Zilog EZ80F91AZA User Manual
UM020107-1211
SSL Configuration
ZTP Network Security SSL Plug-In User Manual
If an application does not use a particular PKI algorithm, its entry in the PkiGen array can be replaced with the NullPki_init function pointer. Because nothing then references the real initialization function, the linker removes that PKI algorithm from the generated program image. For example, if an application does not use the Diffie-Hellman key agreement algorithm (the dh_init entry), the PkiGen array is reconfigured as shown in the following code fragment:
PKI_Init PkiGen[SSL_MAX_PKI] =
{
    NullPki_init,   /* dh_init replaced: Diffie-Hellman not used */
    rsa_init,
    dsa_init,
    NullPki_init
};
It is important to keep the PkiGen array synchronized with the tables of cipher suites referenced by the pSSL2_CipherSuites, pSSL3_CipherSuites, and pTLS1_CipherSuites pointers. For example, if the rsa_init function pointer is replaced with NullPki_init, the RSA algorithm is not included in the application. Therefore, if any of the cipher suite tables contains an entry that uses RSA, such as TLS_RSA_WITH_3DES_EDE_CBC_SHA, those cipher suites must be disabled, because they cannot function without the RSA algorithm. For more information about this topic, see the Cipher Suite Configuration section that follows.
1. If the ZTP Network Security SSL Plug-In has been configured to verify signatures, it could become necessary to include both RSA and DSA in the PkiGen array, because a signature can only be verified with the algorithm that generated it: verifying an RSA-signed certificate requires rsa_init, and verifying a DSA-signed certificate requires dsa_init.
2. The use of Diffie-Hellman certificates is extremely rare. Therefore, the dh_init function pointer is usually replaced with NullPki_init. This replacement does not prevent the SSLv3 and TLSv1 protocols from using the Diffie-Hellman key agreement algorithm with ephemeral parameters (DHE); that is controlled separately by the pDheInit function pointer in the pki_conf.c configuration file. Therefore, to completely remove Diffie-Hellman from the application, the dh_init entry in the PkiGen array must be replaced with NullPki_init, and the pDheInit function pointer must be set to NULLPTR. For more information about this topic, see the
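As an added consistency check (example code written for this page, not code from the ZTP Network Security SSL Plug-In or this manual), the following C program models the PkiGen array, the pDheInit pointer and one cipher suite table, and reports which suites must be disabled for a given configuration. It covers both the synchronization rule above (an RSA suite with rsa_init replaced) and the two Diffie-Hellman controls from note 2 (dh_init in PkiGen for DH certificates, pDheInit for DHE). The PKI_Init signature, the slot order of PkiGen, the definition of NULLPTR, the CipherSuite structure and the suite table are assumptions; the real ZTP tables have their own layout.

```c
/*
 * Added example, not ZTP Network Security SSL Plug-In code: a table-driven
 * check that a PkiGen configuration can serve the enabled cipher suites.
 * Only the names PkiGen, NullPki_init, rsa_init, dsa_init, dh_init, pDheInit,
 * NULLPTR and SSL_MAX_PKI come from the manual; the PKI_Init signature,
 * slot order, CipherSuite layout and the suite table below are assumed.
 */
#include <stdio.h>
#include <stddef.h>

#define SSL_MAX_PKI 4
#define NULLPTR ((void *)0)          /* assumed definition of the manual's NULLPTR */

/* Assumed slot order of PkiGen: DH certificates, RSA, DSA, one spare slot. */
enum { PKI_DH = 0, PKI_RSA = 1, PKI_DSA = 2 };

typedef int (*PKI_Init)(void);       /* assumed signature */

/* Stand-ins for the plug-in's initializers (dh_init is not needed here). */
static int NullPki_init(void) { return 0; }
static int rsa_init(void)     { return 1; }
static int dsa_init(void)     { return 1; }
static int dhe_init(void)     { return 1; }   /* stand-in target for pDheInit */

/* The page's configuration: dh_init replaced, RSA and DSA kept. */
PKI_Init PkiGen[SSL_MAX_PKI] = { NullPki_init, rsa_init, dsa_init, NullPki_init };
PKI_Init pDheInit = dhe_init;

/* Same, but with rsa_init also replaced (the case discussed in the text). */
PKI_Init PkiGen_NoRsa[SSL_MAX_PKI] = { NullPki_init, NullPki_init, dsa_init, NullPki_init };

/* What a suite needs from the PKI configuration (assumed layout). */
typedef struct {
    const char *name;
    int auth_pki;       /* PkiGen slot that authenticates the server */
    int needs_dhe;      /* ephemeral DH key agreement, via pDheInit */
    int needs_dh_cert;  /* static DH key in the certificate, via PKI_DH */
} CipherSuite;

/* Constructed stand-in for the table behind pTLS1_CipherSuites. */
static const CipherSuite pTLS1_CipherSuites[] = {
    { "TLS_RSA_WITH_3DES_EDE_CBC_SHA",     PKI_RSA, 0, 0 },
    { "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", PKI_DSA, 1, 0 },
    { "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",  PKI_DSA, 0, 1 },
};
#define NUM_TLS1_SUITES (sizeof pTLS1_CipherSuites / sizeof pTLS1_CipherSuites[0])

/* Returns how many suites the (gen, dhe) configuration cannot serve and
 * must therefore be disabled; prints the reason for each when verbose. */
int check_suites(const PKI_Init gen[SSL_MAX_PKI], PKI_Init dhe,
                 const CipherSuite *suites, size_t n, int verbose)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        const CipherSuite *s = &suites[i];
        const char *why = NULL;

        if (gen[s->auth_pki] == NullPki_init)
            why = "its authentication algorithm is removed from PkiGen";
        else if (s->needs_dhe && dhe == NULLPTR)
            why = "pDheInit is NULLPTR";
        else if (s->needs_dh_cert && gen[PKI_DH] == NullPki_init)
            why = "dh_init is replaced with NullPki_init";

        if (why != NULL) {
            bad++;
            if (verbose)
                printf("disable %s: %s\n", s->name, why);
        }
    }
    return bad;
}

int main(void)
{
    printf("-- PkiGen as on the page --\n");
    check_suites(PkiGen, pDheInit, pTLS1_CipherSuites, NUM_TLS1_SUITES, 1);
    printf("-- rsa_init also replaced --\n");
    check_suites(PkiGen_NoRsa, pDheInit, pTLS1_CipherSuites, NUM_TLS1_SUITES, 1);
    printf("-- Diffie-Hellman removed completely --\n");
    check_suites(PkiGen, NULLPTR, pTLS1_CipherSuites, NUM_TLS1_SUITES, 1);
    return 0;
}
```

Run as-is, the first check flags only the static DH-certificate suite (dh_init is replaced), the second additionally flags TLS_RSA_WITH_3DES_EDE_CBC_SHA, and the third flags the DHE suite because pDheInit is NULLPTR. Wiring such a check into the build, or running it once at startup, catches a PkiGen entry that was nulled out while a dependent suite was left enabled.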
Practical Considerations for SSL Servers and Clients
When the ZTP Network Security SSL Plug-In is operating in server mode, the server must have a certificate, and the public key algorithm of that certificate determines which PKI algorithm is required. The corresponding algorithm initialization function pointer must be present in the PkiGen array, not replaced with NullPki_init.
Notes: