Further cipher suites with download client

RE: Further cipher suites with download client

Jared — Tue, 25 May 2021 14:03:57 GMT

Thanks Didrik Rokhaug

RE: Further cipher suites with download client

Didrik Rokhaug — Tue, 25 May 2021 13:41:36 GMT

Hi Jared,

I am not aware of any plans for adding support for new TLS cipher suites at the moment.

Best regards,

Didrik

RE: Further cipher suites with download client

Jared — Sat, 15 May 2021 14:36:00 GMT

On a related note, Didrik Rokhaug do you anticipate the MFW to supporting modern cipher suites? Looks like the CBC ciphers are deprecated in TLS 1.3 as samuel4 alluded to.

RE: Further cipher suites with download client

Didrik Rokhaug — Thu, 25 Mar 2021 15:51:00 GMT

Looking at the documentation for the Kconfig option, it looks like you should be able to do the same in code.

You can find the documentation for mbedtls_ssl_conf_dbg here: mbedTLS documentation.

RE: Further cipher suites with download client

samuel4 — Wed, 24 Mar 2021 10:53:34 GMT

Oh thanks, that worked. I have one more question. Do you have an idea how to enable the Debug output of mbedTLS? CONFIG_MBEDTLS_DEBUG is ignored. Meanwhile I figured out, that I have to set other options using CONFIG_CHOICE_VANILLA_MBEDTLS... But there is no VANILLA DEBUG option.

Thanks for efforts.

Kind regards
Samuel

RE: Further cipher suites with download client

Didrik Rokhaug — Wed, 24 Mar 2021 10:45:53 GMT

Hi, and sorry for the late answer.

You can use mbedTLS as a backend to the Nordic Security Module by setting CONFIG_MBEDTLS_VANILLA_BACKEND=y.

If I add that option to the overlay-native_tls.conf file, CONFIG_MBEDTLS_ECDSA_C is enabled automatically.

RE: Further cipher suites with download client

samuel4 — Fri, 19 Mar 2021 21:01:01 GMT

Thanks for that hint. I've tried it out and and it works, but I ran into configuration issues. I added following overlay from the Serial LTE Modem example

# TLS configuration
CONFIG_SLM_NATIVE_TLS=y
CONFIG_MODEM_KEY_MGMT=y
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_LIBRARY=y
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_PKCS1_V15=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_INSTALL_PATH="DUMMY"
# If larger TLS buffer is required for large CA chain,
# increase CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN to 4096
# and CONFIG_MBEDTLS_HEAP_SIZE to 32768
#CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=1280
#CONFIG_MBEDTLS_HEAP_SIZE=23040
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=4096
CONFIG_MBEDTLS_HEAP_SIZE=32768
CONFIG_NET_SOCKETS_OFFLOAD_TLS=n
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=2
# Increase extra FD entry for TLS contexts(2)
CONFIG_POSIX_MAX_FDS=10
CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_NRF_SECURITY_ADVANCED=y

I can ovserve that mbedTLS is used, but lots of functions are glued to oberon and so on. I thaught I can configure mbedTLS further on by using CONFIG_MBEDTLS_ECDSA_C=y for example. However, that's not working. It seems that the configuration option is not compatible with the security backend:

warning: MBEDTLS_ECDSA_C was assigned the value 'y' but got the value 'n'. Check these unsatisfied dependencies:
MBEDTLS_ECP_C (=n), NRF_SECURITY_ANY_BACKEND (=n). See
docs.zephyrproject.org/.../CONFIG_MBEDTLS_ECDSA_C.html and/or look up
MBEDTLS_ECDSA_C in the menuconfig/guiconfig interface. The Application Development Primer, Setting
Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be helpful
too.

If I set
CONFIG_GENERATE_MBEDTLS_CFG_FILE=n
I get cmake errors. I guess I have to set up a config file as well, but I don't know how:

CMake Error at [...]/SWK_nRF_Connect_SDK/31_Source/nrfxlib/nrf_security/src/mbedtls/oberon/CMakeLists.txt:124 (configure_file_ifdef):
Unknown CMake command "configure_file_ifdef".

I don't care if I need to set up a custom mbedtls configuration. But actually I don't know how.

I've also tried to use the internal mbedtls library using CONFIG_MBEDTLS_BUILTIN=y. However, the integrated library lacks mbedtls_ssl_write and _read functions and we need this function in an other part of our software. And also the Serial LTE Modem uses the external mbedtls library.

Have you any ideas how I can change the mbedTLS confuration using the external mbedtls library?

Kind regards
Samuel

RE: Further cipher suites with download client

Didrik Rokhaug — Mon, 15 Mar 2021 17:07:40 GMT

Hi,

It is possible to implement the TLS stack on the application core, while still running the TCP stack on the modem.

This is supported in the Serial LTE Modem by using the overlay-native_tls.conf overlay configuration file.

You should be able to do something similar for your own application.

Best regards,

Didrik