Topic: Switching from TLS_AES_128_CCM_SHA256 to TLS_AES_128_CCM_8_SHA256
Firstly, I am totally new to TLS.
We are switching from TLS_AES_128_CCM_SHA256 to TLS_AES_128_CCM_8_SHA256 for a little better performance.
We are using wolfSSL 5.7.6, not really the whole code but cut down as required, and we are not building the library as such but using it directly by attaching it to a package.
I have done two things so far in my user_settings.h file: I added the second line, as I believe the first line was responsible for the TLS_AES_128_CCM_8_SHA256 implementation.
#define HAVE_AESCCM
#define HAVE_AESCCM_8 // newly added by me; not sure if this is the correct define for CCM_8 for this cipher
and in my code I have changed:
//ret = wolfSSL_CTX_set_cipher_list(ctx, "TLS_AES_128_CCM_SHA256");
ret = wolfSSL_CTX_set_cipher_list(ctx, "TLS_AES_128_CCM_8_SHA256");
I have turned on the wolfSSL debugger and it tells me that the handshake is complete, but my comms restart again after a few seconds without throwing any errors.
Questions:
1. What changes do I have to make (for example to auth, key exchange and the cipher suite) to get this working?
2. In general, what are the requirements for TLS_AES_128_CCM_8_SHA256?
Again, the current implementation is working fine with TLS_AES_128_CCM_SHA256; I need to make some tweaks for TLS_AES_128_CCM_8_SHA256.
Please ask me as many questions as you want, because I may not have added enough information in this overview.
Code:
    int ret = 0;
    ctx = NULL;
    initializeSSL();

    WOLFSSL_METHOD* method;
    /* TLS 1.3 only: the CCM/CCM_8 suites named below are TLS 1.3 suites */
    method = wolfTLSv1_3_server_method();

    /* Allocate the wolfSSL_CTX; everything below needs a non-NULL ctx */
    if ((ctx = wolfSSL_CTX_new(method)) == NULL)
    {
        // error allocating ctx
        PARA_LOG(LOG_ID_SC, "wolfSSL_CTX_new error\n");
    }

    /* Minimum DH key size in bits; must be set on the allocated ctx,
     * not before wolfSSL_CTX_new() as in the earlier version */
    short unsigned int minDhKey = 128;
    ret = wolfSSL_CTX_SetMinDhKey_Sz(ctx, minDhKey);
    if (ret != SSL_SUCCESS)
    {
        PARA_LOG(LOG_ID_SC, "Error setting min DH key size: %i\n", ret);
    }

    /* Restrict the server to the single CCM_8 suite */
    //ret = wolfSSL_CTX_set_cipher_list(ctx, "TLS_AES_128_CCM_SHA256");
    ret = wolfSSL_CTX_set_cipher_list(ctx, "TLS_AES_128_CCM_8_SHA256");
    printf("-------------------------Loading Cipher onto ret---------------------------------------------");
    if (ret != SSL_SUCCESS)
    {
        // error setting the cipher list (suite not built in or name not recognised)
        printf("-------------------------1 Error Loading Cipher onto ret---------------------------------------------");
        PARA_LOG(LOG_ID_SC, "Error Cipher List: %i\n", ret);
    }

    /* Server side: do not request or verify a client certificate */
    wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);

    /* Load the ECC P-256 certificate as a trusted CA (DER) */
    ret = wolfSSL_CTX_load_verify_buffer(ctx, serv_ecc_der_256,
                                         sizeof_serv_ecc_der_256, SSL_FILETYPE_ASN1);
    if (ret != SSL_SUCCESS)
    {
        // error loading CA certificate from buffer
        printf("-------------------------2 Error Loading Certificate onto ret---------------------------------------------");
        PARA_LOG(LOG_ID_SC, "Error Loading CA buffer: %i\n", ret);
    }

    /* Load the same ECC P-256 certificate as the server certificate (DER) */
    ret = wolfSSL_CTX_use_certificate_buffer(ctx, serv_ecc_der_256,
                                             sizeof_serv_ecc_der_256, WOLFSSL_FILETYPE_ASN1);
    if (ret != SSL_SUCCESS)
    {
        // error loading server certificate from buffer
        printf("-------------------------3 Error use Certificate onto ret---------------------------------------------");
        PARA_LOG(LOG_ID_SC, "Error Loading Certificate buffer: %i\n", ret);
    }

    /* Load the matching ECC P-256 private key (DER) */
    ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, ecc_key_der_256,
                                            sizeof_ecc_key_der_256, WOLFSSL_FILETYPE_ASN1);
    if (ret != SSL_SUCCESS)
    {
        // error loading private key from buffer
        printf("-------------------------4 Error use private key onto ret---------------------------------------------");
        PARA_LOG(LOG_ID_SC, "Error Loading Private Key buffer: %i\n", ret);
    }

    createNewSession();
}
Thank you in advance!