beautypg.com

Zilog EZ80F91AZA User Manual

Page 47

background image

UM020107-1211

SSL Configuration

ZTP Network Security SSL Plug-In

User Manual

41

process continues until the client obtains a certificate from a trusted issuer, or until a certif-
icate is presented that was signed by the same entity presenting the certificate (called a
self-signed certificate). In this circumstance, the subject of the certificate is vouching for
itself.

When a self-signed certificate is presented to a client, it must determine whether to accept
the certificate or not, and whether or not to allow the SSL session to be established. Many
computer programs executing with user interfaces will typically force the human user to
make the decision. The ZTP Network Security SSL Plug-In uses a callback routine to
make this decision (see the

Certificate Verification

section on page 48).

After the client is satisfied with the server’s identity, it uses the public key in the certificate
to arrive at a shared secret between the client and the server, which in turn is used to
encrypt all data transferred between them. This encryption occurs via the execution of a
public key algorithm. If the server actually possesses the private key that corresponds to
the public key in the certificate, then both the client and the server will arrive at the same
secret. Otherwise, the secrets will not match, and data encrypted by one party will not be
understood by the other party. The SSL handshake protocols are able to detect this condi-
tion and will immediately sever the SSL connection.

Certificate Chains

The previous section explained basic certificate concepts and indicated that certificate
trust relationships are hierarchical in nature. Consequently, TLSv3 and SSLv1 servers are
able to present the client with a list of certificates called a certificate chain. The first chain
in the certificate belongs to the server presenting the list. The next certificate in the chain
belongs to the issuer that signed the server’s certificate. The next certificate belongs to the
issuer that signed the issuer of the subject’s certificate, etc.

SSL certificate chains can (but are not required to) end with a self-signed certificate (i.e.,
the one in which the certificate is issued to and issued by the same entity).

SSLv2 servers are only permitted to supply the client with a single certificate, often a self-
signed certificate. For the client to accept the server’s certificate, it must trust one of the
certificates in the server’s chain. This trust can be developed as the result of having the pre-
viously stored issuer’s certificate or simply prompting the user to accept the certificate.

When one of the SSL server handshake protocols in the ZTP Network Security SSL Plug-
In is initialized (see the

SSL Handshake Protocol Initialization

section on page 22), the

first parameter must be a pointer to the

CERT_CHAIN

data structure. This data structure

accommodates a maximum of four X.509 certificates. The following code fragment shows
an initialized variable of type

CERT_CHAIN

that contains a chain of two certificates:

CERT_CHAIN

CertChain =

Note:

This manual is related to the following products:
See also other documents in the category Zilog Sensors: