Zilog EZ80F91AZA User Manual

UM020107-1211

SSL Configuration

ZTP Network Security SSL Plug-In

User Manual

The first entry in every cipher suite table must indicate a NULL cipher suite; i.e., one that uses the NULL PKI algorithm, the NULL cipher algorithm and the NULL digest algorithm. This cipher suite must never be enabled (i.e., IsValid is set to FALSE). It is included in the cipher suite because it describes the session’s initial state (operation on a completely unsecured channel).

The ordering of cipher suites within each table is significant. Entries appearing higher in the table are preferred over entries appearing lower in the table. For example, in the sample cipher suite table above, it is possible that both the client and server support both cipher suites; however, because the TLS_RSA_WITH_RC4_128_MD5 entry appears before TLS_RSA_WITH_DES_CBC_SHA, preference will be given to the TLS_RSA_WITH_RC4_128_MD5 cipher suite. When the corresponding ZTP Network Security SSL Plug-In SSL handshake protocol is operating as a server, it selects the first matching entry in the cipher suite table that matches the list of cipher suites supplied by the client. When the corresponding SSL protocol is operating in client mode, it orders its list of supported cipher suites in the same order as they appear in the cipher suite table, thus indicating the order of preference to the server. In either situation, all cipher suites in the table for which the IsValid flag is FALSE are ignored.

Synchronizing PKI, Cipher and Digest Configurations

After the cipher suite tables are created, it is easy to determine the minimal set of PKI algorithms, cipher algorithms and digest algorithms that must be configured in the PkiGen, CipherGen, and HashGen arrays. For example, to determine what entries must exist in the CipherGen array to support all cipher suites for which the IsValid flag is set to TRUE, note each unique entry in the CipherAlg field. Suppose the cipher suites all used SSL_CIPHER_NULL, SSL_CIPHER_RC4 or SSL_CIPHER_DES. As a result, the CipherGen array could be modified, as shown in the following code fragment, because the 3DES and AES cipher algorithms will not be required.

    CIPHER_NEW CipherGen[ SSL_MAX_CIPHERS ] =
    {
        NullCipher_New,
        RC4_New,
        DES_New,
        NullCipher_New,    // 3DES not required
        NullCipher_New     // AES not required
    };
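The synchronization described above can be checked mechanically before a build ships. The following is an added example, not code from the manual or from the ZTP plug-in: it derives the set of cipher algorithms needed by the enabled suites and flags any enabled suite whose CipherGen slot has been stubbed out with NullCipher_New. The EX_ names, the struct layout, the stub generator bodies and the table contents are assumptions made for illustration; only the IsValid and CipherAlg field names and the generator names appear in the manual.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for the plug-in's types; only the IsValid and
   CipherAlg field names and the generator names come from the manual. */
enum { EX_NULL, EX_RC4, EX_DES, EX_3DES, EX_AES, EX_MAX_CIPHERS };
typedef int (*EX_CIPHER_NEW)(void);
typedef struct { uint16_t Id; int IsValid; unsigned CipherAlg; } EX_SUITE;

static int NullCipher_New(void) { return 0; }   /* stub generators */
static int RC4_New(void)        { return 1; }
static int DES_New(void)        { return 2; }

/* Constructed table: entry 0 is the disabled NULL suite. */
static const EX_SUITE SuiteTable[] = {
    { 0x0000, 0, EX_NULL },   /* TLS_NULL_WITH_NULL_NULL, never enabled */
    { 0x0004, 1, EX_RC4  },   /* TLS_RSA_WITH_RC4_128_MD5 */
    { 0x0009, 1, EX_DES  },   /* TLS_RSA_WITH_DES_CBC_SHA */
    { 0x000A, 0, EX_3DES },   /* 3DES suite listed but disabled */
};
static const EX_CIPHER_NEW CipherGen[EX_MAX_CIPHERS] = {
    NullCipher_New, RC4_New, DES_New, NullCipher_New, NullCipher_New
};

/* Bitmask of the CipherAlg values used by enabled suites. */
unsigned required_ciphers(const EX_SUITE *t, size_t n) {
    unsigned mask = 0;
    for (size_t i = 0; i < n; i++)
        if (t[i].IsValid && t[i].CipherAlg < EX_MAX_CIPHERS)
            mask |= 1u << t[i].CipherAlg;
    return mask;
}

/* Returns 0 if consistent, -1 if entry 0 is not a disabled NULL suite,
   otherwise the index of the first enabled suite that names a real
   cipher whose generator slot is out of range or stubbed out. */
int audit_config(const EX_SUITE *t, size_t n, const EX_CIPHER_NEW *gen) {
    if (n == 0 || t[0].CipherAlg != EX_NULL || t[0].IsValid) return -1;
    for (size_t i = 1; i < n; i++)
        if (t[i].IsValid && t[i].CipherAlg != EX_NULL &&
            (t[i].CipherAlg >= EX_MAX_CIPHERS ||
             gen[t[i].CipherAlg] == NullCipher_New))
            return (int)i;
    return 0;
}

int main(void) {
    size_t n = sizeof SuiteTable / sizeof SuiteTable[0];
    return audit_config(SuiteTable, n, CipherGen);  /* 0 = consistent */
}
```
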

Configuring the HashGen array is slightly more complicated, because the HMAC_MD5 and HMAC_SHA1 hashes are always used by TLSv1 – even though they never appear in the

Note: