301 Reply by chrisc

(7 replies, posted in wolfSSL)

Hi Melek,

Yes, thanks for correcting me.  You are right - the ecc_export_x963() function exports the ECC key to X9.63 format, not DER.  wolfSSL embedded SSL doesn't currently have a function to export the generated key to DER.

Regards,
Chris

Go to forum: wolfSSL

302 Reply by chrisc

(2 replies, posted in wolfSSL)

Hi Doug,

We recently put together several simple wolfSSL examples - some of which included DTLS examples.  You can find them here:

https://github.com/wolfSSL/wolfssl-examples

Do you see the same problem when using the DTLS examples from there?

Thanks,
Chris

Go to forum: wolfSSL

303 Reply by chrisc

(3 replies, posted in wolfSSL)

Hi Marvin,

Can you re-test with the current wolfSSL version?  It looks like you were getting an ASN parse error.  We recently fixed an area which had been causing a parse error with some optional constraints.

Thanks,
Chris

Go to forum: wolfSSL

304 Reply by chrisc

(2 replies, posted in wolfSSL)

Hi Frank,

Will you need functionality from asn.c/.h, or just functionality from rsa.c/.h?

It looks like rsa.c can be compiled individually as long as you include the following files as well:

arc4.c
integer.c
memory.c
random.c
rsa.c

This uses the normal big integer math library (integer.c).  To use the fastmath library instead, you'd use tfm.c instead of integer.c.

In ParseCertRelative() and ParseCRL() in asn.c use GetCA() and GetCAByName() which are located in ssl.c.

Best Regards,
Chris

Go to forum: wolfSSL

305 Reply by chrisc

(18 replies, posted in wolfSSL)

Hi Cyberrobot,

Yes, wolfSSL requires that the root CA certificate be loaded in order to verify the peer's certificate.  If there are intermediate certificates in the chain as well, but the peer doesn't send them, wolfSSL will need to have those intermediate certs loaded as well (in order to verify the integrity of the cert chain).

For example, if you have a cert chain that looks like:

RootCA -> IntCA -> Peer

If you only load RootCA into a wolfSSL server, and the peer only sends "Peer", wolfSSL won't be able to verify the chain unless "IntCA" is loaded as well.

It looks like https://www.microsoft.com is signed by the "Baltimore CyberTrust Root".  It looks like you may have the wrong root CA for the microsoft server.  Maybe they updated it after your cert bundle was created?

I usually use the "openssl s_client" command to view the certificate chain for a given server.  For example, to view the cert chain for microsoft.com, you could do:

openssl s_client -connect microsoft.com:443 -showcerts

Which shows the cert chain and the root CA as the "Baltimore CyberTrust Root".

Best Regards,
Chris

Go to forum: wolfSSL

306 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi JhihPing,

Our certificate generation functionality doesn't currently support adding Subject Key Identifier or Authority Key Identifier options yet.  How important is this functionality for you?

Thanks,
Chris

Go to forum: wolfSSL

307 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi,

Can you verify that you have the correct CA certificate loaded for Google?  I have attached the one which works for me.

Thanks,
Chris

Go to forum: wolfSSL

308 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi Santa,

Can you clarify - are you looking to call wolfSSL from your PHP code directly?  If so, I haven't had any experience calling native C libraries from PHP code.  From a few searches, it looks like it might be possible to call native C code from PHP using SWIG or Zend extensions.

Thanks,
Chris

Go to forum: wolfSSL

309 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi Alex,

In Visual Studio, you'll need to add the HAVE_AESCCM define to the list of preprocessor defines in your project properties in order to enable AES-CCM support.

Best Regards,
Chris

Go to forum: wolfSSL

310 Topic by chrisc

(0 replies, posted in Announcements)

Hi,

CyaSSL 3.1.0 has been released and is now available for download from the wolfSSL website (http://www.wolfssl.com/yaSSL/Download.html).  This release includes bug fixes and new features including:

- Fix for older versions of icc without 128-bit type
- Intel ASM syntax for AES-NI
- Updated NTRU support, keygen benchmark
- FIPS check for minimum required HMAC key length
- Small stack (--enable-smallstack) improvements for PKCS#7, ASN
- TLS extension support for DTLS
- Default I/O callbacks external to user
- Updated example client with bad clock test
- Ability to set optional ECC context info
- Ability to enable/disable DH separate from opensslextra using --enable-dh and --disable-dh
- Additional test key/cert buffers for CA and server, located in certs_test.h
- Updated example certificates

Please see the README and our on-line documentation for more information or feel free to contact us.

CyaSSL Manual:  http://www.yassl.com/yaSSL/Docs-cyassl-manual-toc.html

Go to forum: Announcements

311 Reply by chrisc

(3 replies, posted in wolfSSL)

Hi Stanleyman,

At the moment, we have only tested it under Linux/Unix and OS X environments.  You may be able to use a unix-like shell for Windows such as Cygwin.

Best Regards,
Chris

Go to forum: wolfSSL

312 Reply by chrisc

(3 replies, posted in wolfSSL)

Hi Stanleyman,

We do have a simple Java SSL/TLS server available in our "wolfSSL JNI" download package.  The example uses our JNI wrapper instead of the regular Java API's.  You can download the JNI wrapper bundle here:

http://yassl.com/yaSSL/download/downloadForm.php

Best Regards,
Chris

Go to forum: wolfSSL

313 Reply by chrisc

(5 replies, posted in wolfSSL)

Hi pcu,

STM32F2_CRYPTO doesn't have the same problem with multiple block cipher contexts since the functionality of each call is stored into the respective wolfCrypt structure (ie: Aes, Des, etc.).

I don't think a mutex would solve the issue, since the limitation isn't necessarily just with access to the hardware hash module, but more with the internal state of the hash module.

Best Regards,
Chris

Go to forum: wolfSSL

314 Reply by chrisc

(3 replies, posted in wolfSSL)

Hi Marvin,

Do you have more details about the connection failure?  Can you try enabling debug messages in CyaSSL?

Thanks,
Chris

Go to forum: wolfSSL

315 Reply by chrisc

(8 replies, posted in wolfSSL)

Hi Brian,

We have not yet added support for secure renegotiation to wolfSSL embedded SSL.

Best Regards,
Chris

Go to forum: wolfSSL

316 Reply by chrisc

(2 replies, posted in wolfSSL)

Yun,

Glad to hear you found the correct link.

Best Regards,
Chris

Go to forum: wolfSSL

317 Reply by chrisc

(3 replies, posted in wolfSSL)

Hi Cache,

We recently updated our SSL Tutorial code.  Can you try again using our most up to date version, available here:

http://www.wolfssl.com/documentation/ss … al-2.1.zip

Thanks,
Chris

Go to forum: wolfSSL

318 Reply by chrisc

(18 replies, posted in wolfSSL)

Hi cyberrobot,

Are you still having problems with finding the correct root certificate to load to verify the server you are connecting to?

Best Regards,
Chris

Go to forum: wolfSSL

319 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi zhbn,

See the example referenced in the response to this post:

http://www.yassl.com/forums/topic548-i- … -code.html

Best Regards,
Chris

Go to forum: wolfSSL

320 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi zhbn,

You can load a server's RSA private key into a wolfSSL server using the following function:

int wolfSSL_CTX_use_PrivateKey_file(WOLFSSL_CTX* ctx, const char* file,int format)

This function is able to accept both PEM and DER formatted keys, using SSL_FILETYPE_PEM for the "format" argument with PEM encoded keys and SSL_FILETYPE_ASN1 for the "format" argument for DER encoded keys.

Best Regards,
Chris

Go to forum: wolfSSL

321 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi zhbn,

For an example of using CyaSSL key and certificate generation, you can reference the rsa_test() function in <cyassl_root>/ctaocrypt/test/test.c, specifically the code inside of the CYASSL_KEY_GEN and CYASSL_CERT_GEN #ifdef blocks.

CyaSSL will need to be compiled with --enable-certgen to enable certificate generation and --enable-keygen if you want to do RSA key generation.

Best Regards,
Chris

Go to forum: wolfSSL

322 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi zhbn,

The RsaPublicKeyDecode() function requires the input buffer (input) to be in DER format, with size specified by "inSz".

Best Regards,
Chris

Go to forum: wolfSSL

323 Reply by chrisc

(7 replies, posted in wolfSSL)

Hi cyberrobot,

If you define KEEP_PEER_CERT when compiling wolfSSL, you should be able to use the following function to get the CommonName from a CYASSL_X509*:

char*  CyaSSL_X509_get_subjectCN(CYASSL_X509* x509)

Best Regards,
Chris

Go to forum: wolfSSL

324 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi zhbn,

Is your goal to build against wolfSSL's OpenSSL compatibility layer, or to convert your application over to the native wolfSSL API completely?

In the case of the former, oftentimes a good first approach is to try linking against the wolfSSL library (compiled with the OpenSSL compatibility layer enabled), and then view the feature / function gaps.  This usually lets you begin to get a scope for the project.

Best Regards,
Chris

Go to forum: wolfSSL

325 Reply by chrisc

(2 replies, posted in wolfSSL)

Hi zhbn,

It sounds like the server you are testing against is only using TLS 1.2.  Are you testing against the wolfSSL embedded SSL example server?

If you would like to use SSL 3.0 with the wolfSSL example server, you can change the protocol version used with the "-v" option, i.e.:

./examples/server/server -v 0

Best Regards,
Chris

Go to forum: wolfSSL