You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by embhorn
Hi Juan,
"-140" corresponds to a ASN_PARSE_E error. So yes, probably something is wrong in the cert buffer you are passing in.
Here is a perl script we use that coverts DER to a C array:
https://github.com/wolfSSL/wolfssl/blob … /dertoc.pl
You could also try getting the wolfMQTT AWS example to work first, then try modifying for your specific project:
https://github.com/wolfSSL/wolfMQTT/blo … s/awsiot.c
The example uses PEM certs / keys in buffers.
Thanks,
Its not perfect (maybe the debug log buffer gets overrun), but here is a sample of using the demo to connect to a local mosquitto broker with TLS enabled:
TCP/IP Stack: Initialization Started
TCP/IP Stack: Initialization Ended - success
Interface PIC32INT on host MCHPBOARD_E - NBNS disabled
Created the mqtt Commands
PIC32INT IP Address: 0.0.0.0
PIC32INT IP Address: 192.168.86.38
mqtt start
MQTT pub/sub demo has been started
>MQTT Task - Client Start: QoS 0, broker 192.168.86.43
MQTT Task - run message: WMQTT_NETGlue_Initialize, res: 0
MQTT Task - run message: MqttClient_Init, res: 0
MQTT Task - run message: MqttClient_SetDisconnectCallback, res: 0
WMQTT_NET_GLUE Info: Started Connect
WMQTT_NET_GLUE Info: Connected Successfully
WMQTT_NET_GLUE Info: Start TLS
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering SSLv23_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_load_verify_buffer_ex
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
Unsupported name type, skipping
wolfSSL Enter FreeingwolfSSL SignaturwolfSSL wolfSSL ShrinkinreceivedprocessiwolfSSL wolfSSL wolfSSL wolfSSL Leaving RsaVerify, return 51
wolfSSL Leaving DoServerKeyExchange, return 0
Shrinking input buffer
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakwolfSSL Leaving EccMakeKey, return 0
wolfSSL Entering EccSharedSecret
wolfSSL Leaving EccSharedSecret, return 0
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendClientKeyExchange, return 0
sent: client key exchange
connect state: FIRST_REPLY_SECOND
connect state: FIRST_REPLY_THIRD
growing output buffer
Shrinking output buffer
sent: change cipher spec
connect state: FIRST_REPLY_FOURTH
wolfSSL Entering SendFinished
growing output buffer
wolfSSL Entering BuildMessage
wolfSSL Leaving BuildMessage, return 0
Shrinking output buffer
wolfSSL Leaving SendFinished, return 0
sent: finished
connect state: FINISHED_DONE
wolfSSL error occurred, error = -323
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -323
wolfSSL Entering SSL_connect()
wolfSSL error occurred, error = -323
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -323
wolfSSL Entering SSL_connect()
wolfSSL error occurred, error = -323
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -323
wolfSSL Entering SSL_connect()
wolfSSL error occurred, error = -323
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -323
wolfSSL Entering SSL_connect()
wolfSSL error occurred, error = -323
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -323
wolfSSL Entering SSL_connect()
wolwolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL receivedwolfSSL wolfSSL wolfSSL wolfSSL wolfSSL MQTT TaswolfSSL wolfSSL wolfSSL wolfSSL MQTT TasOkay, I've enabled debug by using a custom logging function:
In Harmony3\net_apps_pic32mz\apps\wolfmqtt_demo\firmware\src\config\pic32mz_ef_sk\net_pres\pres\net_pres_enc_glue.c
Add the debug header:
#include "system/debug/sys_debug.h"Add just before NET_PRES_EncProviderStreamClientInit0
void NET_PRES_LogFunc(const int logLevel, const char *const logMessage)
{
/* Skip WANT_READ and WANT_WRITE errors */
if ((strstr("-323", logMessage) == NULL) &&
(strstr("-327", logMessage) == NULL))
SYS_CONSOLE_PRINT("%s\r\n", logMessage);
}Then in NET_PRES_EncProviderStreamClientInit0, add the section #ifdef DEBUG_WOLFSSL
bool NET_PRES_EncProviderStreamClientInit0(NET_PRES_TransportObject * transObject)
{
const uint8_t * caCertsPtr;
int32_t caCertsLen;
if (!NET_PRES_CertStoreGetCACerts(&caCertsPtr, &caCertsLen, 0))
{
return false;
}
if (_net_pres_wolfsslUsers == 0)
{
#ifdef DEBUG_WOLFSSL
wolfSSL_SetLoggingCb(NET_PRES_LogFunc);
wolfSSL_Debugging_ON();
#endif
wolfSSL_Init();
_net_pres_wolfsslUsers++;
}Lastly, add "#define DEBUG_WOLFSSL" to configuration.h
Yeah, I am going back and trying to enable debug logging in my MCH project, and it is not trivial!
For using the AWS example, it is somewhat complicated by the `NET_GLUE` layer that MCH added. But you should be able to figure out which parts are different by reviewing the example:
https://github.com/wolfSSL/wolfMQTT/blo … s/awsiot.c
You should pay attention to the `mqtt_aws_tls_cb` and the `mqtt_aws_tls_verify_cb`. Also note that the topic must include the AWS device name (see `AWSIOT_PUBLISH_TOPIC` in the example).
For a private key, you can use wolfTPM2_RsaDecrypt
Hello Juan,
Thanks for reaching out. Great to hear that you are back to using wolfMQTT.
Could you enable DEBUG_WOLFSSL in the configuration and add a line to the application to call to wolfSSL_Debugging_ON(). This will enable debug logging for wolfSSL.
Thanks,
Eric @ wolfSSL Support
Hello Federico,
We are delighted to hear that you are finding the wolfTPM library useful!
To accomplish an encrypt operation without padding, you can use wolfTPM2_RsaEncrypt with the padScheme parameter set to TPM_ALG_NULL.
Here is an example:
https://github.com/wolfSSL/wolfTPM/blob … #L326-L342
Let us know if there are questions.
Thanks,
Eric @ wolfSSL Support
Hello Scotty,
The callback is being triggered for each error encountered. There are checks for "valid-from" and "expiration", each could be triggered if the system time and date are invalid.
You can override the date errors like this:
https://github.com/wolfSSL/wolfssl/blob … st.h#L2829
Or is you know the time will always be invalid, you can bypass cert date checking in the wolfSSL config by defining `NO_ASN_TIME`.
I'll review the CA signer issue with the team tomorrow. I suspect it could be the order that the certs are loaded. Could you please enable debug logging and share the log showing the signer error?
Thanks,
Eric @ wolfSSL Support
Hello stroebeljc,
Certainly! Here is an example from our repository:
https://github.com/wolfSSL/wolfssl-exam … mple.c#L67
Let us know if there are questions.
Thanks,
Eric @ wolfSSL Support
Responding in ZenDesk ticket
Hi Denis,
Would you please send an email to support@wolfssl.com referencing this issue?
Thanks,
Eric @ wolfSSL Support
Hello Anika,
Thanks for joining the wolfSSL Forums. If you do not require support for TLS protocol, you can greatly reduce the size with
--enable-cryptonlyThis should also alleviate some of the component dependencies you were seeing.
Let us know if there are further questions.
Thanks,
Eric @ wolfSSL Support
The server is expecting the data channel to resume the session. You'll need to save the session from the first connection, and then set the session before doing the second connection.
Here is an example:
https://github.com/wolfSSL/wolfssl-exam … s-resume.c
Hi Davide,
This is a bit more complex problem than what should be supported in a forum post. Could you please open a formal support ticket by emailing support@wolfssl.com?
Thanks,
Eric
Hello lili,
Thanks for your post. PSK is used to negotiate the first connection handshake. If sessions are enabled, the server will provide a session key (or ticket) that can be to quickly resume the connection without the full handshake.
Here is an example:
https://github.com/wolfSSL/wolfssl-exam … s-resume.c
Kind regards,
Eric @ wolfSSL Support
Hello zyhaha,
Thanks for joining the wolfSSL Forums. It sounds like the server is expecting the client to use a session ticket to renegotiate the connection. Could you please share a pcap of the first and second connections?
Kind regards,
Eric @ wolfSSL Support
Hello Ahmed,
Thanks for also emailing wolfSSL support. I've responded to your questions from our ZenDesk portal.
Kind regards,
Eric @ wolfSSL Support
Hello cachristiansen
Thanks for joining the forum. In order to provide highest priority support, we recommend emailing support@wolfssl.com with your questions.
The default implementation of wc_RNG_GenerateBlock will use the TSIP RNG via the seed operation. You can implement you r own block RNG function by defining CUSTOM_RAND_GENERATE_BLOCK.
Thanks,
Eric @ wolfSSL Support
Hello Davide,
Thanks for joining the wolfSSL forums. The timeout error simply indicates that the client has been inactive long enough that it needs to send a ping to the broker to maintain the connection. It is an informative error.
Could you tell us more about your project and goals with wolfMQTT?
Thanks,
Eric @ wolfSSL Support
Hello Malik,
Thanks for joining the wolfSSL Forums.
The -322 code corresponds to the following error in wolfssl/error-ssl.h
DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */The error code DOMAIN_NAME_MISMATCH would make sense if you are using a certificate issued for one domain with a different domain.
Could you please provide some more details such as the domains in question, the cert(s) in question and how we might reproduce on our end?
Do you have a site accessible that we can test against and a copy of the certificate in question?
Kind regards,
Eric @ wolfSSL Support
Hi beaveryoga,
Excellent, thanks for sharing this! Were there any issues or changes required?
Kind regards,
Eric @ wolfSSL Support
Hello celov65111
Welcome and thanks for joining the wolfSSL Forums. I moved this topic to the wolfTPM section, under the assumption that you are using wolfTPM to access the TPM device. Please correct me if I am mistaken.
Here is an example of reading a key from nvram:
https://github.com/wolfSSL/wolfTPM/blob … ram/read.c
Let us know if there are any questions.
Kind regards,
Eric @ wolfSSL Support
Hi labonte_d
Thanks for contacting wolfSSL Support. The compatibility layer of wolfSSL is intended to cover the most widely used OpenSSL API, but there are some gaps. I can open open a feature request for implementing the BIO_TYPE_SOCKET type if you'd like. I'd suggest adding the type define and seeing if there are further issues.
For the SHA224_Init issues, I do see that SHA224_Init is defined to wolfSSL_SHA224_Init in wolfssl/wolfssl/openssl/sha.h
Does realm-core/src/realm/util/encrypted_file_mapping.cpp include options.h before any other wolfSSL headers?
Thanks,
Eric @ wolfSSL Support
Hello Manaury,
We have an excellent PKCS12 example that parses out the key and cert:
https://github.com/wolfSSL/wolfssl-exam … pto/pkcs12
(I replied to your support ticket, but I am copying the response here for posterity.)
Hello Rafa,
Welcome to the wolfSSL Forums. Yes, you are absolutely on the right track. The network layer of wolfMQTT is transport agnostic. Here is an example of a UART port:
https://github.com/wolfSSL/wolfMQTT/blo … mqttuart.c
You'll notice the network layer only requires a structure and a few functions.
Let us know if there are questions and feel free to email support@wolfssl.com for priority pre-sales support.
Thanks,
Eric @ wolfSSL Support
wolfSSL - Embedded SSL Library → Posts by embhorn
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.023 seconds (76% PHP - 24% DB) with 4 queries