My mbedtls client has been working for 2 years. It did what I required and
has been stable.
However, I now need to force a new server to use my preferred cipher suite.
I found the helper function to force the cipher suite here:
https://github.com/Mbed-TLS/mbedtls/blob/de4d5b78558666d2e258d95e6c5875f9c7…
I added mbedtls_ssl_conf_preference_order(conf,
MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) to the end of the function to
force the server to choose my ciphersuite.
Prior to this change I called the mbedtls functions in this chronological
order:
mbedtls_ssl_init(&_ssl);
mbedtls_ssl_config_init(&_conf);
mbedtls_ctr_drbg_init(&_ctr_drbg);
mbedtls_entropy_init(&_entropy);
mbedtls_x509_crt_init(&_cacert);
mbedtls_pk_init(&_pkey);
mbedtls_ctr_drbg_seed
mbedtls_ssl_config_defaults
mbedtls_ssl_conf_rng
mbedtls_ssl_conf_authmode
mbedtls_x509_crt_parse_file
mbedtls_ssl_conf_ca_chain
mbedtls_ssl_setup
mbedtls_ssl_set_hostname
and then proceed to call:
mbedtls_ssl_set_bio
mbedtls_ssl_handshake
Now:
If I call mbedtls_ssl_conf_ciphersuites BEFORE mbedtls_ssl_config_defaults,
the ciphersuite list is ignored/seems to get overriden.
If I call mbedtls_ssl_conf_ciphersuites AFTER mbedtls_ssl_config_defaults,
my ciphersuite list changes are accepted and transmitted (I can see in
Wireshark). The server then responds agreeing to use my chosen cipher suite.
However, mbedtls_ssl_handshake returns with value -26112, which I have
looked up to be MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER.
Unfortunately I have no clue what is causing this.
Could somebody please advise how this should be done? I can see Client2
example but there are functions I have which are not in there. Client1
seems too simple for me but Client2 seems beyond what I require.
I am using MbedTLS client code based on this:
https://github.com/machinezone/IXWebSocket/blob/master/ixwebsocket/IXSocket…
I am connecting to a server via it's URL. However, I would like to connect directly using an IP address returned from running the traceroute command on the URL.
So I replaced the URL with the IP address. However, MBedTLS fails on the handshake:
https://github.com/machinezone/IXWebSocket/blob/master/ixwebsocket/IXSocket…
I get the error:
"error in handshake : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed"
If I revert back to URL, it works. The IP address does exist.
How can I connect using the IP address, instead of the URL?
Micron Confidential
Hi,
I find that mbed-tls already support LMS, could you please Point to some reference and starting from which version mbedTLS lib version supports LMS?
Best Regards,
Raunak
Get Outlook for iOS<https://aka.ms/o0ukef>
Micron Confidential
Micron Confidential
Dear MbedTLS,
Can you please help to provide some references for LMS stateful signatures schemes support in MbedTLS,
May be something like documentation and github repo link?
Unfortunately I am not able to find it online?
Thanks,
Raunak
Get Outlook for iOS<https://aka.ms/o0ukef>
Micron Confidential
________________________________
From: Shebu Varghese Kuriakose <Shebu.VargheseKuriakose(a)arm.com>
Sent: Tuesday, September 3, 2024 8:48 PM
To: Raunak Gupta <raunakgupta(a)micron.com>; enquiries(a)trustedfirmware.org <enquiries(a)trustedfirmware.org>
Cc: nd <nd(a)arm.com>
Subject: [EXT] RE: Inquiry About PQC Cryptos in embedTLS Library
Micron Confidential
CAUTION: EXTERNAL EMAIL. Do not click links or open attachments unless you recognize the sender and were expecting this message.
Hi Raunak,
Mbed TLS today supports LMS stateful hash-based signature scheme. While supporting other PQC algorithms is in the Mbed TLS project roadmap, the team isn’t actively working on it. The focus for the team now is preparing for Mbed TLS 4.0.
Feel free to ask any further technical questions in the Mbed TLS public mailing list - mbed-tls(a)lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org> (https://lists.trustedfirmware.org/mailman3/lists/mbed-tls.lists.trustedfirm…)
Regards,
Shebu
Micron Confidential
From: 'Raunak Gupta' via TFenquiries <enquiries(a)trustedfirmware.org>
Sent: Tuesday, September 3, 2024 2:34 AM
To: enquiries(a)trustedfirmware.org
Subject: Inquiry About PQC Cryptos in embedTLS Library
Micron Confidential
Dear Trusted Firmware Team,
I hope this message finds you well. My name is Raunak, and I am a Security Engineer at Micron Technology.
I would like to inquire whether the embedTLS library has been updated to include Post-Quantum Cryptography (PQC) algorithms such as LMS, HSS, and XMSS.
Additionally, is the embedTLS team actively working on integrating these PQC algorithms?
Thank you for your assistance.
Best regards,
Raunak
Micron Confidential
To unsubscribe from this group and stop receiving emails from it, send an email to enquiries+unsubscribe(a)trustedfirmware.org<mailto:enquiries+unsubscribe@trustedfirmware.org>.