access levels - TinCanTech/easy-tls GitHub Wiki
This page describes Easy-TLS Access levels
Easy-TLS Access Levels
The simplest level of access policy is the Easy-TLS `disabled-list`. Any TLS-Crypt-V2 key can be disabled/enabled immediately via this list.

Also, each key is created with a record of its creation date, so that keys can have an arbitrary life-time, defined by `TLSKEY_MAX_AGE`.
Now, there are seven levels of defence which the Server can be set to:

Note: Levels [0] - [3] allow all types of TLS key to connect.

- [0] Lowest - Allow all valid TLS-AUTH/Crypt/V2 keys to connect. Basic TLS-Crypt-V2 key tests (e.g. `disabled-list` and `TLSKEY_MAX_AGE`) are NOT performed. Extended TLS-Crypt-V2 key tests are NOT performed.
- [1] Low - Functionally equivalent to [0] Lowest: allow all, except that ALL TLS-Crypt-V2 key extended tests are performed. Same as [2] Default, except `filter-address` mismatches are IGNORED.
- [2] Default - Do not require clients to push a HWADDR. TLS-Crypt-V2 keys with a HWADDR mismatch will be disconnected. TLS-Crypt-V2 keys without a HWADDR can connect. TLS-Auth and Crypt-v1 keys can connect.
- [3] Medium - Require all clients to push a HWADDR. TLS-Crypt-V2 keys with a HWADDR mismatch will be disconnected. TLS-Crypt-V2 keys without a HWADDR can connect but must push a HWADDR. TLS-Auth and Crypt-v1 keys can connect but must push a HWADDR.

Note: Levels [4] - [6] allow only TLS-Crypt-V2 keys to connect.

- [4] Medium-High - Do not require clients to push a HWADDR. TLS-Crypt-V2 keys without a Hardware-address can connect.
- [5] High - Require all clients to push a HWADDR. TLS-Crypt-V2 keys without a HWADDR can connect but must push a HWADDR.
- [6] Highest - HWADDR verification is enforced on all clients. The TLS-Crypt-V2 key must have a HWADDR and the client must push a HWADDR.
Note:

- Currently, IP `filter-addresses` are automatically integrated. If a key contains IP `filter-addresses` then these are matched automatically if option `PEER_IP_MATCH` is set. Otherwise, mismatches are ignored.
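The seven levels above as a single decision table, written here as an added example to make the policy testable; it is not Easy-TLS's own code. It assumes that a HWADDR "mismatch" means the client pushed a HWADDR that is not in the key's list (a client that pushes nothing is covered by the "must push" rules of levels 3, 5 and 6), that the basic tests (`disabled-list`, `TLSKEY_MAX_AGE`) apply from level 1 upward, and that a HWADDR mismatch is rejected at every level from 1 upward, as the level 1 text ("same as [2] Default") implies.

```python
# Model of the Easy-TLS access levels (added example, not project code).
# Assumptions: "mismatch" = client pushed a HWADDR not in the key; basic tests
# run at levels 1-6; HWADDR mismatches are rejected at levels 1-6.
from dataclasses import dataclass
from typing import Optional, Tuple

V2 = "tls-crypt-v2"  # other key kinds on the page: "tls-auth", "tls-crypt-v1"


@dataclass
class Key:
    kind: str                       # "tls-auth", "tls-crypt-v1" or "tls-crypt-v2"
    hwaddrs: Tuple[str, ...] = ()   # HWADDRs baked into a TLS-Crypt-V2 key
    disabled: bool = False          # key is in the disabled-list
    expired: bool = False           # key is older than TLSKEY_MAX_AGE
    ip_mismatch: bool = False       # peer IP not in the key's filter-addresses


def decide(level: int, key: Key, pushed_hwaddr: Optional[str],
           peer_ip_match: bool = False) -> str:
    """Return "allow" or "deny: <reason>" for one connection attempt."""
    if not 0 <= level <= 6:
        raise ValueError("level must be 0..6")
    # Levels 4-6 accept only TLS-Crypt-V2 keys.
    if level >= 4 and key.kind != V2:
        return "deny: only tls-crypt-v2 keys allowed at level %d" % level
    if key.kind == V2:
        # Level 0 skips even the basic tests (disabled-list, TLSKEY_MAX_AGE).
        if level >= 1 and key.disabled:
            return "deny: key is in the disabled-list"
        if level >= 1 and key.expired:
            return "deny: key older than TLSKEY_MAX_AGE"
        # Extended test: a pushed HWADDR must be one of the key's HWADDRs.
        if (level >= 1 and pushed_hwaddr and key.hwaddrs
                and pushed_hwaddr not in key.hwaddrs):
            return "deny: HWADDR mismatch"
        # Level 1 ignores filter-address mismatches; from level 2 a mismatch
        # is rejected only when PEER_IP_MATCH is set.
        if level >= 2 and peer_ip_match and key.ip_mismatch:
            return "deny: filter-address mismatch"
        # Level 6: the key itself must carry a HWADDR.
        if level == 6 and not key.hwaddrs:
            return "deny: level 6 requires a HWADDR in the key"
    # Levels 3, 5 and 6 require every client to push a HWADDR.
    if level in (3, 5, 6) and not pushed_hwaddr:
        return "deny: client did not push a HWADDR"
    return "allow"
```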