You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by dgarske
Hi Vitus,
The last argument to `wc_EccPublicKeyToDer` is "with_AlgCurve" is a flag for when to include a header that has the Algorithm and Curve information". You should have it set to 1. Also you are not checking the return code from wc_EccPublicKeyDecode in the "verify" function.
You might find the wolfcrypt/test/test.c examples for `crypto_ecc_verify` and `crypto_ecc_sign` helpful. Those are around line 21646.
Thanks,
David Garske, wolfSSL
Hi sean00mcc,
You need to include the "-lm" for the std math library or use internal DH math using `WOLFSSL_DH_CONST`.
Thanks,
David Garske, wolfSSL
Hi buoy,
I am not aware of any Microblaze cross compile efforts.
Try something like this:
./configure --host=aarch64 CC=mb-g++ --disable-filesystem --disable-shared --disable-examples --disable-crypttests --prefix=[installdir]
make
make installWe have a few Xilinx examples located here:
https://github.com/wolfSSL/wolfssl-examples/pull/155
https://github.com/wolfSSL/wolfssl/tree … /XilinxSDK
Thanks,
David Garske, wolfSSL
Hi Scotty2541,
The manual is wrong/out of date. If WOLFSSL_TLS13 (--enable-tls13) is set then `wolfSSLv23_server_method` will try TLS v1.3 first and allow downgrade. If you want to disable SSLv3 and TLS 1.0 then make sure these are not defined `WOLFSSL_ALLOW_TLSV10` and `WOLFSSL_ALLOW_SSLV3`.
Thanks,
David Garske, wolfSSL
Hi Petr,
Thanks for the report and I suspect you are correct about this issue. I will investigate and provide some feedback shortly.
Thanks,
David Garske, wolfSSL
Hi vysocan76,
It looks like you are using the Standard Peripheral Library, which means you would not define WOLFSSL_STM32_CUBEMX. You might consider switching to the Cube HAL, which is still supported by ST. The SPL is end of life.
Thanks,
David Garske, wolfSSL
Hi vysocan76,
You might try adding `STM32_HAL_V2` to see if that will help.
Also you might try adding SP ECC support (WOLFSSL_HAVE_SP_ECC). If you are using ECDHE it will improve handshake time.
Can you tell me what cipher suite TLS is using?
If you are using USE_FAST_MATH with TFM_ARM that will be faster than normal math. And the SP WOLFSSL_SP_ARM_CORTEX_M_ASM is several times faster than that.
There is a good article https://www.wolfssl.com/user-generated- … wlib-nano/ that might help.
Thanks,
David Garske, wolfSSL
Hi vysocan76,
When you updated to the latest wolfSSL release did you pull latest master?
There have been some STM32 fixes after v4.5.0 here:
https://github.com/wolfSSL/wolfssl/pull/2996
https://github.com/wolfSSL/wolfssl/pull/3169
This error "AES_GCM_AUTH_E = -180, /* AES-GCM Authentication check failure */" is resolved with those PR's.
For the second issue with DH performance.... Those are complex math operations. You have three options.
1. Normal math (interger.c) don't define USE_FAST_MATH. This uses heap and is the smallest and slowest.
2. Use Fast math (tfm.c) define USE_FAST_MATH. This uses stack and is slightly faster.
3. Use Single Precision (sp_int.c) math. Define WOLFSSL_SP_DH. If you want to leverage CortexM speedups also define WOLFSSL_SP_ARM_CORTEX_M_ASM and it will use the sp_cortexm.c which is your fastest option.
SP build options are documented in the code here:
https://github.com/wolfSSL/wolfssl/blob … _int.c#L42
Thanks,
David Garske, wolfSSL
Hi ykuz,
It would help if you could point me to or share your code with me.
Make sure your header includes "#include <wolfssl/wolfcrypt/types.h>" which includes visibility.h. Take a look at wolfssl/wolfcrypt/visilbility.h and make sure you define BUILDING_WOLFSSL and HAVE_VISIBILITY.
Thanks,
David Garske, wolfSSL
Hi ykuz,
Make sure you add "WOLFSSL_API" to the header definition of the API, so it is available. Let me know if that doesn't help.
Thanks,
David Garske, wolfSSL
Hi wnqu,
Please make sure you include <wolfssl/options.h> prior to any other wolfSSL headers in your application. I am guessing that will resolve this. If not make sure you change the link to "-lwolfssl".
Thanks,
David Garske, wolfSSL
Hi Scotty2541,
There are a few types of session resumption.
1. Session cache on the server side, client uses a session id to determine which resumption. This requires server to store / cache session information.
2. Session tickets where server encrypts blob that client retains and presents it in the TLS session ticket extension. This one uses no resources on the TLS server.
For session ID its on by default unless "NO_SESSION_CACHE" is set. To use it here is an example.
/* Do TLS connect, read and write. */
/* Before shutdown or socket close call... */
WOLFSSL_SESSION* session = wolfSSL_get_session(ssl);
/* On next connect set the session before the TLS connect (wolfSSL_connect). */
wolfSSL_set_session(ssl, session);For Session Tickets you must enable and optionally set a callback:
static int sessionTicketCB(WOLFSSL* ssl,
const unsigned char* ticket, int ticketSz,
void* ctx)
{
(void)ssl;
(void)ticket;
printf("Session Ticket CB: ticketSz = %d, ctx = %s\n", ticketSz, (char*)ctx);
return 0;
}
wolfSSL_UseSessionTicket(ssl);
wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session");Here is an example for TLS client resumption:
https://github.com/wolfSSL/wolfssl-exam … s-resume.c
Thanks,
David Garske, wolfSSL
Hi AnMu5962,
Try adding "--disable-filesystem" to disable support for the file system. Cross compiling for a ARM armv7e with arm-none-eabi does not include STDIO file system support.
Thanks,
David Garske, wolfSSL
Hi Octopus01,
After the call to `wc_InitCert` you need to set subject, serial number, sigType and key usage for "keyCertSign". See example here: https://github.com/wolfSSL/wolfssl/blob … t.c#L12504
If you are using a self-signed certificate for the client mutual authentication then the server side needs to load this same certificate using `wolfSSL_CTX_load_verify_buffer`.
Thanks,
David Garske, wolfSSL
Hi Octopus01,
We have some good TLS examples here:
https://github.com/wolfSSL/wolfssl-exam … master/tls
The certificate is missing all the subject information (like common name). I suspect this certificate does not meet the requirements for TLS mutual auth. How did you generate this certificate?
Thanks,
David Garske, wolfSSL
Hi Octopus01,
Perhaps double check the use of `wolfSSL_CTX_trust_peer_buffer` on the client side. You should be using `wolfSSL_CTX_load_verify_buffer`. The -155 (ASN_NO_SIGNER_E) indicates the provided peer (server in this case) certificate could not be verified. If you want to bypass that check most users alter the `wolfSSL_set_verify` API call to use `WOLFSSL_VERIFY_NONE`, however this will bypass all peer certificate checking, so use it with caution.
Thanks,
David Garske, wolfSSL
Hi RyVel,
My first guess is a FIPS boundary check hash issue. If HAVE_FIPS (--enable-fips=v2) is set you must update the fips boundary hash in fips_test.c. See https://www.wolfssl.com/docs/fips-ready-user-guide/
Using a test seed won't cause this error, however a failure with the DRBG such as SHA256 returning FIPS_NOT_ALLOWED_E would.
Please review the FIPS ready user guide and let us know if that doesn't resolve it.
Thanks,
David Garske, wolfSSL
Hi akhi_gangwar,
You can debug the certificates being sent using the verify callback.
1. Add build option: WOLFSSL_ALWAYS_VERIFY_CB
2. Set callback function
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify);3. Pull in code like this to show the certificates: https://github.com/wolfSSL/wolfssl/blob … st.h#L1755
Then you can pinpoint which certificate is causing it.
Another option is to locally test the AWS connection and use Wireshark to view the peer's certificates.
Thanks,
David Garske, wolfSSL
Hi Scott,
We have several CSR generation and signing examples here:
https://github.com/wolfSSL/wolfssl-exam … er/certgen
The device would have a copy of the CA certificate (public info) to define as "trusted" to validate the peer.
A device would either have a key provisioned at factory or generate one and then generate a CSR for signing by a CA. A certificate is based on a key either RSA or ECC typically. During a TLS connection the certificate is presented and the key associated with it signs data to validate they own the key.
On the CA signing side we have some good scripts here:
https://github.com/wolfSSL/wolfTPM/blob … certreq.sh
Let me know if you have any issues or questions.
Thanks,
David Garske, wolfSSL
Hi akhi_gangwar,
Can you share the device certificate? Are you sure there are not other certificates in the chain presented that would expire then? AWS provides like 4 certificates in the chain.
Thanks,
David Garske, wolfSSL
Hi j3ll3,
I found a couple things.
1. The wolfSSL example server will not load the "-A v2g_root.cert.pem" if "-d" is provided. Without the CA loaded it will not be able to setup an OCSP certificate request.
2. Looks like you will need to load the -A as a chain for now. Two PEM's combined with Int CA -> Root CA. I put up a fix for this issue here:
https://github.com/wolfSSL/wolfssl/pull/3299
3. The example/server/server loads internal OCSP certificates for testing that may throw off your test. Feel free to comment out that section for testing. https://github.com/wolfSSL/wolfssl/blob … er.c#L2065
Here is the tests I ran that worked:
openssl ocsp -index index.txt -port 8080 -rsigner ocsp_root.cert.pem -rkey ocsp_root.key.pem -CA v2g_root.cert.pem -text -ndays 7
./examples/server/server -c cpo_sub_1.cert.pem -k cpo_sub_1.key.pem -A v2g_root.cert.pem -b -o
openssl s_server -cert cpo_sub_1.cert.pem -key cpo_sub_1.key.pem -CAfile v2g_root.cert.pem -accept 11111 -status_verbose
./examples/client/client -A v2g_root.cert.pem -x -W 3Thanks,
David Garske, wolfSSL
Hi eli.hughes,
Thanks for sharing these findings. I also hope other folks on the Cortex M will see this. The SP WOLFSSL_SP_ARM_CORTEX_M_ASM option is quite impressive for RSA/DH/ECC math speedups because it uses hand written assembly.
I will suggest to marketing we make this into a blog post.
Thanks,
David Garske, wolfSSL
Hi srihari,
Make sure you have the wolfssl root directory in your include path...
Thanks,
David Garske, wolfSSL
Hi srihari,
See section 3 of the user manual:
https://www.wolfssl.com/docs/wolfssl-manual/ch3/
3.6 ECHOCLIENT EXAMPLE
3.3 CLIENT EXAMPLE
These are calling the examples/echoclient and example/client here:
https://github.com/wolfSSL/wolfssl/tree/master/examples
The echo sends data and expects the same data back from echo server.
The simple client sends a Hello and expects a I hear you. It can also use the "-g" option to send a sample HTTP GET.
Thanks,
David Garske, wolfSSL
Hi j3ll3,
The -188 error indicates the certificate could not be tied back to a trusted CA. Perhaps a missing intermediate? Is it possible to share the wireshark and the certificates used? If you'd like to send them directly you can use support@wolfssl.com.
Thanks,
David Garske, wolfSSL
wolfSSL - Embedded SSL Library → Posts by dgarske
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.023 seconds (74% PHP - 26% DB) with 4 queries