3.3.1 Abstract Data Model

This section describes a model of possible data organization that a client-side implementation maintains to participate in this protocol. The described organization is provided to facilitate the explanation of how the protocol behaves. This specification does not mandate that an implementation adhere to this model as long as the external behavior of the implementation is consistent with what is described in this specification.

When an SSTP server accepts connections from an SSTP client, the server goes through the state transitions that are described in the state machine diagram in section

The server maintains a table of connections where each row in the table contains the following variables.

  1. CurrentState: This integer variable represents the current state for a specified connection. It is initialized when a new HTTPS connection arrives and remains valid while the SSTP connection remains active. At any point in time, the CurrentState variable can have one of the following integer values. Each value represents a state of the server state machine.

    • Server_Call_Disconnected

    • Server_Connect_Request_Pending

    • Server_Call_Connected_Pending

    • Server_Call_Connected

    Additional state values common to both the client and server state machines are defined in section 3.1.1.

  2. ServerBypassHLAuth: In this Boolean variable, the SSTP layer stores a flag that will be used to request the higher layer to bypass authentication ( for this connection. This variable is initialized by the management layer after the HTTPS connection is accepted (

  3. ServerHTTPCookie: In this string variable, the SSTP layer stores the HTTP cookie that will be passed to the management layer after the HTTPS connection is accepted ( This variable is initialized by the SSTP layer while accepting an HTTPS connection ( This variable stores name-value pairs (section 3.2.2 of [RFC2965]) from the HTTP cookie sent by the client. The SSTP layer does not interpret the name-value pairs associated with ServerHTTPCookie. The SSTP layer will pass ServerHTTPCookie to the management layer using the abstract interface defined in section during the Accept New Connection event.<9>

  4. ServerHLAKKey: In this multi-octet variable of 32 bytes, the server stores the higher-layer authentication key that will be used during crypto binding validation ( This variable is initialized when higher-layer authentication is completed or bypassed (

Additionally, the following global variables are maintained by the SSTP server:

ServerCertificateHash: In this multi-octet variable, the server stores the SHA1 hash or the SHA256 hash of the server certificate that is configured by the server administrator. The server administrator populates this variable with the server certificate hash (see section 3.3.3). This variable stores a 20-byte SHA1 hash or a 32-byte SHA256 hash. The purpose of this variable is to validate the Crypto Binding attribute when the server receives an SSTP_MSG_CALL_CONNECTED message (see section

ServerHashProtocolSupported: A 1-byte variable that the server administrator uses to configure a bitmask representing the list of hashing methods that can be used to validate the Compound MAC in the Crypto Binding attribute (section 2.2.7). The format of this bitmask is specified in the description of the Hash Protocol Bitmask field of the Call Connect Acknowledge Message.

ServerVersion: A 1-byte variable that initializes the SSTP server with the version of the SSTP protocol that is supported. The format of this field is specified in the description of the Version field in the SSTP packet (section 2.2.1). The SSTP server inserts the value of the ServerVersion field into the Version field of all SSTP messages that it sends, and it uses the ServerVersion value to validate the value of the Version field in all SSTP messages that it receives.

ServerBypassHLAuthConfigured: This Boolean variable is a flag that enables the server administrator to indicate whether bypass of higher-layer authentication is enabled on this server machine. This variable will be used by the SSTP layer to pass the HTTP cookie that was read while accepting the HTTP connection to the management layer (see