Tip / Sign in to post questions, reply, level up, and achieve exciting badges. Know more

Wi-Fi Combo Forum Discussions

BeOl_4470266
Level 3
25 replies posted 10 replies posted 10 sign-ins
Level 3

Hello,

In order to respect our cybersecurity requirements, I need to disable the support for TLS 1.0 and TLS 1.1, only keeping TLS 1.2.

I've noticed that this configuration is made from wiced_default.h

However it comes with a comment 

 

/* Note: Please don't try to change TLS MINOR VERSION MIN & MAX values,
 * as few  wiced prebuilts are compiled using below values changing the values can cause issues
 * */
/* TLS major version is assumed to be 1 */
#define WICED_TLS_MINOR_VERSION_MIN           (0)   /* Refers to TLS version 1.2. Values for TLS Versions: 0 ==> TLS v1.0, 1 ==> TLS v1.1, 2 ==> TLS v1.2 */
#define WICED_TLS_MINOR_VERSION_MAX           (2)   /* Refers to TLS version 1.2. Values for TLS Versions: 0 ==> TLS v1.0, 1 ==> TLS v1.1, 2 ==> TLS v1.2 */

 

What would be the correct approach to disable TLS versions that are under 1.2?

Best regards,

Ben

0 Likes
1 Solution
GauravS_31
Moderator
Moderator 250 sign-ins First comment on KBA 5 questions asked
Moderator

I checked the closed source BESL supplicant library and i did see that the TLS min and max version was used. Since the library is statically compiled, it would mean that the TLS versions used in the library would retain the default values. In other words, if you are planning to use enterprise security with TLS min and max values changed, this would require a new statically compiled BESL library file.

@AxLi_1746341 My bad, the versions are used for mbedTLS

View solution in original post

0 Likes
12 Replies
GauravS_31
Moderator
Moderator 250 sign-ins First comment on KBA 5 questions asked
Moderator

Are you planning to use enterprise security (PEAP, EAP-TLS, EAP-TTLS) from WICED? The prebuilt BESL library contains functions related to enterprise security.

0 Likes
BeOl_4470266
Level 3
25 replies posted 10 replies posted 10 sign-ins
Level 3

Hi,

Thanks for your answer.  We are not using enterprise wifi security just now but it is not excluded that we integrate it in the near future.

What would happen if we were to restrict TLS to 1.2 using those configuration headers?

 

0 Likes
GauravS_31
Moderator
Moderator 250 sign-ins First comment on KBA 5 questions asked
Moderator

The TLS version numbers are processed in wiced_tls.c as shown below:

#if (WICED_TLS_MINOR_VERSION_MIN == 0)
min_ver = MBEDTLS_SSL_MINOR_VERSION_1;
#elif (WICED_TLS_MINOR_VERSION_MIN == 1)
min_ver = MBEDTLS_SSL_MINOR_VERSION_2;
#elif (WICED_TLS_MINOR_VERSION_MIN == 2)
min_ver = MBEDTLS_SSL_MINOR_VERSION_3;
#endif
#if (WICED_TLS_MINOR_VERSION_MAX == 0)
max_ver = MBEDTLS_SSL_MINOR_VERSION_1;
#elif (WICED_TLS_MINOR_VERSION_MAX == 1)
max_ver = MBEDTLS_SSL_MINOR_VERSION_2;
#elif (WICED_TLS_MINOR_VERSION_MAX == 2)
max_ver = MBEDTLS_SSL_MINOR_VERSION_3;
#endif
opt_config.min_version = min_ver;
opt_config.max_version = max_ver;

And further in the code, you will find if conditions to assign ciphersuite_info->min_minor_ver and ciphersuite_info->max_minor_ver.

The above alogrithm is part of the function definition of wiced_generic_start_tls_with_ciphers(). And the TLS handshakes are processed in the mbedtls library which is available to all. So, for applications such as HTTPS, MQTT and other such applications that directly use TLS, there is no dependence of pre-built library. So, for such scenarios, there should be no problem in forcing TLS 1.2.

Regarding enterprise, let me check further and find out whether the prebuilt BESL library containing supplicant code processes the TLS version. The enterprise security calls wiced_supplicant_start_tls() which again calls wiced_generic_start_tls_with_ciphers() to process the TLS versions.

I think the comment mentioned in the initial description would have been true in the older versions of WICED <5.1 when the closed source BESL library was used for performing TLS handshakes.

0 Likes
BeOl_4470266
Level 3
25 replies posted 10 replies posted 10 sign-ins
Level 3

Hi,

Many thanks for your answer.

Indeed, at the moment we only use TLS for MQTT (and soon HTTPS too) and this is where we want to restrict it to 1.2.

I'll await for the confirmation regarding pre-built libraries in case the restriction might introduce any issue for us.

Thanks,

Ben

0 Likes
AxLi_1746341
Level 7
10 comments on KBA 5 comments on KBA First comment on KBA
Level 7

@GauravS_31 wrote:

I think the comment mentioned in the initial description would have been true in the older versions of WICED <5.1 when the closed source BESL library was used for performing TLS handshakes.


Are you sure? Older versions of WICED <5.1 do not have above defines in wiced_defaults.h.
The WICED_TLS_MINOR_VERSION_MIN/WICED_TLS_MINOR_VERSION_MAX is clearly for mbedtls in wiced.

0 Likes
BeOl_4470266
Level 3
25 replies posted 10 replies posted 10 sign-ins
Level 3

@GauravS_31 


@GauravS_31 wrote:

Regarding enterprise, let me check further and find out whether the prebuilt BESL library containing supplicant code processes the TLS version. The enterprise security calls wiced_supplicant_start_tls() which again calls wiced_generic_start_tls_with_ciphers() to process the TLS versions.


Hi, can you share the result of the check you did?

Thanks for your support,

Best regards,

Ben

0 Likes
GauravS_31
Moderator
Moderator 250 sign-ins First comment on KBA 5 questions asked
Moderator

I checked the closed source BESL supplicant library and i did see that the TLS min and max version was used. Since the library is statically compiled, it would mean that the TLS versions used in the library would retain the default values. In other words, if you are planning to use enterprise security with TLS min and max values changed, this would require a new statically compiled BESL library file.

@AxLi_1746341 My bad, the versions are used for mbedTLS

0 Likes
AxLi_1746341
Level 7
10 comments on KBA 5 comments on KBA First comment on KBA
Level 7

@GauravS_31 wrote:

I checked the closed source BESL supplicant library and i did see that the TLS min and max version was used. Since the library is statically compiled, it would mean that the TLS versions used in the library would retain the default values. In other words, if you are planning to use enterprise security with TLS min and max values changed, this would require a new statically compiled BESL library file.


The TLS min /max values should be configurable.
You need to decouple the static library with the TLS min/max configs.

jusadams
Level 1
10 sign-ins 5 replies posted 5 sign-ins
Level 1

@GauravS_31 I've been asked to do the same thing @BeOl_4470266 was trying to do. How do I request the statically compiled BESL libraries with TLS min set to 2 for WICED-Studio-6.2/43xxx_Wi-Fi?

#define WICED_TLS_MINOR_VERSION_MIN           (2)   /* Refers to TLS version 1.2. Values for TLS Versions: 0 ==> TLS v1.0, 1 ==> TLS v1.1, 2 ==> TLS v1.2 */

 

0 Likes
jusadams
Level 1
10 sign-ins 5 replies posted 5 sign-ins
Level 1

After poking around more, it looks like mbedtls is licensed in a way that it could be shared instead of private. https://tls.mbed.org/how-to-get Feel free to point me to the correct version and have me build the libraries instead. https://community.infineon.com/t5/Wi-Fi-Combo/Open-source-SSL-TLS-Library-support-for-WICED-SDK-3-1-...
A stated above, I'm using WICED-Studio-6.2 at the moment. 

0 Likes
GauravS_31
Moderator
Moderator 250 sign-ins First comment on KBA 5 questions asked
Moderator

@jusadams Am I correct in assuming that you would require enterprise security in your project? As I had stated earlier, the BESL library change is not required if you are using mbedTLS only for TLS connection using HTTP and other application protocols. For enterprise security, if BESL library change is required, kindly create a new thread.

0 Likes
jusadams
Level 1
10 sign-ins 5 replies posted 5 sign-ins
Level 1

I must have missed that piece when first reading through this thread. I do not requiring enterprise security in our project at this time, so I will just change the MIN/MAX and verify it seems to be working properly. Thank you for taking the time to clarify (again) and doing it so quickly.

0 Likes