
UM020107-1211 SSL Configuration
ZTP Network Security SSL Plug-In
User Manual
23
Each of the xxxx_ClientInit APIs is a null function (it takes no arguments) that returns a value of type SSL_STATUS. The TLS1_ClientInit prototype is shown in the following code fragment; the SSL2_ClientInit and SSL3_ClientInit APIs have the same format.

SSL_STATUS TLS1_ClientInit( void );
Each server initialization function takes two parameters and returns a status code. To illustrate these parameters, the function prototype for the TLS1_ServerInit API is shown in the following code fragment. The same syntax also applies to the SSL2_ServerInit and SSL3_ServerInit functions.

SSL_STATUS
TLS1_ServerInit
(
    CERT_CHAIN * pCertChain,
    ASN1_ENC_DATA * pDheParams
);
The first of these parameters is a reference to the server's certificate chain, which is a list of X.509 certificates beginning with the server's certificate and followed by the certificate of each intermediate certificate authority that signed the previous certificate. The certificate chain ends with a self-signed root certificate issued by the certificate authority.
The second parameter is a pointer to the Diffie-Hellman parameters (the prime modulus, p, and the generator, g) that the server will use for Ephemeral Diffie-Hellman (EDH) cipher suites. SSL clients receive their Ephemeral Diffie-Hellman parameters from the server to which they are attempting to establish a connection. If support for Ephemeral Diffie-Hellman cipher suites is not required for either the TLS1 or SSL3 server, then this parameter is set to NULLPTR on the corresponding xxxx_ServerInit function call. SSL version 2 does not support Ephemeral Diffie-Hellman cipher suites; therefore this parameter must always be NULLPTR when calling the SSL2_ServerInit API.
It is permissible to use different certificate chains and Ephemeral Diffie-Hellman parameters on each of the handshake protocol initialization calls. In some cases, this usage is mandatory. For example, if the TLSv1 server has been issued a DSA certificate, that server will only be able to establish SSL sessions using EDH cipher suites. But if an SSLv2 server is also initialized, then that server must have an RSA certificate, because SSLv2 has no EDH cipher suites. Therefore, in this example, the SSLv2 and TLSv1 servers must use different certificate chains.
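The constraints above (no DHE parameters on SSLv2, RSA only on SSLv2, and a DSA certificate being unusable on SSLv3/TLSv1 without DHE parameters) are easy to get wrong when three servers are initialized from one configuration. The following pre-flight check is an added example written for this manual page, not part of the ZTP Network Security SSL Plug-In; the proto_t and key_type_t enums and the check functions are assumptions of the example, and it does not call the real xxxx_ServerInit APIs or use the library's CERT_CHAIN and ASN1_ENC_DATA types.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical enums for this example; the plug-in's own headers do not define them. */
typedef enum { PROTO_SSL2, PROTO_SSL3, PROTO_TLS1 } proto_t;
typedef enum { KEY_RSA, KEY_DSA } key_type_t;

/* One planned xxxx_ServerInit call: which protocol, the key type of the leaf
 * certificate in pCertChain, and whether pDheParams would be non-NULLPTR. */
typedef struct {
    proto_t    proto;
    key_type_t leaf_key;
    bool       has_dhe_params;
} server_init_plan_t;

/* Returns NULL when the combination is consistent with the manual's rules,
 * otherwise a short reason the corresponding xxxx_ServerInit call is wrong. */
const char *check_server_init(proto_t proto, key_type_t leaf_key, bool has_dhe_params)
{
    if (proto == PROTO_SSL2) {
        /* SSLv2 has no EDH cipher suites, so pDheParams must be NULLPTR ... */
        if (has_dhe_params)
            return "SSL2_ServerInit must be called with pDheParams set to NULLPTR";
        /* ... and without EDH a DSA certificate can never complete a handshake. */
        if (leaf_key != KEY_RSA)
            return "SSLv2 server requires an RSA certificate chain";
        return NULL;
    }
    /* SSLv3/TLSv1: a DSA server certificate can only negotiate EDH suites,
     * so it is unusable unless Diffie-Hellman parameters are supplied. */
    if (leaf_key == KEY_DSA && !has_dhe_params)
        return "DSA certificate requires Ephemeral Diffie-Hellman parameters";
    return NULL;
}

/* Checks a whole initialization plan; returns the index of the first entry
 * that fails, or -1 when every planned call is consistent. */
int first_invalid_plan_entry(const server_init_plan_t *plan, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (check_server_init(plan[i].proto, plan[i].leaf_key,
                              plan[i].has_dhe_params) != NULL)
            return (int)i;
    }
    return -1;
}
```

Run the check before the three initialization calls so that a misconfigured chain or parameter pointer is rejected at startup instead of surfacing as failed handshakes.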
The SSL demo project included with the ZTP Network Security SSL Plug-In contains a file, dh_params.c, containing the Ephemeral Diffie-Hellman parameters used on the calls to TLS1_ServerInit and SSL3_ServerInit. The certificate chain shared by these servers is contained in a file named Certificate.c.