151 Reply by embhorn

(18 replies, posted in wolfMQTT)

Here is a pcap of the wolfMQTT example awsiot running from linux. From your log, it seems there is a problem with the cipher change after the handshake. Can you please share the wolfSSL settings from configuration.h?

Go to forum: wolfMQTT

152 Reply by embhorn

(4 replies, posted in wolfSSL)

Ah, yes!

This works:

./examples/client/client -h api.abuseipdb.com -p 443 -g -S api.abuseipdb.com -v 4 -j

Go to forum: wolfSSL

153 Reply by embhorn

(4 replies, posted in wolfSSL)

Hello BerHav,

Thanks for joining the wolfSSL Forums. I was able to reproduce the issue with the wolfSSL client example in linux. I'll review with the team tomorrow.

./examples/client/client -h api.abuseipdb.com -p 443 -g

connect state: CLIENT_HELLO_SENT
SSL version error
wolfSSL Entering SendAlert
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendAlert, return 0
wolfSSL error occurred, error = 326 line:10162 file:src/internal.c
wolfSSL error occurred, error = 326 line:12350 file:src/ssl.c
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -326
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -326
wolfSSL Entering ERR_error_string
wolfSSL_connect error -326, record layer version error

Go to forum: wolfSSL

154 Reply by embhorn

(3 replies, posted in wolfCrypt)

Oh, that's great! I think you'll find our repository of ATECC demos very useful:
https://github.com/wolfSSL/microchip-atecc-demos

Go to forum: wolfCrypt

155 Reply by embhorn

(3 replies, posted in wolfCrypt)

Hi Pokemon,

Thanks for joining the wolfSSL Forums. Perhaps it would be helpful to review some SE implementations. Here is a good reference:
https://github.com/wolfSSL/wolfssl/tree … ort/silabs
https://github.com/wolfSSL/wolfssl/blob … labs_ecc.c

What platform is your SE using?

Thanks,
Eric @ wolfSSL Support

Go to forum: wolfCrypt

156 Reply by embhorn

(18 replies, posted in wolfMQTT)

Hi Juan,

"-140" corresponds to a ASN_PARSE_E error. So yes, probably something is wrong in the cert buffer you are passing in.

Here is a perl script we use that coverts DER to a C array:
https://github.com/wolfSSL/wolfssl/blob … /dertoc.pl

You could also try getting the wolfMQTT AWS example to work first, then try modifying for your specific project:
https://github.com/wolfSSL/wolfMQTT/blo … s/awsiot.c

The example uses PEM certs / keys in buffers.

Thanks,

Go to forum: wolfMQTT

157 Reply by embhorn

(18 replies, posted in wolfMQTT)

Its not perfect (maybe the debug log buffer gets overrun), but here is a sample of using the demo to connect to a local mosquitto broker with TLS enabled:

TCP/IP Stack: Initialization Started
TCP/IP Stack: Initialization Ended - success
    Interface PIC32INT on host MCHPBOARD_E     - NBNS disabled
Created the mqtt Commands
PIC32INT IP Address: 0.0.0.0
PIC32INT IP Address: 192.168.86.38
mqtt start
MQTT pub/sub demo has been started
>MQTT Task - Client Start: QoS 0, broker 192.168.86.43
MQTT Task - run message: WMQTT_NETGlue_Initialize, res: 0
MQTT Task - run message: MqttClient_Init, res: 0
MQTT Task - run message: MqttClient_SetDisconnectCallback, res: 0
WMQTT_NET_GLUE Info: Started Connect
WMQTT_NET_GLUE Info: Connected Successfully
WMQTT_NET_GLUE Info: Start TLS
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering SSLv23_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_load_verify_buffer_ex
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
        Unsupported name type, skipping
wolfSSL Enter   FreeingwolfSSL SignaturwolfSSL wolfSSL ShrinkinreceivedprocessiwolfSSL wolfSSL wolfSSL wolfSSL Leaving RsaVerify, return 51
wolfSSL Leaving DoServerKeyExchange, return 0
Shrinking input buffer

wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakwolfSSL Leaving EccMakeKey, return 0
wolfSSL Entering EccSharedSecret
wolfSSL Leaving EccSharedSecret, return 0
growing output buffer

Shrinking output buffer

wolfSSL Leaving SendClientKeyExchange, return 0
sent: client key exchange
connect state: FIRST_REPLY_SECOND
connect state: FIRST_REPLY_THIRD
growing output buffer

Shrinking output buffer

sent: change cipher spec
connect state: FIRST_REPLY_FOURTH
wolfSSL Entering SendFinished
growing output buffer

wolfSSL Entering BuildMessage
wolfSSL Leaving BuildMessage, return 0
Shrinking output buffer

wolfSSL Leaving SendFinished, return 0
sent: finished
connect state: FINISHED_DONE
wolfSSL error occurred, error = -323
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -323
wolfSSL Entering SSL_connect()
wolfSSL error occurred, error = -323
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -323
wolfSSL Entering SSL_connect()
wolfSSL error occurred, error = -323
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -323
wolfSSL Entering SSL_connect()
wolfSSL error occurred, error = -323
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -323
wolfSSL Entering SSL_connect()
wolfSSL error occurred, error = -323
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -323
wolfSSL Entering SSL_connect()
wolwolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL wolfSSL receivedwolfSSL wolfSSL wolfSSL wolfSSL wolfSSL MQTT TaswolfSSL wolfSSL wolfSSL wolfSSL MQTT Tas

Go to forum: wolfMQTT

158 Reply by embhorn

(18 replies, posted in wolfMQTT)

Okay, I've enabled debug by using a custom logging function:

In Harmony3\net_apps_pic32mz\apps\wolfmqtt_demo\firmware\src\config\pic32mz_ef_sk\net_pres\pres\net_pres_enc_glue.c

Add the debug header:

#include "system/debug/sys_debug.h"

Add just before NET_PRES_EncProviderStreamClientInit0

void NET_PRES_LogFunc(const int logLevel, const char *const logMessage)
{
    /* Skip WANT_READ and WANT_WRITE errors */
    if ((strstr("-323", logMessage) == NULL) && 
        (strstr("-327", logMessage) == NULL))
        SYS_CONSOLE_PRINT("%s\r\n", logMessage);
}

Then in NET_PRES_EncProviderStreamClientInit0, add the section #ifdef DEBUG_WOLFSSL

bool NET_PRES_EncProviderStreamClientInit0(NET_PRES_TransportObject * transObject)
{
    const uint8_t * caCertsPtr;
    int32_t caCertsLen;
    if (!NET_PRES_CertStoreGetCACerts(&caCertsPtr, &caCertsLen, 0))
    {
        return false;
    }
    if (_net_pres_wolfsslUsers == 0)
    {
    #ifdef DEBUG_WOLFSSL
        wolfSSL_SetLoggingCb(NET_PRES_LogFunc);
        wolfSSL_Debugging_ON();
    #endif
        wolfSSL_Init();
        _net_pres_wolfsslUsers++;
    }

Lastly, add "#define DEBUG_WOLFSSL" to configuration.h

Go to forum: wolfMQTT

159 Reply by embhorn

(18 replies, posted in wolfMQTT)

Yeah, I am going back and trying to enable debug logging in my MCH project, and it is not trivial!

For using the AWS example, it is somewhat complicated by the `NET_GLUE` layer that MCH added. But you should be able to figure out which parts are different by reviewing the example:
https://github.com/wolfSSL/wolfMQTT/blo … s/awsiot.c

You should pay attention to the `mqtt_aws_tls_cb` and the `mqtt_aws_tls_verify_cb`. Also note that the topic must include the AWS device name (see `AWSIOT_PUBLISH_TOPIC` in the example).

Go to forum: wolfMQTT

160 Reply by embhorn

(3 replies, posted in wolfTPM)

For a private key, you can use wolfTPM2_RsaDecrypt

Go to forum: wolfTPM

161 Reply by embhorn

(18 replies, posted in wolfMQTT)

Hello Juan,

Thanks for reaching out. Great to hear that you are back to using wolfMQTT.

Could you enable DEBUG_WOLFSSL in the configuration and add a line to the application to call to wolfSSL_Debugging_ON(). This will enable debug logging for wolfSSL.

Thanks,
Eric @ wolfSSL Support

Go to forum: wolfMQTT

162 Reply by embhorn

(3 replies, posted in wolfTPM)

Hello Federico,

We are delighted to hear that you are finding the wolfTPM library useful!

To accomplish an encrypt operation without padding, you can use wolfTPM2_RsaEncrypt with the padScheme parameter set to TPM_ALG_NULL.

Here is an example:
https://github.com/wolfSSL/wolfTPM/blob … #L326-L342

Let us know if there are questions.

Thanks,
Eric @ wolfSSL Support

Go to forum: wolfTPM

163 Reply by embhorn

(2 replies, posted in wolfSSL)

Hello Scotty,

The callback is being triggered for each error encountered. There are checks for "valid-from" and "expiration", each could be triggered if the system time and date are invalid.

You can override the date errors like this:
https://github.com/wolfSSL/wolfssl/blob … st.h#L2829

Or is you know the time will always be invalid, you can bypass cert date checking in the wolfSSL config by defining `NO_ASN_TIME`.

I'll review the CA signer issue with the team tomorrow. I suspect it could be the order that the certs are loaded. Could you please enable debug logging and share the log showing the signer error?

Thanks,
Eric @ wolfSSL Support

Go to forum: wolfSSL

164 Reply by embhorn

(10 replies, posted in wolfCrypt)

Hello stroebeljc,

Certainly! Here is an example from our repository:
https://github.com/wolfSSL/wolfssl-exam … mple.c#L67

Let us know if there are questions.

Thanks,
Eric @ wolfSSL Support

Go to forum: wolfCrypt

165 Reply by embhorn

(5 replies, posted in wolfCrypt)

Responding in ZenDesk ticket

Go to forum: wolfCrypt

166 Reply by embhorn

(1 replies, posted in wolfSSL)

Hi Denis,

Would you please send an email to support@wolfssl.com referencing this issue?

Thanks,
Eric @ wolfSSL Support

Go to forum: wolfSSL

167 Reply by embhorn

(5 replies, posted in wolfCrypt)

Hello Anika,

Thanks for joining the wolfSSL Forums. If you do not require support for TLS protocol, you can greatly reduce the size with 

--enable-cryptonly

This should also alleviate some of the component dependencies you were seeing.

Let us know if there are further questions.

Thanks,
Eric @ wolfSSL Support

Go to forum: wolfCrypt

168 Reply by embhorn

(4 replies, posted in wolfSSL)

The server is expecting the data channel to resume the session. You'll need to save the session from the first connection, and then set the session before doing the second connection.

Here is an example:
https://github.com/wolfSSL/wolfssl-exam … s-resume.c

Go to forum: wolfSSL

169 Reply by embhorn

(3 replies, posted in wolfMQTT)

Hi Davide,

This is a bit more complex problem than what should be supported in a forum post. Could you please open a formal support ticket by emailing support@wolfssl.com?

Thanks,
Eric

Go to forum: wolfMQTT

170 Reply by embhorn

(1 replies, posted in wolfSSL)

Hello lili,

Thanks for your post. PSK is used to negotiate the first connection handshake. If sessions are enabled, the server will provide a session key (or ticket) that can be to quickly resume the connection without the full handshake.

Here is an example:
https://github.com/wolfSSL/wolfssl-exam … s-resume.c

Kind regards,
Eric @ wolfSSL Support

Go to forum: wolfSSL

171 Reply by embhorn

(4 replies, posted in wolfSSL)

Hello zyhaha,

Thanks for joining the wolfSSL Forums. It sounds like the server is expecting the client to use a session ticket to renegotiate the connection. Could you please share a pcap of the first and second connections?

Kind regards,
Eric @ wolfSSL Support

Go to forum: wolfSSL

172 Reply by embhorn

(2 replies, posted in wolfCrypt)

Hello Ahmed,

Thanks for also emailing wolfSSL support. I've responded to your questions from our ZenDesk portal.

Kind regards,
Eric @ wolfSSL Support

Go to forum: wolfCrypt

173 Reply by embhorn

(1 replies, posted in wolfCrypt)

Hello cachristiansen

Thanks for joining the forum. In order to provide highest priority support, we recommend emailing support@wolfssl.com with your questions.

The default implementation of wc_RNG_GenerateBlock will use the TSIP RNG via the seed operation. You can implement you r own block RNG function by defining CUSTOM_RAND_GENERATE_BLOCK.

Thanks,
Eric @ wolfSSL Support

Go to forum: wolfCrypt

174 Reply by embhorn

(3 replies, posted in wolfMQTT)

Hello Davide,

Thanks for joining the wolfSSL forums. The timeout error simply indicates that the client has been inactive long enough that it needs to send a ping to the broker to maintain the connection. It is an informative error.

Could you tell us more about your project and goals with wolfMQTT?

Thanks,
Eric @ wolfSSL Support

Go to forum: wolfMQTT

175 Reply by embhorn

(3 replies, posted in wolfSSL)

Hello Malik,

Thanks for joining the wolfSSL Forums.

The -322 code corresponds to the following error in wolfssl/error-ssl.h

    DOMAIN_NAME_MISMATCH         = -322,   /* peer subject name mismatch */

The error code DOMAIN_NAME_MISMATCH would make sense if you are using a certificate issued for one domain with a different domain.

Could you please provide some more details such as the domains in question, the cert(s) in question and how we might reproduce on our end?

Do you have a site accessible that we can test against and a copy of the certificate in question?

Kind regards,
Eric @ wolfSSL Support

Go to forum: wolfSSL