1 (edited by Scotty2541 2020-10-30 12:33:26)

Topic: How to select the Protocol/Cipher on the server?

Hello,
Chapter 4 of the doc gives a selection of functions which can be used to set the cipher method on the server side.

Individually, there are SSL 3, TLS 1.0, 1.1, 1.2, 1.3,   or "wolfSSLv23_server_method()"  which says the highest up to TLS 1.2

How do I add TLS 1.3 to this, so I can pick ONLY between TLS 1.1, 1.2, 1.3?
(I know the SSL ones are disabled by default.  But this seems to include TLS 1.0, and does NOT include TLS 1.3)

These are structure pointers, so I can't just OR them together.

-Scott
<Code shown is not to scale>

Re: How to select the Protocol/Cipher on the server?

Hi Scotty2541,

The manual is wrong/out of date. If WOLFSSL_TLS13 (--enable-tls13) is set then `wolfSSLv23_server_method` will try TLS v1.3 first and allow downgrade. If you want to disable SSLv3 and TLS 1.0 then make sure these are not defined `WOLFSSL_ALLOW_TLSV10` and `WOLFSSL_ALLOW_SSLV3`.

Thanks,
David Garske, wolfSSL

Re: How to select the Protocol/Cipher on the server?

David,

I am not using the --{configure} options, as I am building this for AM335x (sitara).
So I have no idea how WOLFSSL_TLS13 should be enabled...  should I just define it in the user_settings.h?

As for WOLFSSL_ALLOW_TLSV10  (and WOLFSSL_ALLOW_SSLV3)...

The CCS environment has a nice highlight that shows if #defines are set... It is showing me that all the code IS ENABLED... and yet I can find nothing that indicates it is defined.

So right now, I *think*  TLS1.0 is enabled, but I have no way to prove it.
Nor do I have any indication of HOW it's being enabled, so I don't know where to go to disable it.

(I did define NO_OLD_TLS in the user_settings.h )

Next up:  (Should I start a new question?)  How to select ciphers?
The NIST lists 34 approved ciphers.  The SSL.COM best practice is to only enable 'some' of them to minimize exposure.  How are they enabled/disabled?
For example, the first 1000 lines of "internal.h" have all of them listed...  do I just comment out the ones that I want to remove, and ensure that the ones I want are enabled?
(I want  ECDSA_WITH_AES_256_GCM_SHA384 , but I might want to remove BUILD_TLS_RSA_WITH_AES_128_CBC_SHA )

-Scott
<Code shown is not to scale>

Re: How to select the Protocol/Cipher on the server?

The API to look out for is wolfSSL_CTX_set_cipher_list(). You call this once on the WOLFSSL_CTX, and all WOLFSSL sessions made with that CTX will have the preset list. If you only want to use ECDSA-AES256-GCM-SHA384, call it

ret = wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-AES256-GCM-SHA384");

Only that suite will be requested by the client to the server.

I think the following defines in user_settings.h will get you TLSv1.3 with support for the above cipher suite.

#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_HKDF
/* #define WC_RSA_PSS - not needed if only using ECC */
/* #define HAVE_FFDHE_2048 - not needed if only using ECC */

If TLSv1.3 is enabled, wolfSSLv23_client_method() will try to negotiate for TLSv1.3 and allow downgrades. (It looks like the manual needs an update.)

Re: How to select the Protocol/Cipher on the server?

John,
I examined the "wolfSSL_get_ciphers()" version of that call, and inspected the output (it doesn't describe how that data is returned in the buffer... yet something else that could be updated in the doc)

They are, in fact, a list of all those cipher names, separated by colons.

So, that "set" version of the call sets only one of them. What if I want to set about 10 or 12?
Do I feed it a list like its partner call returns?

-Scott
<Code shown is not to scale>

6 (edited by Scotty2541 2020-11-05 05:23:55)

Re: How to select the Protocol/Cipher on the server?

john wrote:

The API to look out for is wolfSSL_CTX_set_cipher_list(). You call this once on the WOLFSSL_CTX, and all WOLFSSL sessions made with that CTX will have the preset list. If you only want to use ECDSA-AES256-GCM-SHA384, call it

ret = wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-AES256-GCM-SHA384");

Only that suite will be requested by the client to the server.

I think the following defines in user_settings.h will get you TLSv1.3 with support for the above cipher suite.

#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_HKDF
/* #define WC_RSA_PSS - not needed if only using ECC */
/* #define HAVE_FFDHE_2048 - not needed if only using ECC */

If TLSv1.3 is enabled, wolfSSLv23_client_method() will try to negotiate for TLSv1.3 and allow downgrades. (It looks like the manual needs an update.)

John,
Apparently the answer is 'yes'.  Feed the function 'wolfSSL_CTX_set_cipher_list(...)' a list that is colon separated.
Question:
For setting up a server, and telling the API which ciphers to use...
Is there any priority?  Or does the client have total control over which one is preferred and will be used?

For example, given this list (which I read from the API), after commenting out some, does it make any difference what order they are?  (I don't even know what they all are or which are stronger...  I still need to research that)

const char cipherList[768] =
        "TLS13-AES128-GCM-SHA256:"
        "TLS13-AES256-GCM-SHA384:"
//        "DHE-RSA-AES128-SHA:"
//        "DHE-RSA-AES256-SHA:"
//        "DHE-PSK-AES256-GCM-SHA384:"
//        "DHE-PSK-AES128-GCM-SHA256:"
        "DHE-PSK-AES256-CBC-SHA384:"
        "DHE-PSK-AES128-CBC-SHA256:"
        "ECDHE-RSA-AES128-SHA:"
        "ECDHE-RSA-AES256-SHA:"
        "ECDHE-ECDSA-AES128-SHA:"
        "ECDHE-ECDSA-AES256-SHA:"
        "ECDHE-RSA-RC4-SHA:"
        "ECDHE-ECDSA-RC4-SHA:"
//        "DHE-RSA-AES128-SHA256:"
        "DHE-RSA-AES256-SHA256:"
//        "DHE-RSA-AES128-GCM-SHA256:"
        "DHE-RSA-AES256-GCM-SHA384:"
//        "ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:"
        "ECDHE-ECDSA-AES256-GCM-SHA384:"
//        "ECDHE-RSA-AES128-SHA256:"
        "ECDHE-ECDSA-AES128-SHA256:"
        "ECDHE-RSA-AES256-SHA384:"
        "ECDHE-ECDSA-AES256-SHA384:"
        "ECDHE-PSK-AES128-CBC-SHA256";
-Scott
<Code shown is not to scale>
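
One way to prune a colon-separated list like the one above before passing it to wolfSSL_CTX_set_cipher_list(), as an added example that is not part of the original thread and not wolfSSL code. The policy (keep only TLS13-* and ECDHE-*-GCM-* names, drop RC4 and PSK) and the names `suite_allowed`, `filter_cipher_list` and `SAMPLE_LIST` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample: a subset of the suite names from the list above. */
static const char SAMPLE_LIST[] =
    "TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384:"
    "DHE-PSK-AES256-CBC-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:"
    "DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-PSK-AES128-CBC-SHA256";

/* Assumed policy: keep TLS13-* and ECDHE-*-GCM-*; drop RC4, PSK and the rest. */
static int suite_allowed(const char *name, size_t len)
{
    char buf[64];
    if (len == 0 || len >= sizeof(buf)) return 0;
    memcpy(buf, name, len);
    buf[len] = '\0';
    if (strstr(buf, "RC4") || strstr(buf, "PSK")) return 0;
    if (strncmp(buf, "TLS13-", 6) == 0) return 1;
    return strncmp(buf, "ECDHE-", 6) == 0 && strstr(buf, "-GCM-") != NULL;
}

/* Copies allowed suites from `in` to `out`; returns count kept, -1 if out is too small. */
int filter_cipher_list(const char *in, char *out, size_t outsz)
{
    size_t used = 0;
    int kept = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    while (*in != '\0') {
        size_t len = strcspn(in, ":");          /* length of the next name */
        if (suite_allowed(in, len)) {
            if (used + len + (kept ? 1 : 0) + 1 > outsz) return -1;
            if (kept) out[used++] = ':';
            memcpy(out + used, in, len);
            used += len;
            out[used] = '\0';
            kept++;
        }
        in += len;
        if (*in == ':') in++;                   /* skip the separator */
    }
    return kept;
}

int main(void)
{
    char out[256];
    int n = filter_cipher_list(SAMPLE_LIST, out, sizeof(out));
    printf("%d suites kept: %s\n", n, out);
    return n > 0 ? 0 : 1;
}
```

The filtered string has the same colon-separated format the thread describes, so it can be handed to wolfSSL_CTX_set_cipher_list() unchanged.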


Re: How to select the Protocol/Cipher on the server?

Scotty2541,

Is there any priority?  Or does the client have total control over which one is preferred and will be used?

The server ALWAYS gets to pick what it prefers based on what the client sends. The client only has control in that it can LIMIT the options available to the server to pick from.

does it make any difference what order they are?

The order in which they arrive does not matter. The server is configured how it is configured.

In MOST cases a server will try to pick the STRONGEST cryptographic option but some might be configured to consider run-time resource requirements or some other governing factor in the decision making process for which cipher it selects from the client offered list.

Warm Regards,

- K

Re: How to select the Protocol/Cipher on the server?

Kaleb,
Thanks...

Kaleb J. Himes wrote:

Scotty2541,

The order in which they arrive does not matter. The server is configured how it is configured.

In MOST cases a server will try to pick the STRONGEST cryptographic option but some might be configured to consider run-time resource requirements or some other governing factor in the decision making process for which cipher it selects from the client offered list.

Warm Regards,

- K

In this case the server IS a WolfSSL based app...   So the server will try to negotiate that when? 
During the wolfSSL_accept() call?

    WOLFSSL*        ssl    = 0;
    WOLFSSL_CTX*    ctx    = (WOLFSSL_CTX*)sslCtx;
    int ret;
    ssl = wolfSSL_new(ctx);
    ret = wolfSSL_set_fd(ssl, socket);
    if (ret != 1)  {
        return (void *)0;
    }
    ret = wolfSSL_accept(ssl);

Or is there another call that should be made to tell it to do so?
Or is it automatic?

-Scott
<Code shown is not to scale>

Re: How to select the Protocol/Cipher on the server?

In this case the server IS a WolfSSL based app...   So the server will try to negotiate that when?

It will happen during the wolfSSL_accept call, that is correct.

Or is there another call that should be made to tell it to do so?
Or is it automatic?

Yes it will happen automatically.

We have an excellent (yet simple) basic server example here to show the process: https://github.com/wolfSSL/wolfssl-exam … rver-tls.c

Assuming somewhere prior in your code you configured your server with a cert and key etc.

Warm Regards,

K

Re: How to select the Protocol/Cipher on the server?

Kaleb,
Thanks.  I have the server and necessary certificates already.  That is all working fine.
I can see the connection specifics in the "security" tab of Chrome or Firefox.

Just wanted to be clear on how it decided the TLS version and picking the cipher.

A client wanted to use the elliptical ciphers  (TLS_ECDHE_* ) , but neither Chrome nor Firefox is showing it as being selected.
I do have it enabled.  I suppose to verify I would need to remove all the other ones and see if it connects.

-Scott
<Code shown is not to scale>

Re: How to select the Protocol/Cipher on the server?

Scotty,

Just wanted to be clear on how it decided the TLS version and picking the cipher.
A client wanted to use the elliptical ciphers  (TLS_ECDHE_* ) , but neither Chrome nor Firefox is showing it as being selected.
I do have it enabled.  I suppose to verify I would need to remove all the other ones and see if it connects.

Understood. Also be aware that in the selection process the certs are part of the decision. If the server has both an ECC cert chain and an RSA cert chain it should be able to connect with either ECDHE_RSA or ECDHE_ECDSA. If the server has algorithmic support for ECC but only has RSA certificates it will only be able to negotiate ECDHE_RSA.

Yes a good test would be to limit the client ciphers to only one at a time and then test if each connects. If the client only presents a single option to the peer the peer will either have to select that option or tell the client it can't negotiate that option (by severing the connection). In this way you can determine what all would be supported, as I mentioned the only control the client has over the selection process is in what it presents to the server.

You can present a single cipher with:

wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-AES128-SHA");

OR

You can present two or more with a colon delimited list:

char cipherList[] = "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA256";
wolfSSL_CTX_set_cipher_list(ctx, cipherList);

OR

You can not use that API at all and wolfSSL will always send a list of all ciphers supported by the current build configuration.


Warm Regards,

K