3 Replies Latest reply on Feb 2, 2020 11:49 PM by KoSa_1909416

    How can I specify Cipher Suites ?

    KoSa_1909416

      Hi All,

       

      I want to specify the Cipher Suite supported by WICED.

       

      [Background]
      In order to analyze the TLS packet contents with WireShark, I hope to specify cipher suites.
      With the default settings of WICED,
      the server returns TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, because 21 types of Cipher Suite are transmitted.
      So I cannot decode the packet with WireShark.


      I want to use Cipher Suite with TLS_RSA_WITH_AES_128_CBC_SHA.
      In this case, I will able to decrypt with WireShark.

       

      [Question]
      How can WICED support Cipher Suite be TLS_RSA_WITH_AES_128_CBC_SHA  only ?

       

      *********************************************************************

      *********************************************************************


      As an example, I tried to make the following changes:
      However,the server still returns TLS_DHE_RSA_WITH_AES_256_CBC_SHA256.
      I can not decrypt the packet.

       

      [Changes is as follows]
      1.Changed definition "mbedtls_cipher_type_t" to NONE and MBEDTLS_CIPHER_AES_128_CBC .
      WICED\security\BESL\mbedtls_open\include\mbedtls\cipher.h

       

      2.TLS define value is only the following
      #define TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
      WICED\security\BESL\mbedtls_open\include\mbedtls\compat-1.3.h

       

      3.Modified the source for error measures at the time of building.
      WICED\security\BESL\mbedtls_open\library\cipher_wrap.c
      WICED\security\BESL\mbedtls_open\library\ssl_ciphersuites.c
      :

      4.The part related to RSA was left.
      mbedtls_ssl_sig_hash_set_find
      mbedtls_ssl_sig_hash_set_add
      mbedtls_ssl_sig_hash_set_const_hash
      WICED\security\BESL\mbedtls_open\library\ssl_tls.c

       

      Best Regards,
             Sakagami

        • 1. Re: How can I specify Cipher Suites ?
          KoSa_1909416

          Hi All,
          I tried to make the following changes.


          The server returned "TLS_RSA_WITH_AES_128_CBC_SHA" which I wanted.


          Is this modification the right method ?

           

          1.Changed definition "MBEDTLS_SSL_CIPHERSUITES" to MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA .

                  43xxx_Wi-Fi\WICED\security\BESL\mbedtls_open\include\mbedtls\config.h

           

           

          Best Regards,
                 Sakagami

          • 2. Re: How can I specify Cipher Suites ?
            GauravS_31

            When the TLS client sends a client hello to the server, it basically presents the cipher suites listed in MBEDTLS_SSL_CIPHERSUITES. The server would select a cipher suite which contains the strongest security but is also compatible with the server. By modifying it to include only MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, this will force the server to select this cipher suite after server hello. This modification is fine if you only want to test a particular cipher suite. We will not recommend this approach for production as this is not scalable.

            2 of 2 people found this helpful
            • 3. Re: How can I specify Cipher Suites ?
              KoSa_1909416

              Dear Gaurav san,

                  Thank you for your advice.

               

              >This modification is fine if you only want to test a particular cipher suite.

              >We will not recommend this approach for production as this is not scalable.

               

              I understand it.

               

              Best Regards,

                     Sakagami