Further cipher suites with download client

Hello

In our application we're using the download client. Here are the cipher suites the modem supports in hardware: https://www.nordicsemi.com/Products/Low-power-cellular-IoT/nRF9160/Download#infotabs

Unfortunately, at least the non-PSK cipher suites are considered weak. We're looking for a way to add stronger cipher suites.

I am not absolutely sure about the glue layer. Can it be used to add cipher suites using software implementations, e.g. mbedtls? I tried some configuration options, but the device still offers the cipher suites mentioned above.

My question: Is it possible to use the download client with other cipher suites? Since the download client uses the sockets, it seems hard to bind it to an external crypto library like mbedtls. But maybe there's a Zephyr configuration that uses mbedtls/oberon/arm cryptocell internally and extends the cipher suite list.

SDK version: 1.5.0

Kind regards
Samuel

  • Hi

    Thanks for that hint. I've tried it out and it works, but I ran into configuration issues. I added the following overlay from the Serial LTE Modem example:

    # TLS configuration
    CONFIG_SLM_NATIVE_TLS=y
    CONFIG_MODEM_KEY_MGMT=y
    CONFIG_MBEDTLS=y
    CONFIG_MBEDTLS_LIBRARY=y
    CONFIG_MBEDTLS_TLS_LIBRARY=y
    CONFIG_MBEDTLS_PKCS1_V15=y
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_INSTALL_PATH="DUMMY"
    # If larger TLS buffer is required for large CA chain,
    # increase CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN to 4096
    # and CONFIG_MBEDTLS_HEAP_SIZE to 32768
    #CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=1280
    #CONFIG_MBEDTLS_HEAP_SIZE=23040
    CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=4096
    CONFIG_MBEDTLS_HEAP_SIZE=32768
    CONFIG_NET_SOCKETS_OFFLOAD_TLS=n
    CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
    CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=2
    # Increase extra FD entry for TLS contexts(2)
    CONFIG_POSIX_MAX_FDS=10
    CONFIG_NORDIC_SECURITY_BACKEND=y
    CONFIG_NRF_SECURITY_ADVANCED=y

    I can observe that mbedTLS is used, but lots of functions are glued to oberon and so on. I thought I could configure mbedTLS further by using CONFIG_MBEDTLS_ECDSA_C=y, for example. However, that's not working. It seems that the configuration option is not compatible with the security backend:

    warning: MBEDTLS_ECDSA_C was assigned the value 'y' but got the value 'n'. Check these unsatisfied dependencies:
    MBEDTLS_ECP_C (=n), NRF_SECURITY_ANY_BACKEND (=n). See
    docs.zephyrproject.org/.../CONFIG_MBEDTLS_ECDSA_C.html and/or look up
    MBEDTLS_ECDSA_C in the menuconfig/guiconfig interface. The Application Development Primer, Setting
    Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be helpful
    too.

    If I set
    CONFIG_GENERATE_MBEDTLS_CFG_FILE=n
    I get cmake errors. I guess I have to set up a config file as well, but I don't know how:

    CMake Error at [...]/SWK_nRF_Connect_SDK/31_Source/nrfxlib/nrf_security/src/mbedtls/oberon/CMakeLists.txt:124 (configure_file_ifdef):
    Unknown CMake command "configure_file_ifdef".

    I don't care if I need to set up a custom mbedtls configuration. But actually I don't know how.

    I've also tried to use the internal mbedtls library using CONFIG_MBEDTLS_BUILTIN=y. However, the integrated library lacks the mbedtls_ssl_write and _read functions, and we need these functions in another part of our software. Also, the Serial LTE Modem uses the external mbedtls library.

    Do you have any ideas how I can change the mbedTLS configuration using the external mbedtls library?

    Kind regards
    Samuel

  • Hi, and sorry for the late answer.

    You can use mbedTLS as a backend to the Nordic Security Module by setting CONFIG_MBEDTLS_VANILLA_BACKEND=y.

    If I add that option to the overlay-native_tls.conf file, CONFIG_MBEDTLS_ECDSA_C is enabled automatically.

  • Hi

    Oh thanks, that worked. I have one more question. Do you have an idea how to enable the debug output of mbedTLS? CONFIG_MBEDTLS_DEBUG is ignored. Meanwhile I figured out that I have to set other options using CONFIG_CHOICE_VANILLA_MBEDTLS... But there is no VANILLA DEBUG option.

    Thanks for your efforts.

    Kind regards
    Samuel

  • Looking at the documentation for the Kconfig option, it looks like you should be able to do the same in code.

    You can find the documentation for mbedtls_ssl_conf_dbg here: mbedTLS documentation.

  • On a related note, do you anticipate the MFW supporting modern cipher suites? Looks like the CBC ciphers are deprecated in TLS 1.3 as alluded to.
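
One way to check which cipher suites a device really offers after a configuration change, with CBC suites flagged, is to parse the ClientHello record copied from a packet capture; this is an added example and not code from the thread or from Nordic. The suite table is a small subset of the IANA registry, and the sample ClientHello is constructed here, not captured from an nRF9160.

```python
import struct

# Subset of the IANA TLS cipher suite registry, enough for this illustration.
SUITES = {
    0x008C: "TLS_PSK_WITH_AES_128_CBC_SHA",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC0A8: "TLS_PSK_WITH_AES_128_CCM_8",
}

def offered_suites(record: bytes) -> list:
    """Return the cipher suite IDs listed in one raw TLS ClientHello record."""
    try:
        ctype, _version, rec_len = struct.unpack_from("!BHH", record, 0)
        body = record[5:5 + rec_len]
        if ctype != 0x16 or body[0] != 0x01:
            raise ValueError("not a ClientHello handshake record")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) != hs_len:
            raise ValueError("truncated or fragmented ClientHello")
        pos = 2 + 32                    # client_version + random
        pos += 1 + hello[pos]           # session_id length byte + session_id
        (n,) = struct.unpack_from("!H", hello, pos)
        if n % 2 or pos + 2 + n > len(hello):
            raise ValueError("bad cipher_suites length")
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return [int.from_bytes(hello[i:i + 2], "big")
            for i in range(pos + 2, pos + 2 + n, 2)]

def audit(record: bytes) -> list:
    """Label each offered suite as CBC, AEAD, or unknown (not in SUITES)."""
    out = []
    for sid in offered_suites(record):
        name = SUITES.get(sid, "0x%04X" % sid)
        kind = "unknown" if sid not in SUITES else "CBC" if "_CBC_" in name else "AEAD"
        out.append((name, kind))
    return out

def build_sample(ids) -> bytes:
    """Constructed ClientHello (zero random, no extensions) for the demo."""
    suites = b"".join(struct.pack("!H", i) for i in ids)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

SAMPLE = build_sample([0xC02B, 0xC023, 0x008C, 0x1301])
```

Running `audit()` on the ClientHello before and after changing the TLS backend shows whether the offered list actually changed; IDs missing from the table are reported as unknown rather than guessed.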
