Merge pull request #6077 from s-hadinger/tls_force_ec2

Fix Force Elliptic Curve for Letsencrypt TLS #6042
Theo Arends 2019-07-12 09:27:14 +02:00 committed by GitHub
commit 166906f308
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 6 additions and 4 deletions


@ -40,7 +40,7 @@ uint32_t *stack_thunk_light_save = NULL; /* Saved A1 while in BearSSL */
uint32_t stack_thunk_light_refcnt = 0;
//#define _stackSize (5600/4)
#ifdef USE_MQTT_AWS_IOT
#if defined(USE_MQTT_AWS_IOT) || defined(USE_MQTT_TLS_FORCE_EC_CIPHER)
#define _stackSize (5300/4) // using a light version of bearssl we can save 300 bytes
#else
#define _stackSize (3600/4) // using a light version of bearssl we can save 2k
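Review bot: The condition `defined(USE_MQTT_AWS_IOT) || defined(USE_MQTT_TLS_FORCE_EC_CIPHER)` is now written out three times: here for `_stackSize`, and in the TLS client file for the `suites[]` entry and the `br_ssl_engine_set_ec` call. These sites have to stay in lockstep, because an EC handshake running on the smaller 3600-byte thunk stack would most likely surface as memory corruption rather than a clean error. Deriving one internal macro in a shared header would keep them in sync, e.g. `#define USE_MQTT_TLS_EC` (the name is only a suggestion) under the combined condition, then `#ifdef USE_MQTT_TLS_EC` at each site. The `#if` block continues past the end of this hunk.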


@ -758,7 +758,7 @@ extern "C" {
// We limit to a single cipher to reduce footprint
// we reference it, don't put in PROGMEM
static const uint16_t suites[] = {
#ifdef USE_MQTT_AWS_IOT
#if defined(USE_MQTT_AWS_IOT) || defined(USE_MQTT_TLS_FORCE_EC_CIPHER)
BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#else
BR_TLS_RSA_WITH_AES_128_GCM_SHA256
@ -785,8 +785,8 @@ extern "C" {
br_ssl_engine_set_aes_ctr(&cc->eng, &br_aes_small_ctr_vtable);
br_ssl_engine_set_ghash(&cc->eng, &br_ghash_ctmul32);
#ifdef USE_MQTT_AWS_IOT
// we support only P256 EC curve for AWS IoT, no EC curve for Letsencrypt
#if defined(USE_MQTT_AWS_IOT) || defined(USE_MQTT_TLS_FORCE_EC_CIPHER)
// we support only P256 EC curve for AWS IoT, no EC curve for Letsencrypt unless forced
br_ssl_engine_set_ec(&cc->eng, &br_ec_p256_m15);
#endif
}
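Review bot: With the flag set, `suites[]` offers only `BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` and the engine is given only `br_ec_p256_m15`. A broker that presents an ECDSA certificate or accepts only another curve will therefore fail the handshake with no fallback, and the comment above `suites[]` mentions the footprint but not this consequence. I would extend it, e.g. `// single suite by design: with EC enabled only ECDHE-RSA on P-256 is offered; ECDSA-certificate or other-curve servers are not supported`. The updated comment above `br_ssl_engine_set_ec` could also state that the non-EC build negotiates static RSA key exchange, which has no forward secrecy. Both hunks sit inside definitions that begin outside the visible lines.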


@ -8,6 +8,7 @@
* Add command Time to disable NTP and set UTC time as Epoch value if above 1451602800 (=20160101). Time 0 re-enables NTP (#5279)
* Add AZ7798 automatic setting of clock display (#6034)
* Add Epoch and UptimeSec to JSON messages (#6068)
* Fix Force Elliptic Curve for Letsencrypt TLS #6042
*
* 6.6.0 20190707
* Remove support of TLS on core 2.3.0 and extent support on core 2.4.2 and up


@ -266,6 +266,7 @@
// Using TLS starting with version v6.5.0.16 compilation will only work using Core 2.4.2 and 2.5.2. No longer supported: 2.3.0
//#define USE_MQTT_TLS // Use TLS for MQTT connection (+34.5k code, +7.0k mem and +4.8k additional during connection handshake)
// #define USE_MQTT_TLS_CA_CERT // Force full CA validation instead of fingerprints, slower, but simpler to use (+2.2k code, +1.9k mem during connection handshake)
// #define USE_MQTT_TLS_FORCE_EC_CIPHER // Force Elliptic Curve cipher (higher security) required by some servers (automatically enabled with USE_MQTT_AWS_IOT) (+11.4k code, +0.4k mem)
// #define USE_MQTT_AWS_IOT // Enable MQTT for AWS IoT - requires a private key (+11.4k code, +0.4k mem)
// Note: you need to generate a private key + certificate per device and update 'sonoff/sonoff_aws_iot.cpp'
// Full documentation here: https://github.com/arendst/Sonoff-Tasmota/wiki/AWS-IoT
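Review bot: The resource figures on the new `USE_MQTT_TLS_FORCE_EC_CIPHER` line (`+11.4k code, +0.4k mem`) are identical to those on the `USE_MQTT_AWS_IOT` line and may not reflect the stack cost. The stack-thunk change in this same commit selects `_stackSize (5300/4)` instead of `(3600/4)` when the flag is defined, so it is worth confirming whether `+0.4k mem` covers that extra handshake stack and stating it separately if not. The phrase "higher security" could also be made concrete, e.g. `// Force ECDHE key exchange (forward secrecy), required by some servers`, so users know what they gain for the added footprint.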