TLS 1.2 CCM modes

[jadamcrain]

I am implementing a standard that requires that both sides support TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8. These ciphers are in OpenSSL, but are disabled by default.

I see that #4 has kind of stalled.

Is there any way that you're aware to set the default cipher list when using the openssl library via environment variable?

I've tried via the openssl config file /etc/ssl/openssl.cnf but that seems to get ignored... perhaps it only pertains to the openssl cli?

[sfackler]

If you're using OpenSSL specifically you may want to look into using the openssl crate directly which would give you full control over the configuration.

[jadamcrain]

Unfortunately, we have a lot of investment already in both reqwest and axum which use either rustls or native-tls. I'm exploring adding the CCM modes to rustls in parallel.

[jadamcrain]

FYI, the easiest path forward was to build a custom version of openssl until we can get CCM into rustls:

This can be done in openssl by editing include/openssl/ssl.h

changing:

# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"

to

# define SSL_DEFAULT_CIPHER_LIST "ALL:-COMPLEMENTOFDEFAULT:!eNULL:ECDHE-ECDSA-AES128-CCM8"