Options
Examples¶
SecurityOptions¶
Options of the addon can be accessed through the static SecurityOptions
class:
- UseServerSentIntermediateCertificates: If false, only certificates stored in the trusted intermediates database are used to reconstruct the certificate chain. When set to true (default), it improves compatibility but the addon going to use/accept certificates that not stored in its trusted database.
- FolderAndFileOptions: Folder, file and extension options.
- OCSP: OCSP and OCSP cache options.
- TrustedRootsOptions: Database options of the Trusted CAs database.
- TrustedIntermediatesOptions: Database options of the Trusted Intermediate Certifications database
- Database options of the Client Credentials database: Database options of the Client Credentials database
OCSP Options¶
- ShortLifeSpanThreshold: The addon not going to check revocation status for short lifespan certificates.
- EnableOCSPQueries: Enable or disable sending out OCSP requests for revocation checking.
- FailHard: Treat unknown revocation statuses (unknown OCSP status or unreachable servers) as revoked and abort the TLS negotiation.
- FailOnMissingCertStatusWhenMustStaplePresent: Treat the TLS connection failed if the leaf certificate has the must-staple flag, but the server doesn't send certificate status.
- OCSPCache: OCSP Cache Options as detailed below
OCSP Cache Options¶
OCSP request caching related options.
- MaxWaitTime: Maximum wait time to receive an OCSP response. Depending on the OCSP Options'
FailHard
value if no response is received in the given time the TLS negotiation might fail. - RetryUnknownAfter: Wait time to retry to get a new OCSP response when the previous response's status is unknown.
- FolderName: OCSP cache's folder name.
- DatabaseOptions: Options for the OCSP cache database.
- HTTPRequestOptions: Customization options for the OCSP requests.
OCSP Cache's HTTPRequest Options¶
OCSP requests are plain old HTTPRequest
s and every BestHTTP/2 global settings affecting them, but through this options OCSP requests can be further customized.
- DataLengthThreshold: A threshold in bytes to switch to a POST request instead of GET. Setting it to
0
all requests are sent as POST. - UseKeepAlive: Whether to try to keep the connection alive to the OCSP server.
- UseCache: Whether to cache responses if possible.
- ConnectTimeout: Time limit to establish a connection to the server.
- Timeout: Time limit to send and receive an OCSP response from the server.
Database Options¶
- Name: Name of the database. This name is used to create the database files.
- UseHashFile Whether to calculate a hash from the database and write it to a file. It has a useage only if the file is created 'offline' and bundled with the application.
- DiskManager: Options for the database's DiskManager instance.
DiskManager Options¶
- MaxCacheSizeInBytes: This limits the maximum database rows kept in memory.
- HashDigest: Hash digest algorithm name to generate the database's hash.