ICS Version: 0.4.8888
Listener

A listener defines a service exposed by a set of interfaces serving certain protocols.

Multiple listeners can be configured.

A listener configuration comprises the following parts:

  • Interface specification
  • Protocol Extension Library specific configuration

The listener configurations introduced by the <LISTENER> tag are children of the <ICSCONFIG> tag and define a service comprising a set of interfaces serving certain communication protocols.

Multiple listeners can be configured to expose an arbitrary number of services.


<?xml version="1.0" encoding="utf-8"?>
<ICSCONFIG VERSION="1.0">
	<LISTENER>
		<INTERFACE ...>
			...
		</INTERFACE>
		<PROTOCOLSPECIFIC:CONFIG...>
			...
		</PROTOCOLSPECIFIC:CONFIG>
	</LISTENER>
	<LISTENER>
		<INTERFACE ...>
			...
		</INTERFACE>
		<PROTOCOLSPECIFIC:CONFIG...>
			...
		</PROTOCOLSPECIFIC:CONFIG>
	</LISTENER>
</ICSCONFIG>
	

The interface configurations introduced by the <INTERFACE> tag are children of the <LISTENER> tag and define the protocol and the network port used for a listener configuration.

Multiple interfaces can be configured for a listener.

The interface configuration can have several child tags that set certain aspects of the interface, such as ADDRESS, EXCEPT or SECURECONTEXT.


<INTERFACE PORT="80" PROTOCOL="1" IDLETIMEOUT="30">
	<ADDRESS>ALL</ADDRESS>
	<EXCEPT>::1</EXCEPT>
	<SECURECONTEXT>
	...
	</SECURECONTEXT>
</INTERFACE>
		

The INTERFACE tag itself has three attributes:

  • PORT
  • PROTOCOL
  • IDLETIMEOUT

PORT

The PORT attribute defines the port at which the server should listen for incoming requests.

PROTOCOL

The PROTOCOL attribute defines the protocol plug-in which should be used to serve the requests. See PROTOCOLS configuration for a reference of the protocols supported.

IDLETIMEOUT

The IDLETIMEOUT attribute defines the timeout in seconds for idle connections opened via this interface.

Connections from clients that do not issue any request within the configured timeout are closed by the server.

IDLETIMEOUT set to 0 deactivates the timeout; the default is 30 seconds. With the timeout deactivated an idle client keeps its connection, and the server resources bound to it, until it disconnects on its own, so 0 should only be used where the protocol plug-in genuinely needs long-lived idle connections.

The address configurations introduced by the <ADDRESS> tag are children of the <INTERFACE> tag and define the local network addresses listening on the port defined by the interface configuration.

The port defined by the INTERFACE configuration and the network addresses defined by the ADDRESS configuration specify the inbound channel that requests are received on.

If a server has multiple network addresses, the listener can thus be restricted to specific ones.

ALL will establish listener ports on all network interfaces available on the server.

Multiple addresses can be specified.


<ADDRESS>ALL</ADDRESS>
		

If an ALL address is specified, all other ADDRESS tags are ignored.

The except configurations introduced by the <EXCEPT> tag are children of the <INTERFACE> tag and define the local network addresses that should be ignored. Multiple addresses can be specified.

This entry is meant to be used in combination with the ADDRESS ALL configuration. Each EXCEPT entry removes one address from the set ALL selects. The following, for example, stops the listener from binding the IPv6 loopback address (::1); any other IPv6 addresses of the host remain bound:


<EXCEPT>::1</EXCEPT>
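The following added example (not ICS code) models the ADDRESS/EXCEPT selection as described above on a constructed dual-stack host: ALL overrides any other ADDRESS entries, and EXCEPT removes only the addresses listed, so excluding ::1 leaves the host's global IPv6 address bound. It assumes addresses are compared textually after normalisation; the real implementation may differ in such details.

```python
"""Model of how ADDRESS and EXCEPT select the local addresses an INTERFACE binds.
Added example for this page, not ICS code: it applies the rules as described
(ALL overrides other ADDRESS entries, EXCEPT removes the listed addresses) to a
constructed dual-stack host, assuming textual comparison of normalised addresses.
"""
import ipaddress

# Constructed addresses of a dual-stack host (loopback v4/v6, one global each).
HOST_ADDRESSES = ["127.0.0.1", "::1", "192.0.2.10", "2001:db8::10"]


def _canonical(addr):
    """Canonical text form so that "::0001" and "::1" compare equal."""
    return str(ipaddress.ip_address(addr))


def resolve_bind_addresses(address_tags, except_tags, host_addresses=HOST_ADDRESSES):
    """Return the local addresses the interface binds, in host order."""
    if "ALL" in address_tags:
        # ALL selects every host address; other ADDRESS tags are ignored.
        selected = [_canonical(a) for a in host_addresses]
    else:
        selected = [_canonical(a) for a in address_tags]
    excluded = {_canonical(e) for e in except_tags}
    return [a for a in selected if a not in excluded]


def binds_ipv6(bound):
    """True if any bound address is IPv6 (EXCEPT ::1 alone does not prevent this)."""
    return any(ipaddress.ip_address(a).version == 6 for a in bound)


if __name__ == "__main__":
    bound = resolve_bind_addresses(["ALL", "10.0.0.1"], ["::1"])
    print("bound:", bound, "- still listening on IPv6:", binds_ipv6(bound))
```

Run it to see that `ADDRESS ALL` plus `EXCEPT ::1` still binds 2001:db8::10; to keep a listener off IPv6 entirely, every IPv6 address of the host has to be listed in an EXCEPT entry, or the addresses have to be enumerated explicitly instead of using ALL.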
		

The secure context configuration introduced by the <SECURECONTEXT> tag is a child of the <INTERFACE> tag and defines the SSL/TLS server certificate, the private key and the SSL configuration to use for establishing secure connections via this interface.

The server certificate can be specified by the <SSLCERT> tag.

It should point to a PEM-encoded X.509 certificate file. It must contain at least the leaf certificate but may also include the intermediate CA certificates, ordered from the leaf towards the root.

This file must be readable by the unprivileged user that the worker process is started with.

The certificate key file can be specified by the <SSLCERTKEY> tag.

It should point to a PEM-encoded private key file for the server.

The key file should be readable only by the user that starts the ICS control process, and not by the unprivileged worker user or any other user.

Specifying SSL protocols within the <SSLDISABLEPROT> tag disables their use. SSLv2 is broken and should always be disabled; SSLv3 is vulnerable to the POODLE attack and should be disabled as well unless a legacy client leaves no choice.

Within the <SSLCIPHERS> tag the ciphers to be used for establishing secure connections can be specified.

The ciphers are specified as a colon-separated list of OpenSSL cipher names or aliases, applying the following prefixes:

  • no prefix adds the matching ciphers to the end of the list
  • + prefix moves the matching ciphers that are already in the list to the end of the list (it adds none)
  • - prefix removes the matching ciphers from the list (they can be added again by a later entry)
  • ! prefix removes the matching ciphers from the list completely (they cannot be added again by a later entry)

You can use

openssl ciphers -v

to build up the SSLCIPHERS directive. The default depends on the version of the OpenSSL libraries used.
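To see what a prefix does before the string goes into SSLCIPHERS, the following added example (not ICS code) expands candidate strings through Python's ssl module, which wraps the same OpenSSL cipher-list parser that `openssl ciphers -v` uses. The strings MINUS, BANG, PLUS and EMPTY are constructed to isolate one prefix each; PAGE_EXAMPLE is the cipher string from the secure context example on this page. As the text says, the exact names depend on the OpenSSL version linked into the interpreter.

```python
"""Expand an SSLCIPHERS string the way OpenSSL will.
Added example for this page, not ICS code. Python's ssl module hands the string
to OpenSSL's own cipher-list parser, so the result is what the server would use.
"""
import ssl


def expand_cipher_list(spec, tls12_only=True):
    """Return the cipher names OpenSSL derives from spec, in server order.

    TLS 1.3 suites are configured by a separate OpenSSL setting and are not
    affected by the cipher string, so they are filtered out by default.
    Raises ssl.SSLError when no TLS 1.2 cipher is left (OpenSSL rejects that).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()
            if not (tls12_only and c["protocol"] == "TLSv1.3")]


def validate_cipher_spec(spec):
    """Return (True, names) or (False, error text) so a config check can report it."""
    try:
        return True, expand_cipher_list(spec)
    except ssl.SSLError as exc:
        return False, str(exc)


def precedes(names, first, second):
    """True if every suite whose name contains `first` comes before every one containing `second`."""
    a = [i for i, n in enumerate(names) if first in n]
    b = [i for i, n in enumerate(names) if second in n]
    return bool(a) and bool(b) and max(a) < min(b)


# Constructed strings, one per prefix, built on ECDHE AES-GCM suites so the
# outcome does not depend on which legacy ciphers the local OpenSSL still ships.
MINUS = "ECDHE+AESGCM:-AES128:ECDHE+AESGCM"  # '-' removes; the later rule re-adds at the end
BANG = "ECDHE+AESGCM:!AES128:ECDHE+AESGCM"   # '!' removes for good; the later rule cannot re-add
PLUS = "ECDHE+AESGCM:+AES256"                # '+' moves the AES256 suites behind the AES128 ones
EMPTY = "ECDHE+AESGCM:!ECDHE"                # nothing left: OpenSSL rejects the list

# The SSLCIPHERS value from this page's secure context example.
PAGE_EXAMPLE = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
                "ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS")

if __name__ == "__main__":
    for label, spec in (("MINUS", MINUS), ("BANG", BANG), ("PLUS", PLUS),
                        ("EMPTY", EMPTY), ("PAGE_EXAMPLE", PAGE_EXAMPLE)):
        ok, result = validate_cipher_spec(spec)
        print(label, spec, "->", result if ok else "rejected: " + result)
```

Running it shows the AES128 suites reappearing at the end of the list for MINUS, absent for BANG, and moved in front of the AES256 suites for PLUS. Note that OpenSSL's security level (1 by default, 2 on some distributions) already refuses anonymous and MD5 suites, so `!aNULL:!MD5` in PAGE_EXAMPLE is a second line of defence rather than the only one.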

USESERVERCIPHERS

The attribute USESERVERCIPHERS set to YES specifies that the server's cipher order should be preferred when choosing a cipher during an SSLv3 or TLS handshake. Normally the client's preference is used. Setting it to YES is what makes the order in SSLCIPHERS matter: without it a client can steer the negotiation to the weakest suite both sides support.

The following displays an example of a secure context configuration.


<SECURECONTEXT>
	<SSLCERT>/etc/cert/server.crt</SSLCERT>
	<SSLCERTKEY>/etc/cert/yasiserver.pem</SSLCERTKEY>
	<SSLDISABLEPROT>sslv2</SSLDISABLEPROT>
	<SSLCIPHERS USESERVERCIPHERS="YES">ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS</SSLCIPHERS>
</SECURECONTEXT>
		

When using ciphers that rely on the Diffie-Hellman key exchange it is recommended to also apply the general secure socket configuration.

Note: The implementation switches off SSL compression by default, because compression on a TLS connection leaks information about the plaintext (the CRIME attack).
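The rules on this page (ALL overriding other ADDRESS entries, IDLETIMEOUT 0 disabling the idle timeout, SSLCERT and SSLCERTKEY in every SECURECONTEXT, a key file unreadable by other users, SSLv2 and SSLv3 disabled, server cipher preference and no anonymous or weak suites) can be checked mechanically before a configuration is deployed. The following is an added example linter, not part of ICS or InnoTecSol; SAMPLE_CONFIG is a constructed document with one weak and one hardened interface, and its paths and the `/etc/ics` directory are hypothetical.

```python
"""Lint an ICS listener configuration against the rules described on this page.
Added example, not ICS or InnoTecSol code. SAMPLE_CONFIG is constructed (one weak,
one hardened interface); its paths are hypothetical. PROTOCOLSPECIFIC:CONFIG is
left out because a strict XML parser needs its namespace prefix declared."""
import os
import stat
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<ICSCONFIG VERSION="1.0">
  <LISTENER>
    <INTERFACE PORT="80" PROTOCOL="1" IDLETIMEOUT="0">
      <ADDRESS>ALL</ADDRESS>
      <ADDRESS>192.0.2.10</ADDRESS>
    </INTERFACE>
  </LISTENER>
  <LISTENER>
    <INTERFACE PORT="443" PROTOCOL="1" IDLETIMEOUT="30">
      <ADDRESS>ALL</ADDRESS>
      <EXCEPT>::1</EXCEPT>
      <SECURECONTEXT>
        <SSLCERT>/etc/ics/example-server.crt</SSLCERT>
        <SSLCERTKEY>/etc/ics/example-server.key</SSLCERTKEY>
        <SSLDISABLEPROT>sslv2</SSLDISABLEPROT>
        <SSLCIPHERS USESERVERCIPHERS="NO">ECDH+AESGCM:DH+3DES:!aNULL:!MD5</SSLCIPHERS>
      </SECURECONTEXT>
    </INTERFACE>
  </LISTENER>
</ICSCONFIG>
"""

# Cipher-string words that add weak or unauthenticated suites when not prefixed with '!'.
WEAK_CIPHER_WORDS = {"3DES", "DES", "RC4", "MD5", "EXP", "EXPORT", "LOW", "NULL", "aNULL", "eNULL"}


def check_key_file_permissions(path):
    """Message if the key is readable by group/others; None if fine or not present here."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "%s is accessible by group/other (mode %04o)" % (path, stat.S_IMODE(st.st_mode))
    return None


def lint_cipher_string(spec, where):
    """'!' removes for good; '-' and '+' add nothing; plain words add suites."""
    findings = []
    tokens = [t.strip() for t in spec.split(":") if t.strip()]
    if "aNULL" not in {t[1:] for t in tokens if t.startswith("!")}:
        findings.append(("error", where, "SSLCIPHERS lacks !aNULL; anonymous key exchange could be offered"))
    for tok in tokens:
        weak = WEAK_CIPHER_WORDS.intersection(tok.split("+")) if tok[0] not in "!-+" else set()
        if weak:
            findings.append(("warn", where, "SSLCIPHERS adds weak suites via %s (%s)" % (tok, ",".join(sorted(weak)))))
    return findings


def lint_secure_context(sc, where):
    findings = []
    if not (sc.findtext("SSLCERT") or "").strip():
        findings.append(("error", where, "SSLCERT missing"))
    key = (sc.findtext("SSLCERTKEY") or "").strip()
    problem = check_key_file_permissions(key) if key else "SSLCERTKEY missing"
    if problem:
        findings.append(("error", where, problem))
    disabled = (sc.findtext("SSLDISABLEPROT") or "").lower()
    for proto in ("sslv2", "sslv3"):  # both broken (SSLv3: POODLE)
        if proto not in disabled:
            findings.append(("warn", where, "%s not listed in SSLDISABLEPROT" % proto))
    ciphers = sc.find("SSLCIPHERS")
    if ciphers is None:
        findings.append(("warn", where, "SSLCIPHERS not set; the OpenSSL default list applies"))
    else:
        if (ciphers.get("USESERVERCIPHERS") or "").upper() != "YES":
            findings.append(("warn", where, "USESERVERCIPHERS is not YES; the client's preference wins"))
        findings.extend(lint_cipher_string(ciphers.text or "", where))
    return findings


def lint_listener_config(xml_text):
    """Return (severity, location, message) findings for every INTERFACE."""
    findings = []
    for idx, listener in enumerate(ET.fromstring(xml_text).findall("LISTENER")):
        for iface in listener.findall("INTERFACE"):
            where = "listener[%d] port %s" % (idx, iface.get("PORT", "?"))
            if iface.get("IDLETIMEOUT", "30") == "0":
                findings.append(("warn", where, "IDLETIMEOUT=0: idle clients can hold connections open indefinitely"))
            addrs = [(a.text or "").strip() for a in iface.findall("ADDRESS")]
            if not addrs:
                findings.append(("error", where, "no ADDRESS element"))
            elif "ALL" in addrs and len(addrs) > 1:
                findings.append(("info", where, "ADDRESS ALL present; the other ADDRESS entries are ignored"))
            sc = iface.find("SECURECONTEXT")
            if sc is None:
                findings.append(("info", where, "no SECURECONTEXT; this interface serves plaintext only"))
            else:
                findings.extend(lint_secure_context(sc, where))
    return findings


if __name__ == "__main__":
    for severity, where, message in lint_listener_config(SAMPLE_CONFIG):
        print("%-5s %s: %s" % (severity, where, message))
```

On the sample the port 80 interface produces the IDLETIMEOUT, ADDRESS and plaintext findings and the port 443 interface the SSLv3, USESERVERCIPHERS and 3DES findings. The key-file permission check only fires on the host that actually holds the key, which is the machine the linter should be run on before the control process starts.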

Extension Library specific configurations are children of the LISTENER tag and carry an extension-library-specific namespace prefix to distinguish their configuration settings.

For extension specific configuration see Extension Libraries.