ZTP Network Security SSL Plug-In User Manual
UM020107-1211

SSL Configuration

When the ZTP Network Security SSL Plug-In is operating in client mode, it does not know the type of certificate a server possesses. If the server presents a certificate using a public key algorithm which is not included in the PkiGen table, then the client will be unable to establish a session with the server. The greatest flexibility is afforded by including all possible algorithms in the PkiGen array. However, such an inclusion comes at the expense of increasing the code size of the application due to public key algorithms that are rarely used. Due to the overwhelming popularity of the RSA algorithm, Zilog recommends that the RSA algorithm always be included in the PkiGen array.

Cipher Suite Configuration

During the establishment of an SSL session, the client and server determine a 3-tuple of
PKI algorithm, symmetric cipher algorithm and digest algorithm that is used to secure
communications. This 3-tuple is called a cipher suite. Because SSL supports different
PKI, cipher and digest algorithms, there are many possible combinations of cipher suites.

The ssl_conf.c configuration file contains tables of SSL_CS_INFO structures that define a set of cipher suites that can be supported by the ZTP Network Security SSL Plug-In. Individual entries in these tables can be removed or disabled to prevent the cipher suite from being selected during the establishment of a session. These tables also determine the minimum set of PKI, cipher and digest algorithms that must be included in the PkiGen, CipherGen and HashGen arrays.

To understand these relationships, first understand the structure of a single cipher suite. The SSL_CS_INFO data structure is shown in the following code fragment.

    typedef struct SSL_CS_INFO
    {
        SSL_WORD    CipherSuite;    /* two-byte cipher suite code from the SSL specification */
        SSL_BYTE    KeyAlg;
        SSL_BYTE    CipherAlg;
        SSL_BYTE    HashAlg;
        SSL_BOOL    IsExport;
        SSL_BYTE    KeySize;
        SSL_BYTE    IVSize;
        SSL_BYTE    MacSize;
        SSL_BOOL    IsValid;
    } SSL_CS_INFO;

The CipherSuite entry is a two-byte code that the SSL specification defines to identify the standard cipher suites. Each code also features a long mnemonic. The cipher suites that the ZTP Network Security SSL Plug-In is capable of supporting can be found in the CipherSuite.h header file; some examples are shown in the following code fragment.

    #define TLS_RSA_WITH_RC4_128_MD5    0x0400
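As an added example (not code from the Zilog manual or the plug-in), the following C sketch mirrors the SSL_CS_INFO table and models the PkiGen, CipherGen and HashGen arrays as lists of algorithm identifiers, so the dependency described above can be checked mechanically: every enabled suite must be backed by all three arrays, while a row with IsValid cleared is ignored by the check and skipped during selection. The SSL_ typedefs, the algorithm identifiers and the 0xFFxx suite codes are assumptions; only the 0x0400 code for TLS_RSA_WITH_RC4_128_MD5 is taken from the manual.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
typedef uint16_t SSL_WORD;   /* typedefs assumed here; the real ones are in the plug-in headers */
typedef uint8_t  SSL_BYTE;
typedef bool     SSL_BOOL;
typedef struct SSL_CS_INFO {
    SSL_WORD CipherSuite;                /* two-byte code from the SSL specification */
    SSL_BYTE KeyAlg, CipherAlg, HashAlg; /* must appear in PkiGen, CipherGen, HashGen */
    SSL_BOOL IsExport;
    SSL_BYTE KeySize, IVSize, MacSize;
    SSL_BOOL IsValid;                    /* clear to disable a suite without deleting its row */
} SSL_CS_INFO;
/* Hypothetical algorithm identifiers, not the plug-in's real values. */
enum { PKI_RSA = 1, PKI_DH, CIP_RC4 = 1, CIP_3DES, CIP_AES, DIG_MD5 = 1, DIG_SHA1 };
/* Constructed tables: 0x0400 is the code the manual shows for TLS_RSA_WITH_RC4_128_MD5;
   the 0xFFxx codes are private-use placeholders, not real suite codes. */
static const SSL_CS_INFO suites[] = {
    { 0x0400, PKI_RSA, CIP_RC4,  DIG_MD5,  false, 16, 0,  16, true  },
    { 0xFF01, PKI_RSA, CIP_3DES, DIG_SHA1, false, 24, 8,  20, true  },
    { 0xFF02, PKI_DH,  CIP_AES,  DIG_SHA1, false, 16, 16, 20, false }, /* disabled */
};
static const SSL_BYTE PkiGen[]    = { PKI_RSA };
static const SSL_BYTE CipherGen[] = { CIP_RC4, CIP_3DES };
static const SSL_BYTE HashGen[]   = { DIG_MD5, DIG_SHA1 };
static bool has_alg(const SSL_BYTE *arr, size_t n, SSL_BYTE alg)
{
    for (size_t i = 0; i < n; i++) if (arr[i] == alg) return true;
    return false;
}
/* Every enabled row must be backed by all three generator arrays; disabled rows are
   ignored. Returns the index of the first unsatisfied row, or -1 if the tables agree. */
int first_unsatisfied_suite(const SSL_CS_INFO *tbl, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].IsValid && (!has_alg(PkiGen, sizeof PkiGen, tbl[i].KeyAlg) ||
                               !has_alg(CipherGen, sizeof CipherGen, tbl[i].CipherAlg) ||
                               !has_alg(HashGen, sizeof HashGen, tbl[i].HashAlg)))
            return (int)i;
    return -1;
}
/* Server-side choice: the first client-offered code matching an enabled row wins;
   disabled or unknown codes are skipped. Returns 0 when no suite is shared. */
SSL_WORD select_suite(const SSL_WORD *offered, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < sizeof suites / sizeof suites[0]; j++)
            if (suites[j].IsValid && suites[j].CipherSuite == offered[i]) return offered[i];
    return 0;
}
```

The disabled 0xFF02 row names algorithms absent from PkiGen and CipherGen yet passes the check, which is exactly the case the text describes: disabling an entry removes its algorithms from the minimum set the arrays must carry.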
