getsslvserverResult Structure Definition
The getsslvserverResult structure defines the return type of the getsslvserver API.
Syntax |
Members |
rc |
If the method succeeds, rc is 0; otherwise rc > 0. Values above 0x8000 indicate warnings rather than errors.
message |
If the method succeeds, message is NULL; otherwise message contains the error or warning message.
sslvserverList |
List of sslvserver structures, one per SSL virtual server returned.
sslvserver Structure Definition
The sslvserver structure defines the actual return values of the getsslvserver API.
Syntax |
Members |
vservername |
Name of the SSL virtual server for which to show detailed information. |
cleartextport |
The clearTextPort setting: the port to which the appliance sends decrypted clear-text traffic.
dh |
The state of Diffie-Hellman (DH) key exchange support. |
dhfile |
The file name and path for the DH parameter. |
dhcount |
The refresh count for the re-generation of DH public-key and private-key from the DH parameter. |
dhkeyexpsizelimit |
This option enables the use of the NIST-recommended (NIST Special Publication 800-56A) bit size for the private key. For example, for 2048-bit DH parameters the recommended private-key size is 224 bits, which is rounded up to 256 bits.
ersa |
The state of ephemeral RSA key exchange support. Ephemeral RSA is used for export ciphers.
ersacount |
The refresh count for the re-generation of RSA public-key and private-key pair. |
sessreuse |
The state of session re-use support. |
sesstimeout |
The Session timeout value in seconds. |
cipherredirect |
The state of the Cipher Redirect feature. Cipher Redirect can be used to provide more readable information to SSL clients about a cipher mismatch between the client and the SSL vserver.
crlcheck |
The state of the CRL check parameter. (Mandatory/Optional) |
cipherurl |
The redirect URL to be used with the Cipher Redirect feature. |
sslv2redirect |
The state of the SSLv2 Redirect feature. SSLv2 Redirect can be used to provide more readable information to SSL clients about the lack of SSLv2 support on the SSL vserver.
sslv2url |
The redirect URL to be used with SSLv2 Redirect feature. |
clientauth |
The state of Client-Authentication support. |
clientcert |
The rule for client certificate requirement in client authentication. |
sslredirect |
The state of HTTPS redirect feature support. |
priority |
The priority of the policies bound to this SSL service |
type |
Bind point to which to bind the policy. Possible values: REQUEST, INTERCEPT_REQ, CLIENTHELLO_REQ and CLIENT_AUTH_VAL_REQ. These bind points mean:
1. REQUEST: Policy evaluation is done at the application layer above SSL. This bind point is the default and is used for actions based on clientauth and client cert.
2. INTERCEPT_REQ: Policy evaluation is done during the SSL handshake to decide whether or not to intercept. Actions allowed with this type are INTERCEPT, BYPASS and RESET.
3. CLIENTHELLO_REQ: Policy evaluation is done while handling the Client Hello. Actions allowed with this type are RESET, FORWARD, PICKCACERTGRP and OCSPSTAPLING.
4. CLIENT_AUTH_VAL_REQ: Policy evaluation is performed during verification of the client certificate. The action allowed with this type is OCSPCERTVALIDATION.
polinherit |
Whether or not the bound policy is an inherited policy.
redirectportrewrite |
The state of port rewrite feature support. |
nonfipsciphers |
The state of usage of non FIPS approved ciphers. |
ssl2 |
The state of SSLv2 protocol support. |
ssl3 |
The state of SSLv3 protocol support. |
tls1 |
The state of TLSv1.0 protocol support. |
tls11 |
The state of TLSv1.1 protocol support. |
tls12 |
The state of TLSv1.2 protocol support. |
tls13 |
The state of TLSv1.3 protocol support. |
dtls1 |
The state of DTLSv1.0 protocol support. |
dtls12 |
The state of DTLSv1.2 protocol support. |
snienable |
The state of the SNI extension. Server Name Indication (SNI) allows SSL encryption to be enabled on multiple subdomains when the domains are controlled by the same organization and share the same second-level domain name.
ocspstapling |
State of OCSP stapling support on the SSL virtual server. Supported only if the negotiated protocol is newer than SSLv3. Possible values:
ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is still valid at the time of the SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake.
DISABLED: The appliance does not check the status of the server certificate.
cipheraliasname/ciphername/ciphergroupname |
The name of the cipher group, cipher alias or individual cipher binding.
ciphername |
The cipher group/alias/individual cipher configuration |
description |
The cipher suite description. |
service |
Service |
certkeyname |
The name of the certificate key pair binding. |
certkeybundlename |
Certkeybundle name bound to the vserver. |
cacertbundlename |
CA certbundle name bound to the vserver. |
policyname |
The name of the SSL policy binding. |
invoke |
Invoke flag. This attribute is relevant only for ADVANCED policies |
labeltype |
Type of policy label invocation. |
labelname |
Name of the label to invoke if the current policy rule evaluates to TRUE. |
servicename |
Service name. NOTE: This attribute is deprecated. |
ocspcheck |
The state of the OCSP check parameter. (Mandatory/Optional) |
pushenctrigger |
PUSH packet triggering encryption: Always, Ignore, Merge |
gotopriorityexpression |
Expression specifying the priority of the next policy which will get evaluated if the current policy rule evaluates to TRUE. |
ca |
CA certificate. |
snicert |
The name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing. |
snicertkeybundle |
Use this option to bind certkeybundle which will be used in SNI processing. |
ecccurvename |
Named ECC curve bound to vserver/service. |
skipcaname |
Flag indicating whether this particular CA certificate's CA_Name is sent to the SSL client when requesting a client certificate during the SSL handshake.
sendclosenotify |
Enable sending SSL Close-Notify at the end of a transaction |
dtlsprofilename |
Name of the DTLS profile whose settings are to be applied to the virtual server. |
dtlsflag |
The flag is used to indicate whether DTLS is set or not |
quicflag |
This flag is used to indicate the use of the QUIC transport protocol by an SSL virtual server or service. |
sslprofile |
Name of the SSL profile that contains SSL settings for the virtual server. |
hsts |
State of HSTS protocol support for the SSL Virtual Server. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client |
maxage |
Set the maximum time, in seconds, in the strict transport security (STS) header during which the client must send only HTTPS requests to the server |
includesubdomains |
Enable HSTS for subdomains. If set to Yes, a client must send only HTTPS requests for subdomains. |
preload |
Flag indicates the consent of the site owner to have their domain preloaded. |
strictsigdigestcheck |
Parameter indicating whether to check that the peer entity's certificate in a TLS 1.2 handshake is signed with one of the signature/hash combinations supported by Citrix ADC.
zerorttearlydata |
State of TLS 1.3 0-RTT early data support for the SSL Virtual Server. This setting only has an effect if resumption is enabled, as early data cannot be sent along with an initial handshake.
Early application data has significantly different security properties; in particular, there is no guarantee that the data cannot be replayed.
tls13sessionticketsperauthcontext |
Number of tickets the SSL Virtual Server issues whenever TLS 1.3 is negotiated, ticket-based resumption is enabled, and either (1) a handshake completes or (2) post-handshake client authentication completes.
This value can be increased to enable clients to open multiple parallel connections using a fresh ticket for each connection.
No tickets are sent if resumption is disabled.
dhekeyexchangewithpsk |
Whether or not the SSL Virtual Server will require a DHE key exchange to occur when a PSK is accepted during a TLS 1.3 resumption handshake.
A DHE key exchange ensures forward secrecy even in the event that ticket keys are compromised, at the expense of an additional round trip and resources required to carry out the DHE key exchange.
If disabled, a DHE key exchange will be performed when a PSK is accepted but only if requested by the client.
If enabled, the server will require a DHE key exchange when a PSK is accepted regardless of whether the client supports combined PSK-DHE key exchange. This setting only has an effect when resumption is enabled.
vault |
Name of the configured vault where certificate and/or private-key is placed. |
skipcacertbundle |
Flag indicating whether the CA_Names of the CA certificates in this bundle are sent to the SSL client when requesting a client certificate during the SSL handshake.
defaultsni |
Default domain name supported by the SSL virtual server. The parameter is effective when zero-touch certificate management is active for the SSL virtual server, i.e. no SNI certificate or default server certificate is bound manually to the virtual server.
For SSL transactions in which the client does not present SNI, the server certificate corresponding to the default SNI is selected if it is available in the cert store; otherwise the connection is terminated.
sslclientlogs |
This parameter is used to enable or disable the logging of additional information, such as the Session ID and SNI names, from SSL handshakes to the audit logs. |
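The members above describe what a caller gets back, but not what to do with it. The following is an added example, not part of the NITRO SDK or the Citrix documentation: it parses a getsslvserverResult (rc, message, sslvserverList) and audits each sslvserver structure for the weak settings this page documents: legacy protocols (ssl2, ssl3, tls1, tls11), ephemeral RSA for export ciphers, DH without the NIST SP 800-56A private-key size limit, HSTS disabled or with a short maxage, replayable 0-RTT early data, and TLS 1.3 PSK resumption without a mandatory DHE. The JSON input is a constructed sample shaped like the structure, using the member names documented here; the values, the vserver names and the six-month HSTS threshold are assumptions of the example.

```python
"""Parse a getsslvserverResult and audit each SSL vserver's settings.

Added example (not NITRO SDK or Citrix code). The sample result below is
CONSTRUCTED to match the getsslvserverResult / sslvserver member names
documented on this page; every value in it is hypothetical.
"""
import json

WARNING_THRESHOLD = 0x8000          # documented: rc values above 0x8000 are warnings
LEGACY_PROTOCOLS = ("ssl2", "ssl3", "tls1", "tls11")
MIN_HSTS_MAXAGE = 15768000          # assumption for this example: six months, in seconds

# Constructed sample shaped like getsslvserverResult (rc, message, sslvserverList).
SAMPLE_RESULT = json.dumps({
    "rc": 0,
    "message": None,
    "sslvserverList": [
        {
            "vservername": "legacy_vs",
            "ssl2": "DISABLED", "ssl3": "ENABLED", "tls1": "ENABLED",
            "tls11": "ENABLED", "tls12": "ENABLED", "tls13": "DISABLED",
            "dh": "ENABLED", "dhkeyexpsizelimit": "DISABLED", "ersa": "ENABLED",
            "hsts": "DISABLED", "maxage": 0, "includesubdomains": "NO",
            "zerorttearlydata": "ENABLED", "dhekeyexchangewithpsk": "DISABLED",
            "strictsigdigestcheck": "DISABLED",
        },
        {
            "vservername": "hardened_vs",
            "ssl2": "DISABLED", "ssl3": "DISABLED", "tls1": "DISABLED",
            "tls11": "DISABLED", "tls12": "ENABLED", "tls13": "ENABLED",
            "dh": "ENABLED", "dhkeyexpsizelimit": "ENABLED", "ersa": "DISABLED",
            "hsts": "ENABLED", "maxage": 31536000, "includesubdomains": "YES",
            "zerorttearlydata": "DISABLED", "dhekeyexchangewithpsk": "ENABLED",
            "strictsigdigestcheck": "ENABLED",
        },
    ],
})


def enabled(vs, member):
    """True when the member is present and set to ENABLED (case-insensitive)."""
    return str(vs.get(member, "")).upper() == "ENABLED"


def classify_rc(result):
    """Map the documented rc convention to 'ok', 'warning' or 'error'."""
    rc = int(result.get("rc", 0))
    if rc == 0:
        return "ok"
    return "warning" if rc > WARNING_THRESHOLD else "error"


def audit_vserver(vs):
    """Return a list of findings for one sslvserver structure."""
    findings = []
    for proto in LEGACY_PROTOCOLS:
        if enabled(vs, proto):
            findings.append(f"{proto} enabled")
    if not (enabled(vs, "tls12") or enabled(vs, "tls13")):
        findings.append("no TLS 1.2/1.3 support")
    if enabled(vs, "ersa"):
        findings.append("ersa enabled (ephemeral RSA for export ciphers)")
    if enabled(vs, "dh") and not enabled(vs, "dhkeyexpsizelimit"):
        findings.append("dh enabled without NIST SP 800-56A key size limit")
    if not enabled(vs, "hsts"):
        findings.append("hsts disabled")
    elif int(vs.get("maxage", 0)) < MIN_HSTS_MAXAGE:
        findings.append(f"hsts maxage {vs.get('maxage')} below {MIN_HSTS_MAXAGE}")
    if enabled(vs, "zerorttearlydata"):
        findings.append("0-RTT early data enabled (replayable)")
    if enabled(vs, "tls13") and not enabled(vs, "dhekeyexchangewithpsk"):
        findings.append("PSK resumption without mandatory DHE (no forward secrecy if ticket keys leak)")
    if not enabled(vs, "strictsigdigestcheck"):
        findings.append("strictsigdigestcheck disabled")
    return findings


def audit_result(result_json):
    """Parse a getsslvserverResult and audit every vserver in sslvserverList.

    Raises on an error rc; a warning rc (> 0x8000) is reported but processing continues.
    """
    result = json.loads(result_json)
    status = classify_rc(result)
    if status == "error":
        raise RuntimeError(f"getsslvserver failed: rc={result['rc']} {result.get('message')}")
    if status == "warning":
        print(f"warning: rc={result['rc']} {result.get('message')}")
    return {vs["vservername"]: audit_vserver(vs) for vs in result.get("sslvserverList", [])}


if __name__ == "__main__":
    for name, findings in audit_result(SAMPLE_RESULT).items():
        print(name, "->", "; ".join(findings) or "no findings")
```

Feed the script the serialized result of a real getsslvserver call in place of SAMPLE_RESULT; the audit treats a missing member as not ENABLED, so a vserver whose settings come from an sslprofile rather than the structure itself should be audited through the profile instead.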
_nextgenapiresource |
boundcrlcheck |
boundocspcheck |
boundcleartextport |
boundcacert |
boundsnicert |
boundskipcaname |
boundskipcaname2 |
See Also |