The Secure Socket Layer Port (SSL)

Revised for CPX 4.7.0.

Terminology

Configuration of the Secure Socket Layer Port (SSL)
Statistics of the Secure Socket Layer Port (SSL)

The Secure Sockets Layer (SSL) protocol is a security protocol that provides privacy over the Internet.
It is designed to provide privacy between client/server applications.

SSL requires a reliable transport protocol (e.g.TCP) for data transmission and reception.
The advantage of the SSL Protocol is that it is application protocol independent. A "higher level" application protocol (e.g. HTTP, FTP, TELNET, etc.) can layer on top of the SSL protocol transparently.
The SSL Protocol can negotiate an encryption algorithm and session key as well as authenticate a server before the application protocol transmits or receives its first byte of data.
All of the application protocol data is transmitted encrypted, ensuring privacy.

The SSL protocol provides "channel security" which has three basic properties:

The channel is private. Encryption is used for all messages after a simple handshake is used to define a secret key.
The channel is authenticated. The server endpoint of the conversation is always authenticated, while the client endpoint is optionally authenticated.
The channel is reliable. The message transport includes a message integrity check (using a MAC).

Terminology

Application Protocol: An application protocol is a protocol that normally layers directly on top of TCP/IP. For example: HTTP, TELNET, FTP, and SMTP.
Authentication: Authentication is the ability of one entity to determine the identity of another entity. Identity is defined by this document to mean the binding between a public key and a name and the implicit ownership of the corresponding private key.
Bulk Cipher: This term is used to describe a cryptographic technique with certain performance properties. Bulk ciphers are used when large quantities of data are to be encrypted/decrypted in a timely manner. Examples include RC2, RC4, and IDEA.
Client: In this document client refers to the application entity that is initiates a connection to a server.
CLIENT-READ-KEY: The session key that the client uses to initialize the client read cipher. This key has the same value as the SERVER-WRITE-KEY.
CLIENT-WRITE-KEY: The session key that the client uses to initialize the client write cipher. This key has the same value as the SERVER-WRITE-KEY.
MASTER-KEY: The master key that the client and server use for all session keys generation. The CLIENT-READ-KEY, CLIENT-WRITE-KEY, SERVER-WRITE-KEY and SERVER-WRITE-KEY are generated from the MASTER-KEY.
MD2: MD2 is a hashing function that converts an arbitrarily long data stream into a digest of fixed size. This function predates MD5, which is viewed as a more robust hash function.
MD5: MD5 is a hashing function that converts an arbitrarily long data stream into a digest of fixed size. The function has certain properties that make it useful for security, the most important of which is it is inability to be reversed.
Nonce: A randomly generated value used to defeat "playback" attacks. One party randomly generates a nonce and sends it to the other party. The receiver encrypts it using the agreed upon secret key and returns it to the sender. Because the nonce was randomly generated by the sender this defeats playback attacks because the replayer can't know in advance the nonce the sender will generate. The receiver denies connections that do not have the correctly encrypted nonce.
Non-repudiable Information Exchange: When two entities exchange information it is sometimes valuable to have a record of the communication that is non-repudiable. Neither party can then deny that the information exchange occurred. Version 2 of the SSL protocol does not support Non-repudiable information exchange.
Public Key Encryption: Public key encryption is a technique that leverages asymmetric ciphers. A public key system consists of two keys: a public key and a private key. Messages encrypted with the public key can only be decrypted with the associated private key. Conversely, messages encrypted with the private key can only be decrypted with the public key. Public key encryption tends to be extremely compute intensive and so is not suitable as a bulk cipher.
Privacy: Privacy is the ability of two entities to communicate without fear of eavesdropping. Privacy is often implemented by encrypting the communications stream between the two entities.
RC2, RC4: Proprietary bulk ciphers invented by RSA. RC2 is block cipher and RC4 is a stream cipher.
Server: The server is the application entity that responds to requests for connections from clients. The server is passive, waiting for requests from clients.
Session cipher: A session cipher is a bulk cipher that is capable of encrypting or decrypting arbitrarily large amounts of data. Session ciphers are used primarily for performance reasons. The session ciphers used by this protocol are symmetric. Symmetric ciphers have the property of using a single key for encryption and decryption.
Session identifier: A session identifier is a random value generated by a client that identifies itself to a particular server. The session identifier can be thought of as a handle that both parties use to access a recorded secret key (in our case a session key). If both parties remember the session identifier then the implication is that the secret key is already known and need not be negotiated.
Session key: The key to the session cipher. In SSL there are four keys that are called session keys: CLIENT-READ-KEY, CLIENT-WRITE-KEY, SERVER-READ-KEY, and SERVER-WRITE-KEY.
SERVER-READ-KEY: The session key that the server uses to initialize the server read cipher. This key has the same value as the CLIENT-WRITE-KEY.
SERVER-WRITE-KEY: The session key that the server uses to initialize the server write cipher. This key has the same value as the CLIENT-READ-KEY.
Symmetric Cipher: A symmetric cipher has the property that the same key can be used for decryption and encryption. An asymmetric cipher does not have this behavior. Some examples of symmetric ciphers: IDEA, RC2, RC4.
SSL 2.0: Secure Sockets Layer (SSL) protocol version 2.0.
SSL 3.0: Secure Sockets Layer (SSL) protocol version 3.0.
TLS: Transport Layer Security (TLS) protocol.

Configuration of the Secure Socket Layer Port (SSL)

The Secure Socket Layer (SSL) ports is identified by the mnemonic "SSL" and it is provided with the parameters described in this section.

Here are examples on how to display the SSL port parameters. Displayed values are the defaults ones:

[11:47:16] ABILIS_CPX: D P PO:SSL

PO:917 - Not Saved (SAVE CONF), Not Refreshed (INIT) --------------------------
SSL    ------------------------------------------------------------------------
       LOG:NO        ACT:NO            max-cli:0           max-srv:4          
       mpxs:2048     SEND-TOUT:20      CACH-TOUT:300       AUTH-CLI:NO    
       PWDKEY-CLI:DFT                  PWDKEY-SRV:DFT             
       CERT-PATH:SYS (C:\1506\)

To activate changes made on the parameters displayed by low case characters, it is needed to restart the system; on the contrary for activating changes made on upper case parameters it is enough to execute the initialization command INIT PO:.
Changes made on LOG: parameter are immediately active.

The "Not Saved (SAVE CONF)" message is displayed every time the port configuration is modified but not saved with the SAVE CONF command.

The "Not Refreshed (INIT)" message is displayed every time the port configuration is modified but not refreshed with the INIT PO: command.

Detail of the SSL port parameters

LOG:	Events logging activation and generation of alarm signals
DS	NO, D, S, A, L, T, ALL, +E

Usually this parameter makes possible to activate/deactivate logging functionalities of meaningful events of the port as well as the detection and signalling of alarms in case of critical events.

The following table shows the available options and the related functionalities usable by the parameter:

Option	Meaning
D	Recording of the driver state changes and/or the meaningful events in Debug Log
S	Recording of the driver state changes and/or the meaningful events in the System Log
A	Periodic detection of possible alarms. The detected alarms can be displayed the command ALARM VIEW or by the analogous command available on the UTILITY of the LCD display on the front panel
L	On alarm detection, acoustic signal generation plus a message on the LCD display. This function depends on activation of alarms detection by the "A" option
T	Generation by the Agent SNMP of Abilis CPX of SNMP traps corresponding to any change of the driver state and/or occurring of meaningful events

Beside the already described options the following values are also allowed:

Option	Meaning
NO	It means that all the logging functionalities, alarms detection and generation, above mentioned, are disabled.
ALL	It means that all the logging functionalities, alarms detection and generation, above mentioned, are enabled.
+E	This option added to one or more of the previous ones, extends its (their) set of meaningful events. The value "ALL+E" activates all the options and extends the set of meaningful events. The value "NO+E" is meaningless so it is ignored.

Options can be combined together.

Some examples:

setting "LOG:DS+E", activates the extended logging functions for Events Log and System Log
setting "LOG:STA", activates the extended logging functions for System Log, SNMP traps generation and periodic detection of alarm states;

By using the characters "+" and "-" as prefix of one or more options is possible to add or delete one or more functionalities without setting from the scratch the value of the parameters.

Some examples:

Suppose the current value of the parameter is "LOG:DSTA", by setting "LOG:-A", the periodic detection of eventual alarm states is removed, leaving unchanged all the remaining options; in such way the final value of the parameter will be "LOG:DST";
Suppose the current value of the parameter is "LOG:ST", by setting "LOG:+DA", the logging function of the events on the Events Log and the periodic alarm detection are added to the already activated options; in such way the final value of the parameter will be "LOG:DSTA".

The changes made on this parameter are immediately activated, without the need of initialization commands.

ACT:	Runtime activation/deactivation of SSL
NO	NO, YES

This parameter allows to run-time activate/deactive SSL functionalities.

When it is set to "YES:", the port is configured, active, and the SSL driver performs its activities.

When it is set to "NO", the port is configured, active, but the SSL driver does not execute any action.

max-cli:	Number of SSL clients
0	0..100

This parameter sets the number of SSL clients.

max-srv:	Number of SSL servers
4	0..100

This parameter sets the number of SSL servers.

mxps:	Maximum length of SSL packet
2048	2048..4096 (bytes)

This parameter sets the maximum length of SSL packet (in bytes).

SEND-TOUT:	Send time-out for SSL handshake protocol
20	10..600 (sec.)

This parameter specifies sending inactivity time-out for SSL handshake protocol (in seconds). On time-out expiration, a SSL connection will be forced to close.

CACH-TOUT:	SSL Session cache time out
300	60..7200 (sec.)

This parameter specifies how long a used SSL session will be cached (in seconds).

AUTH-CLI:	Enable/disable authentication of SSL client
NO	NO, YES

This parameter enables/disables the authentication of SSL client.
When it is set to "YES", the SSL server authenticates SSL client by sending certificate message request.

PWDKEY-CLI:	Password for decoding encrypted private RSA key file of SSL client
DFT	from 4 up to 64 ASCII extended characters [32..255], DFT

This parameter sets the password for decoding encrypted private RSA key file of SSL client.

Accepted values are strings from 4 up to 64 ASCII extended characters in the range [33..255]. Spaces are allowed and strings holding spaces must be written between quotation marks (E.g.: "may key"). The case of the entered string is preserved.

The "DFT" value corresponds to select to decode default key files provided by Abilis.

PWDKEY-SRV:	Password for decoding encrypted private RSA key file of SSL server
DFT	from 4 up to 64 ASCII extended characters [32..255], DFT

This parameter sets the password for decoding encrypted private RSA key file of SSL server.

The "DFT" value corresponds to select to decode default key files provided by Abilis.

CERT-PATH:	Directory where SSL certificate and key files are stored
SYS	from 1 up to 128 ASCII extended characters [32..255], SYS

This parameter selects the directory where SSL certificate and key files are stored.

The "SYS" value corresponds to select the current system working directory.

Alternatively the user can enters the physical full path of another directory in DOS notation, i.e. starting with a drive letter in the range ['A'..'Z'] and ending with the '\' character. Accepted values are strings of up to 128 ASCII extended characters in the range [32..255]. Spaces are allowed and strings holding spaces must be written between quotation marks (E.g.: "C:\My dir\"). The case of the entered string is preserved.

Statistics of the Secure Socket Layer Port (SSL)

Example on how to show state and statistics of the SSL port through the command D S:

[11:10:58] ABILIS_CPX: D S PO:SSL

PO:917 ------------------------------------------------------------------------
SSL    STATE:INACTIVE         MAX-SRV:4               MAX-CLI:0   
       ------------------------------------------------------------------------
       -----------------------+---CHAN----+-CHAN-EST--+-CHAN-PEAK-+-SESS-CACH-|
       SERVER                 |0          |0          |0          |0          |
       CLIENT                 |0          |0          |0          |0          |
       ------------------------------------------------------------------------
       -----------------------+--HNDSHK---+-HNDSHK-OK-+----HIT----+--SESS-TO--|
       SERVER                 |0          |0          |0          |0          |
       CLIENT                 |0          |0          |0          |0          |
       ------------------------------------------------------------------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       CHR        |          0|          0|PCK        |          0|          0|
       LONG       |          0|          0|BAD        |          0|           |
       ------------------------------------------------------------------------
       - Channels -------------------------------------------------------------
       +---+----+-------------+-----------+-----------+-----------+-----------+
       |CH |MODE|    STATE    |  CHAR-IN  |  PCK-IN   | CHAR-OUT  |  PCK-OUT  |
       +---+----+-------------+-----------+-----------+-----------+-----------+
       |  1|SRV |INACT        |          0|          0|          0|          0|
       |  2|SRV |INACT        |          0|          0|          0|          0|
       |  3|SRV |INACT        |          0|          0|          0|          0|
       |  4|SRV |INACT        |          0|          0|          0|          0|
       +---+----+-------------+-----------*-----------+-----------+-----------+

Example on how to show extended statistics of the SSL port through the command D SE:

[11:11:13] ABILIS_CPX: D SE PO:SSL

PO:917 ------------------------------------------------------------------------
SSL    --- Cleared 000:01:17:37 ago, on 25/03/2004 at 09:54:16 ----------------
       +---+----+-------------+-----------+-----------+-----------+-----------+
       |CH |MODE|    STATE    |  CHAR-IN  |  PCK-IN   | CHAR-OUT  |  PCK-OUT  |
       +---+----+-------------+-----------+-----------+-----------+-----------+
       |  1|SRV |INACT        |          0|          0|          0|          0|
       |  2|SRV |INACT        |          0|          0|          0|          0|
       |  3|SRV |INACT        |          0|          0|          0|          0|
       |  4|SRV |INACT        |          0|          0|          0|          0|
       +---+----+-------------+-----------*-----------+-----------+-----------+

It also possible to inspect extended statistics of the single SSL channel, by executing the command "D SE PO:xxx CH:yyy", where "xxx" is the SSSL port number and the "yyy" is a value in the range [1..100] corresponding to the channel identifier.

[11:13:55] ABILIS_CPX: D SE PO:917 CH:3

PO:917 ------------------------------------------------------------------------
SSL    --- Cleared 000:01:21:03 ago, on 25/03/2004 at 09:54:15 ----------------
       +---+----+-------------+-----------+-----------+-----------+-----------+
       |CH |MODE|    STATE    |  CHAR-IN  |  PCK-IN   | CHAR-OUT  |  PCK-OUT  |
       +---+----+-------------+-----------+-----------+-----------+-----------+
       |  3|SRV |INACT        |          0|          0|          0|          0|
       +---+----+-------------+-----------*-----------+-----------+-----------+

The information "Cleared DDD:HH:MM:SS ago, at DD/MM/YYYY HH:MM:SS", referred by the extended statistics, shows the elapsed time from the last reset of the statistics (by the format "days:hours:minutes:seconds") and date/time of its execution (by the format "day/month/year" and "hours:minutes:seconds").

Details of the state fields and statistics of the SSL port

STATE:	Current state of the SSL port
	INACTIVE, ACTIVE, ERR

It shows the current state of the SSL port driver.

Driver	States	Description	Values shown in:
Driver	States	Description	System Log	Events Log	Display LCD
SSL	INACTIVE	SSL port is running, but the ACT: parameter is set to "NO".			dn
	ACTIVE	SSL port is fully ready to work.			RD
	ERR	Software error. Contact Abilis CPX assistance.			NA

MAX-SRV:	Maximum number of SSL server channels
	0 - 100

It shows how many SSL server channels can be served simultaneously, that is given by the number configured in the max-srv: parameter.

MAX-CLI:	Maximum number of SSL client channels
	0 - 100

It shows how many SSL client channels can be served simultaneously, that is given by the number configured in the max-cli: parameter.

CHAN	Number of SSL server/client channels which are connected
	0 - 4.294.967.295

It shows the number of SSL server/client channels which are currently connected, even not established.

CHAN-EST	Number of connected and established SSL server/client channels
	0 - 4.294.967.295

It shows the number of SSL server/client channels which are currently connected, AND established.

CHAN-PEAK	Maximum number of SSL server/client channels that went connected simultaneously
	0 - 4.294.967.295

It shows the peak value of SSL server/client channels that went connected at the same time, including those not established. This counter is currently the maximum value ever reached by CHAN counter.

SESS-CACH	Number of SSL server/client sessions currently cached
	0 - 4.294.967.295

It shows number of SSL server/client sessions currently cached after using.

HNDSHK	Total number of new SSL server/client connections
	0 - 4.294.967.295

The SERVER counter is incremented every time any SSL server channel receives first SSL handshake protocol packet from peer client.

The CLIENT counter is incremented every time any SSL client channel initiates SSL handshake protocol.

HNDSHK-OK	Total number of SSL successful server/client connections
	0 - 4.294.967.295

The SERVER counter is incremented every time any SSL server channel receives first SSL handshake protocol packet from peer client and SSL session is successfully established.

The CLIENT counter is incremented every time any SSL client channel initiates SSL handshake protocol and SSL session is successfully established.

HIT	Total number of reused SSL server/client sessions
	0 - 4.294.967.295

The SERVER counter is incremented every time any SSL server channel reuses SSL session from cache.

The CLIENT counter is incremented every time any SSL client channel reuses SSL session from cache.

SESS-TO	Total number of time-out expired cached server/client sessions
	0 - 4.294.967.295

The SERVER counter is incremented every time when time-out of cached server session is expired and session is removed from cache.

The CLIENT counter is incremented every time when time-out of cached client session is expired and session is removed from cache.

CHR	Total number of characters received/sent by all SSL channels from/to TCP
	0 - 4.294.967.295

The INPUT counter is incremented every time any SSL channel receives a packet from TCP.

The OUTPUT counter is incremented every time any SSL channel sends a packet to TCP.

PCK	Total Number of packets received/sent by all SSL channels from/to TCP
	0 - 4.294.967.295

The INPUT counter is incremented every time any SSL channel receives a packet from TCP.

The OUTPUT counter is incremented every time any SSL channel sends a packet to TCP.

LONG	Total number of incoming/outgoing SSL packets too long
	0 - 4.294.967.295

The INPUT counter is incremented every time any SSL channel receives a too long packet from TCP.

The OUPUT counter is incremented every time any SSL channel tries to send a too long packet to TCP.

BAD	Total number of incoming/outgoing SSL packets which have bad format
	0 - 4.294.967.295

The INPUT counter is incremented every time any SSL channel receives a packet with bad format.

Details of the state fields and statistics of the SSL channel

CH	SSL channel identifier
	0 - (max-cli: + max-srv:)

It represents the channel identifier. The maximum number of the available channels is given by the number of SSL Server processes (configuration parameter max-srv:) summed to the number of SSL Client ones (configuration parameter max-cli:).

MODE	SSL channel working mode
	SRV, CLI

It shows the type of the process active on the channel: the "SRV" abbreviation identifies the SSL Server process, while the "CLI" abbreviation identifies the SSL Client process.

STATE	SSL channel working state
	see table below

It shows the current state of the SSL channel.

States	Description
DOWN	SSL channel is in down state.
INACT	SSL channel is in inactive state. ACT parameter is set to "NO".
STOPPED	SSL channel is stopped. Only SERVER channels can be in this state. It means that SSL server X509 certificate and/or private RSA key file are bad, not loaded or private key is not corresponded public key from X509 certificate.
READY	SSL channel is ready to work.
CLOSING	SSL channel is in a closing state.
W-S-HELLO	SSL client channel is in a handshake protocol state. Channel awaits SERVER-HELLO message from SSL server.
W-S-VERIFY	SSL client channel is in a handshake protocol state. Channel awaits SERVER-VERIFY message from SSL server.
W-S-FINISHED	SSL client channel is in a handshake protocol state. Channel awaits SERVER-FINISHED or REQUEST-CERTIFICATE messages from SSL server.
W-C-HELLO	SSL server channel is in a handshake protocol state. Channel awaits CLIENT-HELLO message from SSL client.
W-C-M-KEY	SSL server channel is in a handshake protocol state. Channel awaits CLIENT-MASTER-KEY message from SSL client.
W-C-CERT	SSL server channel is in a handshake protocol state. Channel awaits CLIENT-CERTIFICATE message from SSL client.
W-C-FINISHED	SSL server channel is in a handshake protocol state. Channel awaits CLIENT-FINISHED message from SSL client.
ESTABLISHED	SSL connection is established.

CHAR-IN	Number of characters received by SSL channel from TCP, since the SSL connection was started
	0 - 4.294.967.295

The CHAR-IN counter is incremented every time a packet is received from TCP.

PCK-IN	Number of SSL packets received by SSL channel from TCP, since the SSL connection was started
	0 - 4.294.967.295

The PCK-IN counter is incremented every time a packet is received from TCP.

CHAR-OUT	Number of characters sent by SSL channel to TCP, since the SSL connection was started
	0 - 4.294.967.295

The CHAR-OUT counter is incremented every time a packet is sent to TCP.

PCK-OUT	Number of SSL packets sent by SSL channel to TCP, since the SSL connection was started
	0 - 4.294.967.295

The PCK-OUT counter is incremented every time a packet is sent to TCP.

Print this page