lwip-users
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-users] mbedtls port: Changing SSL config parameters

From: Gary Metalle
Subject: [lwip-users] mbedtls port: Changing SSL config parameters
Date: Thu, 14 Apr 2022 16:34:37 +0000

Hi

 

I’m using LWIP 2.2.0 on an ARM imx.rt platform along with mbedtls version 2.27.0.

 

Specifically I’m using the altcp_tls ‘app’ wrapper that makes it easy to switch between TCP and TLS for my connection to an MQTT broker using mbedtls for the encryption.

 

I have just had need to configure a couple of options for the SSL config within MBEDTLS but couldn’t find a way without modifying the source code in lwpip/src/apps/altcp_tls/altcp_tls_mbedtls.c.

 

I noticed that within the mbedtls_ssl_context struct there is a private mbedtls_ssl_config pointer that is the one that would normally be used to fiddle with certain parameters such the following mbedtls function to set the desired list of cipher suites:

 

void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, const int *ciphersuites )

 

My specific case was to not use certs but only to restrict the only supported cipher suite to:

 

MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256

 

The altcp_tls_create_config function in altcp_tls_mbedtls.c allocates space for the conf ssl config parameter and does a good job of setting up various defaults, but it adds its own list of cipher suites presumably based from the #defines enabled in the mbedtls config.h header file. For cases where a PSK is used it doesn’t allow setup for defining the private key and the identity and I couldn’t find a way to access the conf mbedtls_ssl_config  pointer from the mbedtls_ssl_context  pointer (which I do have access to).

 

I have worked around this by defining the following two prototypes in altcp_tls.h:

 

/** @ingroup altcp_tls

* Configure ALTCP_TLS client configuration for user-defined list of cipher suites.

*/

void altcp_tls_configure_client_ciphersuites(struct altcp_tls_config *conf, const int* ciphersuites);

 

/** @ingroup altcp_tls

* Configure ALTCP_TLS client configuration for PSK cipher with user-defined key and identity.

*/

int altcp_tls_configure_client_psk(struct altcp_tls_config *conf,

                const unsigned char *psk, size_t psk_len,

                const unsigned char *psk_identity, size_t psk_identity_len );

 

with corresponding implementations in altcp_tls_mbedtls.c:

 

void

altcp_tls_configure_client_ciphersuites(struct altcp_tls_config *conf, const int* ciphersuites)

{

       mbedtls_ssl_conf_ciphersuites(&conf->conf, ciphersuites);

}

 

int

altcp_tls_configure_client_psk(struct altcp_tls_config *conf,

                const unsigned char *psk, size_t psk_len,

                const unsigned char *psk_identity, size_t psk_identity_len )

{

       return mbedtls_ssl_conf_psk(&conf->conf, psk, psk_len, psk_identity, psk_identity_len);

}

 

Anyone suggest a better way of doing this without modifying the source, or is this something that might be useful generally?

 

Regards.

 

Gary Metalle

 

reply via email to
[Prev in Thread] Current Thread [Next in Thread]