SSL/TLS Cipher Selection

SSL Parameters

| Macro | Meaning |
|---|---|
| RSI_SSL_RELEASE_2_0 | RSI_ENABLE - Use all ciphers configured by SSL_RELEASE_2_0_ALL_CIPHERS; RSI_DISABLE - Only use ciphers supported by TLS 1.2 |
| RSI_SSL_CIPHERS | If RSI_SSL_RELEASE_2_0 is enabled, SSL_RELEASE_2_0_ALL_CIPHERS specifies the set of supported ciphers. |

  • The RSI_SSL_CIPHERS and RSI_SSL_RELEASE_2_0 macros are defined in the /sapi/include/rsi_wlan_common_config.h file of the SDK.

  • If the RSI_SSL_RELEASE_2_0 macro is enabled, the SSL_RELEASE_2_0_ALL_CIPHERS macro shall be defined. This macro represents a set of fourteen ciphers (defined by SSL_DEFAULT_CIPHERS) along with the following six user-configurable ciphers:

    | Bit Position | Macro |
    |---|---|
    | BIT(0) | BIT_TLS_RSA_WITH_AES_256_CBC_SHA256 |
    | BIT(1) | BIT_TLS_RSA_WITH_AES_128_CBC_SHA256 |
    | BIT(2) | BIT_TLS_RSA_WITH_AES_256_CBC_SHA |
    | BIT(3) | BIT_TLS_RSA_WITH_AES_128_CBC_SHA |
    | BIT(4) | BIT_TLS_RSA_WITH_AES_128_CCM_8 |
    | BIT(5) | BIT_TLS_RSA_WITH_AES_256_CCM_8 |

| Macro | Meaning |
|---|---|
| SSL_RELEASE_2_0_ALL_CIPHERS | BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| | BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| | BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| | BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| | BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| | BIT_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| | BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| | BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| | BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| | BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
| | BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| | BIT_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA |
| | BIT_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
| | BIT_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
| | BIT_TLS_RSA_WITH_AES_256_CBC_SHA256 |
| | BIT_TLS_RSA_WITH_AES_128_CBC_SHA256 |
| | BIT_TLS_RSA_WITH_AES_256_CBC_SHA |
| | BIT_TLS_RSA_WITH_AES_128_CBC_SHA |
| | BIT_TLS_RSA_WITH_AES_128_CCM_8 |
| | BIT_TLS_RSA_WITH_AES_256_CCM_8 |

If the RSI_SSL_RELEASE_2_0 macro is disabled, enabling the SSL_NEW_CIPHERS bit is mandatory, and the following ciphers are enabled for use.

| Macro | Meaning |
|---|---|
| BIT_DHE_RSA_GCM | DHE_RSA in combination with GCM secure ciphers ... |
| | > BIT_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| | > BIT_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| BIT_ECDHE_RSA_GCM | ECDHE_RSA in combination with GCM secure ciphers ... |
| | > BIT_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| | > BIT_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| BIT_DHE_RSA_CBC | DHE_RSA in combination with CBC secure ciphers ... |
| | > BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| | > BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| BIT_ECDHE_RSA_CBC | ECDHE_RSA in combination with CBC secure ciphers ... |
| | > BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| | > BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| BIT_ECDHE_ECDSA_CBC | ECDHE_ECDSA in combination with CBC secure ciphers ... |
| | > BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| | > BIT_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| SSL_NEW_CIPHERS | To enable more secure newly added ciphers |

To use individual ciphers other than the default configurations shown above, configure the following macros under RSI_SSL_CIPHERS:

| Bit Position | Macro |
|---|---|
| BIT(0) | BIT_TLS_RSA_WITH_AES_256_CBC_SHA256 |
| BIT(1) | BIT_TLS_RSA_WITH_AES_128_CBC_SHA256 |
| BIT(2) | BIT_TLS_RSA_WITH_AES_256_CBC_SHA |
| BIT(3) | BIT_TLS_RSA_WITH_AES_128_CBC_SHA |
| BIT(4) | BIT_TLS_RSA_WITH_AES_128_CCM_8 |
| BIT(5) | BIT_TLS_RSA_WITH_AES_256_CCM_8 |
| BIT(6) | Reserved |
| BIT(7) | Reserved |
| BIT(8) | BIT_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| BIT(9) | BIT_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| BIT(10) | BIT_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| BIT(11) | BIT_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| BIT(12) | Reserved |
| BIT(13) | Reserved |
| BIT(14) | BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| BIT(15) | BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| BIT(16) | BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| BIT(17) | BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
| BIT(18) | BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| BIT(19) | BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| BIT(20) | BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| BIT(21) | BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| BIT(22) | BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| BIT(23) | BIT_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| BIT(24) | BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| BIT(25) | BIT_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA |
| BIT(26) | BIT_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
| BIT(27) | BIT_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
| BIT(28) | Reserved |
| BIT(29) | Reserved |
| BIT(30) | Reserved |
| BIT(31) | SSL_NEW_CIPHERS |


Note! The RS9116W does not include hardware support for GCM-based ciphers. Use of these ciphers may impact performance, since the related crypto operations are performed in software.

  • SSL_NEW_CIPHERS should not be set alone. The user must set the other corresponding bits in the bitmap along with SSL_NEW_CIPHERS to enable the cipher selection.

- e.g. (SSL_NEW_CIPHERS | BIT_TLS_RSA_WITH_AES_256_CBC_SHA256 | BIT_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
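
The rules on this page (reserved bits stay clear, SSL_NEW_CIPHERS is mandatory when RSI_SSL_RELEASE_2_0 is disabled and is never set alone, GCM suites run in software) can be checked against a candidate RSI_SSL_CIPHERS value before it goes into a firmware build. This is an added example, not SDK code: the bit values are copied from the table above, and check_ssl_ciphers, the CFG_* flags, the two CIPHER_*_MASK names and this BIT() definition are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions copied from the RSI_SSL_CIPHERS table on this page; in a real
 * build these names come from the SDK header, so only three are repeated here. */
#define BIT(a) ((uint32_t)1U << (a))
#define BIT_TLS_RSA_WITH_AES_256_CBC_SHA256     BIT(0)
#define BIT_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 BIT(8)
#define SSL_NEW_CIPHERS                         BIT(31)

/* Masks derived from the same table (hypothetical names, not SDK macros). */
#define CIPHER_RESERVED_MASK (BIT(6) | BIT(7) | BIT(12) | BIT(13) | BIT(28) | BIT(29) | BIT(30))
#define CIPHER_GCM_MASK      (BIT(8) | BIT(9) | BIT(10) | BIT(11))

/* Result flags returned by check_ssl_ciphers() (hypothetical helper). */
#define CFG_OK               0u
#define CFG_RESERVED_BIT_SET 1u /* a bit the table marks Reserved is set */
#define CFG_NEW_FLAG_MISSING 2u /* RSI_SSL_RELEASE_2_0 disabled but BIT(31) clear */
#define CFG_NEW_FLAG_ALONE   4u /* BIT(31) set with no cipher bit beside it */
#define CFG_GCM_IN_SOFTWARE  8u /* advisory: GCM has no hardware support on RS9116W */

unsigned check_ssl_ciphers(uint32_t ciphers, int release_2_0_enabled)
{
    unsigned result = CFG_OK;
    uint32_t selected = ciphers & ~(SSL_NEW_CIPHERS | CIPHER_RESERVED_MASK);

    if (ciphers & CIPHER_RESERVED_MASK)
        result |= CFG_RESERVED_BIT_SET;
    if (!release_2_0_enabled && !(ciphers & SSL_NEW_CIPHERS))
        result |= CFG_NEW_FLAG_MISSING;
    if ((ciphers & SSL_NEW_CIPHERS) && selected == 0)
        result |= CFG_NEW_FLAG_ALONE;
    if (selected & CIPHER_GCM_MASK)
        result |= CFG_GCM_IN_SOFTWARE;
    return result;
}

int main(void)
{
    /* The example value given on this page. */
    uint32_t cfg = SSL_NEW_CIPHERS | BIT_TLS_RSA_WITH_AES_256_CBC_SHA256
                 | BIT_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256;
    printf("page example: 0x%08lx -> flags 0x%x\n", (unsigned long)cfg,
           check_ssl_ciphers(cfg, 0));
    printf("flag alone:   flags 0x%x\n", check_ssl_ciphers(SSL_NEW_CIPHERS, 0));
    return 0;
}
```

The page's own example value passes the structural checks and returns only the GCM advisory flag, because it selects BIT(8).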