WICED Studio Wi-Fi Combo

BeOl_4470266
New Contributor II

Hello,

In order to respect our cybersecurity requirements, I need to disable the support for TLS 1.0 and TLS 1.1, only keeping TLS 1.2.

I've noticed that this configuration is made from wiced_defaults.h

However, it comes with a comment:

/* Note: Please don't try to change TLS MINOR VERSION MIN & MAX values,
 * as a few wiced prebuilts are compiled using the values below; changing the values can cause issues
 * */
/* TLS major version is assumed to be 1 */
#define WICED_TLS_MINOR_VERSION_MIN           (0)   /* Refers to TLS version 1.0. Values for TLS Versions: 0 ==> TLS v1.0, 1 ==> TLS v1.1, 2 ==> TLS v1.2 */
#define WICED_TLS_MINOR_VERSION_MAX           (2)   /* Refers to TLS version 1.2. Values for TLS Versions: 0 ==> TLS v1.0, 1 ==> TLS v1.1, 2 ==> TLS v1.2 */


What would be the correct approach to disable TLS versions that are under 1.2?

Best regards,

Ben

0 Likes
8 Replies
GauravS_31
Moderator

Are you planning to use enterprise security (PEAP, EAP-TLS, EAP-TTLS) from WICED? The prebuilt BESL library contains functions related to enterprise security.

0 Likes
BeOl_4470266
New Contributor II

Hi,

Thanks for your answer. We are not using enterprise Wi-Fi security just now, but it is not excluded that we integrate it in the near future.

What would happen if we were to restrict TLS to 1.2 using those configuration headers?


0 Likes
GauravS_31
Moderator

The TLS version numbers are processed in wiced_tls.c as shown below:

#if (WICED_TLS_MINOR_VERSION_MIN == 0)
min_ver = MBEDTLS_SSL_MINOR_VERSION_1;
#elif (WICED_TLS_MINOR_VERSION_MIN == 1)
min_ver = MBEDTLS_SSL_MINOR_VERSION_2;
#elif (WICED_TLS_MINOR_VERSION_MIN == 2)
min_ver = MBEDTLS_SSL_MINOR_VERSION_3;
#endif
#if (WICED_TLS_MINOR_VERSION_MAX == 0)
max_ver = MBEDTLS_SSL_MINOR_VERSION_1;
#elif (WICED_TLS_MINOR_VERSION_MAX == 1)
max_ver = MBEDTLS_SSL_MINOR_VERSION_2;
#elif (WICED_TLS_MINOR_VERSION_MAX == 2)
max_ver = MBEDTLS_SSL_MINOR_VERSION_3;
#endif
opt_config.min_version = min_ver;
opt_config.max_version = max_ver;

And further in the code, you will find if-conditions that assign ciphersuite_info->min_minor_ver and ciphersuite_info->max_minor_ver.

The above algorithm is part of the function definition of wiced_generic_start_tls_with_ciphers(), and the TLS handshakes are processed in the mbedTLS library, which is available to all. So, for applications such as HTTPS, MQTT and others that directly use TLS, there is no dependence on the pre-built library, and for such scenarios there should be no problem in forcing TLS 1.2.

Regarding enterprise, let me check further and find out whether the prebuilt BESL library containing supplicant code processes the TLS version. The enterprise security calls wiced_supplicant_start_tls() which again calls wiced_generic_start_tls_with_ciphers() to process the TLS versions.

I think the comment mentioned in the initial description would have been true in the older versions of WICED <5.1 when the closed source BESL library was used for performing TLS handshakes.

0 Likes
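The version mapping quoted in the reply above, reproduced as a small stand-alone C program. This is an added example, not WICED or mbedTLS code: it mirrors the #if chain from wiced_generic_start_tls_with_ciphers() as a runtime function, builds the min/max window the way opt_config receives it, and reports which TLS versions a peer could still negotiate under the shipped pair (MIN 0 / MAX 2) versus the hardened pair (MIN 2 / MAX 2). The MBEDTLS_SSL_MINOR_VERSION_* constants are defined locally with the numeric values mbedtls/ssl.h uses (1, 2, 3 for TLS 1.0, 1.1, 1.2) so the file builds without the WICED tree; tls_version_window_t, build_version_window(), window_accepts() and window_allows_legacy_tls() are hypothetical names chosen for this example, not WICED APIs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Local copies of the mbedTLS minor-version constants, with the numeric values
 * mbedtls/ssl.h uses (1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2), so this file
 * builds without the WICED tree or mbedTLS installed. */
#define MBEDTLS_SSL_MINOR_VERSION_1 1
#define MBEDTLS_SSL_MINOR_VERSION_2 2
#define MBEDTLS_SSL_MINOR_VERSION_3 3

/* Stand-ins for the two wiced_defaults.h values. WICED ships MIN 0 / MAX 2;
 * the hardened setting this thread is after is MIN 2 / MAX 2 (TLS 1.2 only). */
#define WICED_TLS_MINOR_VERSION_MIN (2)
#define WICED_TLS_MINOR_VERSION_MAX (2)

/* Hypothetical struct mirroring the two opt_config fields wiced_tls.c writes. */
typedef struct {
    int min_version;
    int max_version;
} tls_version_window_t;

/* Runtime equivalent of the #if chain in wiced_generic_start_tls_with_ciphers():
 * WICED minor 0/1/2 maps to mbedTLS minor 1/2/3. Any other value is unmapped
 * (the real #if chain would leave min_ver/max_ver unassigned), so return -1. */
int wiced_minor_to_mbedtls(int wiced_minor)
{
    switch (wiced_minor) {
    case 0:  return MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */
    case 1:  return MBEDTLS_SSL_MINOR_VERSION_2; /* TLS 1.1 */
    case 2:  return MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
    default: return -1;
    }
}

/* Build the version window. Returns false for an unmapped value or min > max,
 * either of which would otherwise leave TLS silently misconfigured. */
bool build_version_window(int wiced_min, int wiced_max, tls_version_window_t *out)
{
    int lo = wiced_minor_to_mbedtls(wiced_min);
    int hi = wiced_minor_to_mbedtls(wiced_max);
    if (lo < 0 || hi < 0 || lo > hi) {
        return false;
    }
    out->min_version = lo;
    out->max_version = hi;
    return true;
}

/* Would a peer proposing this mbedTLS minor version fall inside the window? */
bool version_accepted(const tls_version_window_t *w, int mbedtls_minor)
{
    return mbedtls_minor >= w->min_version && mbedtls_minor <= w->max_version;
}

/* One-call audit helper: does a WICED MIN/MAX pair admit the given mbedTLS
 * minor version? An invalid pair admits nothing. */
bool window_accepts(int wiced_min, int wiced_max, int mbedtls_minor)
{
    tls_version_window_t w;
    if (!build_version_window(wiced_min, wiced_max, &w)) {
        return false;
    }
    return version_accepted(&w, mbedtls_minor);
}

/* Does the pair still admit TLS 1.0 or TLS 1.1? The requirement in the
 * question is that this returns false. */
bool window_allows_legacy_tls(int wiced_min, int wiced_max)
{
    return window_accepts(wiced_min, wiced_max, MBEDTLS_SSL_MINOR_VERSION_1)
        || window_accepts(wiced_min, wiced_max, MBEDTLS_SSL_MINOR_VERSION_2);
}

static const char *tls_name(int mbedtls_minor)
{
    switch (mbedtls_minor) {
    case MBEDTLS_SSL_MINOR_VERSION_1: return "TLS 1.0";
    case MBEDTLS_SSL_MINOR_VERSION_2: return "TLS 1.1";
    case MBEDTLS_SSL_MINOR_VERSION_3: return "TLS 1.2";
    default:                          return "unknown";
    }
}

int main(void)
{
    /* Shipped pair first, then the pair defined above. */
    const int pairs[2][2] = { {0, 2}, {WICED_TLS_MINOR_VERSION_MIN, WICED_TLS_MINOR_VERSION_MAX} };
    for (int p = 0; p < 2; p++) {
        printf("WICED_TLS_MINOR_VERSION_MIN=%d MAX=%d\n", pairs[p][0], pairs[p][1]);
        for (int v = MBEDTLS_SSL_MINOR_VERSION_1; v <= MBEDTLS_SSL_MINOR_VERSION_3; v++) {
            printf("  %s: %s\n", tls_name(v),
                   window_accepts(pairs[p][0], pairs[p][1], v) ? "accepted" : "rejected");
        }
        printf("  legacy TLS still allowed: %s\n",
               window_allows_legacy_tls(pairs[p][0], pairs[p][1]) ? "yes" : "no");
    }
    return 0;
}
```

The point of build_version_window() rejecting an unmapped value is the same gap the real #if chain has: a MIN or MAX outside 0..2 matches none of the branches, so min_ver/max_ver are never assigned. Any build that changes these defines should check the pair is valid rather than rely on the compiler to complain.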
BeOl_4470266
New Contributor II

Hi,

Many thanks for your answer.

Indeed, at the moment we only use TLS for MQTT (and soon HTTPS too) and this is where we want to restrict it to 1.2.

I'll await the confirmation regarding pre-built libraries in case the restriction might introduce any issue for us.

Thanks,

Ben

0 Likes
AxLi_1746341
Honored Contributor

@GauravS_31 wrote:

I think the comment mentioned in the initial description would have been true in the older versions of WICED <5.1 when the closed source BESL library was used for performing TLS handshakes.


Are you sure? Older versions of WICED <5.1 do not have the above defines in wiced_defaults.h.
WICED_TLS_MINOR_VERSION_MIN/WICED_TLS_MINOR_VERSION_MAX are clearly for mbedTLS in WICED.

0 Likes
BeOl_4470266
New Contributor II

@GauravS_31


@GauravS_31 wrote:

Regarding enterprise, let me check further and find out whether the prebuilt BESL library containing supplicant code processes the TLS version. The enterprise security calls wiced_supplicant_start_tls() which again calls wiced_generic_start_tls_with_ciphers() to process the TLS versions.


Hi, can you share the result of the check you did?

Thanks for your support,

Best regards,

Ben

0 Likes
GauravS_31
Moderator

I checked the closed source BESL supplicant library and I did see that the TLS min and max versions are used. Since the library is statically compiled, it would mean that the TLS versions used in the library would retain the default values. In other words, if you are planning to use enterprise security with TLS min and max values changed, this would require a new statically compiled BESL library file.

@AxLi_1746341 My bad, the versions are used for mbedTLS.

0 Likes
AxLi_1746341
Honored Contributor

@GauravS_31 wrote:

I checked the closed source BESL supplicant library and I did see that the TLS min and max versions are used. Since the library is statically compiled, it would mean that the TLS versions used in the library would retain the default values. In other words, if you are planning to use enterprise security with TLS min and max values changed, this would require a new statically compiled BESL library file.


The TLS min/max values should be configurable.
You need to decouple the static library from the TLS min/max configs.

0 Likes