This section describes the configuration blocks of Encryption policies and the objects used in them. Encryption policies were designed to be flexible and to make encryption settings easy to reuse across different services.
An Encryption policy is an object that has a unique name and references a fully-configured encryption scenario.
Encryption scenarios are Python classes that describe how encryption is used in a particular connection: for example, both the client-side and the server-side connections are encrypted, or only one side of the connection uses SSL/TLS, and so on. Encryption scenarios also reference other classes that contain the actual settings for the scenario. Depending on the scenario, the following classes can be set for the client side, the server side, or both.
- Certificate generator: Creates or loads the X.509 certificate that Zorp shows to the peer. The certificate can be a fixed certificate (Section 5.5.24, Class StaticCertificate), a dynamically generated certificate (for example, in a keybridging scenario, Section 5.5.12, Class DynamicCertificate), or a list of certificates to support Server Name Indication (SNI, Section 5.5.18, Class SNIBasedCertificate). The related parameters are client_certificate_generator and server_certificate_generator.
- Certificate verifier: Determines whether Zorp requests a certificate from the peer and how it verifies the certificate it receives. Zorp has separate built-in classes for the client-side and the server-side verification settings: Section 5.5.6, Class ClientCertificateVerifier and Section 5.5.20, Class ServerCertificateVerifier. For details and examples, see Section 3.2.5, Certificate verification options. The related parameters are client_verify and server_verify.
- Protocol settings: Determines the protocol-level settings of the SSL/TLS connection, for example, the permitted ciphers and protocol versions, session-reuse settings, and so on. Zorp has separate built-in classes for the client-side and the server-side SSL/TLS settings: Section 5.5.10, Class ClientSSLOptions and Section 5.5.23, Class ServerSSLOptions. For details and examples, see Section 3.2.6, Protocol-level TLS settings. The related parameters are client_ssl_options and server_ssl_options.
Zorp provides the following built-in encryption scenarios:
- TwoSidedEncryption: Both the client-Zorp and the Zorp-server connections are encrypted. For details, see Section 5.5.25, Class TwoSidedEncryption.
- ClientOnlyEncryption: Only the client-Zorp connection is encrypted; the Zorp-server connection is not. For details, see Section 5.5.8, Class ClientOnlyEncryption.
- ServerOnlyEncryption: Only the Zorp-server connection is encrypted; the client-Zorp connection is not. For details, see Section 5.5.22, Class ServerOnlyEncryption.
- The client can optionally request STARTTLS encryption. For details, see
- The client can optionally request STARTTLS encryption, but the server-side connection is always unencrypted. For details, see
- The client can optionally request STARTTLS encryption, but the server-side connection is always encrypted. For details, see
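The following policy.py fragment is an added example, not code from this page or from the Zorp project's own documentation. It composes the building blocks described above into two named Encryption policies (a TwoSidedEncryption for inspected HTTPS and a ClientOnlyEncryption for TLS offloading) and shows how services reference them by name. Only the class names and the six scenario parameters (client_/server_certificate_generator, client_/server_verify, client_/server_ssl_options) come from this page; the constructor keyword arguments, the SSL_* and TRUE/FALSE constants, the certificate loaders, the router classes and the file paths are assumptions about the Zorp 7 API and must be checked against the class reference sections cited above before use.

```python
# policy.py fragment (added example; keyword arguments, constants and paths are
# assumptions about the Zorp 7 API, not taken from the documentation page).
from Zorp.Core import *
from Zorp.Encryption import *
from Zorp.Http import HttpProxy

# Certificate generator for the client side: the fixed X.509 certificate and
# key that Zorp presents to connecting clients (assumed loader signatures).
proxy_cert = StaticCertificate(
    certificate=Certificate.fromFile(
        certificate_file_path="/etc/zorp/certs/proxy.crt",
        private_key=PrivateKey.fromFile(key_file_path="/etc/zorp/keys/proxy.key"),
    )
)

# Protocol settings reused on both sides: no SSLv2/SSLv3/TLS 1.0/TLS 1.1,
# strong ciphers only, compression off (CRIME-style leaks). The keyword names
# are assumed to exist on both ClientSSLOptions and ServerSSLOptions.
tls_hardening = dict(
    method=SSL_METHOD_ALL,
    disable_sslv2=TRUE,
    disable_sslv3=TRUE,
    disable_tlsv1=TRUE,
    disable_tlsv1_1=TRUE,
    cipher=SSL_CIPHERS_HIGH,
    disable_compression=TRUE,
)

# Scenario 1: both hops encrypted. Zorp terminates the client's TLS session
# and opens a new one towards the server, so the server-side verifier is the
# security-critical setting: without chain and subject checks the proxy
# would accept any certificate from the target and become a MITM point.
EncryptionPolicy(
    name="https_inspect",
    encryption=TwoSidedEncryption(
        client_certificate_generator=proxy_cert,
        # server_certificate_generator is omitted: Zorp presents no client
        # certificate to the servers it connects to in this example.
        client_verify=ClientCertificateVerifier(required=FALSE),
        server_verify=ServerCertificateVerifier(
            ca_directory="/etc/zorp/ca",      # issuer CAs Zorp trusts
            crl_directory="/etc/zorp/crl",    # revocation lists for those CAs
            trusted=TRUE,                     # untrusted chains are rejected
            check_subject=TRUE,               # certificate name must match the target
            verify_depth=4,
        ),
        client_ssl_options=ClientSSLOptions(
            cipher_server_preference=TRUE,    # Zorp's cipher order wins
            disable_renegotiation=TRUE,       # no client-initiated renegotiation
            **tls_hardening
        ),
        server_ssl_options=ServerSSLOptions(**tls_hardening),
    ),
)

# Scenario 2: TLS offloading to a plaintext backend. ClientOnlyEncryption has
# only the client-side parameters, so the same generator and protocol
# settings are reused without any server_* arguments.
EncryptionPolicy(
    name="https_offload",
    encryption=ClientOnlyEncryption(
        client_certificate_generator=proxy_cert,
        client_verify=ClientCertificateVerifier(required=FALSE),
        client_ssl_options=ClientSSLOptions(
            cipher_server_preference=TRUE,
            disable_renegotiation=TRUE,
            **tls_hardening
        ),
    ),
)


def default():
    # Instance function (assumed to match an instance named "default" in
    # instances.conf). Services reference the policies by name; one policy
    # can serve any number of services.
    Service(
        name="inspect_https",
        proxy_class=HttpProxy,
        router=TransparentRouter(),
        encryption_policy="https_inspect",
    )
    Service(
        name="offload_https",
        proxy_class=HttpProxy,
        router=DirectedRouter(dest_addr=SockAddrInet("10.0.0.10", 80)),
        encryption_policy="https_offload",
    )
    Rule(service="inspect_https", dst_port=443, dst_zone="internet")
    Rule(service="offload_https", dst_port=443, dst_zone="dmz")
```

The point of splitting the configuration this way is that the certificate generator and the protocol settings are defined once and bound into as many policies and services as needed, while the part that differs per use case (whether and how the server side is verified) stays local to each policy. When adapting this, verify every keyword argument against the ClientCertificateVerifier, ServerCertificateVerifier, ClientSSLOptions and ServerSSLOptions reference sections cited on this page, and test with a deliberately untrusted or mis-named server certificate that the https_inspect policy really refuses the connection.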
For examples of configuring Encryption policies, see How to configure SSL proxying in Zorp 7. For details on HTTPS-specific problems and their solutions, see How to configure HTTPS proxying in Zorp 7.
Published on May 30, 2024
© BalaSys IT Ltd.
Send your comments to support@balasys.hu