PolarSSL is now part of ARM Official announcement and rebranded as mbed TLS.

Minimal TLS configuration for HTTPS connections


Sep 8, 2017 08:30
Yum

Can you recommend minimum configuration for HTTPS connections that supports TLS v1.2 and key exchange (not the pre-shared)

  • Is config-suite-b.h is the one I should be looking at.
  • What are the ciphers which one can safely remove without impacting interoperability with most servers.
  • I looked at the guide of reducing footprint which talks about removing unused ECP curves. How would I know what are unused or which ones do you recommend to remove.

Thanks

 
Sep 10, 2017 08:30
Ron Eldor

Hi Yum,
Note that the configuration files supplied are examples, and not guidance.
You could use config-mini-tls1_1.h as reference and modify it to your needs ( e.g. change the TLS protocol to 1.2, remove MBEDTLS_SSL_SRV_C if you are only client and so on )
In addition, you should enable ECC curves and relevant definitions( e.g. MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C and MBEDTLS_ECP_C) if you wish to use ECC negotiation. I believe MBEDTLS_GCM_C is also recommended. As there are many servers and use cases, I can't recommend what cipher-suite you should use. It's all dependent on your application needs and use case.
You can look at this post for information of used cipher suites.
I would keep SECP256R1 curve and higher, as defined in the NIST config suite-b support.
Regards,
Mbed TLS Team member
Ron