Require BLE 4.2 key exchange but not MITM

If ECDH key agreement is used the connection will be in security level 4. Security mode 2 is legacy pairing using just works, which doesn't provide protection against passive eavesdroppers if there is an attack during the pairing process.

Why are you checking the LESC field? I don't get what you want to achieve.

BLE_GATTS_EVT_RW_AUTHORIZE_REQUEST is related to authorization, is that what you want to do? It does not protect against passive eavesdroppers.

My application sets I/O capabilities to None. Even with ECDH key exchange, I only get security mode 1 level 2. This level is acceptable for my application, but I need to distinguish it from a legacy key exchange mode 1 level 2.

You will not get security level 2 with ECDH key exchange, you will get security level 4. If you end up in security level 2 you are doing legacy pairing (with just works). If you don't have any I/O capabilites you can use LESC Just Works, it protects against passive eavesdropping.

Ok, then I guess my question becomes: why am I not getting mode 1 level 4? I'm using nRF Connect as the central node. I perform a pair with the "Enable LE Secure Connection pairing" option checked. The resulting security level is 2.

I've integrated LESC support from the ble_app_multirole_lesc example. I can see from the nRF logs that the LESC key is generated. I get a PM_EVT_CONN_SEC_SUCCEEDED with a procedure of 2. Then I get a BLE_GAP_EVT_AUTH_STATUS with mode 1 level 2. Would the nRF Connect log be helpful?

The SDK macro to require level 4 is named BLE_GAP_CONN_SEC_MODE_SET_LESC_ENC_WITH_MITM, and there is no corresponding macro for LESC_ENC_NO_MITM.