Zilog EZ80F91AZA User Manual

UM020107-1211

SSL Configuration

ZTP Network Security SSL Plug-In User Manual

asymmetric key exchange/agreement algorithm) that the subject of the certificate is in possession of the private key corresponding to the public key in the certificate, then the certificate recipient can be relatively certain that it is communicating with the entity to which the certificate was issued.

When the SSL client and the server establish a session using Ephemeral Diffie-Hellman parameters (or temporary RSA keys), these parameters are also digitally signed by the SSL server, using the private key that corresponds to its certificate. If the client verifies the signature on these parameters, it can be relatively certain that the parameters were created by the SSL server and not by an attacker who has substituted parameters of its own choosing, for which the attacker holds the secret and from which it could recover the session keys.

By default, the ZTP Network Security SSL Plug-In attempts to verify all digital signatures. However, this verification can require the execution of many public key operations, which take considerable CPU bandwidth. At the customer's discretion, verification of digital signatures can be disabled. The customer is advised that doing so lowers the overall security of the system: with verification disabled, the client accepts whatever certificate and key exchange parameters it receives without any proof that they came from the server, so an active attacker on the path can substitute its own parameters and read the session. However, in applications requiring faster session establishment times, disabling the verification of digital signatures could be a viable option.

Disabling Signature Verification

Digital signature verification is controlled by the value of the SSL_VerifySignatures configuration variable located in the ssl_conf.c configuration file. The default setting is shown in the following code fragment:

SSL_BOOL SSL_VerifySignatures = TRUE;

Disabling signature verification is useful only for SSL clients. SSL servers in the ZTP Network Security SSL Plug-In will always generate signatures when required, regardless of the setting of the SSL_VerifySignatures variable. In addition, because client authentication is not supported, SSL servers in this implementation will never verify a client signature.
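The following is an added example and is not part of the ZTP Network Security SSL Plug-In or of this manual. It models the check the two preceding sections describe: the server signs its ephemeral Diffie-Hellman parameters, an active attacker replaces them, and whether the client notices depends on a verify_signatures flag that stands in for the SSL_VerifySignatures variable. The RSA key (fixed small primes, no padding), the Diffie-Hellman group (a Mersenne prime with a small generator) and the function names are all constructed for the example and are far too small for real use; the signed data follows the TLS 1.0 ServerKeyExchange layout (client random, server random, parameters) but uses a single SHA-1 digest where TLS uses an MD5 and SHA-1 pair.

```python
import hashlib
import secrets

# --- Toy RSA over a SHA-1 digest: fixed small primes, no padding. -------------
# Constructed for the example; sizes are far too small for real use.
RSA_P, RSA_Q, RSA_E = 1000000007, 998244353, 65537


def rsa_keygen():
    """Return ((n, e), (n, d)) for the fixed toy primes above."""
    n = RSA_P * RSA_Q
    d = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))
    return (n, RSA_E), (n, d)


def sha1_int(data: bytes, n: int) -> int:
    """SHA-1 of data, reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % n


def rsa_sign(priv, data):
    n, d = priv
    return pow(sha1_int(data, n), d, n)


def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == sha1_int(data, n)


# --- Toy Diffie-Hellman group: a Mersenne prime with a small generator, -------
# not a standardized safe-prime group (constructed for the example).
DH_P = 2**127 - 1
DH_G = 3


def signed_params(client_random, server_random, p, g, ys):
    """Bytes the server signs: both randoms followed by the length-prefixed
    DH parameters, as in the TLS 1.0 ServerKeyExchange."""
    def field(x):
        b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
        return len(b).to_bytes(2, "big") + b
    return client_random + server_random + field(p) + field(g) + field(ys)


def server_key_exchange(server_priv, client_random, server_random):
    """Server picks an ephemeral exponent and signs (p, g, Ys)."""
    xs = secrets.randbelow(DH_P - 2) + 1
    ys = pow(DH_G, xs, DH_P)
    sig = rsa_sign(server_priv, signed_params(client_random, server_random, DH_P, DH_G, ys))
    return {"p": DH_P, "g": DH_G, "ys": ys, "sig": sig}, xs


def mitm_substitute(msg):
    """Active attacker replaces Ys with one whose exponent it knows. It cannot
    re-sign with the server's key, so the original signature is left in place."""
    xa = secrets.randbelow(msg["p"] - 2) + 1
    return dict(msg, ys=pow(msg["g"], xa, msg["p"])), xa


def client_key_exchange(server_pub, client_random, server_random, msg, verify_signatures=True):
    """Client side. verify_signatures plays the role of SSL_VerifySignatures.
    Returns (shared_secret, Yc); raises ValueError on a bad signature."""
    data = signed_params(client_random, server_random, msg["p"], msg["g"], msg["ys"])
    if verify_signatures and not rsa_verify(server_pub, data, msg["sig"]):
        raise ValueError("ServerKeyExchange signature does not verify")
    xc = secrets.randbelow(msg["p"] - 2) + 1
    return pow(msg["ys"], xc, msg["p"]), pow(msg["g"], xc, msg["p"])


def run_handshake(verify_signatures, attacker_present):
    """Run one exchange and report the outcome:
    'agreed'      client and server derived the same secret
    'rejected'    client refused the tampered parameters
    'compromised' client accepted attacker parameters; attacker knows the secret
    """
    pub, priv = rsa_keygen()
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    msg, xs = server_key_exchange(priv, cr, sr)
    xa = None
    if attacker_present:
        msg, xa = mitm_substitute(msg)
    try:
        client_secret, yc = client_key_exchange(pub, cr, sr, msg, verify_signatures)
    except ValueError:
        return "rejected"
    if attacker_present:
        # The attacker holds the exponent behind the Ys the client used, so it
        # derives the client's secret from Yc exactly as the real server would.
        return "compromised" if pow(yc, xa, DH_P) == client_secret else "safe"
    return "agreed" if pow(yc, xs, DH_P) == client_secret else "mismatch"


if __name__ == "__main__":
    for verify in (True, False):
        for attacker in (False, True):
            print(f"SSL_VerifySignatures={verify!s:5} attacker={attacker!s:5} -> "
                  f"{run_handshake(verify, attacker)}")
```

With verification enabled the tampered ServerKeyExchange is rejected; with it disabled the handshake completes and the attacker, not the server, shares the client's secret. The CPU cost the manual refers to is the rsa_verify call, one modular exponentiation with the server's public key per signed message, which is the operation a real implementation saves by setting SSL_VerifySignatures to FALSE.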

Limitations

Because the ZTP Network Security SSL Plug-In only supports a limited set of cryptographic operations, it can only verify (and generate) digital signatures that use these supported algorithms. A digital signature requires the use of a digest algorithm and a public key signature algorithm. This implementation supports two digest algorithms (MD5 and SHA1) and two signature algorithms (RSA and DSA). Therefore, the only digital signature algorithms that can be supported are:

MD5 with RSA encryption

SHA1 with RSA encryption

SHA1 with DSA

A certificate or key exchange message signed with any other combination (for example SHA-256 with RSA, which is now the usual default for CA-issued certificates) cannot be verified by this implementation, so the server certificates deployed with it must be issued with one of the three algorithms above. Note also that MD5 and SHA1 are no longer considered collision-resistant, and current browsers and certificate authorities reject certificates signed with them.
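A practitioner deploying this plug-in needs to know, before a handshake, whether a given certificate is signed with one of the three supported combinations. The following added example (not Zilog's code, and not part of this manual) reads the signatureAlgorithm OID from the outer layer of a DER certificate without a full X.509 parser and checks it against the three supported algorithms. The OID values are the registered ones from RFC 3279; the DER helpers, the function names and the sample certificates (an opaque placeholder tbsCertificate and an empty signature) are constructed for the example.

```python
# Signature algorithm OIDs from RFC 3279 (registered values, not assumptions).
SUPPORTED_SIG_ALGS = {
    "1.2.840.113549.1.1.4": "MD5 with RSA encryption",
    "1.2.840.113549.1.1.5": "SHA1 with RSA encryption",
    "1.2.840.10040.4.3": "SHA1 with DSA",
}

# --- Minimal DER helpers (tag, definite length, value) ------------------------

def der(tag, body):
    """Encode one DER TLV; long-form length when the body is 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_read(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits count length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    """OBJECT IDENTIFIER TLV from dotted form (first arc 0, 1 or 2)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    """Dotted form of an OBJECT IDENTIFIER body (base-128 arcs, high bit = more)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def certificate_signature_oid(cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    Walks only the outer layer and returns the signatureAlgorithm OID."""
    tag, body, _ = der_read(cert)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _, pos = der_read(body, 0)            # skip tbsCertificate
    tag, alg, _ = der_read(body, pos)        # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = der_read(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def can_verify(cert):
    """(supported?, algorithm name or raw OID) against the plug-in's three algorithms."""
    oid = certificate_signature_oid(cert)
    return oid in SUPPORTED_SIG_ALGS, SUPPORTED_SIG_ALGS.get(oid, oid)


def sample_certificate(sig_oid, tbs_pad=0):
    """Constructed stand-in, not a real certificate: an opaque tbsCertificate
    (padded on request to exercise long-form lengths), the requested
    AlgorithmIdentifier (NULL parameters for the RSA OIDs, absent for DSA as
    RFC 3279 requires) and an empty signature BIT STRING."""
    tbs = der(0x30, der(0x04, b"\x00" * tbs_pad) if tbs_pad else der(0x02, b"\x01"))
    params = der(0x05, b"") if sig_oid.startswith("1.2.840.113549") else b""
    alg = der(0x30, encode_oid(sig_oid) + params)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.10040.4.3", "1.2.840.113549.1.1.11"):
        print(oid, can_verify(sample_certificate(oid)))
```

Run against a real DER certificate (the bytes of a .der file, or a PEM body base64-decoded), can_verify answers the question the limitation above raises: a SHA-256 with RSA certificate (OID 1.2.840.113549.1.1.11) is reported as unsupported, and the plug-in would be unable to verify the server's chain.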

Note: