This section describes the configuration blocks of Encryption policies and objects used in Encryption policies. Encryption policies were designed to be flexible, and make encryption settings easy to reuse in different services.
An Encryption policy is an object that has a unique name, and references a fully-configured encryption scenario.
Encryption scenarios are actually Python classes that describe how encryption is used in a particular connection: for example, both the server-side and the client-side connections are encrypted, or the connection uses one-sided SSL, and so on. Encryption scenarios also reference other classes that contain the actual settings for the scenario. Depending on the scenario, the following classes can be set for the client side, the server side, or both.
Certificate generator: It creates or loads an X.509 certificate that Zorp shows to the peer. The certificate can be a simple certificate (Section 5.5.24, Class StaticCertificate in Zorp Professional 7 Reference Guide), a dynamically generated certificate (for example, used in a keybridging scenario, Section 5.5.12, Class DynamicCertificate in Zorp Professional 7 Reference Guide), or a list of certificates to support Server Name Indication (SNI, Section 5.5.18, Class SNIBasedCertificate in Zorp Professional 7 Reference Guide).
The related parameters are: client_certificate_generator, server_certificate_generator
Certificate verifier: The settings in this class determine if Zorp requests a certificate of the peer and the way to verify it. Zorp has separate built-in classes for the client-side and the server-side verification settings: Section 5.5.6, Class ClientCertificateVerifier in Zorp Professional 7 Reference Guide and Section 5.5.20, Class ServerCertificateVerifier in Zorp Professional 7 Reference Guide. For details and examples, see Section 3.2.5, Certificate verification options in Zorp Professional 7 Reference Guide.
The related parameters are: client_verify, server_verify
Protocol settings: The settings in this class determine the protocol-level settings of the SSL/TLS connection, for example, the permitted ciphers and protocol versions, session-reuse settings, and so on. Zorp has separate built-in classes for the client-side and the server-side SSL/TLS settings: Section 5.5.10, Class ClientSSLOptions in Zorp Professional 7 Reference Guide and Section 5.5.23, Class ServerSSLOptions in Zorp Professional 7 Reference Guide. For details and examples, see Section 3.2.6, Protocol-level TLS settings in Zorp Professional 7 Reference Guide.
The related parameters are: client_ssl_options, server_ssl_options
Zorp provides the following built-in encryption scenarios:
TwoSidedEncryption: Both the client-Zorp and the Zorp-server connections are encrypted. For details, see Section 5.5.25, Class TwoSidedEncryption in Zorp Professional 7 Reference Guide.
ClientOnlyEncryption: Only the client-Zorp connection is encrypted, the Zorp-server connection is not. For details, see Section 5.5.8, Class ClientOnlyEncryption in Zorp Professional 7 Reference Guide.
ServerOnlyEncryption: Only the Zorp-server connection is encrypted, the client-Zorp connection is not. For details, see Section 5.5.22, Class ServerOnlyEncryption in Zorp Professional 7 Reference Guide.
ForwardStartTLSEncryption: The client can optionally request STARTTLS encryption. For details, see Section 5.5.16, Class ForwardStartTLSEncryption in Zorp Professional 7 Reference Guide.
ClientOnlyStartTLSEncryption: The client can optionally request STARTTLS encryption, but the server-side connection is always unencrypted. For details, see Section 5.5.9, Class ClientOnlyStartTLSEncryption in Zorp Professional 7 Reference Guide.
FakeStartTLSEncryption: The client can optionally request STARTTLS encryption, but the server-side connection is always encrypted. For details, see Section 5.5.15, Class FakeStartTLSEncryption in Zorp Professional 7 Reference Guide.
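The following policy.py fragment is an added example, not code from the Reference Guide: it assembles one Encryption policy from the TwoSidedEncryption scenario, setting the certificate generator, verifier and protocol-settings classes described above on each side. The constructor arguments of StaticCertificate, Certificate.fromFile and PrivateKey.fromFile, the ClientNoneVerifier class and the certificate paths are assumptions to be checked against the referenced sections; the fragment only loads inside a Zorp installation.

```python
# Added example (not from the Reference Guide): one Encryption policy built on
# the TwoSidedEncryption scenario. Constructor arguments, ClientNoneVerifier and
# the file paths below are assumptions; verify them against Sections 5.5.x.
from Zorp.Core import *
from Zorp.Encryption import *

EncryptionPolicy(
    name="TwoSidedTLS",                       # unique name referenced by services
    encryption=TwoSidedEncryption(
        # Client side: Zorp terminates the client's TLS session, so it needs a
        # certificate to show to the client (certificate generator), a rule for
        # the client's certificate (verifier) and protocol-level settings.
        client_certificate_generator=StaticCertificate(
            certificate=Certificate.fromFile(
                certificate_file_path="/etc/key.d/example/cert.pem",  # assumed path
                private_key=PrivateKey.fromFile("/etc/key.d/example/key.pem"),
            )
        ),
        client_verify=ClientNoneVerifier(),      # do not request a client certificate
        client_ssl_options=ClientSSLOptions(),   # built-in protocol defaults
        # Server side: Zorp acts as the TLS client, so it verifies the server's
        # certificate. A server_certificate_generator is only needed when the
        # server itself demands a certificate from Zorp.
        server_verify=ServerCertificateVerifier(),
        server_ssl_options=ServerSSLOptions(),
    ),
)
```

A service then selects this policy by its name; the same policy can be reused by any number of services, which is the reuse the section describes.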
For examples on configuring Encryption policies, see How to configure SSL proxying in Zorp 7. For details on HTTPS-specific problems and the related solutions, see How to configure HTTPS proxying in Zorp 7.
Published on May 30, 2024
© BalaSys IT Ltd.
Send your comments to support@balasys.hu