Cipher Suites
The C SDK supports the default cipher suites of Apache Tomcat up to and including Tomcat 8.0.33. Subsequent versions of Tomcat may exclude ciphers that are used by earlier versions of OpenSSL and therefore could prevent the C SDK from connecting to the server in question (a ThingWorx Platform).
With OpenSSL, you can choose from 110 ciphers. For more information about the supported cipher suites, visit https://www.openssl.org/docs/manmaster/man1/ciphers.html.
As of release 2.2.5, the C SDK upgraded to OpenSSL 1.1.1. Version 2.2.12 of the C SDK upgrades to OpenSSL 1.1.1j. OpenSSL 1.1.1 does not support FIPS mode and is not backward compatible with OpenSSL 1.0.2. FIPS mode requires OpenSSL 1.0.2 or earlier.
The C SDK provides a template of wrappers that you can use to customize security for your application. This file is located in ../src/tls/twTemplateSSL.h of the C SDK installation.
Custom Cipher Suites
As of v.2.1.2 of the C SDK, you can customize what cipher suites are used at run time through a C SDK parameter. Called cipher_set, this parameter has been added to the twcfg data structure of the C SDK. This parameter allows you to specify a string that contains your cipher suite configuration. This parameter is supported only for builds that are based on OpenSSL. When specifying a string, use the OpenSSL cipher list configuration format, which you can find at http://openssl.cs.utah.edu/docs/apps/ciphers.html#cipher_list_format.
If you do not specify any cipher suites, secure defaults are used. The default string is set in twOpenSSL.h as follows:
#define TW_SSL_DEFAULT_CIPHER_STRING "ALL:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ADH:!IDEA:!3DES:!SRP:!SSLv3"
The file, twNoTls.h, sets the cipher suite to null because the functionality is not supported in the build.
A warning appears if the C SDK detects a different OpenSSL version being used at run time than the version with which the application was built.
A Note About Cipher Suites
If your application communicates with an instance of the ThingWorx Platform that uses Java 1.7, the cipher suite list should include !kEDH (as shown below) to disable Ephemeral Diffie-Hellman ciphers. Otherwise, Ephemeral Diffie-Hellman (EDH) key exchange will fail, and your device application will be unable to connect to the ThingWorx Platform.

<CipherSuites>DEFAULT:!kEDH</CipherSuites>