ubxlib: Problems selecting cipher suites
Hello, we are using a SARA-R422S modem. When connecting to a server we need to modify the cipher suites the modem offers, as our server doesn’t support the modem’s default ones. Unfortunately we can’t get it to work.
First we created our own default TLS security settings, based on U_SECURITY_TLS_SETTINGS_DEFAULT from ubxlib:
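/*
 * Extended copy of ubxlib's U_SECURITY_TLS_SETTINGS_DEFAULT that carries an
 * explicit list of 35 cipher suites instead of relying on the modem defaults.
 *
 * Use it as a brace initialiser and supply the semicolon at the call site:
 *     uSecurityTlsSettings_t settings = EXTENDED_U_SECURITY_TLS_SETTINGS_DEFAULT;
 * The definition itself deliberately does not end in ';' (CERT PRE11-C), so
 * the expansion is a plain initialiser and nothing else.
 *
 * Review notes:
 *  - The count (35) must equal the number of entries that follow it and must
 *    not exceed U_SECURITY_TLS_MAX_NUM_CIPHER_SUITES; that define has to be
 *    raised for a list this long.
 *  - The certificate check defaults to U_SECURITY_TLS_CERTIFICATE_CHECK_NONE,
 *    so the server is NOT authenticated unless the caller overrides the field
 *    and provides a root CA name (NULL here).
 *  - The list is broad: it contains CBC-mode suites, static ECDH_* suites
 *    (no forward secrecy) and PSK suites although PSK / PSK ID are empty.
 *    Prefer trimming it to the suites the server is actually meant to accept.
 */
#define EXTENDED_U_SECURITY_TLS_SETTINGS_DEFAULT                                  \
    {U_SECURITY_TLS_VERSION_ANY,                  /* tlsVersion */                \
     NULL,                                        /* Root CA name */              \
     NULL,                                        /* Client certificate name */   \
     NULL,                                        /* Private key name */          \
     U_SECURITY_TLS_CERTIFICATE_CHECK_NONE,       /* certificateCheck */          \
     NULL,                                        /* Private key PW */            \
     {/* Cipher suites */                                                         \
      35, /* Number of cipher suites in list */                                   \
      {                                                                           \
          /* ECDHE key exchange */                                                \
          U_SECURITY_TLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,        \
          U_SECURITY_TLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,        \
          U_SECURITY_TLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,        \
          U_SECURITY_TLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,        \
          U_SECURITY_TLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_AES_128_CCM,               \
          U_SECURITY_TLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_AES_256_CCM,               \
          U_SECURITY_TLS_CIPHER_SUITE_ECDHE_RSA_WITH_AES_128_CBC_SHA256,          \
          U_SECURITY_TLS_CIPHER_SUITE_ECDHE_RSA_WITH_AES_256_CBC_SHA384,          \
          U_SECURITY_TLS_CIPHER_SUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256,          \
          U_SECURITY_TLS_CIPHER_SUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384,          \
          U_SECURITY_TLS_CIPHER_SUITE_ECDHE_PSK_WITH_AES_128_CBC_SHA256,          \
          U_SECURITY_TLS_CIPHER_SUITE_ECDHE_PSK_WITH_AES_256_CBC_SHA384,          \
          /* DHE key exchange */                                                  \
          U_SECURITY_TLS_CIPHER_SUITE_DHE_DSS_WITH_AES_128_CBC_SHA256,            \
          U_SECURITY_TLS_CIPHER_SUITE_DHE_RSA_WITH_AES_128_CBC_SHA256,            \
          U_SECURITY_TLS_CIPHER_SUITE_DHE_RSA_WITH_AES_256_CBC_SHA256,            \
          U_SECURITY_TLS_CIPHER_SUITE_DHE_RSA_WITH_AES_128_GCM_SHA256,            \
          U_SECURITY_TLS_CIPHER_SUITE_DHE_RSA_WITH_AES_256_GCM_SHA384,            \
          U_SECURITY_TLS_CIPHER_SUITE_DHE_PSK_WITH_AES_128_CBC_SHA256,            \
          U_SECURITY_TLS_CIPHER_SUITE_DHE_PSK_WITH_AES_256_CBC_SHA384,            \
          U_SECURITY_TLS_CIPHER_SUITE_DHE_PSK_WITH_AES_128_GCM_SHA256,            \
          U_SECURITY_TLS_CIPHER_SUITE_DHE_PSK_WITH_AES_256_GCM_SHA384,            \
          U_SECURITY_TLS_CIPHER_SUITE_DHE_PSK_WITH_AES_128_CCM,                   \
          U_SECURITY_TLS_CIPHER_SUITE_DHE_PSK_WITH_AES_256_CCM,                   \
          /* Static ECDH key exchange (no forward secrecy) */                     \
          U_SECURITY_TLS_CIPHER_SUITE_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,         \
          U_SECURITY_TLS_CIPHER_SUITE_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,         \
          U_SECURITY_TLS_CIPHER_SUITE_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,         \
          U_SECURITY_TLS_CIPHER_SUITE_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,         \
          U_SECURITY_TLS_CIPHER_SUITE_ECDH_RSA_WITH_AES_128_CBC_SHA256,           \
          U_SECURITY_TLS_CIPHER_SUITE_ECDH_RSA_WITH_AES_256_CBC_SHA384,           \
          U_SECURITY_TLS_CIPHER_SUITE_ECDH_RSA_WITH_AES_128_GCM_SHA256,           \
          U_SECURITY_TLS_CIPHER_SUITE_ECDH_RSA_WITH_AES_256_GCM_SHA384,           \
          /* RSA-PSK key exchange */                                              \
          U_SECURITY_TLS_CIPHER_SUITE_RSA_PSK_WITH_AES_128_CBC_SHA256,            \
          U_SECURITY_TLS_CIPHER_SUITE_RSA_PSK_WITH_AES_256_CBC_SHA384,            \
          U_SECURITY_TLS_CIPHER_SUITE_RSA_PSK_WITH_AES_128_GCM_SHA256,            \
          U_SECURITY_TLS_CIPHER_SUITE_RSA_PSK_WITH_AES_256_GCM_SHA384,            \
      }},                                                                         \
     {NULL, 0},                                   /* PSK */                       \
     {NULL, 0},                                   /* PSK ID */                    \
     false,                                       /* pskGeneratedByRoT */         \
     NULL,                                        /* Expected server URL */       \
     NULL,                                        /* SNI */                       \
     false,                                       /* Session resumption */        \
     false,                                       /* use device certificate */    \
     false}                                       /* include CA certificates */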
To make room for the longer array of uSecurityTlsCipherSuiteIana_t in uSecurityTlsCipherSuites_t, we increased the define U_SECURITY_TLS_MAX_NUM_CIPHER_SUITES accordingly.
Based on our custom default TLS settings we now try to connect to a server (simplified code snippet):
/* Simplified excerpt as posted: the `if` block is left open and surrounding code is elided. */
/* Create a TCP stream socket and continue only when a non-negative descriptor came back. */
int Socket = socket(AF_INET, U_SOCK_TYPE_STREAM, U_SOCK_PROTOCOL_TCP);
if (Socket >= 0)
{
/* Poster's own wrapper (not shown); presumably puts the socket into non-blocking mode - confirm. */
UBXLIB_fcntlSetFlags(F_SETFL, O_NONBLOCK)
/* Start from the extended defaults, then tighten them for this connection. */
uSecurityTlsSettings_t TlsSettings = EXTENDED_U_SECURITY_TLS_SETTINGS_DEFAULT;
/* Raise the minimum protocol version from "any" to TLS 1.2. */
TlsSettings.tlsVersionMin = U_SECURITY_TLS_VERSION_1_2;
/* Override the macro's CHECK_NONE default with the root CA + URL + date check.
 * NOTE(review): no root CA certificate name is assigned in this excerpt and the
 * macro default for it is NULL - confirm that a trust anchor is configured,
 * otherwise this check cannot do what is intended. */
TlsSettings.certificateCheck = U_SECURITY_TLS_CERTIFICATE_CHECK_ROOT_CA_URL_DATE;
/* The same host name is used for the expected-server-URL check and for SNI. */
TlsSettings.pExpectedServerUrl = HostName;
TlsSettings.pSni = HostName;
/* Client authentication: these are assigned to the *name* fields of the key and certificate. */
TlsSettings.pClientPrivateKeyName = ClientSecret;
TlsSettings.pClientCertificateName = ClientCertificate;
/* Apply the TLS settings to the socket before connecting.
 * NOTE(review): SockSecurityResult is not examined before connect() in this
 * excerpt. Gate connect() on a successful result so that a failed TLS setup
 * cannot fall through to a plain, unsecured TCP connection. */
int32_t SockSecurityResult = uSockSecurity(Socket, &TlsSettings);
int ConnectResult = connect(Socket, SockAddr, SockAddrLen);
AT log for uSockSecurity():
U_SOCK: socket created, descriptor 0, network handle 0x20013BA0, socket handle 0.
AT+USECPRF=0
+CREG: 5,"67B7","01DF8A07",7
+CEREG: 5,"67B7","1DF8A07",7,,,,
OK
AT+USECPRF=0,1,3
OK
AT+USECPRF=0,5,"User"
OK
AT+USECPRF=0,6,"User secret"
OK
AT+USECPRF=0,2,99,"c0","23"
OK
AT+USECPRF=0,2,99,"c0","24"
OK
AT+USECPRF=0,2,99,"c0","2b"
OK
AT+USECPRF=0,2,99,"c0","2c"
OK
AT+USECPRF=0,2,99,"c0","ac"
OK
AT+USECPRF=0,2,99,"c0","ad"
OK
AT+USECPRF=0,2,99,"c0","27"
OK
AT+USECPRF=0,2,99,"c0","28"
OK
AT+USECPRF=0,2,99,"c0","2f"
OK
AT+USECPRF=0,2,99,"c0","30"
OK
AT+USECPRF=0,2,99,"c0","37"
OK
AT+USECPRF=0,2,99,"c0","38"
OK
AT+USECPRF=0,2,99,"00","40"
OK
AT+USECPRF=0,2,99,"00","67"
OK
AT+USECPRF=0,2,99,"00","6b"
OK
AT+USECPRF=0,2,99,"00","9e"
OK
AT+USECPRF=0,2,99,"00","9f"
OK
AT+USECPRF=0,2,99,"00","b2"
OK
AT+USECPRF=0,2,99,"00","b3"
OK
AT+USECPRF=0,2,99,"00","aa"
OK
AT+USECPRF=0,2,99,"00","ab"
OK
AT+USECPRF=0,2,99,"c0","a6"
OK
AT+USECPRF=0,2,99,"c0","a7"
OK
AT+USECPRF=0,2,99,"c0","25"
OK
AT+USECPRF=0,2,99,"c0","26"
OK
AT+USECPRF=0,2,99,"c0","2d"
OK
AT+USECPRF=0,2,99,"c0","2e"
OK
AT+USECPRF=0,2,99,"c0","29"
OK
AT+USECPRF=0,2,99,"c0","2a"
OK
AT+USECPRF=0,2,99,"c0","31"
OK
AT+USECPRF=0,2,99,"c0","32"
OK
AT+USECPRF=0,2,99,"00","b6"
OK
AT+USECPRF=0,2,99,"00","b7"
OK
AT+USECPRF=0,2,99,"00","ac"
OK
AT+USECPRF=0,2,99,"00","ad"
OK
AT+USECPRF=0,4,"REMOVED"
OK
AT+USECPRF=0,0,3
OK
AT+USECPRF=0,10,"REMOVED"
OK
AT+USOSEC=0,1,0
OK
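When sniffing our connection with Wireshark we noticed that the ClientHello only includes the last cipher suite in the list, U_SECURITY_TLS_CIPHER_SUITE_RSA_PSK_WITH_AES_256_GCM_SHA384, and not the whole list. This matches the AT log above, where the final cipher-suite command sent is AT+USECPRF=0,2,99,"00","ad", which suggests that each of these commands replaces the previously selected suite rather than adding to a list.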
How do we properly setup the cipher suite list on our modem? Thank you very much in advance for the help.
That was fast 😀 I will close this issue as I know how to proceed and thanks again for your effort