3.2.1.1. General behavior

The SSL framework starts its operation by inspecting the ssl.handshake_seq attribute, which selects the order of the two handshakes: when it is set to SSL_HSO_CLIENT_SERVER the client-side handshake is performed first, when it is set to SSL_HSO_SERVER_CLIENT the server-side handshake is performed first.

As part of the handshake process the proxy checks whether SSL is enabled on the given side (the ssl.client_connection_security and ssl.server_connection_security attributes). SSL does not have to be enabled on both sides: Zorp can handle one-sided SSL connections as well (for example, the firewall communicates over an unencrypted channel with the client but over an encrypted channel with the server). If SSL is not enabled on a side, the handshake is skipped for that side.

When SSL is needed on a side, the proxy cooperates with the policy layer to have all required parameters (keys, certificates, etc.) set up before that side's handshake is performed. This is achieved through decision points in the hash named ssl.handshake_hash, which is explained in detail later.

The SSL handshake differs slightly between the two sides: towards the client Zorp behaves as an SSL server, towards the server Zorp behaves as an SSL client.
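The following model ties the three points above together: the handshake order selected by ssl.handshake_seq, the per-side skip when SSL is disabled, and the consultation of the policy layer before each handshake. It is an added illustration and not Zorp's own code or policy API: the constant names mirror the attributes the text mentions, but the values, the SslSettings class, the SSL_NONE/SSL_FORCE_SSL names, the per-side policy_hooks callbacks (a stand-in for the decision points of ssl.handshake_hash) and the sample parameters are assumptions made for this model.

```python
"""Model of the Zorp SSL framework's handshake sequencing (added example, not Zorp code).

Constant and attribute names follow the text (ssl.handshake_seq,
ssl.client_connection_security, ssl.server_connection_security); their values,
the SslSettings class and the policy callback interface are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Handshake order: which side Zorp handshakes with first (values assumed).
SSL_HSO_CLIENT_SERVER = "client-server"  # client side first, then server side
SSL_HSO_SERVER_CLIENT = "server-client"  # server side first, then client side

# Per-side connection security (names assumed). For sequencing only
# "is SSL enabled on this side" matters, so the model tests against SSL_NONE.
SSL_NONE = "none"        # plaintext on this side
SSL_FORCE_SSL = "force"  # SSL required on this side

# The TLS role Zorp takes on each side, as stated in the text.
ROLE_BY_SIDE = {"client": "ssl-server", "server": "ssl-client"}


@dataclass
class SslSettings:
    handshake_seq: str = SSL_HSO_CLIENT_SERVER
    client_connection_security: str = SSL_NONE
    server_connection_security: str = SSL_NONE
    # Stand-in for the policy decision points (the page's ssl.handshake_hash):
    # one callable per side, returning the parameters that side's handshake needs.
    policy_hooks: Dict[str, Callable[[str], dict]] = field(default_factory=dict)


def handshake_plan(settings: SslSettings) -> List[Tuple[str, str]]:
    """Return [(side, zorp_role), ...] in the order the handshakes are performed.

    Sides with SSL disabled are skipped, so a one-sided configuration yields a
    single entry and a fully plaintext configuration yields an empty plan.
    """
    if settings.handshake_seq == SSL_HSO_CLIENT_SERVER:
        order = ["client", "server"]
    elif settings.handshake_seq == SSL_HSO_SERVER_CLIENT:
        order = ["server", "client"]
    else:
        raise ValueError(f"unknown handshake_seq: {settings.handshake_seq!r}")

    enabled = {
        "client": settings.client_connection_security != SSL_NONE,
        "server": settings.server_connection_security != SSL_NONE,
    }
    return [(side, ROLE_BY_SIDE[side]) for side in order if enabled[side]]


def run_handshakes(settings: SslSettings) -> List[dict]:
    """Walk the plan, consulting the side's policy hook before each handshake,
    and return a trace of which side was handled in which role with which parameters."""
    trace = []
    for side, role in handshake_plan(settings):
        hook = settings.policy_hooks.get(side)
        params = hook(side) if hook else {}
        if role == "ssl-server" and "keypair" not in params:
            # Acting as the SSL server towards the client requires our own
            # key and certificate; the policy layer must have supplied them.
            raise RuntimeError("policy did not provide a keypair for the client side")
        trace.append({"side": side, "zorp_role": role, "params": params})
    return trace


def demo_one_sided() -> List[dict]:
    """The text's example: plaintext towards the client, SSL towards the server.
    The hook's return value is constructed sample data."""
    settings = SslSettings(
        handshake_seq=SSL_HSO_CLIENT_SERVER,
        client_connection_security=SSL_NONE,
        server_connection_security=SSL_FORCE_SSL,
        policy_hooks={"server": lambda side: {"verify_peer": True}},
    )
    return run_handshakes(settings)


if __name__ == "__main__":
    for step in demo_one_sided():
        print(step)
```

The trace for the one-sided configuration contains a single server-side step with Zorp in the ssl-client role; enabling SSL on the client side without a hook that supplies a keypair makes the model fail before that handshake, which is the situation the policy-layer cooperation described above exists to prevent.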