ARMmbed

ARC4 cipher support

Hi,

I see that mbedtls config.h has below two macros for ARC4 cipher support

MBEDTLS_ARC4_C
MBEDTLS_REMOVE_ARC4_CIPHERSUITES

As per name they seem to achieve opposite results (one enables & other disables support for ARC4), however by default both of them are enabled. Looking at the usage of these macros they kind of work exclusive of each other. Shouldn’t they be related & used in conjunction ?

Hi @tls_user
Thank you for your question.
MBEDTLS_ARC4_C is the configuration whether you want to have ARC4 module in your system.
AS you probably know, ARC4 is considered a weak unsecure algorithm, which is not recomended to be used. Therefore the definition of MBEDTLS_REMOVE_ARC4_CIPHERSUITES, which tell the TLS stack not to add ARC4 related ciphersuites in the ClientHello message.

If MBEDTLS_ARC4_C is not defined, hten yues, you are correct, MBEDTLS_REMOVE_ARC4_CIPHERSUITES has no effect.
However, if for example you have some application that needs ARC4 cipher, but you still want to use secure TLS connection without ARC 4 ciphersuites, then you should keep MBEDTLS_ARC4_C and MBEDTLS_REMOVE_ARC4_CIPHERSUITES defined.
Does this make sense?
Regards,
Mbed TLS Team member
Ron

Hi Ron,

Thanks for quick response, it makes sense

Regards