You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by chrisc
Hi Hans-Jürgen,
I just tested against www.cacert.org:443 using our example client and the wolfSSLv23_client_method(), and the connection worked ok for me.
To do the test, I just made a quick change of wolfSSLv3_client_method() to wolfSSLv23_client_method() in client.c (just a quick and dirty change to let me select it using "-v 0" from the command line), then did:
make clean
make
./examples/client/client -h www.cacert.org -p 443 -d -v 0 -gBest Regards,
Chris
Hi Hans-Jürgen,
The problem you are running into is being caused by the RSA key size. root.crt uses a 4096-bit RSA key.
One of the less portable aspects of fastmath is the need for fixed buffers to reduce dynamic memory use. By default, these buffers allow a 2048 bit X 2048 bit multiply into a 4096 bit buffer. Since most sites are using 2048 bit RSA keys this is fine. But for those sites that have a 4096 bit RSA key you'll need to increase the fastmath buffer size to 8192. Since root.crt uses a 4096-bit RSA key, you'll need to increase the fastmath buffer size. You can do this using the define:
FP_MAX_BITS
and setting it to 8192. Unfortunately, this will also increase the runtime stack use since the buffers used in the public key operations are bigger.
So, try:
cd wolfssl-2.7.0
make clean
./configure C_EXTRA_FLAGS="-DFP_MAX_BITS=8192"
make
wget http://www.cacert.org/certs/root.crt
./examples/client/client -h www.cacert.org -p 443 -v 1 -A root.crt -gLet me know if that works for you.
Best Regards,
Chris
Hi Hans-Jürgen,
Thanks for the report. I'll look into this and get back to you.
Best Regards,
Chris
Hi Amit,
wolfSSL embedded SSL doesn't currently support secure renegotiation, but you could always just set up a new connection and have the client re-connect with a new handshake if the existing connection becomes invalid.
Best Regards,
Chris
Hey Steffen,
No problem, we're here to help our users. I'm just glad to hear you got it working. Feel free to reach out to us anytime.
Best Regards,
Chris
Hi Steffen,
I tested wolfSSL_CTX_load_verify_buffer() on my development machine (OS X) with the cert bundle you attached. This seemed to work - the function returned SSL_SUCCESS. Can you verify that the context pointer (ctx) you are passing to wolfSSL_CTX_load_verify_buffer() is valid?
Thanks,
Chris
Hi Steffen,
Thanks for attaching a link to the cert bundle you are using. We'll look into this and get back to you.
- Chris
Hi Rainer,
Thanks for taking a look at CyaSSL. We have tried to make our error codes user friendly. Typically many of the CyaSSL API functions will return SSL_SUCCESS or SSL_FAILURE, where subsequently the application can call CyaSSL_get_error(...) to retrieve the more specific error code. Our documentation covers more details about error codes in Chapter 8 (http://yassl.com/yaSSL/Docs-cyassl-manu … gging.html).
In the case of certificate verification, CyaSSL handles all verification internally and will give a -155, ASN_SIG_CONFIRM_E (ASN sig error) if verification of a peer certificate fails. Optionally CyaSSL allows the application to register its own verify callback which will be called when verification fails. This callback will be presented a more detailed error code related to the failure reason (dates, signer, etc.).
Our OpenSSL compatibility layer maps roughly 300 of OpenSSL's most commonly used functions to the native CyaSSL API. It was designed to make porting applications over from OpenSSL easier. As OpenSSL has over 4,000 functions, it's only a subset and is continually growing as we do more ports into existing applications. We encourage users to use the native CyaSSL API if possible, as footprint size is increased when enabling the compatibility layer. I believe that error codes will be the same in either case.
Best Regards,
Chris
Hi,
Have you tried building with both the regular big integer math library as well as the fastmath library to see if one gave you a smaller memory usage?
If you are doing a source build (not using the ./configure system), the big integer library is enabled by default. If you are building with the ./configure system, the fastmath library is enabled by default on 64-bit systems. You can use the --enable-fastmath or --disable-fastmath build options to turn on/off fastmath, or define USE_FAST_MATH to turn it on when not using ./configure.
When building with fastmath, there are a few options you can try which may reduce memory size. You can define TFM_TIMING_RESISTANT, which will reduce stack usage and disable timing side channel attacks. And the other define you can try using is POSITIVE_EXP_ONLY, which will reduce stack use even more when we assume no negative exponents. RSA, ECC, and DH only use positive exponents..
Best Regards,
Chris
Hi Steffen,
wolfSSL doesn't currently support AES-ECB mode of operation. We do support AES in CBC, CTR, GCM, and CCM modes though. ECB (Electronic codebook) mode is not regarded as very secure. If you take a look at the penguin image on the following Wikipedia page under the "ECB" section, you will see that it doesn't hide patterns very well:
https://en.wikipedia.org/wiki/Block_cip … _operation
Best Regards,
Chris
Hi,
I think this is expected(?)
If so how to find out the worst case time?
Yes, this is expected. The longer the ECC key size, the longer the ecc_mulmod() function will take to complete. wolfSSL embedded SSL supports up to 521-bit ECC keys.
Also how to estimate worst case stack and heap requirement?
We don't currently have a measurement of ECC memory usage on hand when used individually. We do have a resource usage document which shows ECC memory usage when used with SSL/TLS. I will send this over in a Private Message.
Best Regards,
Chris
Hi syang,
All of our products, including CyaSSL and wolfCrypt/CTaoCrypt are dual licensed under both the GPLv2 as well as a commercial license. If your product cannot tolerate the terms of the GPLv2, you would need to purchase a commercial license.
Individual crypto modules fall under the same license model, where you would need to purchase a commercial license if the GPLv2 did not fit into your project. Please feel free to send us additional licensing questions at licensing@wolfssl.com.
Best Regards,
Chris
Hi Yun,
Please see the following commit to our embedded SSL library which fixes this issue:
https://github.com/cyassl/cyassl/commit … 125d39d664
Best Regards,
Chris
We have had many users run wolfSSL in a bare metal (no OS) environment. Once your bare metal and LwIP environment was set up, wolfSSL should layer in on top of that, yes.
Best Regards,
Chris
Hi Yun,
Thanks for the report. I'll look into this and get back to you.
Best Regards,
Chris
Alphonsa,
We have had users compile wolfSSL with a large variety of compilers. Code Composer studio hasn't come up yet though. Generally wolfSSL is pretty easy to compile with new compilers, but let us know if you run into any problems.
Best Regards,
Chris
Hi Alphonsa,
We have ported wolfSSL to both SafeRTOS and FreeRTOS as well as LwIP. I believe you will need to follow the steps outlined in Section 2.4 of the wolfSSL Manual, then define WOLFSSL_SAFERTOS and WOLFSSL_LWIP in <wolfssl_root>/wolfssl/wolfcrypt/settings.h. Have you already done this?
Thanks,
Chris
Hi Alphonsa,
I just sent you an email with the porting guide attached.
Best Regards,
Chris
Hi ctb,
Email sent. Also, just FYI, we're working on getting you a response to your other forum post about verifying digital signatures.
Best Regards,
Chris
We would like to announce to our community that Gearman, a framework designed to distribute tasks to multiple machines or processes, now has SSL/TLS support using the CyaSSL lightweight SSL library.
From the Gearman site, Gearman “allows you to do work in parallel, to load balance processing, and to call functions between languages. It can be used in a variety of applications, from high-availability web sites to the transport of database replication events. In other words, it is the nervous system for how distributed processing communicates.”
If you are interested in using Gearman with CyaSSL, Brian Aker explains how to do so in this Google Groups post: https://groups.google.com/forum/?fromgr … varqZ6OYk.
Gearman: http://www.gearman.org/
The bi-monthly release of CyaSSL, 2.7.0, is now ready to download from our website. New features include:
- SNI (Server Name Indication) for both the client and server with --enable-sni
- KEIL MDK-ARM project files in IDE/MDK-ARM
- Domain name match checks now included wildcard and Subject altname checks by default
- More consistent error returns across all APIs
- Authority Subject ID support for Certificate matching
- Persistent session and certificate cache functionality
- Client session table lookups at the library level instead of making the application cache the sessions
- Camellia support for the SSL sniffer
- User controllable settings for DTLS timeout values
- DTLS reliability enhancements for the handshake
- Better ThreadX support out of the box
Please see the README and our on-line documentation for more information or feel free to contact us.
Hi Ezequiel,
I just sent you an email with the porting guide attached.
Best Regards,
Chris
Hi Nitay,
wolfSSL embedded SSL does allow the user to set a context per WOLFSSL object. From Section 5.1.2 of the wolfSSL Manual:
The user can set a context per wolfSSL object (session) with wolfSSL_SetIOWriteCtx() and wolfSSL_SetIOReadCtx(), as demonstrated at the bottom of io.c. For example, if the user is using memory buffers, the context may be a pointer to a structure describing where and how to access the memory buffers. The default case, with no user overrides, registers the socket as the context.
This context will then be passed to the I/O callbacks using the ctx parameter, where the I/O callbacks are prototyped by:
/* I/O callbacks */
typedef int (*CallbackIORecv)(WOLFSSL *ssl, char *buf, int sz, void *ctx);
typedef int (*CallbackIOSend)(WOLFSSL *ssl, char *buf, int sz, void *ctx);Best Regards,
Chris
Nitay,
It sounds like you're on the right track with registering your own I/O callbacks. The callbacks were designed to allow applications to control how they read/write data to/from wolfSSL. For your Recv callback, you'll just need to pass the encrypted data buffer received over your transport medium to wolfSSL through the provided buffer, "buf", in your callback. For an example, you can reference the EmbedReceive() function in <wolfssl_root>/src/io.c.
I'm not familiar with IOCP myself, so if I'm misunderstanding what you are trying to do, please correct me.
Best Regards,
Chris
Ni Nitay,
I think I may have discovered why you are unable to download wolfSSL. I'm guessing you have cookies disabled in Chrome? When I try downloading wolfSSL using your information above on Win. 7 x64 with Chrome with cookies enabled, it works. When I have cookies disabled, it behaves exactly as you mentioned.
The wolfSSL download form saves session information between pages, which it uses to verify information entered. Not allowing sites to save information must prevent this from happening.
Best Regards,
Chris
wolfSSL - Embedded SSL Library → Posts by chrisc
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.023 seconds (69% PHP - 31% DB) with 4 queries