1 (edited by miglesias 2016-04-08 00:17:25)

Topic: [SOLVED] Enable cipher suites

Hello,

First of all, I'm new to criptography and security, so please, go easy on me  smile

I'm doing some research on IoT protocols. I've a working tinydtls+libcoap example, and I'm trying to change the tinydtls part to wolfssl. To do that, first I want to connect a tinydtls client with a wolfssl server and vice versa. For that, I need to enable TLS_PSK_WITH_AES_128_CCM_8 and/or TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 suites, as they are the only ones that tinydtls support for now.

In the manual, https://www.wolfssl.com/wolfSSL/Docs-wo … tures.html, it says that both of them are supported in the AES-CCM cipher suites part.
        AES-CCM cipher suites
        TLS_RSA_WITH_AES_128_CCM_8_SHA256
        TLS_RSA_WITH_AES_256_CCM_8_SHA384
        TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
        TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
        TLS_PSK_WITH_AES_128_CCM
        TLS_PSK_WITH_AES_256_CCM
        TLS_PSK_WITH_AES_128_CCM_8
        TLS_PSK_WITH_AES_256_CCM_8

I'm using version 3.8.1 of wolfssl and I don't se how can I enable these suites. If I configure (probably enabling more features than needed)

./configure  --enable-dtls --enable-debug --enable-psk --enable-aesccm --enable-sslv3 --enable-ecc --enable-pwdbased --enable-tlsx

and after compiling I run

 ./examples/client/client -e

I get that the available suites are:
    DHE-RSA-AES128-SHA
    DHE-RSA-AES256-SHA
    DHE-PSK-AES128-GCM-SHA256
    DHE-PSK-AES128-CBC-SHA256
    DHE-PSK-AES128-CCM
    DHE-PSK-AES256-CCM
    ECDHE-ECDSA-AES128-CCM-8
    ECDHE-ECDSA-AES256-CCM-8
    ECDHE-RSA-AES128-SHA
    ECDHE-RSA-AES256-SHA
    ECDHE-ECDSA-AES128-SHA
    ECDHE-ECDSA-AES256-SHA
    ECDHE-RSA-DES-CBC3-SHA
    ECDHE-ECDSA-DES-CBC3-SHA
    DHE-RSA-AES128-SHA256
    DHE-RSA-AES256-SHA256
    DHE-RSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-SHA256
    ECDHE-ECDSA-AES128-SHA256
    ECDHE-RSA-CHACHA20-POLY1305
    ECDHE-ECDSA-CHACHA20-POLY1305
    DHE-RSA-CHACHA20-POLY1305
    ECDHE-RSA-CHACHA20-POLY1305-OLD
    ECDHE-ECDSA-CHACHA20-POLY1305-OLD
    DHE-RSA-CHACHA20-POLY1305-OLD
    ECDHE-PSK-AES128-CBC-SHA256
    PSK-CHACHA20-POLY1305
    ECDHE-PSK-CHACHA20-POLY1305
    DHE-PSK-CHACHA20-POLY1305

In the README file of the source, it says:
    wolfSSL as of 3.6.6 no longer enables SSLv3 by default.  wolfSSL also no
longer supports static key cipher suites with PSK, RSA, or ECDH.
       
Does that mean that I can't use TLS_PSK_WITH_AES_128_CCM_8 and/or TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 with the 3.8.1 version or am I missing something?

Thank you in advance,

Markel

Share

Re: [SOLVED] Enable cipher suites

Hi,

The TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 cipher suite is enabled in your above configuration (ECDHE-ECDSA-AES128-CCM-8).

As you found in our README, we did disable static key cipher suites for security reasons.  You can re-enable them by defining one or more of WOLFSSL_STATIC_RSA, WOLFSSL_STATIC_DH, and WOLFSSL_STATIC_PSK.  To gain access to the "TLS_PSK_WITH_AES_128_CCM_8" cipher suite, you will need to define WOLFSSL_STATIC_PSK when compiling wolfSSL.  You can do that like so through C_EXTRA_FLAGS:

./configure <options> C_EXTRA_FLAGS="-DWOLFSSL_STATIC_PSK"

Are you doing research in conjunction with a university?

Best Regards,
Chris

3 (edited by miglesias 2016-04-11 01:16:49)

Re: [SOLVED] Enable cipher suites

Thank you for your answer.

I'm working on this for my master's thesis.

I enabled PSK like you told me and when I run the example client I get both PSK-AES128-CCM-8 and ECDHE-ECDSA-AES128-CCM-8 are available.

I run the server

./examples/server/server -u -v 3 -i

and the client

./examples/client/client -u -v 3

and it works just fine, but with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 suite. If I try to force the use of a certain cipher with -l option

./examples/client/client -u -v 3 -l PSK-AES128-CCM-8

or

./examples/client/client -u -v 3 -l ECDHE-ECDSA-AES128-CCM-8

I get an error on the server side.

error = -501, can't match cipher suite
wolfSSL error: SSL_accept failed

Even if I add the same option on the server

./examples/server/server -u -v 3 -i -l PSK-AES128-CCM-8:ECDHE-ECDSA-AES128-CCM-8

Share

Re: [SOLVED] Enable cipher suites

Hi,

If you have wolfSSL compiled with ECC, PSK, CCM-8, and static PSK support:

./configure --enable-ecc --enable-psk --enable-aesccm C_EXTRA_FLAGS="-DWOLFSSL_STATIC_PSK"

You should be able to make a connection between the wolfSSL example client and server using ECDHE-ECDSA-AES128-CCM-8 using:

./examples/server/server -l ECDHE-ECDSA-AES128-CCM-8 -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem
./examples/client/client -l ECDHE-ECDSA-AES128-CCM-8 -A ./certs/server-ecc.pem

And a connection using PSK-AES128-CCM-8 using:

./examples/server/server -s -l PSK-AES128-CCM-8
./examples/client/client -s -l PSK-AES128-CCM-8

Can you try those?

Thanks,
Chris

Re: [SOLVED] Enable cipher suites

Thank you, that worked  smile

I just assumed that forcing PSK-AES128-CCM-8 would activate the use of pre shared keys (-s) and ECDHE-ECDSA-AES128-CCM-8 would load the certificates from the default location with no need to add the options to the execute command (-c -A -k).

Share

Re: [SOLVED] Enable cipher suites

Hello, please help me to enable TLS-PSK-AES128 CBCSHA and any TLS-RSA cipher suite.
I also want to enable cipher suite other than AES128 ciphersuite.

Share