Zilog EZ80F91AZA User Manual

UM020107-1211

ZTP Network Security SSL Plug-In User Manual

SSL Configuration

#define SSL_X509_SIGNATURE_VERIFIED   0x04
#define SSL_X509_SELF_SIGNED          0x08
#define SSL_X509_PERMANENT            0x10
#define SSL_X509_UNKNOWN_SIG_ALG      0x40
#define SSL_X509_TRUSTED              0x80

In general, certificates for which the SSL_X509_PARSED_OK flag is not set must never be
trusted.

If the SSL_X509_DATE_VALID flag is not set, the certificate is being used before or after its
stated validity period, as judged by the system clock. It could also be the case that the system
date has not been set correctly. On a device without a reliable real-time clock, the application
should decide explicitly how to treat this flag (for example, by rejecting the certificate until
the clock has been set) rather than silently ignoring it.

The SSL_X509_SIGNATURE_VERIFIED flag indicates whether the SSL library was able to verify the
signature on the certificate. This verification is always possible for a self-signed certificate,
but for any other certificate it is only possible if the SSL layer is in possession of the
issuer's certificate (i.e., the issuer's public key). Consequently, verification is possible for
every certificate in the chain except, perhaps, the last one. If the last certificate in the chain
is self-signed, its signature can be verified; if it is not, your application must determine
whether the issuer should be trusted.

The SSL_X509_SELF_SIGNED flag indicates that the subject and issuer of the suspect certificate
are identical; i.e., an entity is vouching for itself. Because the SSL layer has no way of
determining whether such a certificate is truly trustworthy, such certificates are always passed
to the VerifyCertificate callback routine. In some cases the certificate should be accepted
without question. For example, if a self-signed certificate is installed for a ZTP Network
Security SSL Plug-In server, the VerifyCertificate callback function will be called for it, and
this certificate must be accepted because it is the one owned by your application. Note that the
reason for accepting it is that it is your own installed certificate, not that it is self-signed:
the callback should confirm that the certificate is in fact the local one rather than accepting
every certificate that carries the SSL_X509_SELF_SIGNED flag.

In those cases in which a remote SSL server presents a certificate chain that does not end in a
self-signed root certificate, the SSL layer cannot verify the signature on the last certificate
itself; it must be assumed that the client application is already in possession of the trusted
root certificate (i.e., the issuer's public key), or implicitly trusts the certificate's issuer.
In all other cases, the certificate might not be trustworthy.

Generally, the only certificates that are marked SSL_X509_PERMANENT are the local server
certificates. However, your application is permitted to set this flag on any certificate
presented to the VerifyCertificate callback for which SSL_SUCCESS is being returned. Setting the
flag prevents the SSL layer from releasing the resources associated with the certificate.

The SSL_X509_UNKNOWN_SIG_ALG flag indicates one possible reason why the signature verified flag
is not set: if the ZTP Network Security SSL Plug-In does not implement, or has been configured
not to support, the signature algorithm that the issuer used to sign the certificate, then it is
not possible to verify the signature. In this case the SSL_X509_UNKNOWN_SIG_ALG flag is set and
the SSL_X509_SIGNATURE_VERIFIED flag is cleared. Such a certificate must be treated exactly like
any other certificate whose signature could not be verified; an unknown algorithm is not grounds
for accepting it.
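The rules above combine into a single accept/reject decision that a VerifyCertificate callback has to make from the flag bits. The following is an added example, not Zilog's code: a policy routine of the kind such a callback would call. The callback's actual signature and return codes (including SSL_SUCCESS) are not shown on this page, so the routine returns its own enumeration and the caller maps it to the library's values. The numeric values of SSL_X509_PARSED_OK and SSL_X509_DATE_VALID are defined on the preceding page of the manual; the values used here are assumptions made only so the example compiles stand-alone. The inputs last_in_chain, clock_trusted and is_local_cert are assumed to be supplied by the caller (for example, by comparing the certificate against the locally installed server certificate).

```c
/*
 * Added example, not part of the ZTP Network Security SSL Plug-In.
 * Certificate acceptance policy driven by the SSL_X509_* status flags.
 */
#include <stdio.h>

/* Assumed values: the real ones are defined on the preceding manual page. */
#ifndef SSL_X509_PARSED_OK
#define SSL_X509_PARSED_OK          0x01
#endif
#ifndef SSL_X509_DATE_VALID
#define SSL_X509_DATE_VALID         0x02
#endif
/* Values as listed on this page. */
#define SSL_X509_SIGNATURE_VERIFIED 0x04
#define SSL_X509_SELF_SIGNED        0x08
#define SSL_X509_PERMANENT          0x10
#define SSL_X509_UNKNOWN_SIG_ALG    0x40
#define SSL_X509_TRUSTED            0x80

typedef enum {
    CERT_REJECT = 0,        /* never use this certificate */
    CERT_ACCEPT,            /* accept it for this connection */
    CERT_ACCEPT_PERMANENT,  /* accept it and set SSL_X509_PERMANENT so it is retained */
    CERT_NEEDS_APP_TRUST    /* issuer unverifiable; application must decide (e.g. pinned root) */
} cert_decision;

/*
 * flags         : SSL_X509_* bits reported for the certificate under inspection
 * last_in_chain : nonzero if this is the final certificate the peer presented
 * clock_trusted : nonzero if the device's real-time clock has been set
 * is_local_cert : nonzero if this is our own installed server certificate
 */
cert_decision certificate_policy(unsigned flags, int last_in_chain,
                                 int clock_trusted, int is_local_cert)
{
    /* Rule 1: a certificate that did not parse is never trusted. */
    if (!(flags & SSL_X509_PARSED_OK))
        return CERT_REJECT;

    /* Rule 2: our own installed server certificate is also passed to the
     * callback. Accept it because it is ours, not merely because it is
     * self-signed, and ask the library to keep it. */
    if (is_local_cert && (flags & SSL_X509_SELF_SIGNED))
        return CERT_ACCEPT_PERMANENT;

    /* Rule 3: validity period. The flag is only meaningful if the clock is
     * set; design choice here is to skip the check on an unset clock, which
     * the caller should treat as a reason to set the clock, not to relax. */
    if (!(flags & SSL_X509_DATE_VALID) && clock_trusted)
        return CERT_REJECT;

    /* Rule 4: signature. An unknown algorithm is an unverified signature,
     * and a forged certificate is indistinguishable from a genuine one. */
    if (!(flags & SSL_X509_SIGNATURE_VERIFIED)) {
        if (flags & SSL_X509_UNKNOWN_SIG_ALG)
            return CERT_REJECT;
        /* Otherwise the issuer's key is simply not available. Only the last
         * certificate in a chain may legitimately be in this state; then the
         * application must decide whether it trusts (holds) the issuer. */
        if (last_in_chain)
            return CERT_NEEDS_APP_TRUST;
        return CERT_REJECT;
    }

    /* Rule 5: a self-signed certificate from a remote peer is anchored only in
     * itself; a verified signature proves internal consistency, not identity.
     * Leave the decision to the application (e.g. pinning). */
    if (flags & SSL_X509_SELF_SIGNED)
        return CERT_NEEDS_APP_TRUST;

    return CERT_ACCEPT;
}

int main(void)
{
    /* Constructed scenarios, not captured from a device. */
    static const char *const names[] = {
        "REJECT", "ACCEPT", "ACCEPT_PERMANENT", "NEEDS_APP_TRUST"
    };
    unsigned ok = SSL_X509_PARSED_OK | SSL_X509_DATE_VALID;

    printf("intermediate, verified    : %s\n",
           names[certificate_policy(ok | SSL_X509_SIGNATURE_VERIFIED, 0, 1, 0)]);
    printf("leaf, unknown sig alg     : %s\n",
           names[certificate_policy(ok | SSL_X509_UNKNOWN_SIG_ALG, 1, 1, 0)]);
    printf("last cert, no issuer key  : %s\n",
           names[certificate_policy(ok, 1, 1, 0)]);
    printf("remote self-signed        : %s\n",
           names[certificate_policy(ok | SSL_X509_SIGNATURE_VERIFIED | SSL_X509_SELF_SIGNED, 1, 1, 0)]);
    printf("our own server certificate: %s\n",
           names[certificate_policy(ok | SSL_X509_SIGNATURE_VERIFIED | SSL_X509_SELF_SIGNED, 1, 1, 1)]);
    return 0;
}
```

The order of the rules matters: the parse check comes first because none of the other flags can be relied upon for a certificate that did not parse, and the local-certificate check precedes the signature and date checks so that the application's own certificate is recognised by identity rather than by its flag pattern.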