The |mbedtls| client project I'm working on, is to also support the cipher suites: |TLS-ECDHE-ECDSA-WITH-AES-256-CCM| & |TLS-ECDHE-ECDSA-WITH-AES-128-CCM|. I have specified them like:
|const int ciphersuites[] = { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA384, MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM, 0 }; mbedtls_ssl_conf_ciphersuites(&ctxt->conf,ciphersuites); |
and while I can see the GCM ciphers in the |Client Hello|, I cannot see the |CCM| ciphers. In |mbedtls/include/mbedtls/config.h|, the following are enabled:
|#define MBEDTLS_CCM_ALT #define MBEDTLS_CCM_C #define MBEDTLS_ECDH_GEN_PUBLIC_ALT #define MBEDTLS_ECDH_COMPUTE_SHARED_ALT #define MBEDTLS_ECDSA_SIGN_ALT |
What is still missing? While CCM is not listed under The following ciphers may be included https://tls.mbed.org/module-level-design-cipher, the ciphers i would like to add definitely show up under Supported SSL / TLS ciphersuites https://tls.mbed.org/supported-ssl-ciphersuites,
Can someone help out?
Hi Ron,
Enabling MBEDTLS_CCM_C should be enough to enable CCM ciphersuites. There are options to disable some ciphersuites even when all the crypto primitives are available, but I think the only one that treats GCM and CCM differently is MBEDTLS_SSL_CIPHERSUITES. Please check that you aren't setting MBEDTLS_SSL_CIPHERSUITES.
Please run `programs/ssl/ssl_client2 help` and check which ciphersuites it lists. If it lists CCM, the problem is the library configuration. If it doesn't, the problem is in the code.
If you enable debugging at level 3 (MBEDTLS_DEBUG_C and mbedtls_debug_set_threshold(3)), the client will print a message "client hello, add ciphersuite: …" for each ciphersuite that it sends. This should match the list set with |mbedtls_ssl_conf_ciphersuites|.
If you remove the call to |mbedtls_ssl_conf_ciphersuites|, what ciphersuites does the client advertise? It should default to advertising everything it can do.
Hope this helps,
Hi Gilles,
Thank you for the reply, it seems like the problem was that my MBEDTLS_CCM_C setting simply got overwritten and it didn't actually get set correctly. Once I fixed this, the ciphers appeared in Client Hello as expected.
Thank you! Ron
On 2021-09-29 12:33, Gilles Peskine via mbed-tls wrote:
Hi Ron,
Enabling MBEDTLS_CCM_C should be enough to enable CCM ciphersuites. There are options to disable some ciphersuites even when all the crypto primitives are available, but I think the only one that treats GCM and CCM differently is MBEDTLS_SSL_CIPHERSUITES. Please check that you aren't setting MBEDTLS_SSL_CIPHERSUITES.
Please run `programs/ssl/ssl_client2 help` and check which ciphersuites it lists. If it lists CCM, the problem is the library configuration. If it doesn't, the problem is in the code.
If you enable debugging at level 3 (MBEDTLS_DEBUG_C and mbedtls_debug_set_threshold(3)), the client will print a message "client hello, add ciphersuite: …" for each ciphersuite that it sends. This should match the list set with |mbedtls_ssl_conf_ciphersuites|.
If you remove the call to |mbedtls_ssl_conf_ciphersuites|, what ciphersuites does the client advertise? It should default to advertising everything it can do.
Hope this helps,
mbed-tls@lists.trustedfirmware.org
-
Gilles Peskine -
Ron Eggler