Hi All,
I want to specify the Cipher Suite supported by WICED.
[Background]
In order to analyze the TLS packet contents with WireShark, I hope to specify cipher suites.
With the default settings of WICED,
the server returns TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, because 21 types of Cipher Suite are transmitted.
So I cannot decode the packet with WireShark.
I want to use Cipher Suite with TLS_RSA_WITH_AES_128_CBC_SHA.
In this case, I will be able to decrypt with WireShark.
[Question]
How can I make WICED support only the Cipher Suite TLS_RSA_WITH_AES_128_CBC_SHA?
*********************************************************************
*********************************************************************
As an example, I tried to make the following changes:
However, the server still returns TLS_DHE_RSA_WITH_AES_256_CBC_SHA256.
I cannot decrypt the packet.
[Changes are as follows]
1. Changed definition "mbedtls_cipher_type_t" to NONE and MBEDTLS_CIPHER_AES_128_CBC.
WICED\security\BESL\mbedtls_open\include\mbedtls\cipher.h
2. The only TLS define value is the following:
#define TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
WICED\security\BESL\mbedtls_open\include\mbedtls\compat-1.3.h
3. Modified the source for error measures at the time of building.
WICED\security\BESL\mbedtls_open\library\cipher_wrap.c
WICED\security\BESL\mbedtls_open\library\ssl_ciphersuites.c
:
4. The part related to RSA was left.
mbedtls_ssl_sig_hash_set_find
mbedtls_ssl_sig_hash_set_add
mbedtls_ssl_sig_hash_set_const_hash
WICED\security\BESL\mbedtls_open\library\ssl_tls.c
Best Regards,
Sakagami
Hi All,
I tried to make the following changes.
The server returned "TLS_RSA_WITH_AES_128_CBC_SHA" which I wanted.
Is this modification the right method?
1. Changed definition "MBEDTLS_SSL_CIPHERSUITES" to MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA.
43xxx_Wi-Fi\WICED\security\BESL\mbedtls_open\include\mbedtls\config.h
Best Regards,
Sakagami
When the TLS client sends a client hello to the server, it basically presents the cipher suites listed in MBEDTLS_SSL_CIPHERSUITES. The server would select a cipher suite which contains the strongest security but is also compatible with the server. By modifying it to include only MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, this will force the server to select this cipher suite after server hello. This modification is fine if you only want to test a particular cipher suite. We will not recommend this approach for production as this is not scalable.
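A check one could run on a captured ClientHello to confirm that a restricted build offers only static-RSA suites, the key exchange Wireshark can decrypt with the server's RSA private key (added example, not part of the original posts or of WICED/mbedTLS; written in Python for offline capture analysis). The sample record is constructed, and the parser assumes the ClientHello fits in a single TLS record.

```python
import struct

# IANA code points: the two suites named in the thread, plus the
# renegotiation SCSV marker that many clients append (not a real suite).
SCSV = 0x00FF
SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    SCSV: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

def offered_suites(record: bytes) -> list:
    """Return the cipher-suite code points in a single-record ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack_from("!H", record, 3)
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    pos = 4 + 2 + 32                      # handshake header, version, random
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                  # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("bad cipher_suites length")
    return list(struct.unpack_from("!%dH" % (n // 2), body, pos))

def static_rsa_only(suites) -> bool:
    """True if every real suite is a known static-RSA one (unknown = False)."""
    real = [s for s in suites if s != SCSV]
    return bool(real) and all(
        SUITE_NAMES.get(s, "").startswith("TLS_RSA_WITH_") for s in real)

def build_client_hello(suites) -> bytes:
    """Constructed sample input: minimal TLS 1.2 ClientHello, no extensions."""
    hello = b"\x03\x03" + bytes(32) + b"\x00"          # version, random, sid
    hello += struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites)
    hello += b"\x01\x00"                               # null compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for suites in ([0x006B, 0x002F, SCSV], [0x002F]):
        offered = offered_suites(build_client_hello(suites))
        print([SUITE_NAMES.get(s, hex(s)) for s in offered], static_rsa_only(offered))
```

The same check, run against a production build's ClientHello, flags a firmware image that still ships with the test-only restriction.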
Dear Gaurav san,
Thank you for your advice.
>This modification is fine if you only want to test a particular cipher suite.
>We will not recommend this approach for production as this is not scalable.
I understand it.
Best Regards,
Sakagami