ncs v3.1.1 SLM on nrf9151, how to change cipher list preference?

Hello,

I am using ncs v3.1.1 SLM on nrf9151 to send messages to a CoAP server. It seems nrf9151 by default uses AES_128_CBC_SHA256 even though on the server side, we have given a higher priority to AES_CCM_8, the modem doesn't follow it.

Can you please let me know how I can change the priority to AES_CCM_8 in SLM application?

Regards,

Roya

  • > It seems nrf9151 by default uses AES_128_CBC_SHA256 even though on the server side, we have given a higher priority to AES_CCM_8, the modem doesn't follow it.

    Well, let's sort it out:

    In the DTLS handshake:

    - the client sends a list of proposed cipher suites in the Client_Hello

    - the server selects one cipher suite out of that list and sends that back in the Server_Hello

    > even though on the server side, we have given a higher priority to AES_CCM_8

    That may be the case. But the "overall priority" the server used to select a cipher suite may be a mix of the client and server priorities. It's very common for implementations to align with the client's priority.

    Without knowing which implementation is used on the server side, there are two ways to go:

    - limit the client to send only "TLS-PSK-WITH-AES-128-CCM-8" and not "TLS-PSK-WITH-AES-128-CBC-SHA256". 

    - limit the server to support only "TLS-PSK-WITH-AES-128-CCM-8" and not "TLS-PSK-WITH-AES-128-CBC-SHA256".

    Hope that helps.
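
Added example, not part of the original posts and not code from the SLM firmware or any server: a small C model of the selection step described in the answer above, showing why a server that honours the client's order lands on CBC-SHA256 and how limiting either list forces CCM-8. The function name, the policy enum and the list contents are hypothetical; in particular the modem's real ClientHello order is assumed, and only the two cipher suite code points are the IANA values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA TLS cipher suite code points for the two suites named in the thread. */
#define TLS_PSK_WITH_AES_128_CBC_SHA256 0x00AEu
#define TLS_PSK_WITH_AES_128_CCM_8      0xC0A8u
#define NO_COMMON_SUITE                 0x0000u /* handshake would fail */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical policy switch: whose ordering the server walks first. */
enum pref_policy { PREFER_CLIENT_ORDER, PREFER_SERVER_ORDER };

/* Constructed lists; the modem's real ClientHello order is an assumption. */
const uint16_t client_default[] = { TLS_PSK_WITH_AES_128_CBC_SHA256,
                                    TLS_PSK_WITH_AES_128_CCM_8 };
const uint16_t client_limited[] = { TLS_PSK_WITH_AES_128_CCM_8 };
const uint16_t server_list[]    = { TLS_PSK_WITH_AES_128_CCM_8,
                                    TLS_PSK_WITH_AES_128_CBC_SHA256 };
const uint16_t server_limited[] = { TLS_PSK_WITH_AES_128_CCM_8 };

/* Pick the first suite in the preferred side's order that the other side
 * also lists. The server can only choose from what the client offered. */
uint16_t select_suite(const uint16_t *client, size_t nc,
                      const uint16_t *server, size_t ns,
                      enum pref_policy policy)
{
    const uint16_t *outer = (policy == PREFER_CLIENT_ORDER) ? client : server;
    const uint16_t *inner = (policy == PREFER_CLIENT_ORDER) ? server : client;
    size_t no = (policy == PREFER_CLIENT_ORDER) ? nc : ns;
    size_t ni = (policy == PREFER_CLIENT_ORDER) ? ns : nc;

    for (size_t i = 0; i < no; i++)
        for (size_t j = 0; j < ni; j++)
            if (outer[i] == inner[j])
                return outer[i];
    return NO_COMMON_SUITE;
}

int main(void)
{
    uint16_t a = select_suite(client_default, ARRAY_LEN(client_default),
                              server_list, ARRAY_LEN(server_list),
                              PREFER_CLIENT_ORDER);
    uint16_t b = select_suite(client_limited, ARRAY_LEN(client_limited),
                              server_list, ARRAY_LEN(server_list),
                              PREFER_CLIENT_ORDER);
    printf("client order honoured: 0x%04X, client limited: 0x%04X\n",
           (unsigned)a, (unsigned)b);
    return 0;
}
```
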

  • Hi Achim,

    Thank you for your prompt reply.

    I am working on the client side with an application such as slm_shell sending AT commands to V3.1.1 SLM on nrf9151.

    However, #XSSOCKETOPT option AT_TLS_CIPHERSUITE_USED is get-only.

    Is it possible to change the priority of cipher suites directly in V3.1.1 SLM firmware? If so, can you point to where in the code it should be applied?

    Regards,
