You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by chrisc
Correct, wolfSSL_read and wolfSSL_write act the same way. You can see this by looking at EmbedSend() and EmbedReceive() in ./src/io.c.
Regards,
Chris
Hi,
wolfSSL_accept works with both blocking and non-blocking I/O. When the underlying I/O is non-blocking, wolfSSL_accept will return when the underlying I/O could not satisfy the needs of of wolfSSL_accept to continue the handshake. In this case, a call to wolfSSL_get_error will yield either SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE. The calling process must then repeat the call to wolfSSL_accept when data is available to read and wolfSSL will pick up where it left off.
You can look at the wolfSSL example server (./examples/server/server.c) for a usage example.
Best Regards,
Chris
Hi,
Are you porting over both client and server, or just one of the two?
Can you verify that all tests in the CTaoCrypt test application pass on your platform? This is usually a good starting place to start narrowing down the problem. After building CyaSSL embedded SSL, you can find the CTaoCrypt test app in the ./ctaocrypt/test directory.
If all tests pass, can you try sniffing the connection and sending the pcap file? You can either post it here, PM it direct to me, or send it to support@yassl.com
Thanks,
Chris
Hi,
We have ECC support available for CyaSSL embedded SSL, but haven't rolled it into the open source GPLv2 version of CyaSSL yet. The ECC-releated files in the CyaSSL repo and download (ecc.c, ecc.h) are just placeholder files for now.
Would you be interested in having a call to discuss using ECC with CyaSSL in more detail?
Thanks,
Chris
Because mongoose doesn't directly include the wolfssl/openssl/ssl.h compatibility header, the function names are not automatically mapped (ex: CyaSSL_free -> SSL_free). The next release of the yaSSL Embedded SSL Web Server will have support for the most recent version of wolfSSL.
Best Regards,
Chris
The changes we've made to the wolfSSL GitHub repository post-2.2.0 won't roll into a stable release on our download page until the next stable release of wolfSSL embedded ssl. We usually put out fairly frequent releases of wolfSSL, so it shouldn't be too long before the fix rolls into a stable release.
Best Regards,
Chris
Hi Philhippus,
This was a bug in wolfSSL which we recently fixed in our GitHub repository. Please reference the most current version of ./cyassl/ssl.h on GitHub as well as the following commits for details:
https://github.com/cyassl/cyassl/commit … 8909647443
https://github.com/cyassl/cyassl/commit … bd4cca15d8
Please let me know if you're still seeing problems after trying this.
Best Regards,
Chris
Hi,
To convert your private key from PEM format to DER format, you should be able to use the wolfSSL_KeyPemToDer() function. After you have converted the key to DER format, it is able to be loaded into an RsaKey struct using the RsaPrivateKeyDecode() function.
Best Regards,
Chris
Hi,
Have you installed the Windows 8 SDK? I was able to confirm that yaSSL 2.0.0 builds successfully on Windows 8 Consumer Preview with Visual Studio 11 Beta and Windows 8 SDK installed. The SDK should install the winsock2.h header for Visual Studio to pick up.
http://msdn.microsoft.com/en-us/windows … 52363.aspx
Best Regards,
Chris
Hi,
Version 2.2.0 of the CyaSSL embedded SSL/TLS library has been released and is now available for download. This release contains bug fixes, feature enhancements, and is a recommended update for all users. Changes include:
- Initial CRL (Certificate Revocation Lists) support with --enable-crl
- Initial OCSP (Online Certificate Status Protocol) support with --enable-ocsp
- Static ECDH suites including:
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
- SHA-384 support
- ECC client certificate support
For more information on CRL checkout: http://en.wikipedia.org/wiki/Certificat … ation_list. More details on OCSP can be found here: http://en.wikipedia.org/wiki/Online_Cer … s_Protocol. The example/client has basic usage and the full API will be available in the manual. The addition of SHA-384 support makes CyaSSL even more compatible with other SSL implementations such as OpenSSL.
To download the open source, GPLv2-licensed version of CyaSSL 2.2.0, please visit our Download Page (http://yassl.com/yaSSL/download/downloadForm.php). If you have any questions or comments or would like more information on commercial versions of CyaSSL, please contact us at info@yassl.com.
For build instructions, a full feature list, API reference, and more, please see the CyaSSL Manual (http://www.yassl.com/yaSSL/Docs-cyassl-manual-toc.html).
Thanks,
Team yaSSL
Hi Sven,
Glad to hear you got things working!
CyaSSL_CTX_set_verify sets options for how peer validation is done in wolfSSL's embedded ssl. It is very similar to OpenSSL's SSL_CTX_set_verify. They've got a pretty good man page on it which you can view if you run the "man SSL_CTX_set_verify" command on your terminal if you have the OpenSSL man pages installed, or alternatively you can view it here: http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html.
- Chris
Hi Sven,
I was able to verify that wolfSSL can connect to the accounts.google.com server on port 443. I used Firefox to download the root CA certificate from the https://accounts.google.com page. My version of Firefox downloaded it in PEM format, which wolfSSL is able to use directly. I have attached the root CA which I used (VerisignClass3PublicPrimaryCA.pem, "Class 3 Public Primary Certification Authority").
To test, I used wolfSSL's example client application (./examples/client/client), with a few slight modifications:
1) I placed the above CA certificate into wolfSSL's certs directory and loaded it with the CyaSSL_CTX_load_verify_locations(...) function in ./examples/client/client.c:
CyaSSL_CTX_load_verify_locations(ctx, "./certs/VerisignClass3PublicPrimaryCA.pem", 0)2) I modified the client example to verify the peer:
CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);3) From the wolfSSL home directory, I tried connecting to the accounts.google.com server on port 443 using the example client:
./examples/client/client accounts.google.com 443You can see that wolfSSL successfully verified the peer:
CyaSSL Entering DoHandShakeMsg()
processing certificate
Loading peer's cert chain
Put another cert into chain
Put another cert into chain
Found Basic CA constraint
Found optional critical flag, moving past
About to verify certificate signature
Adding CA from chain
Adding a CA
Found Basic CA constraint
Found optional critical flag, moving past
Parsed new CA
Freeing Parsed CA
Freeing der CA
OK Freeing der CA
CyaSSL Leaving AddCA, return 0
Veriying Peer's cert
Found Basic CA constraint
Found optional critical flag, moving past
About to verify certificate signature
Verified Peer's cert
CyaSSL Leaving DoHandShakeMsg(), return 0
Can you verify that this works for you?
Thanks,
Chris
Hi Sven,
Which certificate did you download from https://accounts.google.com/? When I looked at the cert chain in my browser, this is the chain I see:
A. Class 3 Public Primary Certification Authority
B. Thawte SGC CA
C. www.google.com
Regards,
Chris
Hi Glenn,
CyaSSL currently has support for DTLS 1.0. You can find a little bit of info on it in section 4.2 of the CyaSSL manual (http://yassl.com/yaSSL/Docs-cyassl-manu … tures.html).
If you take a look at the example echoclient and echoserver applications in the CyaSSL download (/examples/echoclient/echoclient.c, /examples/echoserver/echoserver.c), or the example server and client, you can see DTLS-specific code blocks surrounded by the CYASSL_DTLS define.
Let me know if you have any more questions.
Best regards,
Chris
Hi,
A while back, we posted that the CyaSSL embedded SSL library would be getting support for Galois/Counter Mode (GCM) encryption in the near future. This is still true! If everything goes as planned, GCM support should be generally available for CyaSSL in June of this year. Specifically, GCM will be used in CyaSSL with AES and as a cipher suite for SSL.
One of the benefits of GCM is its efficiency and performance in both hardware and software. Galois/Counter Mode (GCM) for block ciphers incorporates both CTR (counter mode) as well as a message authentication code (MAC), providing both integrity and confidentiality. It is designed for block ciphers with a block size of 128 bits and is able to take full advantage of parallel processing and pipelining. Referencing the Wikipedia article on GCM, “the key feature is that the Galois field multiplication used for authentication can be easily computed in parallel thus permitting higher throughput than the authentication algorithms that use chaining modes, like CBC.”
To learn more about the performance and security details of GCM, you can visit the Wikipedia page listed below. We expect to see GCM more widely adopted in the near future. If you're interested in testing AES with GCM or have any question or comments please let us know.
GCM (Wikipedia): http://en.wikipedia.org/wiki/Galois/Counter_Mode
RFC 5288 (AES Galois Counter Mode (GCM) Cipher Suites for TLS): https://tools.ietf.org/html/rfc5288
-Team yaSSL
Hi,
Would you like to see the CyaSSL embedded SSL library integrated into the popular Qt framework? We’ve been throwing around the idea of adding CyaSSL support to Qt and want to hear your feedback. If CyaSSL was integrated into Qt, it would be available as a build option and alternative to using Qt with OpenSSL.
CyaSSL could provide the Qt framework with a much smaller footprint when compared to using Qt with OpenSSL. Looking at typical build sizes of both CyaSSL and OpenSSL, it is typical to see a 20X decrease in footprint size.
What do you think? Please let us know your thoughts, comments, and feedback at by replying here or emailing us at info@yassl.com.
Qt (Nokia): http://qt.nokia.com
Qt (Wikipedia): http://en.wikipedia.org/wiki/Qt_(framework)
Hi,
Team yaSSL has recently been considering the addition of the Camellia block cipher to the CyaSSL embedded SSL library, and we would like to request your feedback on this addition. Do you think it would be a beneficial addition? If it was added to CyaSSL, would you be interested in using it? Because we strive to shape our SSL library around what our users want and need, we greatly value your feedback.
If you are unfamiliar with the Camellia block cipher, you can find a Wikipedia article on the cipher here: http://en.wikipedia.org/wiki/Camellia_(cipher), or the Camellia cipher’s English homepage, here: http://info.isl.ntt.co.jp/crypt/eng/camellia/index.html.
Please send any feedback to info@yassl.com or reply to this thread, below.
Thanks!
Team yaSSL
Hi,
Why is CyaSSL a great solution when you have millions of connections per server? Memory consumption per connection can be as low as 3k, varying with the size of input and output buffers. This brings CyaSSL’s runtime memory consumption to 3-36kB depending on buffer size. Input and output buffers are created on demand when smaller than MAX_RECORD_SZ unless the user turns on STATIC_CHUNKS_ONLY.
In contrast, OpenSSL typically consumes 50-140k per connection. CyaSSL emphasizes small size, speed, and low memory use. These attributes make CyaSSL ideal for scaling on a huge magnitude. Other libraries often run into problems when trying to scale to hundreds of thousands of connections for applications like load balancing or cloud services. We have users doing just that.
Want to hear about how CyaSSL is being scaled in the cloud? Contact us and we'll share some of the use cases currently in production.
Hi,
Many of our users are curious about how the CyaSSL embedded SSL library will perform on a specific hardware device or in a specific environment. Because of the wide variety of different platforms and compilers used today in embedded, enterprise, and cloud-based environments, it is hard for us to give generic performance calculations across the board.
To help our users and customers in determining SSL performance for CyaSSL / CTaoCrypt, we provide a benchmark application which is bundled with CyaSSL. CyaSSL uses the CTaoCrypt cryptography library for all crypto operations by default. Because the underlying crypto is a very performance-critical aspect of SSL/TLS, our benchmark application runs performance tests on CTaoCrypt’s algorithms.
The benchmark utility is located in ctaocrypt/benchmark. Typical output may look like:
./ctaocrypt/benchmark/benchmark
AES 5 megs took 0.033 seconds, 149.84 MB/s
ARC4 5 megs took 0.017 seconds, 297.23 MB/s
HC128 5 megs took 0.004 seconds, 1185.10 MB/s
RABBIT 5 megs took 0.011 seconds, 453.14 MB/s
3DES 5 megs took 0.236 seconds, 21.18 MB/s
MD5 5 megs took 0.011 seconds, 444.13 MB/s
SHA 5 megs took 0.019 seconds, 261.73 MB/s
SHA-256 5 megs took 0.041 seconds, 122.98 MB/s
SHA-512 5 megs took 0.023 seconds, 213.44 MB/s
RSA 2048 encryption took 0.11 milliseconds, avg over 100 iterations
RSA 2048 decryption took 2.36 milliseconds, avg over 100 iterations
DH 2048 key generation 0.88 milliseconds, avg over 100 iterations
DH 2048 key agreement 0.92 milliseconds, avg over 100 iterationsThis is especially useful for comparing the public key speed before and after changing the math library. You can test the results using the normal math library (./configure), the fastmath library (./configure --enable-fastmath), and the fasthugemath library (./configure --enable-fasthugemath).
As always, please contact us with any questions or comments.
Thanks,
Team yaSSL
Hi,
Team yaSSL has been considering the addition of the GOST block cipher to our CyaSSL embedded SSL library. If you are unfamiliar with GOST, there is a great wikipedia article here: http://en.wikipedia.org/wiki/GOST_(block_cipher). If you think CyaSSL should include GOST, then let us know. We appreciate your feedback. Just contact us at info@yassl.com or reply here in this thread.
Thanks!
Hi,
We've started implementing Galois/Counter Mode (GCM) into CyaSSL. Specifically for use with AES and as a cipher suite for embedded SSL. One of the benefits of GCM is its efficiency and its performance appears to be pretty good as well. As an authenticated encryption algorithm it provides both integrity and confidentiality. We expect to see it more widely adopted in the near future. If you're interested in testing AES with GCM or have any question or comments please let us know.
GCM (Wikipedia): http://en.wikipedia.org/wiki/Galois/Counter_Mode
-Team yaSSL
Hi,
Did you know that the CyaSSL embedded SSL library supports FreeRTOS and OpenRTOS? FreeRTOS is a real-time operating system for embedded devices which is designed to be both small and simple. With an incredibly large user base, FreeRTOS/OpenRTOS supports 27 architectures and is downloaded from over 77 thousand times every year!
Just like CyaSSL, FreeRTOS is open source, royalty free, and very portable. To build CyaSSL for FreeRTOS, uncomment the #define for FREERTOS in ./cyassl/ctaocrypt/settings.h.
You can find a full list of FreeRTOS features on the FreeRTOS/OpenRTOS website. To learn more about CyaSSL, please visit the CyaSSL product page. If you have any questions about using CyaSSL with FreeRTOS, please contact us at info@yassl.com.
FreeRTOS / OpenRTOS: http://www.freertos.org
Hi,
CyaSSL is now available as a crypto provider for KoanLogic’s SCS library, LibSCS. SCS, a small cryptographic protocol layered on top of the HTTP cookie facility [RFC6265], allows its users to produce and consume authenticated and encrypted cookies, as opposed to usual cookies, which are un-authenticated and sent in clear text.
From the LibSCS README, “By having a non-tamperable proof of authorship attached, each SCS cookie can always be validated by the originator, making it possible for a server to handle clients' session state without the need to store it locally. In fact, an SCS enabled server could completely delegate the application state storage to the client (e.g. a web browser) and use it, in all respects, as a remote storage device. The result of the cryptographic transformations applied to state data can be used to ensure that its information authenticity and confidentiality attributes are the same as if they were stored privately on server-side.”
You can build LibSCS with CyaSSL by running the following commands. You must have KoanLogic’s makl installed on your development machine (http://koanlogic.com/makl/) to build the package. See the libscs README and INSTALL files for more detailed instructions.
makl-conf --crypto=cyassl
makllibscs GitHub repository: https://github.com/koanlogic/LibSCS
If you have any questions about CyaSSL with LibSCS, please contact KoanLogic (info@koanlogic) or yaSSL (info@yassl.com).
Hi,
yaSSL has recently ported the MIT Kerberos libraries to Android. The Android platform has previously been void of Kerberos support - forcing Android developers who are creating new applications or porting existing projects to either modify existing code or exclude Kerberos functionality from their apps and libraries altogether.
yaSSL has taken the first steps in bringing Kerberos to the Android platform. The native MIT Kerberos libraries have been cross-compiled for Android and are now able to be used natively with the Android NDK. yaSSL has added the CyaSSL embedded SSL library's cryptography library (CTaoCrypt) as a crypto implementation for Kerberos, allowing embedded projects to use CyaSSL's lightweight and fully functional crypto backend on Android.
In addition to the cross-compiled MIT Kerberos libraries, yaSSL has created a sample Android NDK application wrapping the functionality of kinit, klist, kvno, and kdestroy, and a sample client application with a simple GUI front-end. We hope this application provides a starting place for application developers interested in using Kerberos on Android.
The MIT Kerberos libraries and sample application are distributed under the MIT license and the code will be in the MIT Kerberos code repository in the near future. Until it has been merged into the MIT repositories, you can find the sample application and GSS-API wrapper on GitHub at the following URL. The sample application includes cross-compiled Kerberos and CyaSSL libraries. Instructions on cross compiling MIT Kerberos yourself will be released in the near future.
https://github.com/cconlon/kerberos-android-ndk
https://github.com/cconlon/kerberos-java-gssapi
Are you interested in using Kerberos on Android? Do you have any suggestions about the direction of the project so far? If so, please let us know your thoughts at info@yassl.com.
Thanks!
Hi!
As you may have read recently on our blog, we are seeking feedback from those who are particularly interested in using CyaSSL with Nginx and would like to work with us as beta testers.
We have been asked a number of times about CyaSSL integration with the Nginx web server. If you are not familiar with Nginx, it is a high performance, high concurrency web server that is becoming extremely popular these days. You can learn more about Nginx at nginx.com.
Nginx and CyaSSL make a likely pairing because they are both lean, compact, fast, and scale well under high volumes of connections. The big news today is that CyaSSL is now working with Nginx in the lab, and we expect it to become generally available in the near future.
If you are interested in working with us on this, please let us know at info@yassl.com.
Thanks,
Team yaSSL
wolfSSL - Embedded SSL Library → Posts by chrisc
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.026 seconds (67% PHP - 33% DB) with 4 queries