Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 21.1
    • Fix Version/s: 22.0
    • Component/s: ssl
    • Labels:

      Description

      Hi,

      I am using DTLS with PSK (on OTP-21.1), but I can not find the correct cipher suites from the supported cipher list:
      ==============================
      3> rp(ssl:cipher_suites(all)).
      [{ecdhe_ecdsa,aes_256_gcm,aead,sha384},
       {ecdhe_rsa,aes_256_gcm,aead,sha384},
       {ecdhe_ecdsa,aes_256_cbc,sha384,sha384},
       {ecdhe_rsa,aes_256_cbc,sha384,sha384},
       {ecdh_ecdsa,aes_256_gcm,aead,sha384},
       {ecdh_rsa,aes_256_gcm,aead,sha384},
       {ecdh_ecdsa,aes_256_cbc,sha384,sha384},
       {ecdh_rsa,aes_256_cbc,sha384,sha384},
       {dhe_rsa,aes_256_gcm,aead,sha384},
       {dhe_dss,aes_256_gcm,aead,sha384},
       {dhe_rsa,aes_256_cbc,sha256},
       {dhe_dss,aes_256_cbc,sha256},
       {ecdhe_ecdsa,aes_128_gcm,aead,sha256},
       {ecdhe_rsa,aes_128_gcm,aead,sha256},
       {ecdhe_ecdsa,aes_128_cbc,sha256,sha256},
       {ecdhe_rsa,aes_128_cbc,sha256,sha256},
       {ecdh_ecdsa,aes_128_gcm,aead,sha256},
       {ecdh_rsa,aes_128_gcm,aead,sha256},
       {ecdh_ecdsa,aes_128_cbc,sha256,sha256},
       {ecdh_rsa,aes_128_cbc,sha256,sha256},
       {dhe_rsa,aes_128_gcm,aead,sha256},
       {dhe_dss,aes_128_gcm,aead,sha256},
       {dhe_rsa,aes_128_cbc,sha256},
       {dhe_dss,aes_128_cbc,sha256},
       {ecdhe_ecdsa,aes_256_cbc,sha},
       {ecdhe_rsa,aes_256_cbc,sha},
       {dhe_rsa,aes_256_cbc,sha},
       {dhe_dss,aes_256_cbc,sha},
       {ecdh_ecdsa,aes_256_cbc,sha},
       {ecdh_rsa,aes_256_cbc,sha},
       {ecdhe_ecdsa,aes_128_cbc,sha},
       {ecdhe_rsa,aes_128_cbc,sha},
       {dhe_rsa,aes_128_cbc,sha},
       {dhe_dss,aes_128_cbc,sha},
       {ecdh_ecdsa,aes_128_cbc,sha},
       {ecdh_rsa,aes_128_cbc,sha},
       {rsa_psk,aes_256_gcm,aead,sha384},
       {rsa_psk,aes_256_cbc,sha384},
       {rsa_psk,aes_128_gcm,aead,sha256},
       {rsa_psk,aes_128_cbc,sha256},
       {rsa_psk,aes_256_cbc,sha},
       {rsa_psk,aes_128_cbc,sha},
       {rsa_psk,'3des_ede_cbc',sha},
       {rsa_psk,rc4_128,sha},
       {srp_rsa,'3des_ede_cbc',sha},
       {srp_dss,'3des_ede_cbc',sha},
       {srp_rsa,aes_128_cbc,sha},
       {srp_dss,aes_128_cbc,sha},
       {srp_rsa,aes_256_cbc,sha},
       {srp_dss,aes_256_cbc,sha},
       {ecdhe_ecdsa,rc4_128,sha},
       {ecdhe_rsa,rc4_128,sha},
       {ecdh_ecdsa,rc4_128,sha},
       {ecdh_rsa,rc4_128,sha},
       {rsa,rc4_128,sha},
       {rsa,rc4_128,md5},
       {dhe_rsa,des_cbc,sha},
       {rsa,des_cbc,sha},
       {ecdhe_ecdsa,'3des_ede_cbc',sha},
       {ecdhe_rsa,'3des_ede_cbc',sha},
       {dhe_rsa,'3des_ede_cbc',sha},
       {dhe_dss,'3des_ede_cbc',sha},
       {ecdh_ecdsa,'3des_ede_cbc',sha},
       {ecdh_rsa,'3des_ede_cbc',sha},
       {rsa,aes_256_gcm,aead,sha384},
       {rsa,aes_256_cbc,sha256},
       {rsa,aes_128_gcm,aead,sha256},
       {rsa,aes_128_cbc,sha256},
       {rsa,aes_256_cbc,sha},
       {rsa,aes_128_cbc,sha},
       {rsa,'3des_ede_cbc',sha}]
      ==============================

      What I am looking for is `TLS_PSK_WITH_AES_128_CBC_SHA256` and `TLS_PSK_WITH_AES_128_CCM_8`. I think they might be supported by OTP-21.1, but I am not sure as they are not listed in the output of `ssl:cipher_suites(all)`.

      I found a [wiki](https://github.com/erlang/otp/wiki/Cipher-suite-correspondence-table) about this, but it seems to be outdated.
      Could you confirm this? Can I use the following SSL config in my application?

      ==============================
      {ciphers, [
        {psk, aes_128_cbc, sha256},
        {psk, aes_128_ccm, 8}
      ]}
      ==============================

      Best Regards,
      //Shawn

        Activity

        ingela Ingela Anderton Andin added a comment -

        `ssl:cipher_suites(anonymous, 'tlsv1.2').` will show, among others:

        #{cipher => aes_128_cbc,key_exchange => ecdhe_psk, mac => sha256,prf => default_prf},

        CCM is currently not supported, but probably will be in a future release.

        As for the table it was not created by the OTP team.
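
An added example (not part of the comment above and not OTP's own code) that applies the call from that comment: it merges the `all` and `anonymous` lists, keeps only PSK key exchanges, drops the legacy ciphers seen in the reporter's output, and checks whether the running release offers any CCM suite. The module `psk_suites` and its function names are hypothetical, and reusing the 'tlsv1.2' list for DTLS 1.2 is an assumption.

```erlang
%% Added example; module and function names are hypothetical.
-module(psk_suites).
-export([available/0, has_ccm/1, dtls_opts/2]).

-define(PSK_KEX, [ecdhe_psk, dhe_psk, psk, rsa_psk]).
%% Legacy ciphers that appear in the ssl:cipher_suites(all) output above.
-define(LEGACY, [rc4_128, des_cbc, '3des_ede_cbc']).

%% PSK suites known to the running OTP release. The 'all' list leaves
%% out the certificate-less suites, so the 'anonymous' list is merged in.
available() ->
    All  = ssl:cipher_suites(all, 'tlsv1.2'),
    Anon = ssl:cipher_suites(anonymous, 'tlsv1.2'),
    Suites = All ++ (Anon -- All),
    [S || #{key_exchange := K, cipher := C} = S <- Suites,
          lists:member(K, ?PSK_KEX),
          not lists:member(C, ?LEGACY)].

%% True when the list offers a CCM suite. Matching on the atom's text
%% avoids assuming a particular spelling of the cipher name.
has_ccm(Suites) ->
    lists:any(fun(#{cipher := C}) ->
                  string:find(atom_to_list(C), "ccm") =/= nomatch
              end, Suites).

%% Options for ssl:connect/ssl:listen over DTLS with a single PSK.
%% Identity is a string, Secret a binary; the secret travels as the
%% lookup fun's user state and is released only for the expected identity.
dtls_opts(Identity, Secret) when is_binary(Secret) ->
    Lookup = fun(psk, Id, Key) ->
                     case iolist_to_binary(Id) =:= iolist_to_binary(Identity) of
                         true  -> {ok, Key};
                         false -> error
                     end;
                (_, _, _) ->
                     error
             end,
    [{protocol, dtls},
     {versions, ['dtlsv1.2']},
     {ciphers, available()},
     {psk_identity, Identity},
     {user_lookup_fun, {Lookup, Secret}}].
```

`psk_suites:has_ccm(psk_suites:available())` is a quick check of whether a given OTP build can negotiate the CCM suites requested in this issue before they are put into a `ciphers` option.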

        terry-xiaoyu terry-xiaoyu added a comment -

        I've changed this issue to 'New Feature', requiring the 'CCM' ciphers.

        terry-xiaoyu terry-xiaoyu added a comment -

        Hi, is there any way to add my own CCM ciphers? Do I have to make the changes and rebuild my own OTP?

        ingela Ingela Anderton Andin added a comment -

        Needed support in the crypto application was recently added. So now the ssl application needs to be updated to handle CCM cipher suites. You can always create a PR to add it.

        ingela Ingela Anderton Andin added a comment -

        It is in the backlog for OTP 22, but not promising it will make it.


          People

          • Assignee: otp_team_ps Team PS
          • Reporter: terry-xiaoyu terry-xiaoyu