Certificate verification – Zilog EZ80F91AZA User Manual
UM020107-1211    SSL Configuration    ZTP Network Security SSL Plug-In User Manual    page 48
Certificate Verification
Prior to using X.509 certificates, SSL clients and servers will perform integrity checks on the certificate to determine if it is authentic. For ZTP Network Security SSL Plug-In servers, these checks occur during the SSL handshake protocol's initialization call (see the SSL Handshake Protocol Initialization section on page 22). For clients, these checks occur when the server's certificate chain is received during the establishment of a session.
In the ZTP Network Security SSL Plug-In implementation, the following items are verified for each certificate in the chain:
• X.509 certificate structure
• The certificate's validity period
• Certificate signature (can be disabled)
• Whether the certificate is self-signed
By default, if the certificate contains all of the expected fields, is presented within its validity period, its signature has been verified and the certificate is not self-signed, the ZTP Network Security SSL Plug-In will implicitly trust the certificate. If any of these checks fail, a user-modifiable callback function is called. This callback function is named VerifyCertificate, and the default implementation (as shown in the following code fragment) is present in the Certificate.c configuration file.
    /* Default callback: invoked only for a certificate that failed a check.
     * As shipped it trusts every such certificate unconditionally. */
    SSL_STATUS VerifyCertificate( SSL_X509_S * pCertificate )
    {
        return( SSL_SUCCESS );
    }
The purpose of this callback routine is to allow an application to examine information regarding a suspect certificate. If the VerifyCertificate callback returns SSL_SUCCESS, the certificate will be trusted and used to complete the establishment of a session. If the callback function returns SSL_FAILURE, the certificate will not be trusted; this situation will prevent an SSL session from being established. The default implementation simply accepts all suspect certificates.
The flags member of the SSL_X509_S structure referenced by the pCertificate pointer contains a combination of one or more of the following values which indicate the results of processing the certificate:
    #define SSL_X509_PARSED_OK   0x01
    #define SSL_X509_DATE_VALID  0x02
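As an added example (not code from the manual or the plug-in), a replacement VerifyCertificate that consults the flags word instead of accepting every suspect certificate. The SSL_STATUS type, the SSL_SUCCESS/SSL_FAILURE values and the reduced SSL_X509_S layout below are assumed stand-ins for the plug-in's real headers; only the two flag values shown on this page are used, so a project build should extend the required mask with the signature and self-signed result bits from the real header.

```c
#include <stdio.h>
#include <stdint.h>

/* Assumed stand-ins for the plug-in's header definitions (names from the manual,
 * values and layout are assumptions for a stand-alone build). */
typedef int SSL_STATUS;
#define SSL_SUCCESS 0
#define SSL_FAILURE 1

/* Flag values as listed on this page. */
#define SSL_X509_PARSED_OK  0x01
#define SSL_X509_DATE_VALID 0x02

typedef struct {
    uint32_t flags;   /* processing results; real SSL_X509_S has more members */
} SSL_X509_S;

/* Result bits a suspect certificate must carry to be accepted. Extend this
 * mask with the signature and self-signed bits from the real header. */
#define REQUIRED_FLAGS (SSL_X509_PARSED_OK | SSL_X509_DATE_VALID)

/* Returns the subset of 'required' bits that are NOT set in 'flags';
 * zero means every required check passed. */
uint32_t missing_checks(uint32_t flags, uint32_t required)
{
    return required & ~flags;
}

/* Fail-closed replacement for the default callback: reject the certificate
 * unless every required result bit is set, and log which check fell short. */
SSL_STATUS VerifyCertificate(SSL_X509_S *pCertificate)
{
    if (pCertificate == NULL) {
        return SSL_FAILURE;
    }
    uint32_t missing = missing_checks(pCertificate->flags, REQUIRED_FLAGS);
    if (missing & SSL_X509_PARSED_OK) {
        fprintf(stderr, "certificate rejected: X.509 structure did not parse\n");
    }
    if (missing & SSL_X509_DATE_VALID) {
        fprintf(stderr, "certificate rejected: outside validity period\n");
    }
    return missing ? SSL_FAILURE : SSL_SUCCESS;
}

/* Convenience wrapper: run the callback on a constructed certificate record. */
SSL_STATUS verify_with_flags(uint32_t flags)
{
    SSL_X509_S cert = { flags };
    return VerifyCertificate(&cert);
}
```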