226 Reply by dgarske

(5 replies, posted in wolfSSL)

Hi akhi_gangwar,

You can debug the certificates being sent using the verify callback.

1. Add build option: WOLFSSL_ALWAYS_VERIFY_CB
2. Set callback function 

wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify);

3. Pull in code like this to show the certificates: https://github.com/wolfSSL/wolfssl/blob … st.h#L1755

Then you can pinpoint which certificate is causing it.

Another option is to locally test the AWS connection and use Wireshark to view the peer's certificates.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

227 Reply by dgarske

(1 replies, posted in wolfSSL)

Hi Scott,

We have several CSR generation and signing examples here:
https://github.com/wolfSSL/wolfssl-exam … er/certgen

The device would have a copy of the CA certificate (public info) to define as "trusted" to validate the peer.

A device would either have a key provisioned at factory or generate one and then generate a CSR for signing by a CA. A certificate is based on a key either RSA or ECC typically. During a TLS connection the certificate is presented and the key associated with it signs data to validate they own the key.

On the CA signing side we have some good scripts here:
https://github.com/wolfSSL/wolfTPM/blob … certreq.sh

Let me know if you have any issues or questions.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

228 Reply by dgarske

(5 replies, posted in wolfSSL)

Hi akhi_gangwar,

Can you share the device certificate? Are you sure there are not other certificates in the chain presented that would expire then? AWS provides like 4 certificates in the chain.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

229 Reply by dgarske

(3 replies, posted in wolfSSL)

Hi j3ll3,

I found a couple things.

1. The wolfSSL example server will not load the "-A v2g_root.cert.pem" if "-d" is provided. Without the CA loaded it will not be able to setup an OCSP certificate request.

2. Looks like you will need to load the -A as a chain for now. Two PEM's combined with Int CA -> Root CA. I put up a fix for this issue here:
https://github.com/wolfSSL/wolfssl/pull/3299

3. The example/server/server loads internal OCSP certificates for testing that may throw off your test. Feel free to comment out that section for testing. https://github.com/wolfSSL/wolfssl/blob … er.c#L2065

Here is the tests I ran that worked:

openssl ocsp -index index.txt -port 8080 -rsigner ocsp_root.cert.pem -rkey ocsp_root.key.pem -CA v2g_root.cert.pem -text -ndays 7

./examples/server/server -c cpo_sub_1.cert.pem -k cpo_sub_1.key.pem -A v2g_root.cert.pem -b -o
openssl s_server -cert cpo_sub_1.cert.pem -key cpo_sub_1.key.pem -CAfile v2g_root.cert.pem -accept 11111 -status_verbose

./examples/client/client -A v2g_root.cert.pem -x -W 3

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

230 Reply by dgarske

(1 replies, posted in wolfSSL)

Hi eli.hughes,

Thanks for sharing these findings. I also hope other folks on the Cortex M will see this. The SP WOLFSSL_SP_ARM_CORTEX_M_ASM option is quite impressive for RSA/DH/ECC math speedups because it uses hand written assembly.

I will suggest to marketing we make this into a blog post.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

231 Reply by dgarske

(2 replies, posted in General Inquiries)

Hi srihari,

Make sure you have the wolfssl root directory in your include path...

Thanks,
David Garske, wolfSSL

Go to forum: General Inquiries

232 Reply by dgarske

(1 replies, posted in General Inquiries)

Hi srihari,

See section 3 of the user manual:
https://www.wolfssl.com/docs/wolfssl-manual/ch3/

3.6 ECHOCLIENT EXAMPLE
3.3 CLIENT EXAMPLE

These are calling the examples/echoclient and example/client here:
https://github.com/wolfSSL/wolfssl/tree/master/examples

The echo sends data and expects the same data back from echo server.

The simple client sends a Hello and expects a I hear you. It can also use the "-g" option to send a sample HTTP GET.

Thanks,
David Garske, wolfSSL

Go to forum: General Inquiries

233 Reply by dgarske

(3 replies, posted in wolfSSL)

Hi j3ll3,

The -188 error indicates the certificate could not be tied back to a trusted CA. Perhaps a missing intermediate? Is it possible to share the wireshark and the certificates used? If you'd like to send them directly you can use support@wolfssl.com.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

234 Reply by dgarske

(1 replies, posted in General Inquiries)

Hi kbarb,

Did you happen to see the instructions for HiFive Unleashed here?
https://github.com/wolfSSL/wolfssl/tree … -UNLEASHED
https://github.com/wolfSSL/wolfssl/tree … -compiling

The errors above look like either libc or sysroot target/host mismatch issue with cross-compiling.  Perhaps try using `--with-sysroot=` instead of manually putting it into "CFLAGS"-I..."?

Thanks,
David Garske, wolfSSL

Go to forum: General Inquiries

235 Reply by dgarske

(3 replies, posted in wolfSSL)

Hi Scoobi_FreeBSD,

If you define single threaded it just means you will not use the same WOLFSSL_CTX or WOLFSSL object from more than one thread at a time. You could have separate instances of those for multiple threads at the same time.

For the uITRON4 build issues I will have to defer to another engineer.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

236 Reply by dgarske

(1 replies, posted in wolfSSL)

Hi anonazh228,

I believe you need to compile in the assembly versions of the code in `aes_asm.asm`. See the example project here: https://github.com/wolfSSL/wolfssl/blob … xproj#L343

And build options:
https://github.com/wolfSSL/wolfssl/blob … ings.h#L52

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

237 Reply by dgarske

(1 replies, posted in wolfSSL)

Hi srihari,

Looks like "rl_fs.h" is for the file system and is not part of wolfSSL.

If you do not have that support in your platform then define "NO_FILESYSTEM" to disable it.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

238 Reply by dgarske

(3 replies, posted in wolfSSL)

Hi Scoobi_FreeBSD,

You can also build with "SINGLE_THREADED" defined to disable threading / mutex support. What Renesas uiTRON headers are not found when using WOLFSSL_uITRON4?

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

239 Reply by dgarske

(1 replies, posted in wolfSSL)

Hi Scoobi_FreeBSD,

See our "More Downloads" page. https://www.wolfssl.com/download/downloadMoreForm.php
Microchip_ATECC_Demos.zip

You are correct that `WOLFSSL_ATMEL` is specific to the ASF and you are not required to set `WOLFSSL_ATMEL` to use the ATECC508A/608A code.

#if defined(WOLFSSL_ATMEL) || defined(WOLFSSL_ATECC508A) || \
    defined(WOLFSSL_ATECC608A) || defined(WOLFSSL_ATECC_PKCB)

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

240 Reply by dgarske

(4 replies, posted in wolfSSL)

Hi akhi_gangwar,

The -155 "RSA_FUNCTION MP_EXPTMOD_E: memory/config problem" means either stack too small or FP_MAX_BITS is not set large enough. If you have FP_MAX_BITS 8192 you should be good with fast math.

Did you try the SP version of our math. It's much much faster and memory efficient.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

241 Reply by dgarske

(4 replies, posted in wolfSSL)

Hi akhi_gangwar,

That sounds like a stack issue. The fast math option uses stack for the math variables. Setting the FP_MAX_BITS to 8192 is correct (double max key size). But you'll also need to make sure your task or linker script increases the allowed / reserved stack space. By disabling fast math it uses heap. The normal math is slower because of the extra malloc/free calls.

You might also try using our single precision small math option with these options:

#define WOLFSSL_SP
#define WOLFSSL_SP_SMALL      /* use smaller version of code */
#define WOLFSSL_HAVE_SP_RSA
#define WOLFSSL_HAVE_SP_DH
#define WOLFSSL_HAVE_SP_ECC
#define WOLFSSL_SP_4096       /* enable 4096-bit */
//#define WOLFSSL_SP_MATH     /* only SP math - eliminates integer/tfm math code, so only standard curves/key sizes are supported */
//#define WOLFSSL_SP_ASM      /* enable the assembly speedup */
//#define WOLFSSL_SP_ARM_CORTEX_M_ASM /* optional cortex-m speedups */

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

242 Reply by dgarske

(8 replies, posted in wolfCrypt)

Hi Scotty2541,

The most common reasons for this is:

1) The signature has the ASN.1 encoding. See WC_SIGNATURE_TYPE_RSA_W_ENC, wc_SignatureDerEncode or wc_EncodeSignature.

Can you share a snippet of the code you are using?

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

243 Reply by dgarske

(3 replies, posted in wolfSSL)

Hi rahila_shams,

The difference between DH and ECC is the asymmetric algorithm used for securely deriving a shared secret. If DH is disabled only ECDH(E) cipher suites are available.

For setting the build option I recommend using our user_settings.h and WOLFSSL_USER_SETTINGS to define NO_DH. See our first FAQ item here: https://www.wolfssl.com/docs/frequently … r_wolfSSL?

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

244 Reply by dgarske

(1 replies, posted in wolfMQTT)

Hi srihari,

We have a new STM Cube pack that you can use to generate a project for your STM hardware.

See https://www.wolfssl.com/docs/stm32/ for instructions.

Thanks,
David Garske, wolfSSL

Go to forum: wolfMQTT

245 Reply by dgarske

(2 replies, posted in wolfSSL)

Hi sergiop,

Thanks for this report. I will setup a test case for this and validate. I would expect that sequence of openssl compatibility calls to work.

Also we have an example for setting up a TLS proxy with native wolfSSL API's. I'm emailing you that example.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

246 Reply by dgarske

(2 replies, posted in wolfSSL)

Hi sergiop,

The word `template` is reserved with some compilers. This has already been renamed to `tpl` post v4.4.0 release here:
https://github.com/wolfSSL/wolfssl/pull/2921

I just pushed the fix for the missing `X509_add_ext` to PR:
https://github.com/wolfSSL/wolfssl/pull/3199

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

247 Reply by dgarske

(3 replies, posted in wolfSSL)

Hi torntrousers,

Looks like your Arduino doesn't have "time.h" support.

You have a couple options:

1. Disable ASN time support using "NO_ASN_TIME"

2. Override the time support. See this example:
https://github.com/wolfSSL/wolfssl/blob … ngs.h#L452
https://github.com/wolfSSL/wolfssl/blob … main.c#L32

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

248 Reply by dgarske

(2 replies, posted in wolfSSL)

Hi Markus,

It looks like you just need to add `--enable-des3 CFLAGS="-DWOLFSSL_DES_ECB"` to your ./configure call when building and installing wolfSSL.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

249 Reply by dgarske

(4 replies, posted in wolfSSL)

Hi he1n,

Yes. See `WOLFSSL_SSLKEYLOGFILE` define to output master secret used by Wireshark logging to file. Defaults to sslkeylog.log, but can be overridden using `WOLFSSL_SSLKEYLOGFILE_OUTPUT`.

1. Build wolfSSL using:
./configure CFLAGS="-DSHOW_SECRETS -DWOLFSSL_SSLKEYLOGFILE"

2. By default it outputs to a file named "sslkeylog.log" using this Wireshark Pre-Master-Secret Format:
CLIENT_RANDOM <clientrandom> <mastersecret>

3. You can tell Wireshark where to find the key file via Edit→Preferences→Protocols→SSL→(Pre)-Master-Secret log filename.

Key logging feature was added in PR 1873 (https://github.com/wolfSSL/wolfssl/pull/1873)
Commit: https://github.com/wolfSSL/wolfssl/pull … dd532b587b

You will get a compiler warning for this feature because it should never be used in production. Here is the PR with those details:
https://github.com/wolfSSL/wolfssl/pull/2053

The #warning can be ignored as error using ./configure CFLAGS="-W#warnings".

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

250 Reply by dgarske

(6 replies, posted in wolfSSL)

Hi weaver4,

You might consider moving the --sysroot out of the LDFLAGS and using --with-sysroot=.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL