-- This file is corresponding to Release 9.1.10.101 from 2014/08/11 00:00:00 -- $RCSfile: mib-stunnel,v $ -- $Revision: 1.15 $ -- $Date: 2014-02-07 10:37:50 $ -------------------------------------------------------------------------- BINTEC-STUNNEL-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32, Unsigned32, Counter32, Counter64, IpAddress, TimeTicks, mib-2, enterprises FROM SNMPv2-SMI DisplayString, TimeStamp FROM SNMPv2-TC security, Date, BitValue, HexValue FROM BINTEC-MIB MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP FROM SNMPv2-CONF; sTunnelMIB MODULE-IDENTITY LAST-UPDATED "2007061100Z" ORGANIZATION "bintec elmeg GmbH" CONTACT-INFO "EMail: info@bintec-elmeg.com Web: www.bintec-elmeg.com " DESCRIPTION "MIB for STunnel daemon" REVISION "2007061100Z" DESCRIPTION "STunnel MIB." ::= { security 12 } sTunnel OBJECT IDENTIFIER ::= { sTunnelMIB 1 } sTunnelAdm OBJECT IDENTIFIER ::= { sTunnel 1 } sTunnelAdmStatus OBJECT-TYPE SYNTAX INTEGER { up(1), down(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "The AdminStatus of STunnel overall. This means if this Status is set to 'down' no tunnel will be established. So it doesn't matter if a single tunnel is set to AdminStatus 'down' or 'up'. In case of 'up' it depends on the single tunnel whether it is established or not. " DEFVAL { down } ::= { sTunnelAdm 1 } sTunnelAdmMaxTunnels OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum of RUNNING tunnels in the system. " DEFVAL { 10 } ::= { sTunnelAdm 2 } sTunnelAdmRunningTunnels OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The number of running tunnels at the moment. " DEFVAL { 0 } ::= { sTunnelAdm 3 } sTunnelAdmKeepAliveRetries OBJECT-TYPE SYNTAX INTEGER (0..255) MAX-ACCESS read-write STATUS current DESCRIPTION "The maximum number of TCP keepalive retries sent before the (SSL) TCP connection is closed as it is suggested that the remote side isn't reachable anymore. The default value is 0 which takes the default number of retries of TCP. " DEFVAL { 0 } ::= { sTunnelAdm 4 } sTunnelAdmKeepAliveTimeout OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-write STATUS current DESCRIPTION "The timeout (in seconds) of a TCP keepalive try. If no answer is received within this time another retry will be sent. The default value is 0 which takes the default keepalive retry timeout of TCP. " DEFVAL { 0 } ::= { sTunnelAdm 5 } sTunnelTable OBJECT-TYPE SYNTAX SEQUENCE OF STunnelEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The StunnelTable holds single Stunnel peers. " ::= { sTunnel 2 } sTunnelEntry OBJECT-TYPE SYNTAX STunnelEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A single Stunnel entry e.g. a Stunnel peer. " INDEX { sTunnelIndex } ::= { sTunnelTable 1 } STunnelEntry ::= SEQUENCE { sTunnelIndex INTEGER, sTunnelAdminStatus INTEGER, sTunnelDescription DisplayString, sTunnelExternalIp IpAddress, sTunnelExternalPort INTEGER, sTunnelExternalMode INTEGER, sTunnelInternalIp IpAddress, sTunnelInternalPort INTEGER, sTunnelInternalMode INTEGER, sTunnelPrivateToken OCTET STRING, sTunnelVerifyPeer INTEGER, sTunnelCertificateIdx INTEGER, sTunnelCACertificateIdx INTEGER, sTunnelRemoteCertSubject DisplayString, sTunnelRemoteCertSerialNo DisplayString, sTunnelRemoteCertDns DisplayString, sTunnelCertificateStatus INTEGER, sTunnelRetries INTEGER, sTunnelRetryTime INTEGER, sTunnelMaxRetries INTEGER, sTunnelReopenDelay INTEGER, sTunnelShortHold INTEGER, sTunnelDebug INTEGER, sTunnelLastStatusChange TimeTicks, sTunnelRxBytes Counter32, sTunnelTxBytes Counter32, sTunnelTCPConnections INTEGER, sTunnelStatus INTEGER } sTunnelIndex OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-write STATUS current DESCRIPTION "The Index gives (should give) an unique ID for the STunnel. " DEFVAL { 0 } ::= { sTunnelEntry 1 } sTunnelAdminStatus OBJECT-TYPE SYNTAX INTEGER { up(1), down(2), delete(3) } MAX-ACCESS read-write STATUS current DESCRIPTION "The AdminStatus of one entry declares whether this peer should be established (up) or not (down). In case of setting the AdminStatus to 'delete' the entry will be deleted. " DEFVAL { up } ::= { sTunnelEntry 2 } sTunnelDescription OBJECT-TYPE SYNTAX DisplayString (SIZE (0..32)) MAX-ACCESS read-write STATUS current DESCRIPTION "The description of the Stunnel. Is only for giving each tunnel a name but has no further meaning e.g. function. " ::= { sTunnelEntry 3 } sTunnelExternalIp OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "This field holds the IP to or from which the SSL connection will be established. If it is set (not 0) in ExternalMode_server the remote IP (incoming connection) is checked against ExternalIp. The default value is 0.0.0.0 . " DEFVAL { '00000000'H } ::= { sTunnelEntry 4 } sTunnelExternalPort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-write STATUS current DESCRIPTION "The port of the external connection. In ExternalMode client it defines the port it is connected to and in ExternalMode server it defines the port it is listened on for incoming connections. " ::= { sTunnelEntry 5 } sTunnelExternalMode OBJECT-TYPE SYNTAX INTEGER { client(1), server(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "The ExternalMode declares whether the system is server or client to the outside e.g. SSL connection. " DEFVAL { client } ::= { sTunnelEntry 6 } sTunnelInternalIp OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The InternalIp default value is 127.0.0.1 (localhost). That means that the internal stunnel endpoint is the system itself and connects to an internal service (telnet,snmp,syslog). In special cases it is possible to to tunnel a service from a host on the local subnet. Therefore it is necessary to define the IP of the local subnet host here. If the InternalMode is server and InternalIp is set (not 0) it is checked whether InternalIp matches the remote IP (incoming connection). " DEFVAL { '7f000001'H } ::= { sTunnelEntry 7 } sTunnelInternalPort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-write STATUS current DESCRIPTION "The port on which will be connected internally in InternalMode client or on which will be listened on for an incoming connection. " ::= { sTunnelEntry 8 } sTunnelInternalMode OBJECT-TYPE SYNTAX INTEGER { client(1), server(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "The InternalMode declares whether the system is server or client to the inside connection (NON-SSL connection). " DEFVAL { client } ::= { sTunnelEntry 9 } sTunnelPrivateToken OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..16)) MAX-ACCESS read-write STATUS current DESCRIPTION "The PrivateToken is sent with the first packet as soon as the connection is established. It is used if the remote side wants to receive several connections on the same port and therefore needs a token to associate the connection. " ::= { sTunnelEntry 10 } sTunnelVerifyPeer OBJECT-TYPE SYNTAX INTEGER { none(1), normal(2), high(3), very-high(4), accept-self-signed(5) } MAX-ACCESS read-write STATUS current DESCRIPTION "If VerifyPeer is set to 'none'(1) no SSL verification is done. Setting VerifyPeer to 'normal'(2) a normal SSL verification is done (certificates are checked). If it is set to 'high'(3) also the subjectname of the remote side's certificate will be checked and SSL connection will be cancelled if it doesn't match to RemoteCertSubject. In case of VerifyPeer is set to 'very_high' beside the RemoteCertSubject also the SerialNumber of the certificate is checked to be equal or greater than RemoteCertSerialNo and the DNS attribute (withing the subject alternative names) is checked to be equal against RemoteCertDns (if it is configured else no check against this variable is done). If VerifyPeer is set to 'accept-self-signed'(5) a 'normal' verification is done but self signed certificates will be accepted, too. " DEFVAL { normal } ::= { sTunnelEntry 11 } sTunnelCertificateIdx OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-write STATUS current DESCRIPTION "The (row) index of the CertTable holding the wanted peer certificate for the connection. " ::= { sTunnelEntry 12 } sTunnelCACertificateIdx OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-write STATUS current DESCRIPTION "The (row) index of the CertTable holding the wanted/needed CA certificate for the connection. " ::= { sTunnelEntry 13 } sTunnelRemoteCertSubject OBJECT-TYPE SYNTAX DisplayString (SIZE (0..64)) MAX-ACCESS read-write STATUS current DESCRIPTION "when VerifyPeer set to 'high' the string in this field is compared with the subjectname of the remote peer certificate. " ::= { sTunnelEntry 14 } sTunnelRemoteCertSerialNo OBJECT-TYPE SYNTAX DisplayString (SIZE (0..32)) MAX-ACCESS read-write STATUS current DESCRIPTION "when VerifyPeer set to 'very_high' the string in this field is compared with the serial number of the remote peer certificate. " ::= { sTunnelEntry 15 } sTunnelRemoteCertDns OBJECT-TYPE SYNTAX DisplayString (SIZE (0..255)) MAX-ACCESS read-write STATUS current DESCRIPTION "when VerifyPeer set to 'very_high' the string in this field is compared with the DNS attribute within the subject alternative names of the remote peer certificate. But if this variable is left blank no comparison is done and it is continued (accepted) without! " ::= { sTunnelEntry 16 } sTunnelCertificateStatus OBJECT-TYPE SYNTAX INTEGER { initial(1),cert-ok(2), invalid-cert-untrusted(3), invalid-cert-expired(4), invalid-cert-wrong-id-or-type(5), invalid-cert-revoked(6), no-cert-available(7), undefined-ssl-error(8)} MAX-ACCESS read-only STATUS current DESCRIPTION "The certificatestatus displays if and which error occured during the certificate validation. If no error occured it is ok(2). The four possible errors are the cert is untrusted(3), the cert has expired(4), the cert has a wrong id or type or the cert has been revoked(5). If no cert is available the status is no_cert_available(7). In any other (certificate) error situation the status is set to undefined_ssl_error(8). " DEFVAL { initial } ::= { sTunnelEntry 17 } sTunnelRetries OBJECT-TYPE SYNTAX INTEGER (0..50) MAX-ACCESS read-only STATUS current DESCRIPTION "The number of retries which were already done during the actual e.g. last connection. " ::= { sTunnelEntry 18 } sTunnelRetryTime OBJECT-TYPE SYNTAX INTEGER (0..3600) MAX-ACCESS read-write STATUS current DESCRIPTION "The time in seconds which the system waits for a reconnection try if the last try failed. " DEFVAL { 60 } ::= { sTunnelEntry 19 } sTunnelMaxRetries OBJECT-TYPE SYNTAX INTEGER (-1..50) MAX-ACCESS read-write STATUS current DESCRIPTION "The maximum number of retries till the system declares the connection to failed. In case of '-1' infinite retries will take place. " DEFVAL { 3 } ::= { sTunnelEntry 20 } sTunnelReopenDelay OBJECT-TYPE SYNTAX INTEGER (-1..31536000) MAX-ACCESS read-write STATUS current DESCRIPTION "The time till the connection will be reopened. " DEFVAL { 0 } ::= { sTunnelEntry 21 } sTunnelShortHold OBJECT-TYPE SYNTAX INTEGER (-1 .. 3600) MAX-ACCESS read-write STATUS current DESCRIPTION "The ShortHold is the number of seconds after which an inactive connection is closed. Is the ShortHold set to -1 it is never closed for the reason of inactivity. " DEFVAL { -1 } ::= { sTunnelEntry 22 } sTunnelDebug OBJECT-TYPE SYNTAX INTEGER { disabled(1), enabled(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "enables(2) or disables(1) debug messages for this peer. " DEFVAL { disabled } ::= { sTunnelEntry 23 } sTunnelLastStatusChange OBJECT-TYPE SYNTAX TimeTicks MAX-ACCESS read-only STATUS current DESCRIPTION "This value shows the time since the last sTunnelStatus change. " ::= { sTunnelEntry 24 } sTunnelRxBytes OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of received (data) bytes from the external connection. Only the real data bytes (without any header or encryption/hash are counted). " DEFVAL { 0 } ::= { sTunnelEntry 25 } sTunnelTxBytes OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of transmitted bytes towards the external connection. Only the real data bytes (without any header or encryption/hash are counted). " DEFVAL { 0 } ::= { sTunnelEntry 26 } sTunnelTCPConnections OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "Counts the SSL-TCP-Connections of this tunnel. " ::= { sTunnelEntry 27 } sTunnelStatus OBJECT-TYPE SYNTAX INTEGER { up(1), down(2), wait-for-retry(3), wait-for-connection(4), failed(5), wait-for-reopen(6), external-up(7), finished(8) } MAX-ACCESS read-only STATUS current DESCRIPTION "The (operational) status of the connection. 'up'(1) means the connection is fully established. 'down'(2) means the connection is (finally) down. 'wait-for-retry'(3) means the system waits RetryTime seconds before the next connection try will be performed. 'wait-for-connection'(4) means that the peer waits for a connect (if it is in server mode) or for accepting its own connection try (if it is in client mode). Only if both internal and external connection are established the status changes to 'up'. 'failed'(5) means that the connection finally failed, so no more retries will take place (in this case the peer's AdminStatus hast to be reset to retry to establish the connection). 'wait-for_reopen'(6) is indicating that the timer for a reopen is running and on expire a reopen is performed. 'external_up'(7) means the external connection is established the internal not yet. 'finished'(8) means the last TCP connection got quit and tunnel is temporalily down. " DEFVAL { down } ::= { sTunnelEntry 28 } END