1 Topic by akr

  • akr
  • Member
  • Offline
  • Registered: Yesterday
  • Posts: 1

Topic: Disable not-recommended TLS 1.3 signature algorithms

Hi,

I am working on an embedded device that uses the wolfSSL library to establish a TLS 1.3 channel with the backend server.

According to the https://www.bsi.bund.de/SharedDocs/Down … 102-2.html, the rsa_pkcs1_sha256, rsa_pkcs1_sha384, and rsa_pkcs1_sha512 will not be recommended anymore from 2026 onward. Therefore, I would like to remove them so the device does not offer them in the TLS ClientHello message. I tried to find a tutorial or a guide on how to do that, but I was unable to.

I would be grateful for any advice or guidance.
Thank you in advance!

Share

  • From: Mobile, AL
  • Registered: 2013-12-11
  • Posts: 382

Re: Disable not-recommended TLS 1.3 signature algorithms

Hello akr,

Welcome to the wolfSSL Forums.

There are a few ways to accomplish a reduction in the available ciphers. You can configure the library with `--enable-harden-tls`

Alternatively, you can specify the cipher list at run-time using the API `wolfSSL_CTX_set_cipher_list`
Here is an example:
https://github.com/wolfSSL/wolfssl-exam … ls-ecdhe.c

Could you tell us a bit about your project and where you are located for our support records? Please feel free to email us at support@wolfssl.com if you'd prefer to keep that private.

Kind regards,
Eric - wolfSSL

embhorn's Website

Share