1 (edited by Scotty2541 2024-10-16 10:42:59)

Topic: How to Disable Ciphers (Enable only specific Ciphers)

This is not working, even though it used to work. Now with 7-5-2 it seems to have stopped working.

    ListCiphers();                                  /* WHAT ARE THEY TO BEGIN WITH */
    ctx = wolfSSL_CTX_new(method);
    /* returns WOLFSSL_SUCCESS when the list was accepted */
    if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != WOLFSSL_SUCCESS)   /* CHANGE THEM */
        puts("wolfSSL_CTX_set_cipher_list failed");
    ListCiphers();                                  /* WHAT ARE THEY NOW */

Where "ListCiphers()" is simply:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wolfssl/options.h>
#include <wolfssl/ssl.h>

/* Print every cipher name wolfSSL_get_ciphers() reports, one per line. */
void ListCiphers(void) {
    char *list, *ptr;
    list = (char *) malloc(4096);
    if (list == NULL)
        return;
    /* Fills list with ':'-separated names; returns WOLFSSL_SUCCESS or an error. */
    if (wolfSSL_get_ciphers(list, 4096) != WOLFSSL_SUCCESS) {
        free(list);
        return;
    }

    ptr = strtok(list, ": \n\r");
    puts("CIPHERS");
    while (ptr) {
        printf("%s\n", ptr);
        ptr = strtok(NULL, ": \n\r");
    }
    free(list);
}

THEY DO NOT CHANGE.  Even though "cipherList" is a list of 17 of them.

What the list gives me BOTH TIMES are these 23 ciphers:

CIPHERS
TLS13-AES128-GCM-SHA256
TLS13-AES256-GCM-SHA384
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
EDH-RSA-DES-CBC3-SHA

What I am setting it to is this:

static const char cipherList[768] =
    "TLS13-AES128-GCM-SHA256:"
    "TLS13-AES256-GCM-SHA384:"
    "DHE-PSK-AES256-GCM-SHA384:"
    "DHE-PSK-AES128-GCM-SHA256:"
    "DHE-PSK-AES256-CBC-SHA384:"
    "DHE-PSK-AES128-CBC-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-PSK-AES128-CBC-SHA256";

Furthermore...

The TLS13 ciphers are in the list (both of them: the one that is enabled, and the one I am trying to set but is ignored anyway).

And yet, when I tried to connect to the device using those ciphers, it fails.

By the way...
The example has a major defect in it.

https://www.wolfssl.com/documentation/m … et_ciphers

static void ShowCiphers(void) {
    char* ciphers;
    /* sizeof(ciphers) is the size of the pointer, and ciphers points at no buffer */
    int ret = wolfSSL_get_ciphers(ciphers, (int)sizeof(ciphers));

    if (ret == SSL_SUCCESS) {
        printf("%s\n", ciphers);
    }
}

Size of ciphers is the size of the POINTER, not the size of the buffer that the pointer refers to.

-Scott
<Code shown is not to scale>


Re: How to Disable Ciphers (Enable only specific Ciphers)

Hi Scott,

wolfSSL_get_ciphers gets the entire cipher list compiled into the library; it does not get the currently enabled cipher list. To get that, you can call wolfSSL_get_cipher_list_ex(ssl, priority). You will need to make the WOLFSSL object from the WOLFSSL_CTX after you call wolfSSL_CTX_set_cipher_list for it to reflect the cipher list you've set.

Thanks,
Kareem

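An added example that is not code from either poster or from wolfSSL: the list in the first post is what wolfSSL_get_ciphers() reports as compiled into the build, and the reply explains that the configured list has to be read back from a WOLFSSL object with wolfSSL_get_cipher_list_ex. A check worth doing before either call is to compare the list you intend to pass to wolfSSL_CTX_set_cipher_list() against the compiled-in one, because a suite the build does not contain can never be negotiated, whatever the library does with names it does not recognise. The program below does exactly that, using the two lists from the thread as constructed input in place of the library calls, and it also shows the sizeof-on-an-array pattern that the documentation snippet got wrong. The function names (next_token, count_tokens, check_cipher_list) are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the 23 compiled-in names wolfSSL_get_ciphers() printed in the post.
 * Real code fills a char ARRAY with wolfSSL_get_ciphers(buf, (int)sizeof buf). */
static const char COMPILED_IN[] =
    "TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:EDH-RSA-DES-CBC3-SHA";

/* Constructed sample: the 17-entry list the post passes to wolfSSL_CTX_set_cipher_list(). */
static const char REQUESTED[] =
    "TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:"
    "DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES256-CBC-SHA384:DHE-PSK-AES128-CBC-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-PSK-AES128-CBC-SHA256";

/* Next ':'-separated token of *cursor (empty ones skipped), advancing the cursor;
 * NULL once the list is exhausted. Read-only, so unlike strtok() it never writes. */
static const char *next_token(const char **cursor, size_t *len)
{
    const char *p = *cursor;
    while (*p == ':') p++;
    if (*p == '\0') { *cursor = p; return NULL; }
    const char *end = strchr(p, ':');
    *len = end ? (size_t)(end - p) : strlen(p);
    *cursor = p + *len;
    return p;
}

/* Number of non-empty tokens in a ':'-separated list. */
int count_tokens(const char *list)
{
    size_t len;
    int n = 0;
    while (next_token(&list, &len) != NULL)
        n++;
    return n;
}

/* 1 if `name` (length `name_len`) is a whole token of `list`, else 0. */
static int list_contains(const char *list, const char *name, size_t name_len)
{
    const char *tok;
    size_t len;
    while ((tok = next_token(&list, &len)) != NULL)
        if (len == name_len && memcmp(tok, name, len) == 0)
            return 1;
    return 0;
}

/* Append a token to a NUL-terminated ':'-separated string, truncating rather than overflowing. */
static void append_token(char *buf, size_t buf_len, const char *tok, size_t len)
{
    size_t used = strlen(buf);
    if (used > 0 && used + 1 < buf_len)
        buf[used++] = ':';
    if (len > buf_len - used - 1)
        len = buf_len - used - 1;
    memcpy(buf + used, tok, len);
    buf[used + len] = '\0';
}

/* Split `wanted` into names present in `supported` (-> kept) and names absent from it
 * (-> missing). Returns the number of absent names: those can never be negotiated. */
int check_cipher_list(const char *wanted, const char *supported,
                      char *kept, size_t kept_len, char *missing, size_t missing_len)
{
    const char *tok;
    size_t len;
    int unsupported = 0;

    kept[0] = missing[0] = '\0';
    while ((tok = next_token(&wanted, &len)) != NULL) {
        if (list_contains(supported, tok, len)) {
            append_token(kept, kept_len, tok, len);
        } else {
            append_token(missing, missing_len, tok, len);
            unsupported++;
        }
    }
    return unsupported;
}

int main(void)
{
    char kept[1024], missing[512];
    int n = check_cipher_list(REQUESTED, COMPILED_IN, kept, sizeof kept,
                              missing, sizeof missing);
    printf("%d of %d requested suites are not compiled in: %s\nusable list: %s\n",
           n, count_tokens(REQUESTED), missing, kept);
    return n ? 1 : 0;
}
```

Run as-is, it reports that 5 of the 17 requested suites (the DHE-PSK and ECDHE-PSK ones) are not among the 23 compiled-in names and prints the 12 that are. Against a real build, take the supported list from wolfSSL_get_ciphers() into a char array and, as the reply says, confirm what was actually configured with wolfSSL_get_cipher_list_ex on a WOLFSSL created after wolfSSL_CTX_set_cipher_list().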