26 Reply by embhorn

(3 replies, posted in wolfSSL)

I've requested our business director, Scott McClung, to reach out to set up a call with our engineers. Please keep an eye out for an email.

Thanks,
Eric - wolfSSL Support

Go to forum: wolfSSL

27 Reply by embhorn

(3 replies, posted in wolfSSL)

Hi wirediot,

Welcome to the wolfSSL Forums. Could you tell us a bit about your project using wolfSSL and where you are located for our support records?

The default cert verification logic in wolfSSL is more stringent (secure) than other SSL libs in that we require the root CA to be loaded, as opposed to verifying the peer cert based on any cert that matches. You can loosen this requirement by enabling the define WOLFSSL_ALT_CERT_CHAINS.

https://github.com/wolfSSL/wolfssl/blob … .c#L33-L37
* WOLFSSL_ALT_CERT_CHAINS:
*     Allows CA's to be presented by peer, but not part of a valid chain.
*     Default wolfSSL behavior is to require validation of all presented peer
*     certificates. This also allows loading intermediate CA's as trusted
*     and ignoring no signer failures for CA's up the chain to root.

So to answer your questions:

1. Is this implementation in accordance to RFC?  what part of RFC does this comply to that we need to absolute load "A"?

Yes

2. What changes are needed in embeddedSSL if we just need to validate using B or C?

See discussion above.

3. from a security perspective, I understand both are secure and loading A does not mean it is more secure, but isnt B or C more likely to be revoked rather than A?

Root certs are much less frequently revoked, but it can happen. Which is why things like OCSP exist.

5. if there are multiple flavors of B and C, wouldn't it be safer to just load A and let device validate B/C/D through chain validation?

Yes!

5. do we know if all the SSL clients operate same way (openSSL, mbedTLS, etc)?

They are definitely different.

Thanks,
Eric - wolfSSL Support

Go to forum: wolfSSL

28 Reply by embhorn

(1 replies, posted in wolfMQTT)

Hello valschroeder

Welcome to the wolfSSL Forums. Yes, wolfMQTT sounds like a great fit for your project!

We have lots of example projects in the library. I'm not sure what you mean by "manual work to handle incoming messages". The client subscribes to a topic and messages are received.

Could you tell us a bit about your MQTT project and where you are located for our support records?

Thanks,
Eric - wolfSSL Support

Go to forum: wolfMQTT

29 Reply by embhorn

(4 replies, posted in wolfCrypt)

Hi gabriel,

Welcome to the wolfSSL Forums. Could you tell us a bit about your project using wolfSSL and where you are from for our support records?

We have a benchmarking tool that will be of interest to you:
https://github.com/wolfSSL/wolfssl/tree … /benchmark

The ED448 sign operation does perform a hash also:
https://github.com/wolfSSL/wolfssl/blob … 448.c#L355

The "ph" is for pre-hashed, signifying that the message is pre-hashed before the signature calculation.

Thanks,
Eric - wolfSSL Support

Go to forum: wolfCrypt

30 Reply by embhorn

(9 replies, posted in wolfCrypt)

Is the compiler in the environment path? Can you invoke it from the command line right there?

Go to forum: wolfCrypt

31 Reply by embhorn

(1 replies, posted in wolfSSL)

Hi DDaugher

Welcome to the wolfSSL Forums.

Yes, AES-GCM is a good candidate. You can check out the wolfSSL crypto benchmarking tool to get a better idea of throughputs.
https://github.com/wolfSSL/wolfssl/tree … /benchmark

We also have several excellent examples in this other repository:
https://github.com/wolfSSL/wolfssl-examples
https://github.com/wolfSSL/wolfssl-exam … crypto/aes

Could you tell us a bit about your project? Feel free to email us at support@wolfssl.com for a more private conversation.

Thanks,
Eric - wolfSSL Support

Go to forum: wolfSSL

32 Reply by embhorn

(9 replies, posted in wolfCrypt)

Can you try using WSL to install the PPC compiler and build the wolfSSL lib there?

Go to forum: wolfCrypt

33 Reply by embhorn

(9 replies, posted in wolfCrypt)

I'm not going to say its impossible, but certainly it will be more straightforward on Linux.

Go to forum: wolfCrypt

34 Reply by embhorn

(9 replies, posted in wolfCrypt)

When you set up the cross compilation in the configure step, the tools will have that macro available.
https://www.wolfssl.com/documentation/m … ss-compile

Go to forum: wolfCrypt

35 Reply by embhorn

(9 replies, posted in wolfCrypt)

Hi asn,

Welcome to the wolfSSL Forums.

You should not add configuration defines in the source files. This will always result in undefined behavior.

This is the preferred method for configuring the library:
https://www.wolfssl.com/using-user_settings-h-wolfssl/

Yes, you can build wolfSSL for PPC. The environment variable `__ppc__` will be detected to set up the correct settings for that architecture.

Let us know if there are questions.

Thanks,
Eric - wolfSSL Support

Go to forum: wolfCrypt

36 Reply by embhorn

(3 replies, posted in wolfCrypt)

Hi James,

Please email support@wolfssl.com for a discussion about FIPS impacts.

Go to forum: wolfCrypt

37 Reply by embhorn

(3 replies, posted in wolfCrypt)

Hello James,

Thanks for joining the wolfSSL Forums. wolfSSL does not currently support ECC571. I can help you open an official feature request. Please email support@wolfssl.com to get the process started.

Kind regards,
Eric - wolfSSL Support

Go to forum: wolfCrypt

38 Reply by embhorn

(4 replies, posted in wolfSSL)

Servers often do not support bidirectional shutdown, instead just silently closing the connection.

In the case of DTLS, a time out while waiting for the close notify could be used to handle the case of a non-responding server.

Go to forum: wolfSSL

39 Reply by embhorn

(4 replies, posted in wolfSSL)

Hi bp787

Are you trying to do a bi-directional shutdown?

Does the server respond with anything after the first shutdown? Do you have a pcap of the interaction?

Thanks,
Eric - wolfSSL Support

Go to forum: wolfSSL

40 Reply by embhorn

(1 replies, posted in wolfSSL)

That protocol is not currently supported in wolfSSL, but we do accept feature requests. You can start the process by emailing support@wolfssl.com

Go to forum: wolfSSL

41 Reply by embhorn

(2 replies, posted in wolfCrypt)

Hello Jens,

Thanks for joining the wolfSSL Forums.

Yes, we implemented Karatsuba in 2022:
https://github.com/wolfSSL/wolfssl/pull/4853
You'll see some comparison benchmarks in the comments of that PR

Have you checked out our wolfBoot project?
https://github.com/wolfSSL/wolfBoot
https://github.com/wolfSSL/wolfBoot/blo … md#stm32h7

Feel free to email us at support@wolfssl.com with any questions.

Kind regards,
Eric - wolfSSL Support

Go to forum: wolfCrypt

42 Reply by embhorn

(1 replies, posted in wolfSSL)

Hello mrinalilothey

Welcome to the wolfSSL Forums.

We have some example projects for IAR Workbench to get you started:
https://github.com/wolfSSL/wolfssl/tree … /IAR-EWARM

Let us know if there are questions. You can always open a support ticket by emailing support@wolfssl.com

Could you tell us a bit about your project using wolfSSL?

Thanks,
Eric - wolfSSL Support

Go to forum: wolfSSL

43 Reply by embhorn

(2 replies, posted in wolfSSL)

Hi Nicolas,

Welcome to the forums!

My colleague is going to review and provide a response for you.

Thanks,
Eric - wolfSSL Support

Go to forum: wolfSSL

44 Reply by embhorn

(12 replies, posted in wolfSSL)

Hi invoker,

I would recommend opening a support ticket by emailing support@wolfssl.com

Thanks,
Eric

Go to forum: wolfSSL

45 Reply by embhorn

(12 replies, posted in wolfSSL)

I just meant that maybe you could setup a reproducer using the certs you are trying

Go to forum: wolfSSL

46 Reply by embhorn

(12 replies, posted in wolfSSL)

Could you create a test case using the wolfSSL examples?

<wolfssl>./examples/server/server
<wolfssl>./examples/client/client

Go to forum: wolfSSL

47 Reply by embhorn

(8 replies, posted in wolfSSH)

The keygen component is present in source, but there is not a separate utility (yet)
https://github.com/wolfSSL/wolfssh/blob … c/keygen.c

It looks like the listenAddress option is not fully supported yet.

Go to forum: wolfSSH

48 Reply by embhorn

(8 replies, posted in wolfSSH)

Hello forza,

Thanks for joining the wolfSSL Forums. wolfSSH-sshd is intended to be full replacement for the OpenSSH server. Here is a getting started video:
https://www.youtube.com/watch?v=xJOyoalxA0U

There doesn't seem to be any official documentation on the wolfsshd itself

This is relatively new feature of the project, so documentation is still forthcoming.

I'll check with the team about the key-gen tool.

Could you tell us a bit about your project using wolfSSH? Feel free to email us at support@wolfssl.com for a more private discussion.

Kind regards,
Eric - wolfSSL Support

Go to forum: wolfSSH

49 Reply by embhorn

(12 replies, posted in wolfSSL)

Thanks for sharing the log inline....

From the log, the peer sent a "decrypt error" alert:

received record layer msg
got ALERT!
Alert type: decrypt_error
wolfSSL error occurred, error = 51 line:20389 file:src/internal.c
wolfSSL error occurred, error = 313 line:12991 file:src/ssl.c

So the peer was not able to decode the message and quit the handshake.

Can you provide more info about the server?

Go to forum: wolfSSL

50 Reply by embhorn

(12 replies, posted in wolfSSL)

Hello invoker,

Thanks for joining the wolfSSL Forums. Unfortunately we needed to disable file attachments in these forums, so I am unable to see your log.

You are welcome to create a support ticket by emailing support@wolfssl.com

Are you connecting to one of the wolfSSL example servers?

Kind regards,
Eric - wolfSSL Support

Go to forum: wolfSSL