76

(2 replies, posted in wolfSSL)

Hi Scotty

There are a couple of ways to resolve this. You could

  • Use NTP to set the time prior to connecting to the server.

  • Disable time verification during runtime by loading certs using _ex version of load API with WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY flag

  • Use a verify callback to override the date errors during the first server connection.

  • Configure no date checks ever - define NO_ASN_TIME_CHECK

Let us know if that helps.

Thanks,
Eric - wolfSSL Support

77

(8 replies, posted in wolfCrypt)

Hello groovytacocat,

Welcome to the wolfSSL forums!

There are two method for using a custom RNG source with wolfSSL:
"Custom Seed Source" using CUSTOM_RAND_GENERATE to seed the P-RNG
or
"Bypass P-RNG and use only HW RNG" using CUSTOM_RAND_GENERATE_BLOCK

By setting NO_HASHDRBG, you are disabling the P-RNG, but you have not defined CUSTOM_RAND_GENERATE_BLOCK

Please try removing the define for NO_HASHDRBG


Could you tell us a bit more about your project using wolfSSL? Feel free to email us at support@wolfssl.com if you'd prefer a more private venue.

Thanks,
Eric - wolfSSL Support

78

(4 replies, posted in wolfSSL)

Hi RJ,

You can use VSCode to build the wolfSSL library by simply opening the folder where you cloned or downloaded wolfSSL.

Or you can use the GitHub extension to "Clone GitHub Repository..."
Enter "https://github.com/wolfSSL/wolfssl.git"
Then "Clone from URL https://github.com/wolfSSL/wolfssl.git" and select a folder in which to store the code.

Next you can build using Cmake, or using the command line using these instructions:
https://github.com/wolfSSL/wolfssl/blob/master/INSTALL

After installing wolfSSL, you can link the library to your application by adding "-lwolfssl" to your compiler flags. Be sure to add the wolfSSL include files that were installed to the application.

#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/settings.h>

79

(1 replies, posted in wolfSSL)

Hello RJ

Thanks for joining the wolfSSL Forums. We have an excellent examples repository. You will need to create a new MPLABX project, as these are generic examples, not Harmony specific:
https://github.com/wolfSSL/wolfssl-exam … er-tls13.c

Could you tell us a bit about your project? Feel free to email support@wolfssl.com if you'd prefer to keep this information private.

Thanks,
Eric - wolfSSL Support

Hello Bilal,

Thanks for joining the wolfSSL Forums. The -188 error indicates that the client should load a CA cert that can be used to verify the server's cert during the handshake. As you found, you can skip this check, or use a verify callback.

The -112 error is commonly encountered when a memory alloc fails.

Could you please tell us a bit about your project? Please feel free to send an email to support@wolfssl.com if you'd prefer a more private discussion.

Thanks,
Eric - wolfSSL Support

81

(27 replies, posted in wolfSSL)

Hello Adam,

Thanks for joining the wolfSSL forums. I am checking with the team to see if we any relevant docs or examples for ESP32 using Arduino framework.

Could you tell us a bit about your project? If you'd prefer to keep it private, feel free to email support@wolfssl.com

Kind regards,
Eric - wolfSSL Support

Hello Óscar,

Thanks for joining the wolfSSL Forums.

Here are the DTLS demos:
https://github.com/wolfSSL/wolfssl-exam … aster/dtls

And here are the PSK demos for TLS, which you can easily adapt to DTLS:
https://github.com/wolfSSL/wolfssl-exam … master/psk

Can you tell us a bit about your project using wolfSSL?

Thanks,
Eric - wolfSSL Support

Hi Karthikeyan

Thanks for joining the wolfSSL forums. I've copied my answer to the support ticket you opened here:

Are you already able to build wolfSSL in MPLAB?
https://github.com/wolfSSL/wolfssl/tree/master/mplabx

After you get wolfSSL building, we have an unofficial port of wolfSSH for MPLAB:
https://github.com/wolfSSL/wolfssh/pull/52

You can follow the instructions in the readme:
https://github.com/wolfSSL/wolfssh/blob … /README.md

84

(1 replies, posted in wolfSSL)

Hi sand7000

Welcome to the wolfSSL Forums! Please send an email to facts@wolfssl.com and we can get you in contact with the right business director. Sounds like a cool project. Is this something you will be open-sourcing?

Thanks,
Eric - wolfSSL Support

Hello jbquick,

Thanks for contacting wolfSSL Support. I have requested a review of this from a colleague.

86

(4 replies, posted in wolfSSL)

Hi aashishkul,

Excellent! the library is very flexible, and your expectations are reasonable. Here is a link to our tuning guide:
https://www.wolfssl.com/docs/tuning-guide/

Additionally, here are some reference configurations that will be useful:
https://github.com/wolfSSL/wolfssl/tree … es/configs

For additional assistance with optimization, please open a support ticket by emailing support@wolfssl.com

Regarding the warning, are you working with the latest version of the library?

87

(2 replies, posted in wolfSSL)

Hi astc

What is the server doing? If it is not sending messages, I could see where your test would break.

I modified our simple examples to do what you are trying to accomplish:
https://github.com/wolfSSL/wolfssl-exam … master/tls

diff --git a/tls/client-tls.c b/tls/client-tls.c
index d1e06be..9f13d84 100644
--- a/tls/client-tls.c
+++ b/tls/client-tls.c
@@ -133,32 +133,68 @@ int main(int argc, char** argv)
         goto cleanup;
     }
 
-    /* Get a message for the server from stdin */
-    printf("Message for server: ");
-    memset(buff, 0, sizeof(buff));
-    if (fgets(buff, sizeof(buff), stdin) == NULL) {
-        fprintf(stderr, "ERROR: failed to get message for server\n");
-        ret = -1;
-        goto cleanup;
-    }
-    len = strnlen(buff, sizeof(buff));
-
-    /* Send the message to the server */
-    if ((ret = wolfSSL_write(ssl, buff, len)) != len) {
-        fprintf(stderr, "ERROR: failed to write entire message\n");
-        fprintf(stderr, "%d bytes of %d bytes were sent", ret, (int) len);
-        goto cleanup;
+#if 1
+    while (1)
+    {
+        int err;
+        char stringtosend[1024];
+        char readBuf[1024];
+
+        printf("Send a string to the server\n"
+               "x to exit\n");
+        if (fgets(stringtosend, sizeof(stringtosend), stdin) == NULL) {
+            printf("error reading");
+        }
+        do {
+            ret = wolfSSL_write(ssl, stringtosend, sizeof(stringtosend));
+            err = wolfSSL_get_error(ssl, ret);
+        } while (err == WOLFSSL_ERROR_WANT_READ || err == WOLFSSL_ERROR_WANT_WRITE);
+        printf("Sent (%d): %s\n", err, stringtosend);
+
+        XMEMSET(readBuf, 0, sizeof(readBuf));
+        do {
+            ret = wolfSSL_read(ssl, readBuf, sizeof(readBuf)-1);
+            err = wolfSSL_get_error(ssl, ret);
+        } while (err == WOLFSSL_ERROR_WANT_READ || err == WOLFSSL_ERROR_WANT_WRITE);
+        printf("Read (%d): %s\n", err, readBuf);
+
+
+        //ssl->buffers.clearOutputBuffer.length = 0;
+        if (stringtosend[0] == 'x' && stringtosend[1] == '\n'){
+            break;
+        }
     }
-
-    /* Read the server data into our buff array */
-    memset(buff, 0, sizeof(buff));
-    if ((ret = wolfSSL_read(ssl, buff, sizeof(buff)-1)) == -1) {
-        fprintf(stderr, "ERROR: failed to read\n");
-        goto cleanup;
-    }
-
-    /* Print to stdout any data the server sends */
-    printf("Server: %s\n", buff);
+#else
+    do {
+        /* Get a message for the server from stdin */
+        printf("Message for server: ");
+        memset(buff, 0, sizeof(buff));
+        if (fgets(buff, sizeof(buff), stdin) == NULL) {
+            fprintf(stderr, "ERROR: failed to get message for server\n");
+            ret = -1;
+            goto cleanup;
+        }
+        len = strnlen(buff, sizeof(buff));
+
+        /* Send the message to the server */
+        if ((ret = wolfSSL_write(ssl, buff, len)) != len) {
+            fprintf(stderr, "ERROR: failed to write entire message\n");
+            fprintf(stderr, "%d bytes of %d bytes were sent", ret, (int) len);
+            goto cleanup;
+        }
+
+        /* Read the server data into our buff array */
+        memset(buff, 0, sizeof(buff));
+        if ((ret = wolfSSL_read(ssl, buff, sizeof(buff)-1)) == -1) {
+            fprintf(stderr, "ERROR: failed to read\n");
+            goto cleanup;
+        }
+
+        /* Print to stdout any data the server sends */
+        printf("Server: %s\n", buff);
+
+    } while(1);
+#endif
 
     /* Bidirectional shutdown */
     while (wolfSSL_shutdown(ssl) == SSL_SHUTDOWN_NOT_DONE) {
diff --git a/tls/server-tls.c b/tls/server-tls.c
index fa79a4d..6fc3c50 100644
--- a/tls/server-tls.c
+++ b/tls/server-tls.c
@@ -160,35 +160,35 @@ int main()
 
         printf("Client connected successfully\n");
 
-
-
-        /* Read the client data into our buff array */
-        memset(buff, 0, sizeof(buff));
-        if ((ret = wolfSSL_read(ssl, buff, sizeof(buff)-1)) == -1) {
-            fprintf(stderr, "ERROR: failed to read\n");
-            goto exit;
-        }
-
-        /* Print to stdout any data the client sends */
-        printf("Client: %s\n", buff);
-
-        /* Check for server shutdown command */
-        if (strncmp(buff, "shutdown", 8) == 0) {
-            printf("Shutdown command issued!\n");
-            shutdown = 1;
-        }
-
-
-
-        /* Write our reply into buff */
-        memset(buff, 0, sizeof(buff));
-        memcpy(buff, reply, strlen(reply));
-        len = strnlen(buff, sizeof(buff));
-
-        /* Reply back to the client */
-        if ((ret = wolfSSL_write(ssl, buff, len)) != len) {
-            fprintf(stderr, "ERROR: failed to write\n");
-            goto exit;
+        while(!shutdown) {
+            /* Read the client data into our buff array */
+            memset(buff, 0, sizeof(buff));
+            if ((ret = wolfSSL_read(ssl, buff, sizeof(buff)-1)) == -1) {
+                fprintf(stderr, "ERROR: failed to read\n");
+                goto exit;
+            }
+
+            /* Print to stdout any data the client sends */
+            printf("Client: %s\n", buff);
+
+            /* Check for server shutdown command */
+            if (strncmp(buff, "shutdown", 8) == 0) {
+                printf("Shutdown command issued!\n");
+                shutdown = 1;
+            }
+
+
+
+            /* Write our reply into buff */
+            memset(buff, 0, sizeof(buff));
+            memcpy(buff, reply, strlen(reply));
+            len = strnlen(buff, sizeof(buff));
+
+            /* Reply back to the client */
+            if ((ret = wolfSSL_write(ssl, buff, len)) != len) {
+                fprintf(stderr, "ERROR: failed to write\n");
+                goto exit;
+            }
         }
 
         /* Notify the client that the connection is ending */

88

(4 replies, posted in wolfSSL)

Hello aashishkul

Welcome to the wolfSSL Forums.

You can build a non-standard environment by creating a new library project and pointing to the source and header folders.
https://www.wolfssl.com/documentation/m … nvironment

You do not need to use the autotools scripts to generate make files. You can place all the configuration defines into a file name user_settings.h and add a CFLAG define for WOLFSSL_USER_SETTINGS.

Additionally, we offer services to get wolfSSL built in your environment. Please send an email to facts@wolfssl.com to learn more about this process.

Thanks,
Eric - wolfSSL Support

Hi razvi.david

Are you working with the latest code from the repository? We did recently fix an issue that sounds similar to this.

Would you like to open a support ticket? The forum is a low priority venue for helping customers. Please send an email to support@wolfssl.com and reference this forum post.

Thanks,
Eric - wolfSSL Support

I just tested this edge case using the TLS resume example I referred to earlier. I set a BP after the first connection completed, and restarted the server to ensure the session ticket would not be recognized.

The second client connection succeeded, and it was indicated that the session could not be resumed, i.e. a new session was established.

Message for server: test
Server: I hear you fa shizzle!
Session ID not reused; Successful resume.
Message for server: test
Server: I hear you fa shizzle!

Could you share the configuration settings being used? Also please enable debug logging (./configure --enable-debug and add a call to wolfSSL_Debugging_ON() in the client) and share the log showing the error.

Hello razvi.david

Welcome to the wolfSSL Forums.

Could you tell us a bit about your project using wolfSSL?

Is the server restarted in between sessions?

You can observe a successful session ticket reuse using the examples.
<wolfssl>
./configure --enable-session-ticket && make

<server>
./examples/server/server -i

SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL curve name is SECP256R1
Client message: hello wolfssl!
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL curve name is SECP256R1
Client message: hello wolfssl!
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL reused session
Client message: resuming wolfssl!

<client connects twice>
./examples/client/client -r

Session Ticket CB: ticketSz = 142, ctx = initial session
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL curve name is SECP256R1
I hear you fa shizzle!
Session Ticket CB: ticketSz = 142, ctx = resumed session
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL reused session
reused session id
 resumeI hear you fa shizzle!

Additionally, here is a TLS resume example:
https://github.com/wolfSSL/wolfssl-exam … s-resume.c

As for allowing the connection with a session ticket that is unrecognized, I believe that is supported. The server should just send a new session ticket. That would be the same if a session ticket expired.

Thanks,

That code corresponds to VERIFY_SIGN_ERROR, which indicates that the signature is invalid.

Are you using STM32 Cube IDE with the wolfSSL cube pack? What configuration are you using?

Hi astc

Welcome to the wolfSSL forums.

Are you able to run the wolfCrypt tests on your platform? It's a good idea to verify the core cryptography first to be sure there is not some underlying problem.
https://github.com/wolfSSL/wolfssl/tree … crypt/test

Thanks,
Eric - wolfSSL Support

Hello tuankiet,

Welcome to the wolfSSL Forums. The linker is complaining about system calls ("inet_pton", "__errno_location", etc)

Could this be related to order the libraries are included?

-L/home/tuankiet/Documents/tools/riscv-32imac/lib -L/home/tuankiet/Documents/tools/riscv-32imac/riscv32-unknown-elf/lib -L/home/tuankiet/Documents/tools/riscv-32imac/sysroot/lib -L/home/tuankiet/Documents/tools/riscv-32imac/sysroot/usr/lib /home/tuankiet/Documents/tools/wolfssl-build-riscv32/lib/libwolfssl.a -lm

Kind regards,
Eric - wolfSSL Support

Hi Nikos,

Thanks for contacting wolfSSL Forums.

We are reviewing this and will post an update.

Thanks,
Eric @ wolfSSL Support

Hi bahadirmaktav,

You can use the wolfSSL example client application to get similar functionality:

Build wolfSSL with

./configure --enable-all CFLAGS="-DSHOW_CERTS" && make

Run the client

./examples/client/client -h <hostname> -p <port>

Use the -j option to override CA issues

Thanks,
Eric - wolfSSL Support

Hi kj3141

Please send an email to our support team so that this issue is properly tracked

support@wolfssl.com

Thanks,
Eric - wolfSSL Support

98

(4 replies, posted in wolfMQTT)

I was able to use the wolfMQTT example client on linux to connect to the test broker

$ ./examples/mqttclient/mqttclient -h test.mosquitto.org -t
MQTT Client: QoS 0, Use TLS 1
MQTT Net Init: Success (0)
MQTT Init: Success (0)
NetConnect: Host test.mosquitto.org, Port 8883, Timeout 5000 ms, Use TLS 1
MQTT TLS Setup (1)
MQTT TLS Verify Callback for mqttclient: PreVerify 0, Error -188 (ASN no signer error to confirm failure)
  Subject's domain name is test.mosquitto.org
  Allowing cert anyways
MQTT Socket Connect: Success (0)
MQTT Connect: Proto (v3.1.1), Success (0)
MQTT Connect Ack: Return Code 0, Session Present 0
MQTT Subscribe: Success (0)
  Topic wolfMQTT/example/testTopic, Qos 0, Return Code 0
MQTT Publish: Topic wolfMQTT/example/testTopic, Success (0)
MQTT Waiting for message...
MQTT Message: Topic wolfMQTT/example/testTopic, Qos 0, Len 4
Payload (0 - 4) printing 4 bytes:
test
MQTT Message: Done
^CReceived SIGINT
Network Error Callback: Error (Network) (error -8)
MQTT Exiting...
MQTT Unsubscribe: Success (0)
MQTT Disconnect: Success (0)
MQTT Socket Disconnect: Success (0)

99

(4 replies, posted in wolfMQTT)

Great, increasing the stack got you past the first issue. Now the broker is sending an alert after the TLS client hello is sent:


wolfSSL (1): received record layer msg
wolfSSL (1): got ALERT!
wolfSSL (1): Alert type: handshake_failure
wolfSSL (0): wolfSSL error occurred, error = 40
wolfSSL (0): wolfSSL error occurred, error = -313

This could be because the broker expects some extension that the client is not sending, or there was not a mutually agreeable cipher suite or protocol version.

It might be easier to try connecting to a local broker (maybe mosquitto?) that you could more easily monitor the handshake using Wireshark.

100

(4 replies, posted in wolfMQTT)

Hi b.stefano,

Great to hear from you again. From the log, it seems that the allocation of the SSL structure is failing. This could be because of a memory failure. Could you try increasing the available stack size?

Thanks,
Eric - wolfSSL Support