1

(2 replies, posted in wolfSSL)

Thanks for the support. We successfully integrated the wolfssl library.

I also managed to resolve the TLS handshake by including some more extension flags into the CA certificate.

so far all good.

Thanks for the support.

To answer my own question regarding the private key parsing error:

I found a site that decodes the private key from a der file. There is some difference in the generated keys:
- default wolfssl client-key.der: https://bit.ly/2kRB2az
- my key: https://bit.ly/2ksFxs0

Then I converted the private key pem file with the following command which does not generate the additional "header" in the der file:

openssl pkey -inform PEM -outform DER -in client-key.pem -out client-key.der

This works fine.

Hi David,

Thank you for your reply. I already have a working client which successfully establishes a TLS 1.2 connection with the server using the default (wolfssl) CA, certificates and keys. Then I generated the CA, client and server certificates with the commands described above and exchanged the default certificates with the new ones. The first thing was that the der key on the client side could not be loaded (error -4). Then I loaded the key in pem format which was successful however then the TLS handshake process failed.

If you need more info from my side please let me know.

Thanks again for your support.
Regards, Peter

I would like to create a selfsigned CA and then generate signed client and server certificates. For this purpose I executed the following commands:

Create CA key and selfigned CA certificate:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out ca-key.pem
openssl req -x509 -new -nodes -addext keyUsage=critical,cRLSign,keyCertSign -key ca-key.pem -sha256 -days 3000 -out ca-cert.pem -subj "/C=SI/ST=Ljubljana/L=Ljubljana/O=MyCompany/OU=MyProduct/CN=myDomain"

Create client certificate signed with CA:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out client-key.pem
openssl req -verbose -new -key client-key.pem -out client.csr -sha256 -subj "/C=SI/ST=Ljubljana/L=Ljubljana/O=MyCompany/OU=MyProduct/CN=myDomain"
openssl x509 -req -extensions client_server_ssl -extfile openssl-ext.conf -extensions client_server -in client.csr -CA ca-cert.pem -CAkey ca-key.pem -days 3000 -CAcreateserial -out client-cert.pem

Content of  openssl-ext.conf is:

[ client_server ]
keyUsage = digitalSignature, keyEncipherment, keyAgreement

Convert client cert to der format:

openssl x509 -inform PEM -outform DER -in client-cert.pem -out client-cert.der

Covert client key to der format:

openssl pkcs8 -topk8 -inform PEM -outform DER -in client-key.pem -out client-key.der -nocrypt

To generate the server certificate I basically repeat the process of the client certificate generation.

I have two issues with those certificates:
1. The function wolfSSL_CTX_use_PrivateKey_buffer(..., WOLFSSL_FILETYPE_ASN1) fails loading the client-key.der with a result code -4. However if I load the pem file and execute the function wolfSSL_CTX_use_PrivateKey_buffer(..., WOLFSSL_FILETYPE_PEM) I have no issue. What would be the reason?

2. Connection with these certificates does not work

I use openssl 1.1.1

Any help would be appreciated

6

(2 replies, posted in wolfSSL)

Hello,

we want to integrate the wolfSSL into an ultra low power device where the CPU is held in sleep mode as much as possible. For this reason, everything is interrupt-driven; all threads are blocked by semaphores for an indefinite time otherwise the OS does not permit the CPU to enter into sleep mode. When the connectivity layer receives a data packet, it wakes up the CPU and then the CPU reads the data from the connectivity layer and then wakes a receiving thread that consumes the received data.
I was thinking to register the receive function with the wolfSSL_CTX_SetIORecv(). When needed, WolfSSL will call the ctx->CBIORecv() function and block indefinitely until data is pushed by the connectivity layer.

Is this the right approach to take? Or it is possible to push data into WolfSSL instead of polling for data?
Does wolfSSL_connect() have any means to timeout?

Regards, Peter