Startup parameters and environment variables are defined in the CMakeLists.txt file for the Einit program using the CMake command set_target_properties() in the EXTRA_ARGS and EXTRA_ENV properties. For more details, please refer to the section titled Adding TLS Terminator to a KasperskyOS-based solution.
Startup parameters
{-c|--cacert} <FILE|DIR>: Path to the root certificates (a file or a directory).
{-s|--cert} <FILE>: Path to the client certificate.
{-k|--key} <FILE>: Path to the client private key.
{-r|--crl} <FILE|DIR>: Path to the list of revoked certificates (a file or a directory).
{-t|--timeout} <NUMBER>: Timeout for socket read operations during the TLS handshake (in milliseconds).
{-g|--log-level} <NUMBER>: Event log level (see the table below). TLS Terminator logs its own events and the events of the crypto libraries.
TLS Terminator log levels and their corresponding crypto library log levels
| TLS Terminator log level | Crypto libraries log level | TLS Terminator log level description |
|---|---|---|
| | | No logging. |
| | | Errors are logged for TLS Terminator. |
| | | Errors, warnings, and informational messages are logged for TLS Terminator. Errors are logged for crypto libraries. Default value. |
| | | Full logging of TLS Terminator events. Errors, states, and informational messages are logged for crypto libraries. |
{-e|--debug-if-file-exist} <FILE>: Enables the maximum log level while a file with the specified name exists. Whether the file exists is checked for each new TLS connection. If the file does not exist, the log level defined by the --log-level parameter or the NGLOG_ENV_LEVEL environment variable is used.
{-d|--enable_dynamic_cert}: Automatic selection of the TLS authentication type based on the certificates that are available:
- Only the root certificate (--cacert) is available: the client verifies the server certificate but does not authenticate itself.
- The root certificate (--cacert), the client certificate (--cert), and the private key (--key) are all available: both sides of the TLS connection are mutually authenticated.
{-v|--cert_verify_required}: Makes certificate verification by the crypto libraries mandatory.
{-N|--server_cert_verify_disable}: Disables certificate verification by the crypto libraries on the server side.
{-p|--plugin_path} <FILE>: Path to the dynamic library that implements a plug-in extending the functionality of TLS Terminator. This parameter is used only if the TLS Terminator component is built with a toolchain that supports dynamic linking (the PLATFORM_SUPPORTS_DYNAMIC_LINKING variable is true).
{-o|--force_ocsp_stapling_check}: Enables server certificate validation via OCSP Stapling for all client connections. If the server supports OCSP Stapling, the client receives a signed OCSP response from the certificate authority that states the status of the server certificate. The client checks the received status: if it is good, the connection is established; if it is revoked or unknown, the connection is declined.
--tls-min-version <VERSION>: Minimum version of the TLS protocol. Permissible values: TLS-1.2, TLS-latest.
--tls-max-version <VERSION>: Maximum version of the TLS protocol. Permissible values: TLS-1.2, TLS-latest.
--ciphersuite <NAME>: Adds a cipher suite to the list of supported cipher suites.
--server_min_rsa_keys_size <ROOT:INTERMEDIATE:EE>: Minimum RSA key length (in bits) for server certificates, given separately for the root, intermediate, and end-entity certificates.
--client_min_rsa_keys_size <ROOT:INTERMEDIATE:EE>: Minimum RSA key length (in bits) for client certificates, given separately for the root, intermediate, and end-entity certificates.
Environment variables
NGLOG_LEVEL: Log level of the TLS Terminator component. Permissible values: from 0 to 4. This environment variable is used only if the --log-level startup parameter is not specified.
VFS_NETWORK_BACKEND=<VFS backend name>:<name of the IPC channel to the VFS process>: VFS backend for working with the network stack.
VFS_FILESYSTEM_BACKEND=<VFS backend name>:<name of the IPC channel to the VFS process>: VFS backend for working with file systems.
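As an added example (not taken from the page or from the KasperskyOS SDK sources), the following CMake fragment shows how the startup parameters and environment variables listed above are passed through the EXTRA_ARGS and EXTRA_ENV target properties. It configures mutual authentication with a hard verification requirement, OCSP Stapling checks, and minimum RSA key sizes. The target name TlsTerminator, the certificate paths, the numeric values (timeout, key sizes), and the VFS channel names are assumptions; the multi-line YAML-list form of EXTRA_ARGS and the key: value form of EXTRA_ENV follow the SDK convention the page refers to.

```cmake
# Added example: startup arguments and environment for the TLS Terminator
# process, set on its program target so that Einit passes them at start-up.
# Target name, paths, numeric values and VFS channel names are assumptions.
set_target_properties (TlsTerminator PROPERTIES
  EXTRA_ARGS "\
    - --cacert
    - /etc/tls/ca
    - --cert
    - /etc/tls/client.crt
    - --key
    - /etc/tls/client.key
    - --crl
    - /etc/tls/crl
    - --enable_dynamic_cert
    - --cert_verify_required
    - --force_ocsp_stapling_check
    - --tls-min-version
    - TLS-1.2
    - --tls-max-version
    - TLS-latest
    - --server_min_rsa_keys_size
    - 4096:3072:2048
    - --client_min_rsa_keys_size
    - 4096:3072:2048
    - --timeout
    - 5000"
  EXTRA_ENV "\
    VFS_NETWORK_BACKEND: client:kl.VfsNet
    VFS_FILESYSTEM_BACKEND: client:kl.VfsSdCardFs")
```

Because --enable_dynamic_cert is set, removing the --cert and --key entries from this list switches the process to server-only authentication (the client still verifies the server against /etc/tls/ca but does not present a certificate of its own); --cert_verify_required ensures that a connection whose certificate chain cannot be verified by the crypto libraries is rejected rather than silently accepted. The log level is left at its default here; set it with --log-level or the NGLOG_LEVEL environment variable as described above.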