Hi Ron,

Enabling MBEDTLS_CCM_C should be enough to enable CCM ciphersuites.

There are options to disable some ciphersuites even when all the crypto
primitives are available, but I think the only one that treats GCM and
CCM differently is MBEDTLS_SSL_CIPHERSUITES. Please check that you
aren't setting MBEDTLS_SSL_CIPHERSUITES.

Please run `programs/ssl/ssl_client2 help` and check which ciphersuites
it lists. If it lists CCM, the problem is the library configuration. If
it doesn't, the problem is in the code.

If you enable debugging at level 3 (MBEDTLS_DEBUG_C and
mbedtls_debug_set_threshold(3)), the client will print a message "client
hello, add ciphersuite: …" for each ciphersuite that it sends. This
should match the list set with `mbedtls_ssl_conf_ciphersuites`.

If you remove the call to `mbedtls_ssl_conf_ciphersuites`, what
ciphersuites does the client advertise? It should default to advertising
everything it can do.

Hope this helps,

--
Gilles Peskine
Mbed TLS developer

On 26/09/2021 23:34, Ron Eggler via mbed-tls wrote:
>
> The `mbedtls` client project I'm working on, is to also support the
> cipher suites: `TLS-ECDHE-ECDSA-WITH-AES-256-CCM` &
> `TLS-ECDHE-ECDSA-WITH-AES-128-CCM`. I have specified them like:
>
>     const int ciphersuites[] = {
>         MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>         MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA384,
>         MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
>         MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM, 0 };
>     mbedtls_ssl_conf_ciphersuites(&ctxt->conf, ciphersuites);
>
> and while I can see the GCM ciphers in the `Client Hello`, I cannot
> see the `CCM` ciphers.
> In `mbedtls/include/mbedtls/config.h`, the following are enabled:
>
>     #define MBEDTLS_CCM_ALT
>     #define MBEDTLS_CCM_C
>     #define MBEDTLS_ECDH_GEN_PUBLIC_ALT
>     #define MBEDTLS_ECDH_COMPUTE_SHARED_ALT
>     #define MBEDTLS_ECDSA_SIGN_ALT
>
> What is still missing?
> While CCM is not listed under "The following ciphers may be included"
> https://tls.mbed.org/module-level-design-cipher, the ciphers I would
> like to add definitely show up under "Supported SSL / TLS ciphersuites"
> https://tls.mbed.org/supported-ssl-ciphersuites.
>
> Can someone help out?
>
>
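
Added example (not part of the original thread and not Mbed TLS project code): a small check that reports which requested ciphersuite IDs are absent from the list the library reports as supported, which is one way to tell a configuration problem from a code problem as discussed above. The function names, the WITH_MBEDTLS build switch and the sample list are assumptions of this example; without WITH_MBEDTLS it runs against a constructed list that has GCM but no CCM.

```c
#include <stdio.h>
#include <stddef.h>
#ifdef WITH_MBEDTLS            /* assumed switch: -DWITH_MBEDTLS, link Mbed TLS */
#include "mbedtls/ssl.h"
#endif

/* Constructed sample: a build offering the two ECDHE-ECDSA GCM suites only. */
static const int sample_supported[] = { 0xC02C, 0xC02B, 0 };

static int list_contains(const int *list, int id)
{
    for (; *list != 0; list++)
        if (*list == id) return 1;
    return 0;
}

/* Store in `missing` each ID from `requested` that is not in `supported`
 * (both lists 0-terminated). Returns how many were found; stores at most cap. */
size_t missing_ciphersuites(const int *requested, const int *supported,
                            int *missing, size_t cap)
{
    size_t n = 0;
    for (; *requested != 0; requested++) {
        if (!list_contains(supported, *requested)) {
            if (n < cap) missing[n] = *requested;
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* IANA IDs: ECDHE-ECDSA AES-128-GCM-SHA256, AES-128-CCM, AES-256-CCM */
    const int requested[] = { 0xC02B, 0xC0AC, 0xC0AD, 0 };
    const int *supported = sample_supported;
    int missing[8];
#ifdef WITH_MBEDTLS
    supported = mbedtls_ssl_list_ciphersuites();  /* the library's own list */
#endif
    size_t n = missing_ciphersuites(requested, supported, missing, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("requested but not in supported list: 0x%04X\n", (unsigned) missing[i]);
    return n == 0 ? 0 : 1;
}
```
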