Brocade Communications Systems 12.4.00a User Manual

ServerIron ADX Security Guide
135
53-1002440-03
Chapter 6
Secure Socket Layer (SSL) Acceleration
ServerIron ADX supports integrated hardware-based SSL acceleration. This chapter describes how 
to configure a ServerIron ADX for SSL acceleration in SSL Termination or SSL Proxy mode.
SSL support on the ServerIron ADX includes support for SSLv2, SSLv3, and TLS1.0.
SSL overview
The Secure Sockets Layer (SSL) protocol was developed by Netscape to provide security and 
privacy between client and server over the Internet. SSL supports server and client certificate 
verification, allowing protocols such as HTTP, FTP, and Telnet to be run on top of the verification 
process. SSL negotiates encryption keys and authenticates the server before data is exchanged by 
higher-level applications.
The SSL "handshake" is a key concept in this protocol. The handshake consists of two phases: 
server authentication, and an optional client certificate verification. In server authentication, the 
server sends its certificate and cipher preferences to a client that has made a request. The client 
then generates a master key, encrypts it with the public key of the server, and returns the 
encrypted master key to the server.
The server recovers the master key and authenticates itself to the client by returning a message 
encrypted with the master key. Subsequent data is encrypted and authenticated with keys derived 
from this master key. In the client certificate verification phase (which is optional), the server sends 
a challenge to the client, who authenticates itself to the server by returning a digital signature with 
its public-key certificate.
A variety of cryptographic algorithms are supported by SSL. During the "handshaking" process, the 
DSA public-key cryptosystem is used. After the exchange of keys, a number of ciphers are used that 
include RC4 and triple-DES for data encryption, and the SHA-1 and MD5 digest algorithms for 
message authentication.
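The following is an added illustration of the server-authentication phase described above; it is not part of the Brocade guide and does not reflect the ServerIron ADX implementation. It models the exchange with a bare public key standing in for the server certificate, textbook RSA with a toy 512-bit modulus and no padding (real SSL uses PKCS#1 padding and larger keys), and HMAC-SHA256 in place of the MD5/SHA-1-based key derivation. The point it makes is the one the text makes: the server authenticates itself only by recovering the master key, so a party that presents someone else's public key without the matching private key fails the client's check. All class and function names are this example's own.

```python
"""Simplified SSL key-transport handshake (added example, not the guide's code).
Assumptions: toy 512-bit textbook RSA, HMAC-SHA256 as the key-derivation and
"finished" MAC, no record encryption (stdlib has no cipher)."""
import hashlib
import hmac
import os
import random


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test (enough for a demo)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and odd
        if _is_probable_prime(cand):
            return cand


def generate_rsa_keypair(bits=512):
    """Returns ((n, e), (n, d)). Toy key size, chosen only for speed (assumption)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def derive_keys(master_key, client_random, server_random):
    """Separate per-direction keys derived from the master key (HMAC-SHA256 PRF, assumption)."""
    seed = client_random + server_random
    return {
        "client_write": hmac.new(master_key, b"client" + seed, hashlib.sha256).digest(),
        "server_write": hmac.new(master_key, b"server" + seed, hashlib.sha256).digest(),
    }


class Server:
    def __init__(self):
        self.public_key, self._private_key = generate_rsa_keypair()
        self.random = os.urandom(32)
        self.ciphers = ["RC4-SHA", "DES-CBC3-SHA"]  # cipher preferences, as in the text
        self.keys = None

    def hello(self):
        # Phase 1: server sends its "certificate" (bare public key here) and cipher preferences.
        return {"public_key": self.public_key, "random": self.random, "ciphers": self.ciphers}

    def receive_master_key(self, encrypted_master_key, client_random, transcript):
        # Only the holder of the private key recovers the client's master key.
        n, d = self._private_key
        recovered = pow(encrypted_master_key, d, n)
        master_key = recovered.to_bytes((n.bit_length() + 7) // 8, "big")[-48:]
        self.keys = derive_keys(master_key, client_random, self.random)
        # Proof of possession: a MAC over the handshake transcript under the derived key.
        return hmac.new(self.keys["server_write"], transcript, hashlib.sha256).digest()


class Client:
    def __init__(self):
        self.random = os.urandom(32)
        self.keys = None

    def handshake(self, server):
        """Runs the exchange; returns True only if the server proves it recovered the master key."""
        hello = server.hello()
        n, e = hello["public_key"]
        master_key = os.urandom(48)  # 384-bit secret, always smaller than the 512-bit modulus
        encrypted = pow(int.from_bytes(master_key, "big"), e, n)  # textbook RSA, no padding
        transcript = hashlib.sha256(
            self.random + hello["random"] + ",".join(hello["ciphers"]).encode()
        ).digest()
        self.keys = derive_keys(master_key, self.random, hello["random"])
        server_finished = server.receive_master_key(encrypted, self.random, transcript)
        expected = hmac.new(self.keys["server_write"], transcript, hashlib.sha256).digest()
        return hmac.compare_digest(server_finished, expected)


if __name__ == "__main__":
    genuine = Server()
    print("genuine server authenticated:", Client().handshake(genuine))
    impostor = Server()
    impostor.public_key = genuine.public_key  # claims genuine's identity, lacks its private key
    print("impostor authenticated:", Client().handshake(impostor))
```

The client's check is the whole of server authentication in this model: the transcript MAC only verifies if the server's derived keys match the client's, which requires the private key matching the presented public key. Record protection is left out; in a real stack the derived keys would also key the RC4 or triple-DES cipher and the SHA-1/MD5 record MAC the text mentions.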
Public Key Infrastructure (PKI)
In cryptography, a public key infrastructure (PKI) is an arrangement that provides for trusted third 
party vetting of, and vouching for, user identities. It also allows binding of public keys to users. This 
is usually carried out by software at a central location, together with other coordinated software at 
distributed locations. The public keys are typically in certificates.
The term PKI may mean both the certificate authority and related arrangements as well as, more 
broadly (which can sometimes be confusing), the use of public key algorithms in electronic 
communications. The latter meaning is erroneous since PKI methods are not required to use public 
key algorithms.