[ERL-745] Support more PSK ciphers - CCM - Erlang Programming Language

Details

Type: New Feature
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 21.1
Fix Version/s: 22.0
Component/s: ssl
Labels:
- docs
- ssl

Description

Hi,

I am using DTLS with PSK (on OTP-21.1), but I can not find the correct cipher suites from the supported cipher list:
==============================
3> rp(ssl:cipher_suites(all)).
[

{ecdhe_ecdsa,aes_256_gcm,aead,sha384}

{ecdhe_rsa,aes_256_gcm,aead,sha384}

{ecdhe_ecdsa,aes_256_cbc,sha384,sha384}

{ecdhe_rsa,aes_256_cbc,sha384,sha384}

{ecdh_ecdsa,aes_256_gcm,aead,sha384}

{ecdh_rsa,aes_256_gcm,aead,sha384}

{ecdh_ecdsa,aes_256_cbc,sha384,sha384}

{ecdh_rsa,aes_256_cbc,sha384,sha384}

{dhe_rsa,aes_256_gcm,aead,sha384}

{dhe_dss,aes_256_gcm,aead,sha384}

{dhe_rsa,aes_256_cbc,sha256}

{dhe_dss,aes_256_cbc,sha256}

{ecdhe_ecdsa,aes_128_gcm,aead,sha256}

{ecdhe_rsa,aes_128_gcm,aead,sha256}

{ecdhe_ecdsa,aes_128_cbc,sha256,sha256}

{ecdhe_rsa,aes_128_cbc,sha256,sha256}

{ecdh_ecdsa,aes_128_gcm,aead,sha256}

{ecdh_rsa,aes_128_gcm,aead,sha256}

{ecdh_ecdsa,aes_128_cbc,sha256,sha256}

{ecdh_rsa,aes_128_cbc,sha256,sha256}

{dhe_rsa,aes_128_gcm,aead,sha256}

{dhe_dss,aes_128_gcm,aead,sha256}

{dhe_rsa,aes_128_cbc,sha256}

{dhe_dss,aes_128_cbc,sha256}

{ecdhe_ecdsa,aes_256_cbc,sha}

{ecdhe_rsa,aes_256_cbc,sha}

{dhe_rsa,aes_256_cbc,sha}

{dhe_dss,aes_256_cbc,sha}

{ecdh_ecdsa,aes_256_cbc,sha}

{ecdh_rsa,aes_256_cbc,sha}

{ecdhe_ecdsa,aes_128_cbc,sha}

{ecdhe_rsa,aes_128_cbc,sha}

{dhe_rsa,aes_128_cbc,sha}

{dhe_dss,aes_128_cbc,sha}

{ecdh_ecdsa,aes_128_cbc,sha}

{ecdh_rsa,aes_128_cbc,sha}

{rsa_psk,aes_256_gcm,aead,sha384}

{rsa_psk,aes_256_cbc,sha384}

{rsa_psk,aes_128_gcm,aead,sha256}

{rsa_psk,aes_128_cbc,sha256}

{rsa_psk,aes_256_cbc,sha}

{rsa_psk,aes_128_cbc,sha}

{rsa_psk,'3des_ede_cbc',sha}

{rsa_psk,rc4_128,sha}

{srp_rsa,'3des_ede_cbc',sha}

{srp_dss,'3des_ede_cbc',sha}

{srp_rsa,aes_128_cbc,sha}

{srp_dss,aes_128_cbc,sha}

{srp_rsa,aes_256_cbc,sha}

{srp_dss,aes_256_cbc,sha}

{ecdhe_ecdsa,rc4_128,sha}

{ecdhe_rsa,rc4_128,sha}

{ecdh_ecdsa,rc4_128,sha}

{ecdh_rsa,rc4_128,sha}

{rsa,rc4_128,sha}

{rsa,rc4_128,md5}

{dhe_rsa,des_cbc,sha}

{rsa,des_cbc,sha}

{ecdhe_ecdsa,'3des_ede_cbc',sha}

{ecdhe_rsa,'3des_ede_cbc',sha}

{dhe_rsa,'3des_ede_cbc',sha}

{dhe_dss,'3des_ede_cbc',sha}

{ecdh_ecdsa,'3des_ede_cbc',sha}

{ecdh_rsa,'3des_ede_cbc',sha}

{rsa,aes_256_gcm,aead,sha384}

{rsa,aes_256_cbc,sha256}

{rsa,aes_128_gcm,aead,sha256}

{rsa,aes_128_cbc,sha256}

{rsa,aes_256_cbc,sha}

{rsa,aes_128_cbc,sha}

{rsa,'3des_ede_cbc',sha}

]
==============================

What I am looking for is `TLS_PSK_WITH_AES_128_CBC_SHA256` and `TLS_PSK_WITH_AES_128_CCM_8`. I think they might be supported by OTP-21.1, but I am not sure as they are not listed in the output of `ssl:cipher_suites(all)`.

I found a [wiki](https://github.com/erlang/otp/wiki/Cipher-suite-correspondence-table) about this, but it seems to be outdated.
Could you confirm this? Can I use following SSL config in my application?

==============================
{ciphers, [

{psk, aes_128_cbc, sha256}

{psk, aes_128_ccm, 8}

]}
==============================

Best Regards,
//Shawn

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Ingela Anderton Andin added a comment - 08/Oct/18 11:33 PM

ssl:cipher_suites(anonymous, 'tlsv1.2'). Will show among other

{cipher => aes_128_cbc,key_exchange => ecdhe_psk, mac => sha256,prf => default_prf}

CCM is currently not supported, but probably will be in a future release.

As for the table it was not created by the OTP team.

Show

Ingela Anderton Andin added a comment - 08/Oct/18 11:33 PM ssl:cipher_suites(anonymous, 'tlsv1.2'). Will show among other # {cipher => aes_128_cbc,key_exchange => ecdhe_psk, mac => sha256,prf => default_prf} , CCM is currently not supported, but probably will be in a future release. As for the table it was not created by the OTP team.

Hide

Permalink

terry-xiaoyu added a comment - 09/Oct/18 3:37 AM

I've changed this issue to 'New Feature', requiring the 'CCM' ciphers.

Show

terry-xiaoyu added a comment - 09/Oct/18 3:37 AM I've changed this issue to 'New Feature', requiring the 'CCM' ciphers.

Hide

Permalink

terry-xiaoyu added a comment - 10/Oct/18 5:02 AM

Hi, is there any way to add my own CCM ciphers? Do I have to make the changes and rebuild my own OTP?

Show

terry-xiaoyu added a comment - 10/Oct/18 5:02 AM Hi, is there any way to add my own CCM ciphers? Do I have to make the changes and rebuild my own OTP?

Hide

Permalink

Ingela Anderton Andin added a comment - 10/Oct/18 11:13 AM

Needed support in the crypto application was recently added. So now the ssl application needs to be updated to handle CCM cipher suites. You can always create a PR to add it.

Show

Ingela Anderton Andin added a comment - 10/Oct/18 11:13 AM Needed support in the crypto application was recently added. So now the ssl application needs to be updated to handle CCM cipher suites. You can always create a PR to add it.

Hide

Permalink

Ingela Anderton Andin added a comment - 03/Dec/18 8:10 PM

It is in the backlog for OTP 22, but not promising it will make it.

Show

Ingela Anderton Andin added a comment - 03/Dec/18 8:10 PM It is in the backlog for OTP 22, but not promising it will make it.

People

Assignee:

Team PS

Reporter:

terry-xiaoyu

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

08/Oct/18 9:15 AM

Updated:

01/Apr/19 11:00 AM

Resolved:

01/Apr/19 11:00 AM

Development

Agile

View on Board