NetXDuo on STM32F429, missing cipher suites for TLS 1.3

Kirsten Jens 1 Reputation point
2022-11-22T14:35:33.467+00:00

We implement an NetXDuo TLS 1.3 connection using STM32F429.

TLS 1.3 is enabled, but it is disabled in code line 684 in nx_secure_tls_session_create_ext.c

if (NX_SECURE_TLS_TLS_1_3_ENABLED)

tls_session->nx_secure_tls_1_3_supported = NX_FALSE;  

endif

and not enabled again, when the cipher suites are not detected:

if (NX_SECURE_TLS_TLS_1_3_ENABLED)

    if ((ciphersuite_table[i].nx_secure_tls_ciphersuite >> 8) == 0x13)  
    {  

        /* Enable TLS 1.3 only if the ciphersuite required by RFC 8446 is provided. */  
        tls_session->nx_secure_tls_1_3_supported = NX_TRUE;  
    }  

endif

Our server would accept ciphersuites as:
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)

Can you specify what cipher suites are implemented for RFC 8446 (TLS1.3) ?
Is there a list somewhere in documentation or otherwise available?

If our needed cipher suites are not implemented, how would we get on with this?
? https://learn.microsoft.com/en-us/azure/rtos/netx-duo/netx-secure-tls/chapter3#cryptographic-methods

Thank you.

Azure RTOS
Azure RTOS
An Azure embedded development suite including a small but powerful operating system for resource-constrained devices.
319 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Tiejun Zhou 1,126 Reputation points Microsoft Employee
    2022-12-01T01:09:53.537+00:00

    Hi @Kirsten Jens , the following ciphersuites for TLS 1.3 are supported.

    • TLS_AES_128_GCM_SHA256
    • TLS_AES_128_CCM_SHA256
    • TLS_AES_128_CCM_8_SHA256

    Those are all ECC based ciphersuites. Make sure you have passed nx_crypto_tls_ciphers_ecc into nx_secure_tls_session_create().

    0 comments No comments

  2. Kirsten Jens 1 Reputation point
    2022-12-05T12:07:10.007+00:00

    Thank you.
    There are two questions coming up now:

    1. ECC ciphersuites are enabled and now are provided in Client Hello, Extensions Supported Groups.
      If ECC ciphersuites are used, do the certificates and keys are always to be generated in ECC format or can they still be in format RSA?
    2. We still do not see TLS1.3 in outgoing protocols, the mentioned ciphersuites are not showing up though we set NX_SECURE_TLS_TLS_1_3_ENABLED. We also do not see the extension supported_versions in Client Hello. What possible other defines might be missing?

  3. Kirsten Jens 1 Reputation point
    2022-12-19T10:06:06.533+00:00

    Thank you for your answer, which helped a lot. But also leading to a next question.

    The local certificates including client key, required for mutual authentication, what format can or should the hexdump for the header files be made from:

    • der/crt and/or
    • pem.

    In other words, does it matter, if the format is in ASCII or binary?
    Thanks a lot.