SSL/TLS Cipher Selection#
SSL Parameters#
Macro | Meaning |
|---|
RSI_SSL_VERSION
| RSI_SSL_V_2 = TLS 1.2 (default)
|
| RSI_SSL_V_1 = TLS 1.1
|
| RSI_SSL_V_0 = TLS 1.0
|
RSI_SSL_RELEASE_2_0
| RSI_ENABLE - Use all ciphers configured by SSL_RELEASE_2_0_ALL_CIPHERS
|
| RSI_DISABLE - Only use ciphers supported by TLS 1.2
|
RSI_SSL_CIPHERS
| If RSI_SSL_RELEASE_2_0 is enabled, SSL_RELEASE_2_0_ALL_CIPHERS specifies the set of supported ciphers. |
If RSI_SSL_RELEASE_2_0 is enabled, SSL_RELEASE_2_0_ALL_CIPHERS specifies which ciphers are enabled for use.
Macro | Meaning |
|---|
SSL_RELEASE_2_0_ALL_CIPHERS
| BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|
| BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
| BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
|
| BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
| BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
|
| BIT_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|
| BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
| BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
| BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|
| BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|
| BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
| BIT_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|
| BIT_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|
| BIT_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
| BIT_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
| BIT_TLS_RSA_WITH_AES_256_CBC_SHA256
|
| BIT_TLS_RSA_WITH_AES_128_CBC_SHA256
|
| BIT_TLS_RSA_WITH_AES_256_CBC_SHA
|
| BIT_TLS_RSA_WITH_AES_128_CBC_SHA
|
| BIT_TLS_RSA_WITH_AES_128_CCM_8
|
| BIT_TLS_RSA_WITH_AES_256_CCM_8
|
If RSI_SSL_RELEASE_2_0 is disabled, the following ciphers are enabled for use.
Macro | Meaning |
|---|
BIT_DHE_RSA_GCM
| DHE_RSA in combination with GCM secure ciphers ...
|
| > BIT_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| > BIT_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
BIT_ECDHE_RSA_GCM
| ECDHE_RSA in combination with GCM secure ciphers ...
|
| > BIT_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| > BIT_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
BIT_DHE_RSA_CBC
| DHE_RSA in combination with CBC secure ciphers ...
|
| > BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| > BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
BIT_ECDHE_RSA_CBC
| ECDHE_RSA in combination with CBC secure ciphers ...
|
| > BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| > BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
BIT_ECDHE_ECDSA_CBC
| ECDHE_ECDSA in combination with CBC secure ciphers ...
|
| > BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| > BIT_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
SSL_NEW_CIPHERS
| To enable more secure newly added ciphers |
To use individual ciphers other than the default configurations shown above, configure the following macros under RSI_SSL_CIPHERS which is included in the release /sapi/include/rsi_wlan_common_config.h folder.
Bit Position | Macro |
|---|
BIT(0)
| BIT_TLS_RSA_WITH_AES_256_CBC_SHA256
|
BIT(1)
| BIT_TLS_RSA_WITH_AES_128_CBC_SHA256
|
BIT(2)
| BIT_TLS_RSA_WITH_AES_256_CBC_SHA
|
BIT(3)
| BIT_TLS_RSA_WITH_AES_128_CBC_SHA
|
BIT(4)
| BIT_TLS_RSA_WITH_AES_128_CCM_8
|
BIT(5)
| BIT_TLS_RSA_WITH_AES_256_CCM_8
|
BIT(6)
| Reserved |
BIT(7)
| Reserved |
BIT(8)
| BIT_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|
BIT(9)
| BIT_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
|
BIT(10)
| BIT_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
BIT(11)
| BIT_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
BIT(12)
| Reserved |
BIT(13)
| Reserved |
BIT(14)
| BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|
BIT(15)
| BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
BIT(16)
| BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|
BIT(17)
| BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|
BIT(18)
| BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
|
BIT(19)
| BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
BIT(20)
| BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
BIT(21)
| BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
BIT(22)
| BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
|
BIT(23)
| BIT_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|
BIT(24)
| BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
BIT(25)
| BIT_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|
BIT(26)
| BIT_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
BIT(27)
| BIT_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
BIT(28)
| Reserved |
BIT(29)
| Reserved |
BIT(30)
| Reserved |
BIT(31)
| SSL_NEW_CIPHERS
|
Note! The RS9116W does not include hardware support for GCM based ciphers. Use of these ciphers may impact performance since related crypto operations are performed by software.
