HTTP.SBX Enhancement

In HTTP.SBX, rename the certfile parameter to properties and revise its meaning/interpretation to:

Properties (string) [in]

An optional list of name=value clauses delimited by semicolons, e.g.: name1=value;name2=value2,value3;...;nameN=valueM

To maintain backwards compatibility, if there is no "=" character in the string, it will be interpreted as the certfile spec (as before), although this syntax is now deprecated and replaced with the cert=fspec clause.

The current list of property names and values is shown below. Note that the property names are case sensitive, but the values are not. For boolean values, anything starting with "T" or "1" is considered TRUE; everything else is considered false. Note the default values for the case where the property is not specified.

Name = Value            Default   Description
----------------------  --------  -----------
Cert=<fspec>            none      Specify cert file spec
AllowHeaderFolding      True      Disables MIME header folding
BasicAuth               False     Allows HTTP basic authentication; see Comments.
RequiresSslCertVerify   False     If true, verify server's SSL cert; if expired or invalid, abort connection.
SslAllowedCiphers       <all>     Specify comma-delimited list of allowed SSL/TLS ciphers. See Comments.
AutoAddHostHeader       False     If true, the "Host" header will be added to the request header for XHTTPF_REQGET
MimicFireFox            False     If true, headers are added to XHTTPF_REQGET calls to mimic those used by FireFox
MimicIE                 False     If true, headers are added to XHTTPF_REQGET calls to mimic those used by Internet Explorer
ReadTimeout             75        Time in seconds to wait while reading the response from the server before timing out.
ConnectTimeout          30        Time in seconds to wait for the connection to be established before timing out

Table Comments

BasicAuth: Basic Authentication is one of many types of HTTP authentication, but it is often considered a security risk because the name and password are transmitted in plain text. For an SSL/TLS connection, this may be OK, but in any case, the default is set to False just to err on the safe side.

SslAllowedCiphers: To limit SSL/TLS connections to a more specific set of possible ciphers, specify one or more of the following (comma-delimited). You may also use the special value "best-practices" to request "current best practices". Currently this means the following, but may evolve over time:

•   Any RSA keys must be 1024 bits or more

•   All renegotiations must be secure

•   All ciphers using RC4, DES or 3DES are disallowed

Available ciphers

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_ECDHE_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_RC4_128_MD5

TLS_DHE_RSA_WITH_DES_CBC_SHA

TLS_RSA_WITH_DES_CBC_SHA
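
The parsing rules and defaults above, modelled as an added Python example (not the HTTP.SBX implementation or A-Shell code): it resolves a properties string to its effective settings and lists the ones a security review would question. The function names, the finding texts and the choice to ignore unrecognised clauses are assumptions; property names follow the table's spelling.

```python
# Added example: models the property-string rules described on this page.
# It is not the HTTP.SBX implementation.
DEFAULTS = {  # names and defaults as spelled in the table above
    "Cert": None, "AllowHeaderFolding": True, "BasicAuth": False,
    "RequiresSslCertVerify": False, "SslAllowedCiphers": "<all>",
    "AutoAddHostHeader": False, "MimicFireFox": False, "MimicIE": False,
    "ReadTimeout": 75, "ConnectTimeout": 30,
}
WEAK = ("RC4", "DES")  # "DES" also matches the 3DES suite names

def as_bool(value):
    # Anything starting with "T" or "1" is TRUE; values are case-insensitive.
    return value.strip().upper().startswith(("T", "1"))

def parse_properties(spec):
    props = dict(DEFAULTS)
    if spec and "=" not in spec:  # deprecated form: whole string is the certfile
        props["Cert"] = spec
        return props
    for clause in spec.split(";"):
        name, sep, value = clause.partition("=")
        name = name.strip()
        if not sep or name not in DEFAULTS:  # names are case-sensitive
            continue  # assumption: unrecognised clauses are ignored
        if isinstance(DEFAULTS[name], bool):
            props[name] = as_bool(value)
        elif isinstance(DEFAULTS[name], int):
            props[name] = int(value)
        else:
            props[name] = value.strip()
    return props

def audit(spec):
    """Return review findings for the effective settings of a property string."""
    p = parse_properties(spec)
    findings = []
    if not p["RequiresSslCertVerify"]:
        findings.append("server certificate is not verified")
    if p["BasicAuth"]:
        findings.append("basic authentication is enabled")
    ciphers = p["SslAllowedCiphers"].lower()
    if ciphers != "best-practices":
        weak = [c.strip() for c in ciphers.upper().split(",")
                if any(w in c for w in WEAK)]
        if ciphers == "<all>" or weak:
            findings.append("RC4/DES/3DES suites permitted")
    return findings
```

Under the boolean rule, a value such as "yes" resolves to false, so `RequiresSslCertVerify=yes` leaves certificate verification off.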