Zilog EZ80F91AZA User Manual Page 37

UM020107-1211  ZTP Network Security SSL Plug-In User Manual, SSL Configuration, page 31
When the ZTP Network Security SSL Plug-In is operating in client mode, it does not know in advance which public key algorithm the server's certificate uses. If the server presents a certificate whose public key algorithm is not included in the PkiGen table, the client is unable to establish a session with that server. The greatest flexibility is obtained by including every supported algorithm in the PkiGen array; however, this increases the code size of the application, because the code for rarely used public key algorithms is linked in as well. Because the RSA algorithm is by far the most widely deployed, Zilog recommends that RSA always be included in the PkiGen array.
Cipher Suite Configuration
During the establishment of an SSL session, the client and server agree on a 3-tuple of PKI algorithm, symmetric cipher algorithm and digest algorithm that is used to secure the connection. This 3-tuple is called a cipher suite. Because SSL supports several PKI, cipher and digest algorithms, there are many possible cipher suites.
The ssl_conf.c configuration file contains tables of SSL_CS_INFO structures that define the set of cipher suites the ZTP Network Security SSL Plug-In can support. Individual entries in these tables can be removed or disabled to prevent the corresponding cipher suite from being selected during session establishment; this is also the mechanism for retiring suites that are no longer considered secure, such as export-grade suites. These tables also determine the minimum set of PKI, cipher and digest algorithms that must be included in the PkiGen, CipherGen and HashGen arrays: every algorithm referenced by an enabled table entry must be present in the corresponding array, or the suite cannot actually be used.
To understand these relationships, first consider the structure of a single cipher suite. The SSL_CS_INFO data structure is shown in the following code fragment.

    typedef struct SSL_CS_INFO
    {
        SSL_WORD CipherSuite;   /* two-byte code from the SSL specification */
        SSL_BYTE KeyAlg;        /* PKI (public key) algorithm */
        SSL_BYTE CipherAlg;     /* symmetric cipher algorithm */
        SSL_BYTE HashAlg;       /* digest algorithm */
        SSL_BOOL IsExport;
        SSL_BYTE KeySize;
        SSL_BYTE IVSize;
        SSL_BYTE MacSize;
        SSL_BOOL IsValid;
    } SSL_CS_INFO;
The CipherSuite entry is the two-byte code that the SSL specification assigns to each standard cipher suite. Each code also has a long mnemonic name. The cipher suites that the ZTP Network Security SSL Plug-In is capable of supporting are listed in the CipherSuite.h header file; one of the entries is shown in the following code fragment.

    #define TLS_RSA_WITH_RC4_128_MD5 0x0400
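The following added example (written for this page, not code from the Zilog ZTP distribution) ties the two points above together: a small SSL_CS_INFO table in the style of ssl_conf.c, stand-in PkiGen/CipherGen/HashGen arrays, a consistency check that reports an enabled suite whose algorithms are not compiled in, and the client-side acceptance test that fails when the server's certificate key algorithm is missing from PkiGen. The SSL_WORD/SSL_BYTE/SSL_BOOL typedefs, the algorithm identifiers, the element type of the three Gen arrays and all suite codes other than TLS_RSA_WITH_RC4_128_MD5 are assumptions; the table is deliberately left with one misconfigured entry so that the check has something to find.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed definitions of the ZTP scalar types (not given on this page). */
typedef uint16_t SSL_WORD;
typedef uint8_t  SSL_BYTE;
typedef uint8_t  SSL_BOOL;

/* SSL_CS_INFO exactly as the manual prints it. */
typedef struct SSL_CS_INFO {
    SSL_WORD CipherSuite;
    SSL_BYTE KeyAlg;
    SSL_BYTE CipherAlg;
    SSL_BYTE HashAlg;
    SSL_BOOL IsExport;
    SSL_BYTE KeySize;
    SSL_BYTE IVSize;
    SSL_BYTE MacSize;
    SSL_BOOL IsValid;
} SSL_CS_INFO;

/* Hypothetical algorithm identifiers; the real values live in ssl_conf.c. */
enum { KEY_RSA = 1, KEY_DH_DSS = 2 };
enum { CIPHER_RC4 = 1, CIPHER_3DES = 2 };
enum { HASH_MD5 = 1, HASH_SHA1 = 2 };

/* First code is quoted from CipherSuite.h above; the others are the RFC 2246
 * codes written in the same byte order as that example (an assumption). */
#define TLS_RSA_WITH_RC4_128_MD5          0x0400
#define TLS_RSA_WITH_3DES_EDE_CBC_SHA     0x0A00
#define TLS_RSA_EXPORT_WITH_RC4_40_MD5    0x0300
#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA  0x0D00

/* Constructed cipher-suite table in the style of ssl_conf.c.
 * Entry 2 is the export-weakened suite, kept in the table but disabled.
 * Entry 3 is enabled but needs KEY_DH_DSS, which PkiGen below does not have. */
static const SSL_CS_INFO CipherSuiteTable[] = {
    /* CipherSuite,                     KeyAlg,     CipherAlg,   HashAlg,   Exp, Key, IV, MAC, Valid */
    { TLS_RSA_WITH_RC4_128_MD5,         KEY_RSA,    CIPHER_RC4,  HASH_MD5,   0,  16,  0,  16,  1 },
    { TLS_RSA_WITH_3DES_EDE_CBC_SHA,    KEY_RSA,    CIPHER_3DES, HASH_SHA1,  0,  24,  8,  20,  1 },
    { TLS_RSA_EXPORT_WITH_RC4_40_MD5,   KEY_RSA,    CIPHER_RC4,  HASH_MD5,   1,   5,  0,  16,  0 },
    { TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA, KEY_DH_DSS, CIPHER_3DES, HASH_SHA1,  0,  24,  8,  20,  1 },
};
#define N_SUITES (sizeof CipherSuiteTable / sizeof CipherSuiteTable[0])

/* Stand-ins for PkiGen, CipherGen and HashGen: plain lists of the algorithm
 * ids compiled into the build (their real element type is not on this page).
 * RSA is included, as Zilog recommends; DH_DSS is left out to save code. */
static const SSL_BYTE PkiGen[]    = { KEY_RSA };
static const SSL_BYTE CipherGen[] = { CIPHER_RC4, CIPHER_3DES };
static const SSL_BYTE HashGen[]   = { HASH_MD5, HASH_SHA1 };

static int alg_available(SSL_BYTE alg, const SSL_BYTE *gen, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (gen[i] == alg) return 1;
    return 0;
}

/* A suite is usable only if it is enabled in the table AND each of its three
 * algorithms is present in the corresponding Gen array. */
int suite_usable(const SSL_CS_INFO *cs)
{
    return cs->IsValid
        && alg_available(cs->KeyAlg,    PkiGen,    sizeof PkiGen)
        && alg_available(cs->CipherAlg, CipherGen, sizeof CipherGen)
        && alg_available(cs->HashAlg,   HashGen,   sizeof HashGen);
}

/* Configuration check to run after editing ssl_conf.c: index of the first
 * enabled suite whose algorithms are not all compiled in, or -1 if the table
 * and the three arrays agree. */
int first_unsatisfied_suite(void)
{
    for (size_t i = 0; i < N_SUITES; i++)
        if (CipherSuiteTable[i].IsValid && !suite_usable(&CipherSuiteTable[i]))
            return (int)i;
    return -1;
}

/* Client mode, simplified: the server chose `code` and presented a certificate
 * whose public key uses `server_key_alg`.  Returns the matching table entry,
 * or NULL when the session cannot be established (key algorithm missing from
 * PkiGen, suite disabled, or suite/certificate mismatch). */
const SSL_CS_INFO *client_accept(SSL_WORD code, SSL_BYTE server_key_alg)
{
    if (!alg_available(server_key_alg, PkiGen, sizeof PkiGen))
        return NULL;                       /* cannot process the server's key */
    for (size_t i = 0; i < N_SUITES; i++) {
        const SSL_CS_INFO *cs = &CipherSuiteTable[i];
        if (cs->CipherSuite == code && cs->KeyAlg == server_key_alg && suite_usable(cs))
            return cs;
    }
    return NULL;
}

int main(void)
{
    printf("first unsatisfied suite index: %d\n", first_unsatisfied_suite());
    printf("RSA server, RC4/MD5:     %s\n", client_accept(TLS_RSA_WITH_RC4_128_MD5, KEY_RSA) ? "ok" : "fail");
    printf("RSA server, export RC4:  %s\n", client_accept(TLS_RSA_EXPORT_WITH_RC4_40_MD5, KEY_RSA) ? "ok" : "fail");
    printf("DSS server, 3DES/SHA:    %s\n", client_accept(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA, KEY_DH_DSS) ? "ok" : "fail");
    return 0;
}
```

The check reports entry 3: it is enabled in the table but KEY_DH_DSS is absent from PkiGen, which is exactly the silent failure a practitioner wants caught at build time rather than during a handshake. The export suite fails because it is disabled, and the DH_DSS server fails for the reason the manual gives for client mode.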