From: Gary Metalle
Subject: [lwip-users] mbedtls port: Changing SSL config parameters
Date: Thu, 14 Apr 2022 16:34:37 +0000
Hi

I'm using LWIP 2.2.0 on an ARM imx.rt platform along with mbedtls version 2.27.0. Specifically I'm using the altcp_tls 'app' wrapper that makes it easy to switch between TCP and TLS for my connection to an MQTT broker using mbedtls for the encryption. I have just had need to configure a couple of options for the SSL config within MBEDTLS but couldn't find a way without modifying the source code in lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c.

I noticed that within the mbedtls_ssl_context struct there is a private mbedtls_ssl_config pointer that is the one that would normally be used to fiddle with certain parameters, such as the following mbedtls function to set the desired list of cipher suites:

    void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
                                        const int *ciphersuites );

My specific case was to not use certs but only to restrict the only supported cipher suite to:

    MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256

The altcp_tls_create_config function in altcp_tls_mbedtls.c allocates space for the conf ssl config parameter and does a good job of setting up various defaults, but it adds its own list of cipher suites, presumably based on the #defines enabled in the mbedtls config.h header file. For cases where a PSK is used it doesn't allow setup for defining the private key and the identity, and I couldn't find a way to access the conf mbedtls_ssl_config pointer from the mbedtls_ssl_context pointer (which I do have access to).

I have worked around this by defining the following two prototypes in altcp_tls.h:

    /**
     * @ingroup altcp_tls
     * Configure ALTCP_TLS client configuration for user-defined list of cipher suites.
     */
    void altcp_tls_configure_client_ciphersuites(struct altcp_tls_config *conf,
                                                 const int *ciphersuites);

    /**
     * @ingroup altcp_tls
     * Configure ALTCP_TLS client configuration for PSK cipher with user-defined key and identity.
     */
    int altcp_tls_configure_client_psk(struct altcp_tls_config *conf,
                                       const unsigned char *psk, size_t psk_len,
                                       const unsigned char *psk_identity, size_t psk_identity_len);

with corresponding implementations in altcp_tls_mbedtls.c:

    /* Pass the caller's 0-terminated cipher suite list straight to the
     * mbedtls_ssl_config embedded in the altcp_tls config. */
    void altcp_tls_configure_client_ciphersuites(struct altcp_tls_config *conf,
                                                 const int *ciphersuites)
    {
      mbedtls_ssl_conf_ciphersuites(&conf->conf, ciphersuites);
    }

    /* Install the PSK and its identity; returns 0 on success or an
     * mbedtls error code (e.g. when the key exceeds MBEDTLS_PSK_MAX_LEN). */
    int altcp_tls_configure_client_psk(struct altcp_tls_config *conf,
                                       const unsigned char *psk, size_t psk_len,
                                       const unsigned char *psk_identity, size_t psk_identity_len)
    {
      return mbedtls_ssl_conf_psk(&conf->conf, psk, psk_len,
                                  psk_identity, psk_identity_len);
    }

Can anyone suggest a better way of doing this without modifying the source, or is this something that might be useful generally?

Regards.

Gary Metalle