Zilog EZ80F91AZA User Manual


UM020107-1211

SSL Configuration

ZTP Network Security SSL Plug-In

User Manual

Each of the xxxx_ClientInit APIs is a null function returning a variable of type SSL_STATUS. The TLS1_ClientInit API is shown in the following code fragment; the SSL2_ClientInit and SSL3_ClientInit APIs have the same format.

SSL_STATUS TLS1_ClientInit( void );

Each server initialization function takes two parameters and returns a status code. To illustrate these parameters, the function prototype for the TLS1_ServerInit API is shown in the following code fragment. The same syntax also applies to the SSL2_ServerInit and SSL3_ServerInit functions.

SSL_STATUS TLS1_ServerInit( CERT_CHAIN * pCertChain, ASN1_ENC_DATA * pDheParams );

The first of these parameters is a reference to the server’s certificate chain, which is a list
of X.509 certificates beginning with the server’s certificate and followed by the certificate
of each intermediate certificate authority that signed the previous certificate. The certifi-
cate chain ends with a self-signed root certificate issued by the certificate authority.

The second parameter is a pointer to the Diffie-Hellman parameters (the prime modulus p and the generator g) that the server will use for Ephemeral Diffie-Hellman (EDH) cipher suites. SSL clients receive their Ephemeral Diffie-Hellman parameters from the server to which they are attempting to establish a connection, so the strength of every EDH handshake is bounded by the parameters the server was initialized with. If support for Ephemeral Diffie-Hellman cipher suites is not required for the TLS1 or SSL3 server, this parameter is set to NULLPTR on the corresponding xxxx_ServerInit function call.

SSL version 2 does not support Ephemeral Diffie-Hellman cipher suites; therefore this parameter should always be NULLPTR when calling the SSL2_ServerInit API.

It is permissible to use different certificate chains and Ephemeral Diffie-Hellman parameters on each of the handshake protocol initialization calls. In some cases this usage is mandatory. For example, if the TLSv1 server has been issued a DSA certificate, that server will only be able to establish SSL sessions using EDH cipher suites, because a DSA key can sign the ephemeral parameters but cannot be used for RSA key transport. But if an SSLv2 server is also initialized, that server must have an RSA certificate. Therefore, in this example, the SSLv2 and TLSv1 servers must use different certificate chains.
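The following C program is an added example covering the two preceding paragraphs (the pDheParams argument and the SSLv2/DSA rules); it is not code from the ZTP Network Security SSL Plug-In or its demo project. It decodes a DER-encoded DHParameter of the kind pDheParams points to, assuming the PKCS#3 layout SEQUENCE { prime INTEGER, base INTEGER, privateValueLength INTEGER OPTIONAL } (the manual does not state which ASN.1 structure ASN1_ENC_DATA carries), reports the bit length of p, rejects degenerate values of g, and encodes the rules that SSLv2 takes NULLPTR and that a DSA certificate can only serve EDH suites. The type dh_params_t, the PROTO_* constants, server_init_args_ok and both sample encodings are constructed for this example; the 1024-bit sample is a placeholder of 0xFF bytes, not a prime.

```c
/* Added example (not ZTP code): parse and sanity-check the DER DHParameter
 * that a *_ServerInit call would receive through pDheParams.
 * Assumes PKCS#3: DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER,
 *                                            privateValueLength INTEGER OPTIONAL }
 * Build: cc -std=c99 -Wall dh_check.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const uint8_t *p; size_t p_len;   /* big-endian magnitude of p, sign byte removed */
    const uint8_t *g; size_t g_len;   /* big-endian magnitude of g */
    size_t p_bits;                    /* bit length of p */
} dh_params_t;

/* Decode a DER tag + length; returns header size, or 0 if malformed or not DER-minimal. */
static size_t der_read_tl(const uint8_t *buf, size_t len, uint8_t tag, size_t *clen)
{
    if (len < 2 || buf[0] != tag) return 0;
    size_t i = 1, n, v = 0;
    uint8_t l = buf[i++];
    if (l < 0x80) { *clen = l; return (l <= len - i) ? i : 0; }   /* short form */
    n = l & 0x7F;                                   /* long form: number of length octets */
    if (n == 0 || n > 2 || len < i + n) return 0;   /* indefinite or oversized */
    while (n--) v = (v << 8) | buf[i++];
    if (v < 0x80 || v > len - i) return 0;          /* non-minimal or truncated */
    *clen = v;
    return i;
}

/* Decode a positive INTEGER; returns bytes consumed (header + content), or 0 on error. */
static size_t der_read_uint(const uint8_t *buf, size_t len, const uint8_t **mag, size_t *mag_len)
{
    size_t clen, hdr = der_read_tl(buf, len, 0x02, &clen), total;
    if (hdr == 0 || clen == 0) return 0;
    total = hdr + clen;
    const uint8_t *c = buf + hdr;
    if (c[0] & 0x80) return 0;                                 /* negative: invalid p or g */
    if (clen > 1 && c[0] == 0x00 && !(c[1] & 0x80)) return 0;  /* padding beyond DER minimum */
    if (c[0] == 0x00) { if (clen == 1) return 0; c++; clen--; } /* zero is invalid; drop sign byte */
    *mag = c; *mag_len = clen;
    return total;
}

static size_t bit_length(const uint8_t *mag, size_t len)
{
    size_t bits = (len - 1) * 8;
    for (uint8_t top = mag[0]; top; top >>= 1) bits++;
    return bits;
}

int dh_params_parse(const uint8_t *der, size_t len, dh_params_t *out)
{
    size_t seq, rem, n, hdr = der_read_tl(der, len, 0x30, &seq);
    if (hdr == 0 || hdr + seq != len) return -1;    /* no trailing bytes after the SEQUENCE */
    const uint8_t *c = der + hdr; rem = seq;
    if ((n = der_read_uint(c, rem, &out->p, &out->p_len)) == 0) return -1;
    c += n; rem -= n;
    if ((n = der_read_uint(c, rem, &out->g, &out->g_len)) == 0) return -1;
    c += n; rem -= n;
    if (rem) {                                      /* optional privateValueLength: accept, ignore */
        const uint8_t *pv; size_t pvl;
        if (der_read_uint(c, rem, &pv, &pvl) != rem) return -1;
    }
    out->p_bits = bit_length(out->p, out->p_len);
    return 0;
}

/* Policy: p has at least min_bits bits and is odd, 2 <= g < p. Does not test primality. */
int dh_params_acceptable(const dh_params_t *d, size_t min_bits)
{
    if (d->p_bits < min_bits) return 0;
    if (!(d->p[d->p_len - 1] & 1)) return 0;        /* even p cannot be prime */
    if (d->g_len == 1 && d->g[0] < 2) return 0;     /* g = 0 or 1 is degenerate */
    if (d->g_len > d->p_len) return 0;
    if (d->g_len == d->p_len && memcmp(d->g, d->p, d->p_len) >= 0) return 0;
    return 1;
}

/* Hypothetical pre-check of the (protocol, certificate, pDheParams) triple before ServerInit:
 * SSLv2 takes NULLPTR and needs an RSA certificate; a DSA certificate is only usable with EDH. */
enum { PROTO_SSL2, PROTO_SSL3, PROTO_TLS1 };
int server_init_args_ok(int proto, int cert_is_dsa, const uint8_t *dh_der, size_t dh_len, size_t min_bits)
{
    dh_params_t d;
    if (proto == PROTO_SSL2) return dh_der == NULL && !cert_is_dsa;
    if (dh_der == NULL) return !cert_is_dsa;
    return dh_params_parse(dh_der, dh_len, &d) == 0 && dh_params_acceptable(&d, min_bits);
}

/* Constructed sample: p = 23, g = 5 (fine for a demo, far too small for real use). */
const uint8_t DH_TINY_DER[] = { 0x30,0x06, 0x02,0x01,0x17, 0x02,0x01,0x05 };
const size_t DH_TINY_DER_LEN = sizeof DH_TINY_DER;

/* Constructed placeholder: a 1024-bit p of all 0xFF bytes (NOT prime; it only exercises
 * long-form lengths and the leading-zero rule) with g = 2. Returns the encoded size, 138. */
size_t build_placeholder_1024_der(uint8_t *buf, size_t cap)
{
    size_t i = 0;
    if (cap < 138) return 0;
    buf[i++] = 0x30; buf[i++] = 0x81; buf[i++] = 0x87;   /* SEQUENCE, 135 content bytes */
    buf[i++] = 0x02; buf[i++] = 0x81; buf[i++] = 0x81;   /* INTEGER, 129 content bytes */
    buf[i++] = 0x00; memset(buf + i, 0xFF, 128); i += 128;
    buf[i++] = 0x02; buf[i++] = 0x01; buf[i++] = 0x02;   /* INTEGER 2 */
    return i;
}

int main(void)
{
    uint8_t big[138]; dh_params_t d;
    size_t n = build_placeholder_1024_der(big, sizeof big);
    if (dh_params_parse(DH_TINY_DER, DH_TINY_DER_LEN, &d) == 0)
        printf("tiny: p has %zu bits, acceptable at 2048? %d\n", d.p_bits, dh_params_acceptable(&d, 2048));
    if (dh_params_parse(big, n, &d) == 0)
        printf("1024: p has %zu bits, acceptable at 1024? %d\n", d.p_bits, dh_params_acceptable(&d, 1024));
    printf("SSLv2 server given DH params: %d\n", server_init_args_ok(PROTO_SSL2, 0, big, n, 1024));
    return 0;
}
```

Because the client takes p and g from whatever the server was initialized with, the modulus size compiled into the server sets an upper bound on the strength of every EDH handshake; the min_bits argument is where a deployment pins that floor. The check does not prove that p is prime or that g generates a large subgroup, so it is a sanity check on the encoded file, not a substitute for generating the parameters with a trusted tool.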

The SSL demo project included with the ZTP Network Security SSL Plug-In contains a file, dh_params.c, containing the Ephemeral Diffie-Hellman parameters used on the calls to TLS1_ServerInit and SSL3_ServerInit. The certificate chain shared by these servers is contained in a file named Certificate.c.
