Skip to content

Commit

Permalink
Add force Elliptic Curve for Letsencrypt TLS arendst#6042
Browse files Browse the repository at this point in the history
  • Loading branch information
s-hadinger committed Jul 8, 2019
1 parent 57310a7 commit edc898f
Show file tree
Hide file tree
Showing 3 changed files with 5 additions and 4 deletions.
2 changes: 1 addition & 1 deletion sonoff/StackThunk_light.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ uint32_t *stack_thunk_light_save = NULL; /* Saved A1 while in BearSSL */
uint32_t stack_thunk_light_refcnt = 0;

//#define _stackSize (5600/4)
#ifdef USE_MQTT_AWS_IOT
#if defined(USE_MQTT_AWS_IOT) || defined(USE_MQTT_TLS_FORCE_EC_CIPHER)
#define _stackSize (5300/4) // using a light version of bearssl we can save 300 bytes
#else
#define _stackSize (3600/4) // using a light version of bearssl we can save 2k
Expand Down
6 changes: 3 additions & 3 deletions sonoff/WiFiClientSecureLightBearSSL.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -758,7 +758,7 @@ extern "C" {
// We limit to a single cipher to reduce footprint
// we reference it, don't put in PROGMEM
static const uint16_t suites[] = {
#ifdef USE_MQTT_AWS_IOT
#if defined(USE_MQTT_AWS_IOT) || defined(USE_MQTT_TLS_FORCE_EC_CIPHER)
BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#else
BR_TLS_RSA_WITH_AES_128_GCM_SHA256
Expand All @@ -785,8 +785,8 @@ extern "C" {
br_ssl_engine_set_aes_ctr(&cc->eng, &br_aes_small_ctr_vtable);
br_ssl_engine_set_ghash(&cc->eng, &br_ghash_ctmul32);

#ifdef USE_MQTT_AWS_IOT
// we support only P256 EC curve for AWS IoT, no EC curve for Letsencrypt
#if defined(USE_MQTT_AWS_IOT) || defined(USE_MQTT_TLS_FORCE_EC_CIPHER)
// we support only P256 EC curve for AWS IoT, no EC curve for Letsencrypt unless forced
br_ssl_engine_set_ec(&cc->eng, &br_ec_p256_m15);
#endif
}
Expand Down
1 change: 1 addition & 0 deletions sonoff/my_user_config.h
Original file line number Diff line number Diff line change
Expand Up @@ -266,6 +266,7 @@
// Using TLS starting with version v6.5.0.16 compilation will only work using Core 2.4.2 and 2.5.2. No longer supported: 2.3.0
//#define USE_MQTT_TLS // Use TLS for MQTT connection (+34.5k code, +7.0k mem and +4.8k additional during connection handshake)
// #define USE_MQTT_TLS_CA_CERT // Force full CA validation instead of fingerprints, slower, but simpler to use (+2.2k code, +1.9k mem during connection handshake)
// #define USE_MQTT_TLS_FORCE_EC_CIPHER // Force Elliptic Curve cipher (higher security) required by some servers (automatically enabled with USE_MQTT_AWS_IOT) (+11.4k code, +0.4k mem)
// #define USE_MQTT_AWS_IOT // Enable MQTT for AWS IoT - requires a private key (+11.4k code, +0.4k mem)
// Note: you need to generate a private key + certificate per device and update 'sonoff/sonoff_aws_iot.cpp'
// Full documentation here: https://github.com/arendst/Sonoff-Tasmota/wiki/AWS-IoT
Expand Down

0 comments on commit edc898f

Please sign in to comment.