SSL/TLS Cipher Selection#

SSL Parameters#


Macro	Meaning
`RSI_SSL_RELEASE_2_0`	`RSI_ENABLE` - Use all ciphers configured by `SSL_RELEASE_2_0_ALL_CIPHERS`
	`RSI_DISABLE` - Only use ciphers supported by TLS 1.2
`RSI_SSL_CIPHERS`	If `RSI_SSL_RELEASE_2_0` is enabled, `SSL_RELEASE_2_0_ALL_CIPHERS` specifies the set of supported ciphers.

The RSI_SSL_CIPHERS and RSI_SSL_RELEASE_2_0 macros are defined in the /sapi/include/rsi_wlan_common_config.h file of the SDK.

If RSI_SSL_RELEASE_2_0 macro is enabled, the SSL_RELEASE_2_0_ALL_CIPHERS macro shall be defined. This macro represents a set of fourteen ciphers (defined by SSL_DEFAULT_CIPHERS) along with the following six user-configurable ciphers. user-configurable ciphers


Bit Position	Macro
`BIT(0)`	`BIT_TLS_RSA_WITH_AES_256_CBC_SHA256`
`BIT(1)`	`BIT_TLS_RSA_WITH_AES_128_CBC_SHA256`
`BIT(2)`	`BIT_TLS_RSA_WITH_AES_256_CBC_SHA`
`BIT(3)`	`BIT_TLS_RSA_WITH_AES_128_CBC_SHA`
`BIT(4)`	`BIT_TLS_RSA_WITH_AES_128_CCM_8`
`BIT(5)`	`BIT_TLS_RSA_WITH_AES_256_CCM_8`


Macro	Meaning
`SSL_RELEASE_2_0_ALL_CIPHERS`	`BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256`
	`BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256`
	`BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`
	`BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`
	`BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`
	`BIT_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`
	`BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
	`BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
	`BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA`
	`BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA`
	`BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`
	`BIT_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA`
	`BIT_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`
	`BIT_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA`
	`BIT_TLS_RSA_WITH_AES_256_CBC_SHA256`
	`BIT_TLS_RSA_WITH_AES_128_CBC_SHA256`
	`BIT_TLS_RSA_WITH_AES_256_CBC_SHA`
	`BIT_TLS_RSA_WITH_AES_128_CBC_SHA`
	`BIT_TLS_RSA_WITH_AES_128_CCM_8`
	`BIT_TLS_RSA_WITH_AES_256_CCM_8`

If RSI_SSL_RELEASE_2_0macro is disabled, enabling the SSL_NEW_CIPHERS bit is mandatory, and the following ciphers are enabled for use.


Macro	Meaning
`BIT_DHE_RSA_GCM`	`DHE_RSA` in combination with GCM secure ciphers ...
	> `BIT_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`
	> `BIT_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`
`BIT_ECDHE_RSA_GCM`	`ECDHE_RSA` in combination with GCM secure ciphers ...
	> `BIT_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
	> `BIT_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
`BIT_DHE_RSA_CBC`	`DHE_RSA` in combination with CBC secure ciphers ...
	> `BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256`
	> `BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256`
`BIT_ECDHE_RSA_CBC`	`ECDHE_RSA` in combination with CBC secure ciphers ...
	> `BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`
	> `BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`
`BIT_ECDHE_ECDSA_CBC`	`ECDHE_ECDSA` in combination with CBC secure ciphers ...
	> `BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`
	> `BIT_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`
`SSL_NEW_CIPHERS`	To enable more secure newly added ciphers

To use individual ciphers other than the default configurations shown above, configure the following macros under RSI_SSL_CIPHERS


Bit Position	Macro
`BIT(0)`	`BIT_TLS_RSA_WITH_AES_256_CBC_SHA256`
`BIT(1)`	`BIT_TLS_RSA_WITH_AES_128_CBC_SHA256`
`BIT(2)`	`BIT_TLS_RSA_WITH_AES_256_CBC_SHA`
`BIT(3)`	`BIT_TLS_RSA_WITH_AES_128_CBC_SHA`
`BIT(4)`	`BIT_TLS_RSA_WITH_AES_128_CCM_8`
`BIT(5)`	`BIT_TLS_RSA_WITH_AES_256_CCM_8`
`BIT(6)`	Reserved
`BIT(7)`	Reserved
`BIT(8)`	`BIT_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`
`BIT(9)`	`BIT_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`
`BIT(10)`	`BIT_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
`BIT(11)`	`BIT_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
`BIT(12)`	Reserved
`BIT(13)`	Reserved
`BIT(14)`	`BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256`
`BIT(15)`	`BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256`
`BIT(16)`	`BIT_TLS_DHE_RSA_WITH_AES_256_CBC_SHA`
`BIT(17)`	`BIT_TLS_DHE_RSA_WITH_AES_128_CBC_SHA`
`BIT(18)`	`BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`
`BIT(19)`	`BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`
`BIT(20)`	`BIT_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
`BIT(21)`	`BIT_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
`BIT(22)`	`BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`
`BIT(23)`	`BIT_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`
`BIT(24)`	`BIT_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`
`BIT(25)`	`BIT_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA`
`BIT(26)`	`BIT_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`
`BIT(27)`	`BIT_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA`
`BIT(28)`	Reserved
`BIT(29)`	Reserved
`BIT(30)`	Reserved
`BIT(31)`	`SSL_NEW_CIPHERS`

Note! The RS9116W does not include hardware support for GCM based ciphers. Use of these ciphers may impact performance since related crypto operations are performed by software.

SSL_NEW_CIPHERS should not be set alone. User is required to set the other corresponding bits in the bitmap along with SSL_NEW_CIPHERS to enable the cipher selection.

SSL/TLS Cipher Selection#

SSL Parameters#

- e.g. (SSL_NEW_CIPHERS | BIT_TLS_RSA_WITH_AES_256_CBC_SHA256 | BIT_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)#