Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/

Add TLS 1.2 cipher suite inspection functions #9424

Open JZimnol opened 3 months ago

JZimnol commented 3 months ago

With Mbed TLS 3.6, some changes breaking the public API have been introduced. While some of them can be solved by users' workarounds, some of them are quite necessary for some applications. Apart from changes related to #9223 (e.g. #7075, which disables VERIFY_NONE/OPTIONAL and may have some workarounds for self-signed certificates like clearing the result flag), some APIs can be reverted to public.

Suggested enhancement

Make the mbedtls_ssl_ciphersuite_uses_psk and mbedtls_ssl_ciphersuite_uses_srv_cert public again (broken public API).

Justification

There is no reason why this API can't be public (probably?). Mbed TLS needs this because of e.g. resource-constrained applications. Right now my team has found a workaround for that (just by implementing this as a static inline in our code), but it would require us to follow the changes in your private code just to be up-to-date all the time.

Usecase

Our application implements an LwM2M client and we want to be able to filter the reported ciphersuites when connecting to the server (according to some security configuration) so that not all of them are reported in the Client Hello message. This reduces the data usage of the device.
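As an added example (not code from this issue or from Mbed TLS) of the ClientHello trimming this use case describes: the PSK / server-certificate classification reimplemented application-side, as the reporter's workaround does, then used to build the 0-terminated list that mbedtls_ssl_conf_ciphersuites() takes. The kx_t enum, suite_t struct and sample table are constructed stand-ins for the library's private types so the file compiles without Mbed TLS headers.

```c
#include <stddef.h>
/* Constructed mirror of the mbedtls_key_exchange_type_t names (hypothetical local
 * names so this compiles without Mbed TLS headers). */
typedef enum { KX_NONE, KX_RSA, KX_DHE_RSA, KX_ECDHE_RSA, KX_ECDHE_ECDSA, KX_PSK,
               KX_DHE_PSK, KX_RSA_PSK, KX_ECDHE_PSK, KX_ECDH_RSA, KX_ECDH_ECDSA } kx_t;
/* Constructed stand-in for mbedtls_ssl_ciphersuite_t, whose fields are private in 3.6. */
typedef struct { int id; const char *name; kx_t key_exchange; } suite_t;
/* Application-side copies of the two classifications the issue asks to make public.
 * A suite uses PSK if the key exchange involves a pre-shared key, and uses a server
 * certificate if the server must present one; RSA_PSK lands in both sets. */
static inline int suite_uses_psk(const suite_t *s) {
    switch (s->key_exchange) {
        case KX_PSK: case KX_RSA_PSK: case KX_DHE_PSK: case KX_ECDHE_PSK: return 1;
        default: return 0;
    }
}
static inline int suite_uses_srv_cert(const suite_t *s) {
    switch (s->key_exchange) {
        case KX_RSA: case KX_RSA_PSK: case KX_DHE_RSA: case KX_ECDH_RSA:
        case KX_ECDHE_RSA: case KX_ECDH_ECDSA: case KX_ECDHE_ECDSA: return 1;
        default: return 0;
    }
}
/* Build the 0-terminated id list mbedtls_ssl_conf_ciphersuites() takes, keeping only
 * suites the device's security mode can complete: mode 0 = PSK only (no certificate
 * provisioned), mode 1 = certificate only. Nothing else reaches the ClientHello. */
size_t filter_ciphersuites(const suite_t *all, size_t n, int mode, int *out, size_t cap) {
    size_t k = 0;
    for (size_t i = 0; i < n && k + 1 < cap; i++) {
        int psk = suite_uses_psk(&all[i]), cert = suite_uses_srv_cert(&all[i]);
        if (mode == 0 ? (psk && !cert) : (cert && !psk)) out[k++] = all[i].id;
    }
    out[k] = 0;               /* terminator the library expects */
    return k;                 /* number of suites kept */
}
/* Constructed sample table; a real build would walk mbedtls_ssl_list_ciphersuites(). */
const suite_t SAMPLE_SUITES[] = {
    { 0xC02B, "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256", KX_ECDHE_ECDSA },
    { 0xC02F, "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",   KX_ECDHE_RSA },
    { 0x00A8, "TLS-PSK-WITH-AES-128-GCM-SHA256",         KX_PSK },
    { 0xC037, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256",   KX_ECDHE_PSK },
    { 0x0094, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA",        KX_RSA_PSK },
};
const size_t SAMPLE_SUITES_N = sizeof(SAMPLE_SUITES) / sizeof(SAMPLE_SUITES[0]);
/* Filter the sample table and return the idx-th kept id (0 at/after the terminator). */
int sample_filtered_id(int mode, size_t idx) {
    int ids[16];
    size_t n = filter_ciphersuites(SAMPLE_SUITES, SAMPLE_SUITES_N, mode, ids, 16);
    return idx <= n ? ids[idx] : 0;
}
```

In a PSK-only deployment the five-suite sample shrinks to two entries, so a mixed suite such as RSA_PSK is dropped as well because the device cannot complete its certificate half.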

gilles-peskine-arm commented 2 months ago

mbedtls_ssl_ciphersuite_uses_psk and mbedtls_ssl_ciphersuite_uses_srv_cert have never been part of the Mbed TLS API. They've been internal functions since the PolarSSL days.

We can make them public. We'd just need to document and test them.