You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by embhorn
You can use the verify callback to over ride the cert signing errors. The example I shared earlier will accomplish what you are trying to do.
Hi sapi01
Need to clarify a couple points from your post:
> When I try to connect to my wolfSSL server, I'm getting `-188` on `wolfSSL_connect()`
Is this error in the client? Both peers will need the self-signed cert. You are basically doing a shared secret when doing mutual authentication and using self-signed certs.
Alternatively you could write a verify callback to override the cert failures for particular servers.
https://github.com/wolfSSL/wolfssl-exam … back.c#L55
Thanks,
Eric @ wolfSSL Support
Hello yass007
Thanks for contacting wolfSSL Support. Are you calling `wolfSSH_shutdown` before attempting the reconnect?
https://github.com/wolfSSL/wolfssh/blob … nt.c#L1140
Thanks,
Eric @ wolfSSL Support
Hello a940153,
The `SSL_VERIFY_CLIENT_ONCE` flag is regarded as unsafe and is ignored in wolfSSL. You can use session tickets to securely reconnect a peer.
Hmm. Does it need to be called once (as in during some init), or in every encrypt / decrypt routine? I'd like to ping David about this next week.
Hi Tammy,
This sounds very similar to the ST HAL issue described here:
https://community.st.com/s/question/0D5 … le-missing
Thanks,
Eric @ wolfSSL Support
Hi Hu,
Please try adding a define for `WOLFSSL_SP_4096` to enable the larger bit sizes.
Thanks,
Eric @ wolfSSL Support
Hello kackle123
The web doc is out date from the code. There are two API
int MqttClient_WaitMessage_ex(MqttClient *client, MqttObject* msg,
int timeout_ms)
{
return MqttClient_WaitType(client, msg, MQTT_PACKET_TYPE_ANY, 0,
timeout_ms);
}
int MqttClient_WaitMessage(MqttClient *client, int timeout_ms)
{
if (client == NULL)
return MQTT_CODE_ERROR_BAD_ARG;
return MqttClient_WaitMessage_ex(client, &client->msg, timeout_ms);
}As you can see, `MqttClient_WaitMessage` does take 2 parameters.
Are you trying to read an incoming publish, whose topic you have already subscribed? You should try setting up a publish callback. Here is an example:
https://github.com/wolfSSL/wolfMQTT/blo … ient.c#L58
Thanks,
Eric @ wolfSSL Support
Here is the patch for the code to get the test working:
fips_test.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/fips_test.c b/fips_test.c
index 78008dc..21db828 100644
--- a/fips_test.c
+++ b/fips_test.c
@@ -809,6 +809,15 @@ static int ECDSA_PairwiseAgreeTest(int type, const char* msg)
return ret;
}
+#ifdef ECC_TIMING_RESISTANT
+ ret = wc_ecc_set_rng(&ecc, &rng);
+ if (ret != 0) {
+ wc_ecc_free(&ecc);
+ wc_FreeRng(&rng);
+ return ret;
+ }
+#endif
+
switch (type) {
case WC_SHA256 :
{Hello sahl.john
There is a fix pending for the RNG dependency. This fix will be available in the next release, although I can't provide a specific timeline. I will update as soon as the fix is available (i.e. the PR has been merged).
Thanks,
Eric @ wolfSSL Support
In Wolf/src/ssl.c : Line 310087 (in version 4-7)
/* These constant values are protocol values made by egd */ #if defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) #define WOLFSSL_EGD_NBLOCK 0x01 #include <sys/un.h> #endif
A couple lines above this, this compiler conditional
#ifndef FREERTOS_TCPshould be changed to:
#if !defined(FREERTOS_TCP) && !defined(WOLFSSL_TIRTOS)Please let us know if this resolves the issue for your environment.
Hello nmehta,
In order to give you the highest priority for your FIPS question, could you please send an email to support@wolfssl.com ?
Kind regards,
Eric @wolfSSL Support
Hello Scotty2541,
Sounds like there could be a missing check for TI_RTOS. Would you please let us know if this fixes the build issue?
diff --git a/src/ssl.c b/src/ssl.c
index 7432ffe73..486b3129a 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -31736,7 +31736,7 @@ int wolfSSL_RAND_write_file(const char* fname)
return bytes;
}
-#ifndef FREERTOS_TCP
+#if !defined(FREERTOS_TCP) && !defined(WOLFSSL_TIRTOS)
/* These constant values are protocol values made by egd */
#if defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API)Kind regards,
Eric @ wolfSSL Support
Hi Tammy,
The code changes are still making their way through the review cycle.
I just pushed another commit that fixes the build errors for
--disable-ecc.
Thanks,
Eric
Hello Tammy,
I was able to reproduce the build errors with wolfSSL configured as:
./configure --enable-ssh --disable-filesystem --disable-aesgcmI created a pull request here:
https://github.com/wolfSSL/wolfssh/pull/328
Thanks,
Eric @ wolfSSL Support
Hello iain.moir
Welcome to the wolfSSL Support Forums!
We are constantly striving to make the build process as painless as possible, but there will always be some unique environments that need a little extra effort. We are very adept at helping users to get started with the library.
Here is our QuickStart guide:
https://www.wolfssl.com/docs/quickstart/
Please email us at support@wolssl.com with any questions.
Thanks,
Eric @ wolfSSL Support
Hi cxenof03,
Welcome to the wolfSSL Forums!
The specific option for enabling TLS sessions is `HAVE_SESSION_TICKET`.
There is not currently an equivalent macro for the `./configure --enable-all` option, but you can use the "user_settings" method to get close:
https://github.com/wolfSSL/wolfssl/tree … es/configs
Here is an example that configures most of the library options:
https://github.com/wolfSSL/wolfssl/blob … ings_all.h
Thanks,
Eric @ wolfSSL Support
Hi Hu,
Welcome to the wolfSSL Support Forums!
The RIOT-OS build does not use the same instructions as the linux build for wolfSSL. Configuration changes should be made in the user_settings.h header. You should add a define for `WOLFSSL_AES_COUNTER`.
https://github.com/RIOT-OS/RIOT/blob/ma … settings.h
Thanks,
Eric @ wolfSSL Support
Hi steins,
Thanks for the project details. If you get stuck, please send an email to support@wolfssl.com where we can better prioritize your request.
Cheers,
Eric @ wolfSSL Support
Hello steins,
Thanks for joining the wolfSSL Support forums. You are trying to isolate all the functions for parsing and decoding a certificate? Any particular reason? The compiler tools should allow you to optimize any unused functionality.
What is the environment you are building in / for?
Thank,
Eric @ wolfSSL Support
Hi Shaun,
The linux wolfMQTT client does connect to mqtt.eclipseprojects.io using TLS with the default certs / config.
eric@ubuntu:~/repos/wolfMQTT$ ./examples/mqttclient/mqttclient -h mqtt.eclipseprojects.io -t
MQTT Client: QoS 0, Use TLS 1
MQTT Net Init: Success (0)
MQTT Init: Success (0)
NetConnect: Host mqtt.eclipseprojects.io, Port 8883, Timeout 5000 ms, Use TLS 1
MQTT TLS Setup (1)
MQTT TLS Verify Callback for mqttclient: PreVerify 0, Error -188 (ASN no signer error to confirm failure)
Subject's domain name is R3
Allowing cert anyways
MQTT TLS Verify Callback for mqttclient: PreVerify 1, Error 0 (none)
Subject's domain name is mqtt.eclipseprojects.io
MQTT Socket Connect: Success (0)
MQTT Connect: Proto (v3.1.1), Success (0)
MQTT Connect Ack: Return Code 0, Session Present 0
MQTT Subscribe: Success (0)
Topic wolfMQTT/example/testTopic, Qos 0, Return Code 0
MQTT Publish: Topic wolfMQTT/example/testTopic, Success (0)
MQTT Waiting for message...
MQTT Message: Topic wolfMQTT/example/testTopic, Qos 0, Len 4
Payload (0 - 4): test
MQTT Message: Done
^CReceived SIGINT
Network Error Callback: Error (Network) (error -8)
MQTT Exiting...
MQTT Unsubscribe: Success (0)
MQTT Disconnect: Success (0)
MQTT Socket Disconnect: Success (0)Did you try forcing TLS?
Thanks,
Eric @ wolfSSL Support
Hi Gus,
Thanks for the update. Next step in debugging this would be to review a pcap of the failing handshake.
If you'd prefer to move off this public forum, please send an email to support@wolfssl.com referencing this forum thread and attach a pcap of the handshake.
Thanks,
Eric @ wolfSSL Support
Hello Gus,
While we always recommend that users are on the latest release, the version error you are seeing is likely related to the TLS protocol version in the handshake. You will probably be able to fix the issue by configuring and using a later version of the TLS protocol to establish the connection.
Please review section 4.2 PROTOCOL SUPPORT
https://www.wolfssl.com/docs/wolfssl-manual/ch4/
Thanks,
Eric @ wolfSSL Support
Hi Remy,
No, I do not think you need the pk callback option, but you mentioned earlier in the thread.
The `NO_ECC_KEY_EXPORT` define comes from here (because `HAVE_ECC` is defined):
https://github.com/wolfSSL/wolfssl/blob … gs.h#L1821
The public key is exported to the `ssl->hsKey` structure in order to compute the shared secret.
ret = EccSharedSecret(ssl,
(ecc_key*)ssl->hsKey, ssl->peerEccKey,
args->output + OPAQUE8_LEN, &args->length,
ssl->arrays->preMasterSecret + OPAQUE16_LEN,
&ssl->arrays->preMasterSz,
WOLFSSL_CLIENT_END
);wolfSSL - Embedded SSL Library → Posts by embhorn
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.024 seconds (77% PHP - 23% DB) with 5 queries