Hi gurus,

I don't think this question has been asked before but please point it out if it's the case.

I'm currently following the tutorial "Compiling Client Applications" and I would like to configure what cyphersuite is used by Anjay and this case mbed (since it's what I'm using).
I'm on a RPi but I don't think it matters.
I've followed these steps for compilation (and installation):
For mbed

$ cmake -DENABLE_TESTING=OFF -DCMAKE_INSTALL_PREFIX=/tmp/mbedtls/install .
$ make
$ make install

For Anjay

cmake -DDTLS_BACKEND="mbedtls" -DMBEDTLS_ROOT_DIR=/tmp/mbedtls/install .
make && make -j

And prior to all that I've replaced 'include/mbedtls/config.h' with 'configs/config-ccm-psk-tls1_2.h' as suggested in the 'config/README.txt' from mbedtls.

However, whenever my client connects it always offers 49 ciphersuites in the 'Client Hello' message and TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 is choosen by the server. I would like to use a ciphersuite which is easier to decrypt in Wireshark (like TLS_PSK_WITH_AES_128_CCM_8).

I've tried make clean on both projects to cleanup the cache...but it still doesn't work.

Could you please suggest what do to (differently)?

Thanks a lot in advance!

Something like this worked for me (mbedTLS 2.16.0):

1. Patched configs/config-ccm-psk-tls1_2.h

diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h
index c9b58dd53..57aa40043 100644
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h
@@ -42,6 +42,22 @@
 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
 #define MBEDTLS_SSL_PROTO_TLS1_2
 
+/* NOTE: required by Anjay and avs_commons */
+#define MBEDTLS_SSL_PROTO_DTLS
+
+/**
+ * NOTE: this is just to compile demo on x86, you may not define this if you're
+ * targeting some kind of embedded platform and you have to implement timing
+ * functions in some other way.
+ */
+#define MBEDTLS_TIMING_C
+
+/**
+ * NOTE: currently, this is required if you intend to use DTLS session
+ * resumption in Anjay.
+ */
+#define MBEDTLS_BIGNUM_C
+
 /* mbed TLS modules */
 #define MBEDTLS_AES_C
 #define MBEDTLS_CCM_C

2. Copied configs/config-ccm-psk-tls1_2.h to include/mbedtls/config.h -- frankly speaking, this seems a bit crazy, but without it a generic config.h will be installed (and no, overriding MBEDTLS_CONFIG_FILE doesn't help there), which is not good, as it contains definitions of features the build does not actually have, and that unfortunately leads to compile-time errors in avs_commons which actually does perform some compile time feature checks.

3. Configured and compiled the mbedTLS:

$ cmake -DENABLE_TESTING=OFF -DCMAKE_INSTALL_PREFIX=/tmp/stuff/mbedtls .
$ make -j install

4. Configured and compiled Anjay (without certificates enabled):

$ cmake . -DMBEDTLS_ROOT_DIR=/tmp/stuff/mbedtls -DWITH_X509=OFF
$ make -j

There likely exists a more elegant approach to mbedTLS configuration, but unfortunately I don't know about it.

Thanks a lot @SzNaIdeR but it still doesn't work for me. It's almost as if none of the configuration is taken into consideration by Anjay (or mbed). I see all the cyphersuites being installed as before.
Not sure if it's some caching issue (given I did a make clean and deleted the /tmp/mbestls folder)

Could you post a log from a clean build of Anjay (cmake command output)? Right now it sounds a bit like Anjay used system-installed mbed TLS instead of the build with custom config.

Hi @dextero, I think so too but it's hard to find out why Anjay behaves that way and how to change it. E.g. where is the 'system-installed mbed TLS'? Maybe we could just replace it?

Here is the output of my cmake (after making cleanups...)

cmake . -DMBEDTLS_ROOT_DIR=/tmp/mbedtls/install -DWITH_X509=OFF
-- Looking for dlsym() in library: 
-- Looking for dlsym
-- Looking for dlsym - not found
-- Looking for dlsym() in library: dl
-- Looking for dlsym
-- Looking for dlsym - found
-- Checking if IN6_IS_ADDR_V4MAPPED is usable
-- Checking if IN6_IS_ADDR_V4MAPPED is usable - no
-- DTLS backend: mbedtls
-- Checking if IN6_IS_ADDR_V4MAPPED is usable
-- Checking if IN6_IS_ADDR_V4MAPPED is usable - no
-- Could NOT find Doxygen (missing:  DOXYGEN_EXECUTABLE) 
* generating root cert
* generating root cert - done
* generating client cert
Signature ok
subject=CN = localhost
Getting CA Private Key
* generating client cert - done
* generating server cert
Signature ok
subject=CN = localhost
Getting CA Private Key
* generating server cert - done
* creating trustStore.jks
Trust this certificate? [no]:  Certificate was added to keystore
* creating trustStore.jks - done
* creating keyStore.jks
* creating keyStore.jks - done

NOTE: To make demo successfully connect to Californium cf-secure server, copy contents of the /home/pi/Documents/Anjay/output/certs to the cf-secure/certs subdirectory and restart the server.

-- Could NOT find Doxygen (missing:  DOXYGEN_EXECUTABLE) 
-- Configuring done
-- Generating done
-- Build files have been written to: /home/pi/Documents/Anjay

I could also send the 'make' output but it's a bit too long

Looks like you used make clean, however that only deletes compiled objects / binaries / libraries, but not CMake configuration (which is what needs to be cleaned-up actually).

Please do $ rm -r CMakeCache.txt CMakeFiles/ in the project root directory and try again.

Hi @SzNaIdeR it worked! I did try cleaning the cmake cache a couple of times but I didn't know how to do it properly.
awesome, thanks a lot!

@2trc in latest version of Anjay as of today,
there is an option to specify ciphersuite in demo client:
--ciphersuites CIPHERSUITE[,CIPHERSUITE...] - Sets the ciphersuites to be used by default for (D)TLS connections. (default: TLS library defaults)