How can I specify Cipher Suites ?

Tip / Sign in to post questions, reply, level up, and achieve exciting badges. Know more

cross mob
KoSa_1909416
Level 5
Level 5
Distributor - Marubun (Japan)
250 sign-ins 25 replies posted First solution authored

Hi All,

I want to specify the Cipher Suite supported by WICED.

[Background]
In order to analyze the TLS packet contents with WireShark, I hope to specify cipher suites.
With the default settings of WICED,
the server returns TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, because 21 types of Cipher Suite are transmitted.
So I cannot decode the packet with WireShark.


I want to use Cipher Suite with TLS_RSA_WITH_AES_128_CBC_SHA.
In this case, I will able to decrypt with WireShark.

[Question]
How can WICED support Cipher Suite be TLS_RSA_WITH_AES_128_CBC_SHA  only ?

*********************************************************************

*********************************************************************


As an example, I tried to make the following changes:
However,the server still returns TLS_DHE_RSA_WITH_AES_256_CBC_SHA256.
I can not decrypt the packet.

[Changes is as follows]
1.Changed definition "mbedtls_cipher_type_t" to NONE and MBEDTLS_CIPHER_AES_128_CBC .
WICED\security\BESL\mbedtls_open\include\mbedtls\cipher.h

2.TLS define value is only the following
#define TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
WICED\security\BESL\mbedtls_open\include\mbedtls\compat-1.3.h

3.Modified the source for error measures at the time of building.
WICED\security\BESL\mbedtls_open\library\cipher_wrap.c
WICED\security\BESL\mbedtls_open\library\ssl_ciphersuites.c
:

4.The part related to RSA was left.
mbedtls_ssl_sig_hash_set_find
mbedtls_ssl_sig_hash_set_add
mbedtls_ssl_sig_hash_set_const_hash
WICED\security\BESL\mbedtls_open\library\ssl_tls.c

Best Regards,
       Sakagami

0 Likes
1 Solution

When the TLS client sends a client hello to the server, it basically presents the cipher suites listed in MBEDTLS_SSL_CIPHERSUITES. The server would select a cipher suite which contains the strongest security but is also compatible with the server. By modifying it to include only MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, this will force the server to select this cipher suite after server hello. This modification is fine if you only want to test a particular cipher suite. We will not recommend this approach for production as this is not scalable.

View solution in original post

3 Replies
KoSa_1909416
Level 5
Level 5
Distributor - Marubun (Japan)
250 sign-ins 25 replies posted First solution authored

Hi All,
I tried to make the following changes.


The server returned "TLS_RSA_WITH_AES_128_CBC_SHA" which I wanted.


Is this modification the right method ?

1.Changed definition "MBEDTLS_SSL_CIPHERSUITES" to MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA .

        43xxx_Wi-Fi\WICED\security\BESL\mbedtls_open\include\mbedtls\config.h

Best Regards,
       Sakagami

0 Likes

When the TLS client sends a client hello to the server, it basically presents the cipher suites listed in MBEDTLS_SSL_CIPHERSUITES. The server would select a cipher suite which contains the strongest security but is also compatible with the server. By modifying it to include only MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, this will force the server to select this cipher suite after server hello. This modification is fine if you only want to test a particular cipher suite. We will not recommend this approach for production as this is not scalable.

KoSa_1909416
Level 5
Level 5
Distributor - Marubun (Japan)
250 sign-ins 25 replies posted First solution authored

Dear Gaurav san,

    Thank you for your advice.

>This modification is fine if you only want to test a particular cipher suite.

>We will not recommend this approach for production as this is not scalable.

I understand it.

Best Regards,

       Sakagami

0 Likes