not recommended.

Added in v3.0.0.

openSSL.fips

Enable or disable OpenSSL FIPS mode. Only supported if the OpenSSL version that this library is built against supports FIPS mode.

Client Settings

Clients and browsers that meet the requirements listed in Client Requirements support TLS 1.2, WebGL, and WebSockets by default and require no further setup.

Attention

Contact your system administrator if TLS 1.2, WebGL, or WebSockets are disabled.