[Networking][Mbedtls] Judicious use of cipher suites


Prabhu Vinod, Karthik

Hi,

I wanted to check if there is a way to use cryptographic cipher suites without including the following config options.

CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_BUILTIN=y

CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=56240
CONFIG_MBEDTLS_USER_CONFIG_ENABLE=y
CONFIG_MBEDTLS_USER_CONFIG_FILE="user-tls.conf"

In most user space application clients like those of MQTT, CoAP, HTTPS etc., I have observed we associate a tls_config with a socket as a socket_opt. I wanted to know if we could use a very small set of cipher suites just by providing the list of cipher suites in tls_config->cipher_list and skip enabling CONFIG_MBEDTLS and CONFIG_MBEDTLS_BUILTIN. I don't want to use the config-tls-generic config file as the default, as it contains almost all the cipher suites.

At the application level we can do the below:

struct mqtt_sec_config *tls_config = &client->transport.tls.config;

/* 2 == TLS_PEER_VERIFY_REQUIRED: the broker certificate must chain to a trusted CA */
tls_config->peer_verify = 2;
/* NULL means every cipher suite compiled into mbedTLS is offered (cipher_count is then ignored) */
tls_config->cipher_list = NULL;
/* m_sec_tags holds the credential tags registered earlier with tls_credential_add() */
tls_config->sec_tag_list = m_sec_tags;
tls_config->sec_tag_count = ARRAY_SIZE(m_sec_tags);
/* hostname is sent as SNI and checked against the peer certificate */
tls_config->hostname = hostname;

Looking forward to some suggestions here.

Many Regards,
Karthik Prabhu Vinod

 

Help save the planet by choosing not to use single use plastics. Pick paper, bamboo or metal cutlery and carry your own bag to the grocery store. Every little thing you do makes an impact.
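Added illustration, not code from the post above or from the Zephyr project: Zephyr's TLS sockets (and the MQTT and CoAP clients built on them) are implemented on top of mbedTLS, so CONFIG_MBEDTLS stays enabled; what can be trimmed is the set of suites and primitives that mbedTLS is built with. The file that does that is the one the post already names, CONFIG_MBEDTLS_USER_CONFIG_FILE="user-tls.conf", which Zephyr's mbedTLS module includes at the end of config-tls-generic.h so its definitions win over the generic defaults. The two ECDHE-ECDSA/AES-GCM suites chosen below are an assumption for the example; pick whatever the broker actually supports.

```c
/* user-tls.conf: example mbedTLS user configuration for Zephyr.
 * Added illustration; the suite choice is an assumption for the example.
 * Included after config-tls-generic.h, so #define/#undef here override it. */

#ifndef USER_TLS_CONF_H
#define USER_TLS_CONF_H

/* Explicit allow-list of suites the TLS layer will offer or accept.
 * Anything not listed is never negotiated, even if its primitives are
 * still compiled in, so this is the narrowest point of control. */
#define MBEDTLS_SSL_CIPHERSUITES \
	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, \
	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

/* Drop key exchanges the allow-list does not use, so their code is not built. */
#undef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED

/* Drop legacy symmetric ciphers and modes (undef of an absent macro is harmless). */
#undef MBEDTLS_CIPHER_MODE_CBC
#undef MBEDTLS_CCM_C
#undef MBEDTLS_DES_C
#undef MBEDTLS_CAMELLIA_C

/* Keep what the two suites need: ECDHE key agreement, ECDSA on P-256/P-384,
 * AES-GCM, SHA-256/SHA-384, and X.509 parsing so peer_verify can work. */
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_ECDH_C
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECP_C
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
#define MBEDTLS_AES_C
#define MBEDTLS_GCM_C
#define MBEDTLS_SHA256_C
#define MBEDTLS_SHA512_C
#define MBEDTLS_X509_CRT_PARSE_C

#endif /* USER_TLS_CONF_H */
```

With this in place, tls_config->cipher_list (an int array of MBEDTLS_TLS_* suite IDs, with cipher_count set to its length; the same list goes through the TLS_CIPHERSUITE_LIST socket option for a raw socket) can only narrow further within what the build already allows: a suite ID that was not compiled in is skipped when the ClientHello is built rather than enabled, so the runtime list is a second filter, not a substitute for the build-time one.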
