You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by chrisc
Hi,
The sniffer doesn't currently support IPv6 at this time.
Regards,
Chris
Hi,
Most of these are explained in Chapter 2 of the wolfSSL Manual (http://yassl.com/yaSSL/Docs-cyassl-manu … yassl.html). I have included brief explanations below as well.
--enable-fortress
This option was added for a specific customer build, which enabled a specific set of build options related to their environment.
--enable-bump
This option is used when wolfSSL is being compiled for use with our SSL proxy.
--enable-leanpsk
Very small build using PSK, and eliminating many features from the library. Approximate build size for wolfSSL on an embedded system with this enabled is 21kB.
--enable-webserver
This turns on functions required over the standard build that will allow full functionality for building with the yaSSL Embedded Web Server.
--enable-gcc-hardening
Enabling this option will add extra compiler security checks.
--enable-fastmath
Enabling fastmath will speed up public key operations like RSA, DH, and DSA. By default, wolfSSL embedded SSL uses the normal big integer math library. This is generally the most portable and generally easiest to get going with. The negatives to the normal big integer library are that it is slower and it uses a lot of dynamic memory. This option switches the big integer library to a faster one that uses assembly if possible. Assembly inclusion is dependent on compiler and processor combinations. Some combinations will need additional configure flags and some may not be possible. Help with optimizing fastmath with new assembly routines is available on a consulting basis.
--enable-fasthugemath
Enabling fasthugemath includes support for the fastmath library and greatly increases the code size by unrolling loops for popular key sizes during public key operations. Try using the benchmark utility before and after using fasthugemath to see if the slight speedup is worth the increased code size.
Best Regards,
Chris
Hi Doug,
Thanks for your comments about the SSL tutorial and for bringing the expired certificates to our attention. I'll put it on our list to take another pass through the tutorial and give it a refresh/update and add in any extra enhancements which may make it easier to use.
If you have any additional feedback on the tutorial, specifically areas you would like to see improved upon, please let me know. Ideally, we'd like to make it as easy for users to work through as possible.
Best Regards,
Chris
Hi br92,
When we tested with QNX before, no special build options were needed to get wolfSSL embedded SSL to compile and run. I believe this was compiled for QNX using the GCC toolchain.
Best Regards,
Chris
Hi mtilchen,
We have had several users who have cross compiled wolfSSL embedded SSL for ARM platforms using GCC.
Do you know what your stack and heap sizes are set at? Oftentimes we'll see hard faults like this when one of these is not set high enough. For reference, I have attached the wolfSSL Resource Use document which shows typical runtime memory usage of wolfSSL per session.
One thing which can also make a difference here is what math library you are using. WolfSSL let's users choose between two different math libraries - the normal big integer (which it looks like you are using) and the fastmath library.
By default, wolfSSL uses the normal big integer math library. This is generally the most portable and generally easiest to get going with. The negatives to the normal big integer library are that it is slower and it uses a lot of dynamic memory. The fastmath library on the other hand uses less dynamic memory and moves it to the stack instead, also providing speed improvements (using assembly optimizations where possible).
You can enable fastmath by defining USE_FAST_MATH, and since the stack usage can be high, we also recommend defining TFM_TIMING_RESISTANT as well.
Best Regards,
Chris
Hi Zeddi,
I've seen that the server example (/examples/server/server.c) uses the client certificate instead of the CA certificate as the default CA certificate.
The reasoning behind this is that our test client's certificate is actually self-signed, and not signed by a separate CA certificate. In order for the server example to verify the client certificate, it needs to load in the cert used to sign the client cert, which in this case is the client cert itself.
Imho it would be more intuitive if there would be two individual certificates (e.g. ./certs/server-ecc-cert.pem for the server with CA:FALSE basic constraint and ./certs/ca-ecc-cert.pem for the CA with CA:TRUE basic constraint) in the case of ECC.
Thanks for the suggestion. We'll add it to our todo list for when we get time. We'll need to update our test certificates by July anyways.
Thanks,
Chris
Hi Stéphane,
Are you initializing your RsaKey structure with InitRsaKey() before your call to RsaPublicKeyDecode?
Regards,
Chris
Hi Joe,
I just pushed that fix, which should roll out with our next stable release:
https://github.com/cyassl/cyassl/commit … a7995a54f1
Thanks,
Chris
Hi Luca,
/usr/bin/ld: final link failed: Memory exhausted
This makes me think the problem may be unique to your shell or environment. As the debug build will be larger in file size and use more memory, can you check your shell's available memory?
Thanks,
Chris
Hi jmazza,
Thanks for brining this to our attention. I believe you are correct. There should be a check to make sure the pointer is not NULL before we try to free it with the XFREE definition in the FREESCALE_MQX define of ./wolfssl/ctaocrypt/settings.h.
In ./wolfssl/ctaocrypt/settings.h, under the code block for FREESCALE_MQX, can you try changing the XFREE definition from:
#define XFREE(p, h, type) _mem_free(p)to
#define XFREE(p, h, type) {void* xp = (p); if((xp)) _mem_free(xp);}Thanks,
Chris
Hi Daniel,
I believe that your question was answered by Moises over email. Is that correct?
Thanks,
Chris
Hi Naresh,
I believe your questions were answered over email. Is that correct?
Thanks,
Chris
Hi djconcept,
The -208 error is a SOCKET_ERROR_E, or "error state on socket".
We typically use the echoserver (./examples/echoserver/echoserver) to test against browsers, as it handles connections a little different. Browsers usually need to re-try the SSL handshake at least twice, as they need to ask the user to confirm connecting to an "unsecure" site (because our test certificates are self-signed).
It may be that your client (Chrome) is trying to do a second connection attempt, when your server has already shut down. To see the difference, if you run our example server on your desktop machine (./examples/server/server), then connect through your browser:
You'll see the inaccessible error from Chrome like you listed above. If you then try with our echoserver example (./examples/echoserver/echoserver), you should see that it works like expected.
Best Regards,
Chris
Hi DC,
CyaSSL proper has been designed to be IP-neutral regarding IPv4 or IPv6. The CyaSSL examples (client, server, etc.) can use IPv6 by compiling CyaSSL with the "--enable-ipv6" build option.
If you don't mind me asking, what kind of project are you working on?
Best Regards,
Chris
Hi Lucas,
It sounds like you are making good progress on porting wolfSSL over to your environment. You may have found it already, but if not, you can find the wolfSSL Porting Guide here:
http://yassl.com/yaSSL/Docs-cyassl-porting-guide.html
You can write and register your own I/O callbacks for wolfSSL to use. These callbacks would then integrate down to your LwIP layer. The callbacks are documented both in the Porting Guide above as well as Section 5.1.2 of the wolfSSL Manual:
http://yassl.com/yaSSL/Docs-cyassl-manu … ility.html
In general, your application will handle setting up and connecting the socket, then hand it over to wolfSSL to do the SSL/TLS handshake and SSL communication from there on out. Our SSL Tutorial may be helpful to look through (http://yassl.com/yaSSL/Docs-cyassl-manu … orial.html), or our example client and server application located in:
./examples/client/client.c
./examples/server/server.c
Best Regards,
Chris
Hi Robboe,
Can you try updating the config.guess and config.sub files found under:
<cyassl_root>/build-aux
with the ones attached here?
Thanks,
Chris
Hi,
Thanks for the report. This should be fixed with this commit to our embedded SSL library:
https://github.com/cyassl/cyassl/commit … b9f930331f
Thanks,
Chris
Hi Raphael,
What you're seeing using nonblocking I/O is expected behavior when the underlying I/O would block. From the API document for wolfSSL_accept(), found here: http://www.yassl.com/yaSSL/Docs-cyassl- … on-io.html:
wolfSSL_accept() works with both blocking and non-blocking I/O. When the underlying I/O is non-blocking, wolfSSL_accept() will return when the underlying I/O could not satisfy the needs of of wolfSSL_accept to continue the handshake. In this case, a call to wolfSSL_get_error() will yield either SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE. The calling process must then repeat the call to wolfSSL_accept when data is available to read and wolfSSL will pick up where it left off.
As an example, you can look at how ./examples/server/server.c handles non-blocking I/O with NonBlockingSSL_Accept() using wolfSSL embedded SSL.
Best Regards,
Chris
Hi James,
Currently our crypto API for AES (including CTR, but also other modes of operation) requires that the user application pad the input to an AES block size before encryption. So, at the moment, it's not necessarily a bug, but has been a conscious decision.
As we get more crypto-only users, we may want to consider handling the padding ourselves internally to help improve usability. Thanks for brining this to our attention, and for the suggested fix.
Best Regards,
Chris
Hi Daniel,
Thanks for bringing this to our attention. Yes, this is something we will need to fix. wolfssl/test.h is used in our example applications which have had IPv6 support for quite a while now, where OCSP was added more recently.
We'll put this on our todo list, but I can't give you a definitive timeline at the moment. How pressing is this fix for you?
Thanks,
Chris
Hi Sivakumar,
The change you mentioned above was intentional. Since we added support for encrypt/decrypt callbacks, padding is now handled at encrypt or decrypt time.
Are you using the same version of the sniffer as your are of wolfSSL? If not, can you update both to the most current wolfSSL embedded SSL version?
If both are on the same version of wolfSSL, can you try using our most current version on GitHub and see if you still see the same problem? wolfSSL on GitHub can be found here: https://github.com/cyassl/cyassl.
Do you mind if I ask what kind of project you are using the sniffer with?
Thanks,
Chris
Hi,
To use wolfSSL embedded SSL on top of other transport mediums besides TCP/IP, you can make use of wolfSSL's I/O abstraction layer to write your own send/receive callbacks. You can find more details about writing your own callbacks in Section 5.1.2 of the wolfSSL Manual (http://yassl.com/yaSSL/Docs-cyassl-manu … ility.html), or in our wolfSSL Porting Guide (http://yassl.com/yaSSL/Docs-cyassl-porting-guide.html).
Best Regards,
Chris
Hi Nikhil,
Is this the best I can achieve using wolfSSL or you have any suggestions for me to get better performance from wolfSSL.
This is probably close to the best, unless you have a processor which supports Intel's AES-NI, or you can do further speed optimizations through your compiler.
You can also switch to a faster cipher suite, as long as you don't need to use TLS_RSA_WITH_RC4_128_SHA. For instance, our HC-128 stream cipher is our fastest cipher available - even faster than RC4. You can see a relative speed graph here: http://yassl.com/yaSSL/benchmarks-cyassl.html.
Also please update expected performance from wolfSSL.
Can you clarify what expected performance you are referring to?
Thanks,
Chris
Hi,
Are you compiling wolfSSL with fastmath or the normal big integer library. Fastmath can be enabled by adding USE_FAST_MATH to your preprocessor flags and compile in tfm.c instead of integer.c.
Best Regards,
Chris
Hi,
We have a problem during the client-server communication, where the server doesn't complete the SSL handshake. This cause the connect function to be stuck forever and it never returns.
Do you know where the SSL handshake is getting stuck? Have you turned on wolfSSL debug messages? You can do so by adding DEBUG_WOLFSSL to your preprocessor flags, then calling wolfSSL_Debugging_ON() / wolfSSL_Debugging_OFF() from your code.
We want to have a (blocking) connect function that we can call with a timeout, and if it doesn't able to complete the connection during that timeout, it simply returns with an error. Can I do that at all?
By default wolfSSL uses send() and recv() in its default I/O callbacks. You should be able to set a timeout value on your socket when you initially create it, using setsockopt().
Because we failed to do the above, we thought of using the non-blocking connect call. The problem was, we couldn't compile it with WOLFSSL_CALLBACKS set. Can I do that without defining WOLFSSL_CALLBACKS?
Yes, you can use non-blocking I/O without defining WOLFSSL_CALLBACKS. woflSSL can use either blocking or non-blocking I/O. See the API reference for wolfSSL_connect(), wolfSSL_accept(), wolfSSL_read(), or wolfSSL_write() for more info on how each works when non-blocking I/O is used.
Our example client and server are also set up to do non-blocking I/O when the "-N" command line option is used. Feel free to look at client.c or server.c for example usage.
Best Regards,
Chris
wolfSSL - Embedded SSL Library → Posts by chrisc
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.026 seconds (72% PHP - 28% DB) with 4 queries