-- Copyright (C) 2018 Aricent Group . All Rights Reserved

-- $Id: fsssl.mib,v 1.11 2018/05/14 09:58:42 siva Exp $

-- SSL proprietary MIB Definition

ARICENT-SSL-MIB DEFINITIONS ::= BEGIN

IMPORTS 
   MODULE-IDENTITY, OBJECT-TYPE, 
   enterprises, IpAddress, Integer32   
   FROM SNMPv2-SMI 
   TruthValue, DisplayString 
   FROM SNMPv2-TC; 

   ssl MODULE-IDENTITY
      LAST-UPDATED "202308290000Z" 
      ORGANIZATION "CAMBIUM NETWORKS SOFTWARE" 
      CONTACT-INFO "support@cambiumnetworks.com" 
      DESCRIPTION
         "The proprietary MIB for SSL."
      REVISION "202308290000Z"
      DESCRIPTION
         "Add new value and set it as default for sslVersion.
          Add three new values and set the new values as default for sslCipherList"         
      REVISION "202307170000Z"
      DESCRIPTION
         "Add new parameters and deprecate old parameters to the object sslTrace"         
      REVISION "201904020000Z"
      DESCRIPTION 
         "The proprietary MIB for SSL." 
   ::= { enterprises futuresoftware (2076) 96 }


-- ----------------------------------------------------------------- --
-- groups in the MIB
-- ----------------------------------------------------------------- --
 
      sslGeneralGroup             OBJECT IDENTIFIER ::= { ssl 1 }
      sslCiphers                  OBJECT IDENTIFIER ::= { ssl 2 }
 
-- ---------------------------------------------------------------- --

-- General Group 

-- This object has been renamed as issHttpStatus and moved to fsiss.mib
--sslHttpStatus  OBJECT-TYPE
--   SYNTAX       INTEGER {
--                enable(1),
--                disable(2)
--               }
--   MAX-ACCESS  read-write 
--   STATUS      current 
--   DESCRIPTION 
--      "This object is used for enabling or disabling HTTP in the system."
--
--   DEFVAL  { enable } 
--   ::= { sslGeneralGroup 1 }

-- Switch for secure HTTP in the system: enable(1) or disable(2); the DEFVAL
-- is enable. MAX-ACCESS is read-write, so a manager holding SNMP write
-- access can turn secure HTTP off remotely.
-- The plain-HTTP switch that used to be { sslGeneralGroup 1 } is no longer
-- defined in this module (renamed issHttpStatus and moved to fsiss.mib).
-- NOTE(review): confirm that SET access to this object is limited to
-- authenticated, encrypted SNMP (for example SNMPv3 authPriv).
sslSecureHttpStatus OBJECT-TYPE 
   SYNTAX       INTEGER {
                enable(1),
                disable(2)
                }
   MAX-ACCESS  read-write 
   STATUS      current 
   DESCRIPTION 
      "This object is used for enabling or disabling secure HTTP in the system."

   DEFVAL  { enable } 
   ::= { sslGeneralGroup 2 }

-- Port number used for SSL: any value in 1..65535 is accepted by the syntax,
-- and the DEFVAL is 443. The object is read-write.
-- NOTE(review): presumably this is the listening port of the secure HTTP
-- server; confirm against the agent, and review firewall rules and
-- monitoring when the value is changed from 443.
sslPort      OBJECT-TYPE
   SYNTAX       Integer32 (1..65535)
   MAX-ACCESS   read-write 
   STATUS       current 
   DESCRIPTION 
      "This object is used to configure the SSL port."

   DEFVAL  { 443 } 
   ::= { sslGeneralGroup 3 }

-- Trace-level bit mask for SSL. Bits 0-7 are marked deprecated in the
-- description (module revision 202307170000Z); bits 8-10 (fatal, error,
-- info) are the levels still in use.
-- The SYNTAX is a bare Integer32 with no range and the object has no DEFVAL,
-- so the MIB itself neither restricts the value to the documented bits nor
-- states the initial trace level.
-- NOTE(review): how the agent treats deprecated or undefined bits is not
-- shown here; confirm before relying on a SET of those bits.
sslTrace     OBJECT-TYPE
         SYNTAX        Integer32
         MAX-ACCESS    read-write
         STATUS        current
         DESCRIPTION
      "This object is used to set the trace level for SSL.
            BIT 0 - Initialisation and Shutdown Trace. (Deprecated)
            BIT 1 - Management trace. (Deprecated)
            BIT 2 - Data path trace. (Deprecated)
            BIT 3 - Control Plane trace. (Deprecated)
            BIT 4 - Packet Dump. (Deprecated)
            BIT 5 - OS Resource trace. (Deprecated)
            BIT 6 - All Failure trace (Deprecated)
            BIT 7 - Buffer Trace. (Deprecated)
            BIT 8 - Fatal trace.
            BIT 9 - Error trace.
            BIT 10 - Info trace.
            
            Setting all the bits will enable all the trace levels and 
            resetting them will disable all the trace levels."

         ::= { sslGeneralGroup 4 }

-- Protocol version selector. Only tls12(5) and tls13(6) are enumerated, so
-- values 1-4 are not valid for this object; the DEFVAL is tls13 (set as the
-- default in module revision 202308290000Z).
-- The object is read-write: a SET to tls12 lowers the configured version
-- from the default.
-- NOTE(review): whether the value is a minimum version or the single version
-- offered is not stated in this MIB; confirm against the agent.
sslVersion  OBJECT-TYPE
    SYNTAX  INTEGER {
            tls12(5),
            tls13(6)
            }
    MAX-ACCESS  read-write
    STATUS  current
    DESCRIPTION
       "This object is used to configure the SSL version." 
    DEFVAL  { tls13 }
    ::= { sslGeneralGroup 5 }


-- Ciphers group

sslCipherList OBJECT-TYPE
      SYNTAX Integer32
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION
          "This object is used to configure the cipher-suites list.
          This field is a bit mask; setting a bit indicates that the
          corresponding cipher suite will be involved in the server
          authentication.
          
          BIT 0 - RSA-NULL-MD5
          BIT 1 - RSA-NULL-SHA
          BIT 2 - RSA-DES-SHA
          BIT 3 - RSA-3DES-SHA
          BIT 4 - DH-RSA-DES-SHA
          BIT 5 - DH-RSA-3DES-SHA
          BIT 6 - RSA-EXP1024-DES-SHA
          BIT 7 - RSA-WITH-AES-128-CBC-SHA
          BIT 8 - RSA-WITH-AES-256-CBC-SHA
          BIT 9 - DHE-RSA-WITH-AES-128-CBC-SHA
          BIT 10 - DHE-RSA-WITH-AES-256-CBC-SHA
          BIT 11 - ECDHE_RSA_WITH_AES_256_GCM_SHA384
          BIT 12 - ECDHE_RSA_WITH_CHACHA20_POLY1305
          BIT 13 - ECDHE_RSA_WITH_AES_128_GCM_SHA256
          BIT 14 - ECDHE_RSA_WITH_AES_256_SHA384
          BIT 15 - ECDHE_RSA_WITH_AES_128_SHA256
          BIT 16 - TLS_AES_128_GCM_SHA256
          BIT 17 - TLS_AES_256_GCM_SHA384
          BIT 18 - TLS_CHACHA20_POLY1305_SHA256
                                       

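          Note: BIT 0 - Least significant bit
                BIT 18 - Most significant bit

          For example, setting the cipher list to the binary value 001 0101
          (decimal 21, i.e. bits 0, 2 and 4) will include RSA-NULL-MD5,
          RSA-DES-SHA and DH-RSA-DES-SHA as cipher-list for authentication.
          This example only illustrates the mask arithmetic; as listed
          further down, these suites are not among those supported from 2.1.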
         
          In FIPS mode (the American security standard mode),
          only the following cipher list should be supported.
                 TLS_RSA_3DES_SHA1 
                 TLS_DHE_RSA_3DES_SHA1
                 TLS_RSA_WITH_AES_128_CBC_SHA 
                 TLS_RSA_WITH_AES_256_CBC_SHA 
                 TLS_DHE_RSA_WITH_AES_128_CBC_SHA 
                 TLS_DHE_RSA_WITH_AES_256_CBC_SHA 
          hence the default value in FIPS mode will be
                 TLS_RSA_3DES_SHA1 | TLS_DHE_RSA_3DES_SHA1 | TLS_RSA_WITH_AES_128_CBC_SHA |
                 TLS_RSA_WITH_AES_256_CBC_SHA | TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
                 TLS_DHE_RSA_WITH_AES_256_CBC_SHA.
         From 2.1, only the following ciphers are supported:
                 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
                 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
                 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                 TLS_ECDHE_RSA_WITH_AES_256_SHA384
                 TLS_ECDHE_RSA_WITH_AES_128_SHA256
         From 5.1 the following ciphers were added:
                 TLS_AES_128_GCM_SHA256
                 TLS_AES_256_GCM_SHA384
                 TLS_CHACHA20_POLY1305_SHA256
         hence the default value will be
                 TLS_AES_128_GCM_SHA256 | TLS_AES_256_GCM_SHA384 |
                 TLS_CHACHA20_POLY1305_SHA256
                 (bits 16, 17 and 18 set, i.e. decimal 458752)"

   DEFVAL  { 458752 }
   ::= { sslCiphers 1}


   sslDefaultCipherList OBJECT-TYPE
   SYNTAX TruthValue  
   MAX-ACCESS read-write
   STATUS current
   DESCRIPTION
      "This object is used to set the default cipher-suites list in 'sslCipherList'.
   Setting DefaultCipherList to TRUE would set the following cipher-list for 
   authentication:
   - TLS_AES_128_GCM_SHA256
   - TLS_AES_256_GCM_SHA384
   - TLS_CHACHA20_POLY1305_SHA256
   The version will also be set to the default, tls13, because the default
   cipher suites correspond to the tls13 version.

   The value of this object reverts back to FALSE once the default cipher list is set."
   DEFVAL  { false }
   ::= { sslCiphers 2}

END
