Share via

Outdated cipher suites in example code from Azure RTOS for STM32H7

slime 31 Reputation points
2021-05-21T04:44:14.587+00:00

I am trying to implement an TLS HTTPS server based on this HTTP Web Server sample:

https://github.com/STMicroelectronics/x-cube-azrtos-h7/tree/main/Projects/STM32H735G-DK/Applications/NetXDuo/Nx_WebServer

I have been trying to convert the above sample to TLS HTTPS from this example code functions from the same GIT hub:

https://github.com/STMicroelectronics/x-cube-azrtos-h7/blob/main/Middlewares/ST/netxduo/samples/demo_netxduo_https.c

It only works with Internet Explorer, not Chrome, or Edge, or Firefox because the issue seems to be there are only 4 supported cipher suites on the Azure RTOS NetXDuo HTTPS server, and all updated browsers like Chrome, Edge, & Firefox don't have those 4 available. They are:

0xC023 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
0xC027 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
0x003d TLS_RSA_WITH_AES_256_CBC_SHA256
0x003c TLS_RSA_WITH_AES_128_CBC_SHA256

The remaining question is why only those 4 and is there a way to add updated cipher suites?

Azure Internet of Things
Accepted answer
  1. QuantumCache 20,366 Reputation points Moderator
    2021-05-22T03:08:40.237+00:00

    Hello @slime Please refer the below response form the Microsoft Product team on your initial query. I hope this helps.

    Azure RTOS TLS is a highly-optimized implementation of the protocol for deeply-embedded RTOS systems. As a result, there are some options that may not be available, and the default cipher suite list was chosen because it represents the mandatory cipher suites for TLS as per RFCs 5246 (TLS 1.2) and 8446 (TLS 1.3). Some browser manufacturers have decided that those cipher suites are obsolete and have unfortunately decided to remove them, breaking compatibility. Our primary focus for TLS is IoT cloud communications and keeping up to date with arbitrary web browser configurations is not a priority. Note that Chromium (the OSS foundation for Chrome which may differ in configuration) does support AES-GCM cipher suites and this is a mode that Azure RTOS TLS supports (the latest version of Azure RTOS on GitHub, https://github.com/azure-rtos , has GCM cipher suites - look for the macro "NX_SECURE_ENABLE_AEAD_CIPHER" within the NetX Duo directory).

    If you have a specific use-case you are interested in pursuing or a specific cipher suite you need implemented then we may be able to help - the Azure RTOS TLS documentation describes how cryptographic methods can be added (https://learn.microsoft.com/en-us/azure/rtos/netx-duo/netx-secure-tls/chapter3#cryptographic-methods). You will be on your own to find the cryptography routines you need, but we can help if you have questions about configuration once you have the appropriate crypto primitives.

    If the response is helpful, please click "Accept Answer" and upvote it. So that it is helpful to other community members as well.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Kirsten Jens 1 Reputation point
    2022-11-22T14:20:22.217+00:00

    Can you specify what cipher suites are implemented for RFC 8446 (TLS1.3)?
    Is there a list somewhere in documentation or otherwise available?
    We could not find one so far.
    We would need ciphersuites as:
    Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
    Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
    Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
    We are using STM32F429, in case this is of some importance.
    Thank you.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.