Minimal TLS configuration for HTTPS connections
Can you recommend a minimum configuration for HTTPS connections that supports TLS v1.2 and key exchange (not pre-shared)?
- Is config-suite-b.h the one I should be looking at?
- What are the ciphers that one can safely remove without impacting interoperability with most servers?
- I looked at the guide on reducing footprint, which talks about removing unused ECP curves. How would I know which ones are unused, or which ones do you recommend removing?
Note that the configuration files supplied are examples, and not guidance.
You could use config-mini-tls1_1.h as a reference and modify it to your needs (e.g. change the TLS protocol to 1.2, remove MBEDTLS_SSL_SRV_C if you are only a client, and so on).
In addition, you should enable ECC curves and the relevant definitions (e.g. MBEDTLS_ECP_C) if you wish to use ECC negotiation.
MBEDTLS_GCM_C is also recommended. As there are many servers and use cases, I can't recommend which cipher suite you should use. It all depends on your application needs and use case.
You can look at this post for information on used cipher suites.
I would keep the SECP256R1 curve and higher, as defined in the NIST Suite B config.
Mbed TLS Team member
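As an added illustration of the answer above (this is example code written for this page, not a configuration file shipped by Mbed TLS), the following is what a pared-down config along the lines suggested looks like: TLS 1.2 client only, ECDHE key exchange with ECDSA or RSA certificates, AES-GCM with SHA-256/SHA-384, and only the SECP256R1 and SECP384R1 curves. A real config header would end with `#include "mbedtls/check_config.h"`; so that this file compiles on its own without the library present, it instead carries a few hand-written dependency guards in the same style (an assumption about the checks that header performs, not a copy of it). The `suite_supported()` function at the end is a constructed helper that maps Mbed TLS cipher-suite names onto the macros enabled above, which answers the "what can I safely remove" question for this particular build: any suite it rejects is one the library could not negotiate anyway.

```c
/* Minimal Mbed TLS 2.x style configuration for a TLS 1.2 ECDHE client.
 * Example written for this page; not a file from the Mbed TLS project. */
#include <stddef.h>
#include <string.h>

/* --- Protocol: TLS 1.2, client role only (no MBEDTLS_SSL_SRV_C) --- */
#define MBEDTLS_SSL_TLS_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_PROTO_TLS1_2
#define MBEDTLS_SSL_SERVER_NAME_INDICATION

/* --- Key exchange: ephemeral ECDH, authenticated by ECDSA or RSA certs.
 *     No PSK, no static RSA, no DHE: those *_ENABLED macros stay undefined. --- */
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
#define MBEDTLS_ECP_C
#define MBEDTLS_ECDH_C
#define MBEDTLS_ECDSA_C
#define MBEDTLS_RSA_C
#define MBEDTLS_PKCS1_V15
#define MBEDTLS_BIGNUM_C

/* --- Curves: SECP256R1 and higher only; everything else is left out --- */
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED

/* --- Symmetric crypto and hashes for the AES-GCM SHA-256/384 suites --- */
#define MBEDTLS_AES_C
#define MBEDTLS_GCM_C
#define MBEDTLS_CIPHER_C
#define MBEDTLS_MD_C
#define MBEDTLS_SHA256_C
#define MBEDTLS_SHA512_C   /* the SHA-512 module also provides SHA-384 */

/* --- Certificate parsing --- */
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
#define MBEDTLS_X509_USE_C
#define MBEDTLS_X509_CRT_PARSE_C
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_OID_C

/* --- Randomness --- */
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_CTR_DRBG_C

/* Hand-written dependency guards standing in for mbedtls/check_config.h
 * (assumed to mirror its style; in a real header include that file instead). */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
    (!defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_ECDSA_C) || !defined(MBEDTLS_X509_CRT_PARSE_C))
#error "ECDHE-ECDSA enabled but ECDH, ECDSA or X.509 parsing is missing"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
    (!defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_PKCS1_V15))
#error "ECDHE-RSA enabled but ECDH, RSA or PKCS#1 v1.5 is missing"
#endif
#if defined(MBEDTLS_ECP_C) && \
    !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && !defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
#error "MBEDTLS_ECP_C enabled but no curve is enabled"
#endif

static int starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

static int ends_with(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && memcmp(s + ls - lx, suffix, lx) == 0;
}

/* Constructed helper: returns 1 if a cipher suite, given by its Mbed TLS
 * name (e.g. "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"), can be negotiated
 * under the macros above. Each check is compiled in only when the
 * corresponding feature is enabled, so the result tracks the config. */
int suite_supported(const char *name)
{
    int kx_ok = 0, cipher_ok = 0, hash_ok = 0;
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
    if (starts_with(name, "TLS-ECDHE-ECDSA-WITH-")) kx_ok = 1;
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
    if (starts_with(name, "TLS-ECDHE-RSA-WITH-")) kx_ok = 1;
#endif
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_GCM_C)
    if (strstr(name, "-AES-128-GCM-") || strstr(name, "-AES-256-GCM-")) cipher_ok = 1;
#endif
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_CIPHER_MODE_CBC)   /* off in this build */
    if (strstr(name, "-AES-128-CBC-") || strstr(name, "-AES-256-CBC-")) cipher_ok = 1;
#endif
#if defined(MBEDTLS_CHACHAPOLY_C)                                 /* off in this build */
    if (strstr(name, "-CHACHA20-POLY1305-")) cipher_ok = 1;
#endif
#if defined(MBEDTLS_SHA256_C)
    if (ends_with(name, "-SHA256")) hash_ok = 1;
#endif
#if defined(MBEDTLS_SHA512_C)
    if (ends_with(name, "-SHA384")) hash_ok = 1;
#endif
#if defined(MBEDTLS_SHA1_C)                                       /* off in this build */
    if (ends_with(name, "-SHA")) hash_ok = 1;
#endif
    return kx_ok && cipher_ok && hash_ok;
}
```

With these macros, `suite_supported("TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256")` returns 1 while the RSA, PSK, CBC and ChaCha20 suites return 0, which is the concrete meaning of "safe to remove" for this build: the removed code paths are ones no negotiation could reach. Interoperability with a given set of servers then comes down to whether those servers offer one of the remaining ECDHE AES-GCM suites and hold certificates on one of the two enabled curves.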