76 Reply by embhorn

(6 replies, posted in wolfSSL)

I just tested this edge case using the TLS resume example I referred to earlier. I set a BP after the first connection completed, and restarted the server to ensure the session ticket would not be recognized.

The second client connection succeeded, and it was indicated that the session could not be resumed, i.e. a new session was established.

Message for server: test
Server: I hear you fa shizzle!
Session ID not reused; Successful resume.
Message for server: test
Server: I hear you fa shizzle!

Could you share the configuration settings being used? Also please enable debug logging (./configure --enable-debug and add a call to wolfSSL_Debugging_ON() in the client) and share the log showing the error.

Go to forum: wolfSSL

77 Reply by embhorn

(6 replies, posted in wolfSSL)

Hello razvi.david

Welcome to the wolfSSL Forums.

Could you tell us a bit about your project using wolfSSL?

Is the server restarted in between sessions?

You can observe a successful session ticket reuse using the examples.
<wolfssl>
./configure --enable-session-ticket && make

<server>
./examples/server/server -i

SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL curve name is SECP256R1
Client message: hello wolfssl!
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL curve name is SECP256R1
Client message: hello wolfssl!
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL reused session
Client message: resuming wolfssl!

<client connects twice>
./examples/client/client -r

Session Ticket CB: ticketSz = 142, ctx = initial session
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL curve name is SECP256R1
I hear you fa shizzle!
Session Ticket CB: ticketSz = 142, ctx = resumed session
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL reused session
reused session id
 resumeI hear you fa shizzle!

Additionally, here is a TLS resume example:
https://github.com/wolfSSL/wolfssl-exam … s-resume.c

As for allowing the connection with a session ticket that is unrecognized, I believe that is supported. The server should just send a new session ticket. That would be the same if a session ticket expired.

Thanks,

Go to forum: wolfSSL

78 Reply by embhorn

(7 replies, posted in wolfSSL)

That code corresponds to VERIFY_SIGN_ERROR, which indicates that the signature is invalid.

Are you using STM32 Cube IDE with the wolfSSL cube pack? What configuration are you using?

Go to forum: wolfSSL

79 Reply by embhorn

(7 replies, posted in wolfSSL)

Hi astc

Welcome to the wolfSSL forums.

Are you able to run the wolfCrypt tests on your platform? It's a good idea to verify the core cryptography first to be sure there is not some underlying problem.
https://github.com/wolfSSL/wolfssl/tree … crypt/test

Thanks,
Eric - wolfSSL Support

Go to forum: wolfSSL

80 Reply by embhorn

(1 replies, posted in wolfSSL)

Hello tuankiet,

Welcome to the wolfSSL Forums. The linker is complaining about system calls ("inet_pton", "__errno_location", etc)

Could this be related to order the libraries are included?

-L/home/tuankiet/Documents/tools/riscv-32imac/lib -L/home/tuankiet/Documents/tools/riscv-32imac/riscv32-unknown-elf/lib -L/home/tuankiet/Documents/tools/riscv-32imac/sysroot/lib -L/home/tuankiet/Documents/tools/riscv-32imac/sysroot/usr/lib /home/tuankiet/Documents/tools/wolfssl-build-riscv32/lib/libwolfssl.a -lm

Kind regards,
Eric - wolfSSL Support

Go to forum: wolfSSL

81 Reply by embhorn

(8 replies, posted in wolfCrypt)

Hi Nikos,

Thanks for contacting wolfSSL Forums.

We are reviewing this and will post an update.

Thanks,
Eric @ wolfSSL Support

Go to forum: wolfCrypt

82 Reply by embhorn

(1 replies, posted in wolfSSL)

Hi bahadirmaktav,

You can use the wolfSSL example client application to get similar functionality:

Build wolfSSL with

./configure --enable-all CFLAGS="-DSHOW_CERTS" && make

Run the client

./examples/client/client -h <hostname> -p <port>

Use the -j option to override CA issues

Thanks,
Eric - wolfSSL Support

Go to forum: wolfSSL

83 Reply by embhorn

(1 replies, posted in wolfSSL)

Hi kj3141

Please send an email to our support team so that this issue is properly tracked

support@wolfssl.com

Thanks,
Eric - wolfSSL Support

Go to forum: wolfSSL

84 Reply by embhorn

(4 replies, posted in wolfMQTT)

I was able to use the wolfMQTT example client on linux to connect to the test broker

$ ./examples/mqttclient/mqttclient -h test.mosquitto.org -t
MQTT Client: QoS 0, Use TLS 1
MQTT Net Init: Success (0)
MQTT Init: Success (0)
NetConnect: Host test.mosquitto.org, Port 8883, Timeout 5000 ms, Use TLS 1
MQTT TLS Setup (1)
MQTT TLS Verify Callback for mqttclient: PreVerify 0, Error -188 (ASN no signer error to confirm failure)
  Subject's domain name is test.mosquitto.org
  Allowing cert anyways
MQTT Socket Connect: Success (0)
MQTT Connect: Proto (v3.1.1), Success (0)
MQTT Connect Ack: Return Code 0, Session Present 0
MQTT Subscribe: Success (0)
  Topic wolfMQTT/example/testTopic, Qos 0, Return Code 0
MQTT Publish: Topic wolfMQTT/example/testTopic, Success (0)
MQTT Waiting for message...
MQTT Message: Topic wolfMQTT/example/testTopic, Qos 0, Len 4
Payload (0 - 4) printing 4 bytes:
test
MQTT Message: Done
^CReceived SIGINT
Network Error Callback: Error (Network) (error -8)
MQTT Exiting...
MQTT Unsubscribe: Success (0)
MQTT Disconnect: Success (0)
MQTT Socket Disconnect: Success (0)

Go to forum: wolfMQTT

85 Reply by embhorn

(4 replies, posted in wolfMQTT)

Great, increasing the stack got you past the first issue. Now the broker is sending an alert after the TLS client hello is sent:


wolfSSL (1): received record layer msg
wolfSSL (1): got ALERT!
wolfSSL (1): Alert type: handshake_failure
wolfSSL (0): wolfSSL error occurred, error = 40
wolfSSL (0): wolfSSL error occurred, error = -313

This could be because the broker expects some extension that the client is not sending, or there was not a mutually agreeable cipher suite or protocol version.

It might be easier to try connecting to a local broker (maybe mosquitto?) that you could more easily monitor the handshake using Wireshark.

Go to forum: wolfMQTT

86 Reply by embhorn

(4 replies, posted in wolfMQTT)

Hi b.stefano,

Great to hear from you again. From the log, it seems that the allocation of the SSL structure is failing. This could be because of a memory failure. Could you try increasing the available stack size?

Thanks,
Eric - wolfSSL Support

Go to forum: wolfMQTT

87 Reply by embhorn

(1 replies, posted in wolfSSL)

Hi Keterna,

Welcome to the wolfSSL Forums! Yes, you are on the right track. You'll need to define HAVE_SECRET_CALLBACK to access the wolfSSL_set_tls13_secret_cb API.

Here is a client example that writes the shared secret to a log file, which can then be used to decrypt the packets in wrieshark:
https://github.com/wolfSSL/wolfssl-exam … nt-tls13.c

Here is the analogous server example:
https://github.com/wolfSSL/wolfssl-exam … er-tls13.c

Could you tell us a bit more about your project? Feel free to email support@wolfssl.com if you'd prefer a less public discussion.

Thanks,
Eric - wolfSSL Support

Come see us at Black Hat in Las Vegas August 9th & 10th, booth #2617!
https://www.blackhat.com/us-23/

Go to forum: wolfSSL

88 Reply by embhorn

(1 replies, posted in wolfSSL)

Hello Amjal,

Sorry to hear about your trouble with the Zephyr port. The port was last tested on Zephyr 2.7 with Zephyr SDK 0.13.1.

If this is a project blocker, I suggest using our Support system by emailing support@wolfssl.com

Thanks,
Eric - wolfSSL Support

Go to forum: wolfSSL

89 Reply by embhorn

(3 replies, posted in wolfMQTT)

Hi sricor,

I have responded to your ticket in our Zendesk portal. Thanks for sending that in.

Go to forum: wolfMQTT

90 Reply by embhorn

(3 replies, posted in wolfMQTT)

Hello sricor,

Welcome to the wolfSSL Forums. This sounds like a very interesting project. If the return code is MQTT_CODE_CONTINUE, then the IO driver is returning EINPROGRESS or EWOULDBLOCK, indicating that the driver buffer is not being emptied. I'd like to try to reproduce this. Could you please send an email to support@wolfssl.com mentioning this forum post?

Thanks,
Eric - wolfSSL Support

Go to forum: wolfMQTT

91 Reply by embhorn

(2 replies, posted in wolfSSL)

Hello hakahane

Welcome to the wolfSSL forums. Thanks for bringing this to our attention! I've fixed it in
https://github.com/wolfSSL/wolfssl/pull/6532

Please give it a test and let us know if you find other issues.

Kind regards,
Eric - wolfSSL Support

Go to forum: wolfSSL

92 Reply by embhorn

(3 replies, posted in wolfCrypt)

Hello solamnic

Welcome to the wolfSSL Forums. I've requested feedback from our engineers on your questions.

Thanks,
Eric - wolfSSL Support

Go to forum: wolfCrypt

93 Reply by embhorn

(1 replies, posted in wolfCrypt)

Hi Alex,

The key parameter is not constant for the async state machine and in order to utilize the key's heap memory. So long as one hash verify operation completes before reusing the key, it can be reused.

Thanks,
Eric - wolfSSL Support

Go to forum: wolfCrypt

94 Reply by embhorn

(3 replies, posted in wolfCrypt)

A lot of the math functions your are trying to use are gated because they are not typically used by applications. I can't really give you a "guide" to exposing these API. You should review the header files, as they are a pretty good indicator if a function is gated.

Go to forum: wolfCrypt

95 Reply by embhorn

(3 replies, posted in wolfCrypt)

Hi wangzihao,

The --enable-fpecc option enables Fixed Point cache ECC. It is not required to use ecc_mul2add.

You do need to make the function public by adding -DWOLFSSL_PUBLIC_ECC_ADD_DBL to CFLAGS

Please keep these questions coming! We are happy to help others learn!

Thanks,
Eric

Go to forum: wolfCrypt

96 Reply by embhorn

(3 replies, posted in wolfCrypt)

Hi wangzihao,

You'll want to pass in the the curve ID to wc_ecc_get_generator:

        ret = wc_ecc_get_generator(pt, wc_ecc_get_curve_idx(ECC_SECP256R1));

There is an example in test_wc_ecc_get_generator() in tests/api.c

Thanks,
Eric - wolfSSL Support

Go to forum: wolfCrypt

97 Reply by embhorn

(5 replies, posted in wolfCrypt)

Hi avlec,

I recommend sending an email to our support team. It will be easier for us to make suggestions if we first gather your version and config information.

support@wolfssl.com

Thanks,
Eric

Go to forum: wolfCrypt

98 Reply by embhorn

(2 replies, posted in wolfCrypt)

Hello alex65,

Thanks for joining the wolfSSL Forums. Usually an undefined error indicates that the component you are trying use is not configured
in wolfSSL. Please check that the following macro is defined

HAVE_AES_ECB

Here are instructions for changing the configuration:
https://github.com/wolfSSL/wolfssl/tree … figuration

Thanks,
Eric - wolfSSL Support

Go to forum: wolfCrypt

99 Reply by embhorn

(1 replies, posted in wolfSSL)

Hello cvinothkumar,

Thanks for joining the wolfSSL Forums. You'll want to use wc_PKCS12_parse to get the DER cert out of the bundle.
https://github.com/wolfSSL/wolfssl-exam … -example.c

Then you can retrieve the public key from the DER cert
https://github.com/wolfSSL/wolfssl-exam … m-certfile

Could you tell us a bit about your project?

Thanks,
Eric - wolfSSL Support

Go to forum: wolfSSL

100 Reply by embhorn

(8 replies, posted in wolfSSH)

Hi testwolverinebagel,

Thanks for joining the wolfSSL Forums. That is odd. Is this on an embedded platform that may be delayed while trying to negotiate a secure connection?

I will check with the team to see if we have a wolfSSH example client set up with EPOLL that you could review.

Kind regards,
Eric - wolfSSL Support

Go to forum: wolfSSH