Sena STS Series User Manual page 54

Secure terminal server

symmetric algorithm is used to encrypt the bulk of the data transmitted across the SSL/TLS
connection. The hash algorithm protects the transmitted data against modification in
transit. The length of the keys used in both the symmetric and asymmetric algorithms must
also be specified.
When a client makes an SSL/TLS connection to a server, it sends a list of the cipher suites
that it is capable of and willing to use. The server compares this list with its own supported cipher
suites and chooses the first cipher suite proposed by the client that it is capable of and willing to
use. Both the client and server then use this cipher suite to secure the connection.
The choice of cipher suite(s) depends on the environment and the security requirements. The RSA-
based cipher suites are the most widely used and may also give some advantages in terms of
speed.
The STS Series supports various cipher suites; the user selects which ones are offered by
enabling or disabling each cipher suite individually.
Verify client (server mode only)
If the user sets the Verify client option to Yes, the STS Series requests the client's certificate during
the SSL handshake (Step 2). If the Verify client option is set to No, the STS Series does not request
the client's certificate during the SSL handshake (Step 2).
Verify certificate chain depth
A certificate chain is a sequence of certificates in which each certificate is signed by the
subsequent certificate. The purpose of a certificate chain is to establish a chain of trust from
the peer's own certificate to a trusted CA certificate. The CA vouches for the identity in the peer
certificate by signing it. If the CA is one that the user trusts (indicated by the presence of a copy of the
CA certificate in the user's root certificate directory), the user can trust the signed peer
certificate as well. In the STS Series, the user can limit the certificate chain depth so that the STS
Series does not search a certificate chain indefinitely for a trusted CA certificate.
Check the certificate CN
If the user sets the Check the certificate CN option to Yes, the STS Series checks whether the host
name matches the Common Name (CN) in the certificate; if they do not match, the STS
Series closes the connection to the remote host. If the Check the certificate CN option is set to
No, the STS Series does not check whether the host name matches the Common Name (CN) in the
certificate.
The STS Series checks the Common Name (CN) only when it acts as an SSL/TLS client.
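The three policies described above (cipher suite selection, chain depth limiting and the CN check) modelled as small functions, as an added example that is not part of the manual or the STS firmware. The certificates, cipher suite names and trusted-CA directory are constructed, and the depth convention (number of intermediate certificates allowed between the peer and a trusted CA) is this example's own.

```python
"""Toy model of the SSL/TLS policy checks on this manual page:
cipher suite negotiation, certificate chain depth and Common Name matching.
Added example with constructed data; it does not use STS Series code."""

# Constructed certificates: a self-signed root has subject == issuer.
ROOT = {"subject": "Example Root CA", "issuer": "Example Root CA"}
INTER = {"subject": "Example Intermediate CA", "issuer": "Example Root CA"}
PEER = {"subject": "sts.example.net", "issuer": "Example Intermediate CA"}

# Stand-in for the "root certificate directory" of trusted CA certificates.
TRUSTED_CA_DIR = {ROOT["subject"]}


def negotiate_cipher_suite(client_offer, server_enabled):
    """Server picks the first suite in the client's list that the server has
    enabled. Returns None when no suite is shared (the handshake fails)."""
    enabled = set(server_enabled)
    for suite in client_offer:
        if suite in enabled:
            return suite
    return None


def find_trusted_issuer(peer, chain, max_depth):
    """Walk from the peer certificate towards a trusted CA by following issuer
    links, giving up after max_depth intermediate certificates so that a bogus
    or looping chain cannot make the search run indefinitely.
    Returns the subject of the trusted CA reached, or None."""
    by_subject = {c["subject"]: c for c in chain}
    current = peer
    for _ in range(max_depth + 1):          # depth 0: peer signed directly by a trusted CA
        if current["issuer"] in TRUSTED_CA_DIR:
            return current["issuer"]
        if current["issuer"] == current["subject"]:
            return None                     # self-signed but not in the trusted directory
        current = by_subject.get(current["issuer"])
        if current is None:
            return None                     # issuer certificate was not supplied
    return None                             # configured chain depth exceeded


def cn_matches(hostname, cn):
    """'Check the certificate CN' as the manual describes it: the host name the
    client connected to must equal the certificate's CN (DNS names are
    case-insensitive)."""
    return hostname.lower() == cn.lower()
```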