By default, each of these options is disabled.

The Client Authentication option 1 is used to enable client
authentication on an SSL server session. It takes effect only if the
session is bound to an SSL server socket, in which case, upon receiving
the ClientHello message, the SSL server sends back a CertificateRequest
message along with its own Certificate, ServerHello and ServerHelloDone
messages.

The Server Proposals option 2 is used to allow the SSL server to
have more control over which cipher suite is used. If this option is
disabled (default) on an SSL server session, upon receiving a ClientHello
message the SSL server just chooses the first supported cipher suite in
the ordered list received from the client. Therefore the client controls
the cipher preference. No use is made of the server's proposal list in
When the Server Proposals option is enabled at the server,
then the server selects the first cipher from its own cipher suite
proposal list that matches a proposal in the ClientHello message.
For example, suppose the Server Proposals option is enabled, the
server's ordered cipher suite proposal list is 1,2,3,4, and the
client's ordered cipher suite proposal list found in the ClientHello
message is 4,3,2. The server will then select cipher suite 2, based
on the server's preferences (and ignoring the client's preference).
Note that both the FTP server and Web server operate with
option 2 selected.
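
The selection rule described above, with the Server Proposals option disabled and enabled, as an added C example (not code from the original page or from the SSL library it documents). The function names, the return codes and the encoding of the example lists 4,3,2 and 1,2,3,4 as 2-byte suite IDs are assumptions made for illustration; the length-prefixed cipher_suites layout is the standard ClientHello one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { NO_COMMON_SUITE = -1, MALFORMED_HELLO = -2, MAX_SUITES = 32 };

/* Parse cipher_suites: 2-byte big-endian byte length, then 2-byte IDs. */
static int parse_suites(const uint8_t *buf, size_t len, uint16_t *out)
{
    size_t bytes = len >= 2 ? (((size_t)buf[0] << 8) | buf[1]) : 0;
    if (bytes == 0 || bytes % 2 || bytes != len - 2 || bytes / 2 > MAX_SUITES)
        return MALFORMED_HELLO;
    for (size_t i = 0; i < bytes / 2; i++)
        out[i] = (uint16_t)((buf[2 + 2 * i] << 8) | buf[3 + 2 * i]);
    return (int)(bytes / 2);
}

/* First entry of outer[] also present in inner[]: outer's owner decides. */
static int first_match(const uint16_t *outer, size_t n_outer,
                       const uint16_t *inner, size_t n_inner)
{
    for (size_t i = 0; i < n_outer; i++)
        for (size_t j = 0; j < n_inner; j++)
            if (outer[i] == inner[j])
                return outer[i];
    return NO_COMMON_SUITE;
}

/* server_proposals != 0 models the Server Proposals option being enabled. */
int select_suite(const uint8_t *hello, size_t len, const uint16_t *server,
                 size_t n_server, int server_proposals)
{
    uint16_t client[MAX_SUITES];
    int n = parse_suites(hello, len, client);
    if (n < 0)
        return n;
    return server_proposals ? first_match(server, n_server, client, (size_t)n)
                            : first_match(client, (size_t)n, server, n_server);
}

/* Constructed sample: the page's example lists, encoded as 2-byte IDs. */
static const uint8_t CLIENT_432[] = { 0, 6, 0, 4, 0, 3, 0, 2 };
static const uint16_t SERVER_1234[] = { 1, 2, 3, 4 };

int main(void)
{
    printf("off=%d on=%d\n", select_suite(CLIENT_432, 8, SERVER_1234, 4, 0),
           select_suite(CLIENT_432, 8, SERVER_1234, 4, 1));
    return 0;
}
```

When the two lists share no suite the function returns NO_COMMON_SUITE in either mode, so the option changes only which side's ordering wins, not whether a match exists.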

The Skip Certificate Validation option 3 may be used to avoid
attempting to trace a received certificate back to its root. A received
certificate will be accepted without this root verification when this
session option has been selected.