return 0;
}
-#define TLS_DEFAULT_CIPHERS \
- TLS_CIPHER(AES_128_GCM_SHA256) \
- TLS_CIPHER(AES_256_GCM_SHA384) \
- TLS_CIPHER(AES_128_CBC_SHA) \
- TLS_CIPHER(AES_256_CBC_SHA) \
- TLS_CIPHER(3DES_EDE_CBC_SHA)
-
-static const int default_ciphersuites_nodhe[] =
+#define AES_CIPHERS(v) \
+ MBEDTLS_TLS_##v##_WITH_AES_128_GCM_SHA256, \
+ MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384, \
+ MBEDTLS_TLS_##v##_WITH_AES_128_CBC_SHA, \
+ MBEDTLS_TLS_##v##_WITH_AES_256_CBC_SHA
+
+static const int default_ciphersuites_server[] =
{
-#define TLS_CIPHER(v) \
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v, \
- MBEDTLS_TLS_ECDHE_RSA_WITH_##v, \
- MBEDTLS_TLS_RSA_WITH_##v,
- TLS_DEFAULT_CIPHERS
-#undef TLS_CIPHER
+ AES_CIPHERS(ECDHE_ECDSA),
+ AES_CIPHERS(ECDHE_RSA),
+ AES_CIPHERS(RSA),
0
};
-static const int default_ciphersuites[] =
+static const int default_ciphersuites_client[] =
{
-#define TLS_CIPHER(v) \
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v, \
- MBEDTLS_TLS_ECDHE_RSA_WITH_##v, \
- MBEDTLS_TLS_DHE_RSA_WITH_##v, \
- MBEDTLS_TLS_RSA_WITH_##v,
- TLS_DEFAULT_CIPHERS
-#undef TLS_CIPHER
+ AES_CIPHERS(ECDHE_ECDSA),
+ AES_CIPHERS(ECDHE_RSA),
+ AES_CIPHERS(DHE_RSA),
+ MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ AES_CIPHERS(RSA),
+ MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
0
};
mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_rng(conf, _urandom, NULL);
- if (server)
- mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_nodhe);
- else
- mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites);
+ if (server) {
+ mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_server);
+ mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+ MBEDTLS_SSL_MINOR_VERSION_3);
+ } else
+ mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_client);
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_conf_session_cache(conf, &ctx->cache,