The cipher suites should be set after the default settings are done,
otherwise the settings will be overwritten with the defaults later on
again.
Also make the list of supported cipher suites match what Chrome tries to
use.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
}
#define TLS_DEFAULT_CIPHERS \
}
#define TLS_DEFAULT_CIPHERS \
- TLS_CIPHER(AES_256_CBC_SHA256) \
- TLS_CIPHER(AES_256_GCM_SHA384) \
- TLS_CIPHER(AES_256_CBC_SHA) \
- TLS_CIPHER(CAMELLIA_256_CBC_SHA256) \
- TLS_CIPHER(CAMELLIA_256_CBC_SHA) \
- TLS_CIPHER(AES_128_CBC_SHA256) \
TLS_CIPHER(AES_128_GCM_SHA256) \
TLS_CIPHER(AES_128_GCM_SHA256) \
+ TLS_CIPHER(AES_256_GCM_SHA384) \
TLS_CIPHER(AES_128_CBC_SHA) \
TLS_CIPHER(AES_128_CBC_SHA) \
- TLS_CIPHER(CAMELLIA_128_CBC_SHA256) \
- TLS_CIPHER(CAMELLIA_128_CBC_SHA) \
+ TLS_CIPHER(AES_256_CBC_SHA) \
TLS_CIPHER(3DES_EDE_CBC_SHA)
static const int default_ciphersuites_nodhe[] =
{
#define TLS_CIPHER(v) \
TLS_CIPHER(3DES_EDE_CBC_SHA)
static const int default_ciphersuites_nodhe[] =
{
#define TLS_CIPHER(v) \
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v, \
+ MBEDTLS_TLS_ECDHE_RSA_WITH_##v, \
MBEDTLS_TLS_RSA_WITH_##v,
TLS_DEFAULT_CIPHERS
#undef TLS_CIPHER
MBEDTLS_TLS_RSA_WITH_##v,
TLS_DEFAULT_CIPHERS
#undef TLS_CIPHER
static const int default_ciphersuites[] =
{
#define TLS_CIPHER(v) \
static const int default_ciphersuites[] =
{
#define TLS_CIPHER(v) \
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v, \
+ MBEDTLS_TLS_ECDHE_RSA_WITH_##v, \
MBEDTLS_TLS_DHE_RSA_WITH_##v, \
MBEDTLS_TLS_RSA_WITH_##v,
TLS_DEFAULT_CIPHERS
MBEDTLS_TLS_DHE_RSA_WITH_##v, \
MBEDTLS_TLS_RSA_WITH_##v,
TLS_DEFAULT_CIPHERS
conf = &ctx->conf;
mbedtls_ssl_config_init(conf);
conf = &ctx->conf;
mbedtls_ssl_config_init(conf);
- if (server) {
- mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_nodhe);
- ep = MBEDTLS_SSL_IS_SERVER;
- } else {
- mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites);
- ep = MBEDTLS_SSL_IS_CLIENT;
- }
+ ep = server ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT;
mbedtls_ssl_config_defaults(conf, ep, MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_rng(conf, _urandom, NULL);
mbedtls_ssl_config_defaults(conf, ep, MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_rng(conf, _urandom, NULL);
+ if (server)
+ mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_nodhe);
+ else
+ mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites);
+
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_conf_session_cache(conf, &ctx->cache,
mbedtls_ssl_cache_get,
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_conf_session_cache(conf, &ctx->cache,
mbedtls_ssl_cache_get,
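Review bot: In both `default_ciphersuites_nodhe` and `default_ciphersuites`, the per-cipher `TLS_CIPHER(v)` expansion interleaves key exchanges, so `MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256` (static RSA, no forward secrecy) is listed ahead of the ECDHE suites for `AES_256_GCM_SHA384` and for both CBC ciphers, and mbedtls reads this array as a preference order. Expanding `TLS_DEFAULT_CIPHERS` once per key exchange, as sketched below, keeps every forward-secret suite ahead of the static-RSA ones. The unchanged `TLS_CIPHER(3DES_EDE_CBC_SHA)` entry now also yields the two ECDHE 3DES suites; if that 64-bit-block cipher is kept only for legacy peers, a comment saying so (or dropping the entry) would help. The array initialisers close outside the lines shown, so their terminating entry is not visible here.

```c
static const int default_ciphersuites_nodhe[] =
{
/* first pass: forward-secret key exchanges only */
#define TLS_CIPHER(v) \
	MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v, \
	MBEDTLS_TLS_ECDHE_RSA_WITH_##v,
	TLS_DEFAULT_CIPHERS
#undef TLS_CIPHER
/* second pass: static RSA as the fallback tier */
#define TLS_CIPHER(v) \
	MBEDTLS_TLS_RSA_WITH_##v,
	TLS_DEFAULT_CIPHERS
#undef TLS_CIPHER
/* … unchanged: rest of the initialiser … */

/* default_ciphersuites: same shape, with a DHE_RSA pass between the ECDHE and RSA passes */
```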