You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by chrisc
Hi,
Thanks for the bug report. We've checked in a fix to our GitHub repository (https://github.com/cyassl/cyassl). We have also added a new build option (--enable-noFilesystem) to make it easier to remove the filesystem for our embedded SSL library.
Regards,
Chris
Hi!
We have released updated versions of both the wolfSSL embedded SSL/TLS library Manual and our SSL Programming tutorial. The wolfSSL Manual is now available in an HTML version on our website in addition to the standard PDF download, and includes a new wolfSSL API Reference. You can find the updated version of these documents at the following links.
wolfSSL Manual: https://www.wolfssl.com/wolfSSL/Docs-wo … l-toc.html
wolfSSL API Reference: https://www.wolfssl.com/wolfSSL/Docs-wo … rence.html
SSL Programming Tutorial: https://www.wolfssl.com/wolfSSL/Docs-wo … orial.html
If you have any questions or suggestions on how to make these documents better, please let us know.
Thanks,
Team wolfSSL
Hi,
Minimizing wolfSSL build sizes depends on what protocols, ciphers, and cipher suites you are looking to use. Using the --enable-small build option will give you a fully working wolfSSL client and server, but several features will be disabled. Currently --enable-small disables the following features:
TLS, HMAC, AES, 3DES, SHA-256, Error Strings, HC-128, RABBIT, PSK, DSA, and DH
If you are only going to be using client functionality, the server parts can be disabled by defining NO_CYASSL_SERVER. See the "Building wolfSSL" document (sections III and V) for a list of build options and defines. For certificate verification, wolfSSL verifies all certificates internally by default unless it is turned off, but the files needed shouldn't change.
What's the philosophy of the minimal build - how does OpenWRT's idea of minimal differ from the configure option?
I'm not positive of the configuration used in the OpenWrt example, but the standard build size with a client and server functionality on an embedded platform is usually <= 60k.
Regards,
Chris
SheldonC,
Correct, sslFrame points to the current frame to process, whereas sslBytes is the data we haven't processed yet.
if (newEnd > reassemblyList->begin) {
Trace(OVERLAP_REASSEMBLY_BEGIN_STR);
/* remove bytes already on reassembly list */
*sslBytes -= newEnd - reassemblyList->begin;
}To address the section you had in bold, shown above, newEnd is equal to the sequence number we expect plus the SSL bytes we need to consume. We check to see if newEnd is past the beginning of our first reassemblyList item. If so, we might have frames that will be processed twice, so we want to remove those duplicates from being processed again (in sslBytes).
reassemblyList->end is not the same as *expected - they differ in purpose. The reassemblyList (a linked-list of pointers) caches packets which are out of order and can't be processed yet. reassemblyList->end is the end of the first item in the list, where *expected is the next sequence number we need to process.
if (newEnd > reassemblyList->end) {
Trace(OVERLAP_REASSEMBLY_END_STR);
/* may be past reassembly list end (could have more on list)
so try to add what's past the front->end */
AddToReassembly(session->flags.side, reassemblyList->end +1,
*sslFrame + reassemblyList->end - *expected + 1,
newEnd - reassemblyList->end, session, error);
}In the next block of code, shown above, we test whether newEnd is greater than the end of the first item in our reassemblyList. If it is, we may need to add that data into the reassemblyList (if it is not already there). This is done by the AddToReassembly function.
Does this help clear things up?
- Chris
Hi Sheldon,
Thanks for the bug fix. We've made your suggested change and committed it to our GitHub repository.
Regards,
Chris
Glad to hear you got it figured out. One of the items on our task list is to update our embedded SSL library in OpenWrt to 2.0.
- Chris
Could you tell me a little more about the chain you are trying to verify, and the CA certs you are loading? Such as:
- Structure of your server certificate
- Does your CA certificate file which you are loading contain only a single CA cert?
- If so, is it signed by anyone else (another CA)?
Thanks,
Chris
Could you tell me what RSA key size you are using? Also, is your CA file you are loading a single certificate, or a cert chain?
Thanks,
Chris
Are you using the most current version of CyaSSL (2.0)? We changed several things in 2.0 as far as certificate handling. Let me know if you still get the error with 2.0.
- Chris
Hi,
Have you tried our most current version of CyaSSL (CyaSSL 2.0) to see if you still get the same error? You can download it from here: http://yassl.com/yaSSL/Download.html.
Regards,
Chris
Hi j3g,
Have you checked the value you are getting for "b" in GetName()? CyaSSL is expecting the tag 0x06 (ASN_OBJECT_ID).
Is the server you are testing against public? If not, could you send the server certificate and server key you are using to support@yassl.com?
Thanks,
Chris
Hi Deepak,
- CRYPTO_num_locks
- CRYPTO_set_locking_callback
- CRYPTO_set_id_callback
We haven't implemented the above 3 functions because they're not needed in CyaSSL (but you can find placeholders for them in ssl.c). For CyaSSL thread safety, please look at section VI of our "CyaSSL Additional Features" document (http://yassl.com/yaSSL/Docs_CyaSSL_Addi … tures.html). Unlike OpenSSL, CyaSSL avoids using global data, static data, and the sharing of objects.
- BIO_new_file
- PEM_read_bio_DHparams
- SSL_CTX_set_verify_depth
- load_dh_params
CyaSSL doesn't support the above functions. RAND_add and setting tmp_dh are handled internally by CyaSSL.
- SSLv23 method
CyaSSL provides SSLv23_client_method() and SSLv23_server_method() to use for this.
CyaSSL's OpenSSL compatibility layer is not fully complete. Instead we provide a subset of the most commonly-used functions from OpenSSL to allow for ease of porting CyaSSL embedded SSL into existing OpenSSL projects (about 200 out of their 4000 functions). Very often, even though CyaSSL doesn't have the exact function you might be looking for from OpenSSL, it should have similar functionality.
Our OpenSSL Compatibility layer is expanded as we encounter new porting efforts. The comments you see about GoAhead are just indications those functions were brought to our attention during that port.
Regards,
Chris
Hi,
wolfSSL (as of release 1.6.0), includes support for RSA key generation. wolfSSL must be built with the "--enable-keygen" option. You can then you can follow instructions provided in Chapter 7 of the wolfSSL Manual: "Keys and Certificates", here:
http://yassl.com/yaSSL/Docs-cyassl-manu … cates.html
Regards,
Chris
Ok, thanks for letting us know. We'll add that to our documentation.
- Chris
Good to hear. We'll add that to our documentation.
- Chris
Thanks, we'll look into getting these cleared up.
- Chris
Ken,
Glad to hear you're happy with wolfSSL! You're correct, DTLS sounds like it would be the best option to me as well.
If you update to the latest version of wolfSSL from GitHub (https://github.com/wolfSSL/wolfssl), you can adjust the MTU size by altering MAX_MTU in internal.h. As for the ECC stuff, it's currently undetermined when the official release will be.
- Chris
Hi,
Yes, you can use the CBIORecv/CBIOSend function pointers to point to your own custom I/O functions (you can use the EmbedSend() and EmbedReceive() functions as templates and guides). You would then be able to hand off the data buffer to one of your other protocols from within your custom send function and bring it back to wolfSSL with your custom receive function.
Why do you want to use DTLS?
Regards,
Chris
Hi topher,
Similar to your other thread about certificate serial numbers (http://yassl.com/forums/topic81-x509-serial-number.html), wolfSSL doesn't provide a way to directly access peer-certificate dates. Is this something that you need?
wolfSSL does all verification internally, including notBefore and notAfter dates. The SSL_CTX_set_verify() function allows you to set options for how the verification is done. Setting SSL_VERIFY_PEER will cause the server to send a certificate request to the client.
Regards,
Chris
topher,
Sounds like an interesting embedded SSL project. What kind of server are you creating? Currently, getSerialNumber() functionality isn't on our list, but if you have a need for it, we can work with you to add the functionality.
Regards,
Chris
Hi,
Have you considered using OCSP instead of a CRL? There are several issues surrounding CRLs (See the "Problems" section of the CRL wikipedia page: http://en.wikipedia.org/wiki/Certificat … ation_list. OCSP is the current method to deal with those problems.
If using OCSP, you could enable SESSION_CERTS in wolfSSL, and use the cert chain to hand off to an OCSP server you had access to. With OCSP, one of the things you would still need though is the cert serial number.
If you want to implement OCSP with wolfSSL, we could help if you would like.
Regards,
Chris
Hi,
wolfSSL does all verification internally (signature, date, domain name). The X509_get_serialNumber() function is part of wolfSSL's OpenSSL Compatibility layer, and is currently just a stub that always returns 0.
Why do you need the serial number?
Regards,
Chris
Hi,
I wasn't able to reproduce your error about zlib not being found. I was able to verify that the configure script doesn't check for zlib if the "--with-libz" option is not given. Which version of wolfSSL are you using?
Thanks,
Chris
Sam,
Would you mind explaining a little more?
Thanks,
Chris
Sam,
Glad to hear that you found our SSL sniffer to use with your project!
sslFrame is the input pointer. This means that it points to the input frame, whether that be the original data or a decoded frame. To the end consumer of the input, it doesn't matter if sslFrame is pointing to the original data or decoded data.
In the code you referenced above, the encrypted data can't be used as input, so it is decrypted by the "DecryptMessage()" function and stored into the output buffer. After this, sslFrame is re-pointed to the output buffer (our decrypted data).
Does this help?
- Chris
wolfSSL - Embedded SSL Library → Posts by chrisc
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.023 seconds (67% PHP - 33% DB) with 4 queries