SSL/TLS Cipher Selection

SSL Parameters

| Macro | Meaning |
|---|---|
| RSI_SSL_VERSION | RSI_SSL_V_2 = TLS 1.2 (default) |
| | RSI_SSL_V_1 = TLS 1.1 |
| | RSI_SSL_V_0 = TLS 1.0 |
| RSI_SSL_RELEASE_2_0 | RSI_ENABLE - Use all ciphers configured by SSL_RELEASE_2_0_ALL_CIPHERS |
| | RSI_DISABLE - Only use ciphers supported by TLS 1.2 |
| RSI_SSL_CIPHERS | If RSI_SSL_RELEASE_2_0 is enabled, SSL_RELEASE_2_0_ALL_CIPHERS specifies the set of supported ciphers. |

If RSI_SSL_RELEASE_2_0 is enabled, SSL_RELEASE_2_0_ALL_CIPHERS specifies which ciphers are enabled for use.

| Macro | Meaning |
|---|---|
| SSL_RELEASE_2_0_ALL_CIPHERS | BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| | BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| | BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| | BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| | BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| | BIT_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| | BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| | BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| | BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| | BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
| | BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| | BIT_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA |
| | BIT_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA |
| | BIT_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
| | BIT_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
| | BIT_TLS_RSA_WITH_AES_256_CBC_SHA256 |
| | BIT_TLS_RSA_WITH_AES_128_CBC_SHA256 |
| | BIT_TLS_RSA_WITH_AES_256_CBC_SHA |
| | BIT_TLS_RSA_WITH_AES_128_CBC_SHA |
| | BIT_TLS_RSA_WITH_AES_128_CCM_8 |
| | BIT_TLS_RSA_WITH_AES_256_CCM_8 |

If RSI_SSL_RELEASE_2_0 is disabled, the following ciphers are enabled for use.

| Macro | Meaning |
|---|---|
| BIT_DHE_RSA_GCM | DHE_RSA in combination with GCM secure ciphers ... |
| | > BIT_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| | > BIT_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| BIT_ECDHE_RSA_GCM | ECDHE_RSA in combination with GCM secure ciphers ... |
| | > BIT_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| | > BIT_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| BIT_DHE_RSA_CBC | DHE_RSA in combination with CBC secure ciphers ... |
| | > BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| | > BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| BIT_ECDHE_RSA_CBC | ECDHE_RSA in combination with CBC secure ciphers ... |
| | > BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| | > BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| BIT_ECDHE_ECDSA_CBC | ECDHE_ECDSA in combination with CBC secure ciphers ... |
| | > BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| | > BIT_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| SSL_NEW_CIPHERS | To enable more secure newly added ciphers |

To use individual ciphers other than the default configurations shown above, configure the following macros under RSI_SSL_CIPHERS, which is found in the release file /sapi/include/rsi_wlan_common_config.h.

| Bit Position | Macro |
|---|---|
| BIT(0) | BIT_TLS_RSA_WITH_AES_256_CBC_SHA256 |
| BIT(1) | BIT_TLS_RSA_WITH_AES_128_CBC_SHA256 |
| BIT(2) | BIT_TLS_RSA_WITH_AES_256_CBC_SHA |
| BIT(3) | BIT_TLS_RSA_WITH_AES_128_CBC_SHA |
| BIT(4) | BIT_TLS_RSA_WITH_AES_128_CCM_8 |
| BIT(5) | BIT_TLS_RSA_WITH_AES_256_CCM_8 |
| BIT(6) | Reserved |
| BIT(7) | Reserved |
| BIT(8) | BIT_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| BIT(9) | BIT_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| BIT(10) | BIT_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| BIT(11) | BIT_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| BIT(12) | Reserved |
| BIT(13) | Reserved |
| BIT(14) | BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| BIT(15) | BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| BIT(16) | BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| BIT(17) | BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
| BIT(18) | BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| BIT(19) | BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| BIT(20) | BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| BIT(21) | BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| BIT(22) | BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| BIT(23) | BIT_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| BIT(24) | BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| BIT(25) | BIT_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA |
| BIT(26) | BIT_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
| BIT(27) | BIT_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
| BIT(28) | Reserved |
| BIT(29) | Reserved |
| BIT(30) | Reserved |
| BIT(31) | SSL_NEW_CIPHERS |


Note! The RS9116W does not include hardware support for GCM-based ciphers. Using these ciphers may impact performance because the related crypto operations are performed in software.
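
An added example, not code from the SDK or from the original page: a C helper that audits a candidate RSI_SSL_CIPHERS value against the bit-position table above and flags Reserved bits, 3DES suites, static-RSA key exchange (no forward secrecy), CBC suites, and GCM suites that the RS9116W runs in software. The function name, the F_* flag names and the shortened suite strings (BIT_TLS_ prefix dropped) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Audit flags: hypothetical names, defined for this example only. */
#define F_RESERVED 0x01u /* a Reserved bit is set */
#define F_3DES     0x02u /* 3DES suite enabled */
#define F_NO_PFS   0x04u /* static RSA key exchange: no forward secrecy */
#define F_CBC      0x08u /* CBC-mode suite enabled */
#define F_GCM_SW   0x10u /* GCM suite: done in software on the RS9116W */

/* Suite per bit, from the page's table (BIT_TLS_ prefix dropped).
   NULL = Reserved; bits 28-30 are left NULL by zero-initialization. */
static const char *const suite_by_bit[31] = {
  "RSA_WITH_AES_256_CBC_SHA256", "RSA_WITH_AES_128_CBC_SHA256",
  "RSA_WITH_AES_256_CBC_SHA", "RSA_WITH_AES_128_CBC_SHA",
  "RSA_WITH_AES_128_CCM_8", "RSA_WITH_AES_256_CCM_8", NULL, NULL,
  "DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE_RSA_WITH_AES_256_GCM_SHA384",
  "ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  NULL, NULL, "DHE_RSA_WITH_AES_256_CBC_SHA256", "DHE_RSA_WITH_AES_128_CBC_SHA256",
  "DHE_RSA_WITH_AES_256_CBC_SHA", "DHE_RSA_WITH_AES_128_CBC_SHA",
  "ECDHE_RSA_WITH_AES_256_CBC_SHA384", "ECDHE_RSA_WITH_AES_128_CBC_SHA256",
  "ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE_RSA_WITH_AES_128_CBC_SHA",
  "ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
  "ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "DHE_RSA_WITH_3DES_EDE_CBC_SHA",
  "ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"
};

/* Returns the OR of F_* flags; bit 31 names no single suite and is skipped. */
unsigned audit_cipher_mask(uint32_t mask) {
  unsigned flags = 0;
  for (int bit = 0; bit < 31; bit++) {
    if (!(mask & (UINT32_C(1) << bit))) continue;
    const char *s = suite_by_bit[bit];
    if (s == NULL) { flags |= F_RESERVED; continue; }
    if (strstr(s, "3DES")) flags |= F_3DES;
    if (strncmp(s, "RSA_", 4) == 0) flags |= F_NO_PFS;
    if (strstr(s, "_CBC_")) flags |= F_CBC;
    if (strstr(s, "_GCM_")) flags |= F_GCM_SW;
  }
  return flags;
}

int main(void) {
  /* Constructed sample: ECDHE_RSA GCM pair (bits 10, 11) plus 3DES bit 25. */
  uint32_t mask = (UINT32_C(1) << 10) | (UINT32_C(1) << 11) | (UINT32_C(1) << 25);
  printf("audit flags: 0x%02x\n", audit_cipher_mask(mask));
  return 0;
}
```

Running the check at build time or in code review catches a mask that silently enables 3DES or a Reserved bit before it reaches a device.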