TLS 1.2 support advertised but no SHA-384/SHA-512 capability

[facchinm]

Moved from arduino/Arduino#4730
@mashikawa wrote:

Hi, I purchased the Arduino Wifi 101 shield for an IoT project and found that I could not connect to certain servers via SSL. Some worked (www.google.com:443) and others did not (plot.ly:443).

Using Wireshark to monitor the TLS handshake I found that the WINC1500 hardcodes the TLS Client Hello value to 1.2 ( since firmware version 9.3.0 ), although the device does not handle ciphers longer than 256bits ( SHA-256 ). This actually makes it only TLS1.1 compatible. Some servers now implement SHA-384 and SHA-512 ciphers as part of the TLS1.2 protocol and they can respond to the TLS1.2 request with these ciphers, which the WINC1500 (Wifi101) cannot decrypt and so the connection fails. I have recreated the issue using OpenSSL and have attached the output to this request for info.

I raised a support request with Atmel ( Case 00037229 ), suggesting they allow the TLS value to be modified by the user via the software and they responded with the following message:

Created By: Anu Ramakrishnan (3/21/2016 4:09 AM)
[Recipients: Michael Kelsall]

Hi Micheal,
Yes, we do not support SHA-384 and 512. Thank you for the feedback regarding the usage of TLS1.2 mode. We have raised a bug internally for this and we will follow up to get it fixed in future releases.
We do not share firmware sources of the ATWINC1500, sorry for the inconvenience.
Regards,
Anu

This is a good response but I am now worried the issue may sit on a development list with low priority for an extended period of time..... Can anyone help to progress this as I am sure the problem will get worse as more website implement longer ciphers to improve security.

Regards,
Michael.

OpenSSL_ATWINC1500_TLS_Examples.txt

[mashikawa]

Cheers guys, let me know if you want any help testing the fix.

[mashikawa]

I received the following request from Atmel Support, so could "cmagile" please provide the incident numbers he referred to, so we can try to escalate this issue:

"Please respond above this email, avoid inline comments

Commented by Anu Ramakrishnan (Atmel) 2016-03-28 23:56 PDT
[Recipients: Michael Kelsall]

Hi Michael,

I am following up on this internally. We will get back to you as soon as we have further information.
Meanwhile, can you provide the case numbers/mail thread of the issues raised by the Arduino team in this regard, for our reference?

Regards
Anu "

From #4730:
cmaglie commented 8 days ago
For the record: we have already reported this problem to Atmel more than once in the last two months. Unfortunately there isn't much we can do except waiting for a new release of the firmware.

[sandeepmistry]

Hi @mashikawa,

We've heard back from Atmel on this. SHA-384 certificate support is scheduled to be added in the June 2016 firmware release. Also, as of now, there are no plans to support SHA-512.

[hiteule]

Hi,
Somebody has any news about the firmware update ? (Yep, we are in June 2016 :) )
Some site I want to use have a Comodo certificate with a SHA-384 encryption.

[sandeepmistry]

Hi @hiteule,

I've contact Atmel support about this, unfortunately the June release is now pushed out to September.

cc/ @ThibaultRichard

[q2dg]

In any case, if this issue succeed, please remember to update the line "Support TLS 1.1 (SHA256)" from https://www.arduino.cc/en/Main/ArduinoWiFiShield101 , please.

[erhanalankus]

Any updates?

[sandeepmistry]

@erhanalankus unfortunately nothing to report yet.

See: #90 (comment):

expected release data of late Oct 2016.

[hiteule]

Hey, any news from Atmel about the firmware update ?