[openssl-users] DTLS cipher suite support

Matt Caswell matt at openssl.org
Thu Sep 3 08:31:22 UTC 2015



On 03/09/15 07:22, Bryce Kahle wrote:
> I would like to use openssl as a basic DTLS server from the command line
> using: openssl s_server -dtls1_2
> 
> The catch is I want to require the TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
> cipher suite. It appears OpenSSL currently doesn’t support this cipher
> suite, even though it supports both ECDHE_ECDSA and AES_128_CCM_8

Released versions support ECDHE_ECDSA based ciphersuites, and libcrypto
supports CCM. Released versions of libssl do not support any CCM based
TLS ciphersuites.

> individually as separate operations.
> 
> Is there some small change I can make to enable support of this cipher
> suite? Perhaps this is already supported in an un-released version?

Support for this ciphersuite has recently been added to the master
branch (unreleased version 1.1.0). The changes required are non-trivial
so I would recommend against a backport. See:

https://github.com/openssl/openssl/commit/e75c5a794e71baa3d76214be3ac8dc6e082e4a1a

https://github.com/openssl/openssl/commit/3d3701ea20ca36215e3af5ac090797cfec5fca2a

https://github.com/openssl/openssl/commit/176f85a28ec73b16f68a4f1737fb4645b9e9ae7b

https://github.com/openssl/openssl/commit/f8f5f8369d1d76fd8ec28d3d2422a47f8440f452

https://github.com/openssl/openssl/commit/04dc8b36ef40d7ba8f33ff3d6c7c87a921e0715e


Matt

