Hi there,

I am using the wolfSSL server for my HTTPS server. After initialising the HTTPS server, at some point I want to reload a new certificate and key using wolfSSL_CTX_use_certificate_file() and wolfSSL_CTX_use_PrivateKey_file(). However, if I use Chrome or Firefox, the new certificate does not come into effect immediately. I have to wait for about 5-10 minutes for it to come into effect.

Tracing it in Wireshark, I found that the certificate is only updated/exchanged about every 500 seconds, even though there are multiple SSL handshakes in between
(see the attachment).

It's the same for Firefox and Chrome, but with IE11 the certificate is exchanged on every handshake.

Is this something on our server side, or purely a browser problem?

Thanks

Hi David,

Thanks for your reply. I'm currently giving the CTX 1 MB (1,048,578 bytes) of memory, and it is still giving the error. I set the minimum TLS version to version 1.

Here is the code for the cipher list:
static const char ec_cipher_list[] =
        "ECDHE-ECDSA-AES128-SHA256:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:"
        "ECDHE-ECDSA-AES128-SHA:"
        "ECDHE-ECDSA-AES256-SHA384:"
        "ECDHE-ECDSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-AES256-SHA";

static const char rsa_cipher_list[] =
        "ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-RSA-AES128-SHA:"
        "ECDHE-RSA-AES128-SHA256:"
        "ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-RSA-AES256-SHA:"
        "ECDHE-RSA-AES256-SHA384:"
        "ECDHE-RSA-DES-CBC3-SHA:"
        "DHE-RSA-AES128-SHA256:"
        "DHE-RSA-AES256-SHA256:"
        "DHE-RSA-AES128-SHA:"
        "DHE-RSA-AES256-SHA:"
        "EDH-RSA-DES-CBC3-SHA";

Here is a clearer diagram of what is OK and what is not; each change involves the certificate, the key and the cipher suites:

ECC=======>RSA    not ok
RSA=======>ECC    ok
RSA=======>ECC=======>RSA   not ok

Thanks
Waigor

Hi there,

In my application, my device initially uses an ECC key and certificate loaded with wolfSSL_CTX_use_certificate_file() and wolfSSL_CTX_use_PrivateKey_file(), then sets the cipher suites with wolfSSL_CTX_set_cipher_list() using the ECC cipher list. Later on, my device generates a new certificate with an RSA key; I repeat the steps above with the RSA cipher list, and then wolfSSL reports a MATCH_SUITE_ERROR during the handshake.

If I do it the other way around, initialising the device with an RSA key and switching to an ECC key later on, this error does not happen.

Does anyone know the cause of this and how to fix it? Or are there any limitations on changing the cipher list like this?

FYI, I initialise wolfSSL with the wolfSSL_Init() and wolfSSL_CTX_load_static_memory() APIs.

Thanks

Hi Kaleb,

Thanks for that. I already achieved that in OpenSSL. Since our device is embedded and does not run Linux or Windows, and we already have wolfSSL built into the device, I just want to see whether wolfSSL can do the same job, as we expect our device to generate its own self-signed certificate.

Regards

Hi Kaleb,

Thanks for your information.

Actually, our project was completed. However, due to a recent update in Chrome, since version 72 Chrome treats any certificate without a SAN field (which had been working fine with Firefox and IE for the past 5+ years) as "invalid" and is unable to establish TCP connections. So we are just working on updating those self-signed certificates.

Thanks

Hi Kaleb,

Please inform me if there's an update.

Thanks

Hi Kaleb,

I am currently using wolfSSL to generate self-signed certificates for the offline web servers. In the SAN case, I am working on putting the IP address of the web server into the SAN field.

Here is part of the code (including the code you gave me) to generate the certificate. The code was working perfectly fine without the SAN part (and even the certificate generated with your new code is still invalid):

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #include <wolfssl/options.h>
    #include <wolfssl/wolfcrypt/settings.h>
    #include <wolfssl/wolfcrypt/asn_public.h>
    #include <wolfssl/wolfcrypt/ecc.h>
    #include <wolfssl/wolfcrypt/random.h>

    #define BUF_SZ  4096
    #define KEY_LEN 256   /* keyLen was not defined in the posted snippet; P-256 assumed */

    /* subjectAltName extension, DER encoded, as given in the thread.
     * The outer SEQUENCE length (0x14), the OCTET STRING length (0x0D) and the
     * inner SEQUENCE length (0x0B) all need updating if the name changes. */
    static const unsigned char myAltNames[] = {
        /* SEQUENCE (2 elements) */
        0x30, 0x14,
        /* OBJECT IDENTIFIER 2.5.29.17 subjectAltName (X.509 extension) */
        0x06, 0x03, 0x55, 0x1D, 0x11,
        /* OCTET STRING (1 element) */
        0x04, 0x0D,
        /* SEQUENCE (1 element) */
        0x30, 0x0B,
        /* [2] dNSName, value "localhost" (9 bytes) */
        0x82, 0x09, 0x6C, 0x6F, 0x63, 0x61, 0x6C, 0x68,
        0x6F, 0x73, 0x74
    };

    static int make_self_signed_ecc_cert(void)
    {
        Cert myCert;
        unsigned char *keyPem = NULL;
        int keyPemLen = 0;
        unsigned char *keyDer = NULL;
        int keyDerLen = 0;
        int certPemLen = 0;
        int ret = -1;
        int certSz = 0;
        unsigned char *certDer = NULL;
        unsigned char *certPem = NULL;
        ecc_key privKey;   /* one key pair; the public half lives in the same ecc_key */
        WC_RNG rng;        /* RNG is the old alias of WC_RNG */
        FILE *f;

        ret = wc_InitRng(&rng);
        if (ret != 0)
            return ret;
        wc_ecc_init(&privKey);

        keyPem  = malloc(BUF_SZ);
        keyDer  = malloc(BUF_SZ);
        certDer = malloc(BUF_SZ);
        certPem = malloc(BUF_SZ);
        if (keyPem == NULL || keyDer == NULL || certDer == NULL || certPem == NULL) {
            ret = MEMORY_E;
            goto error_out;
        }

        wc_InitCert(&myCert);

        strncpy(myCert.subject.country, "NZ", CTC_NAME_SIZE);
        strncpy(myCert.subject.state, "Auckland", CTC_NAME_SIZE);
        strncpy(myCert.subject.locality, "CBD", CTC_NAME_SIZE);
        strncpy(myCert.subject.org, "Test Ltd", CTC_NAME_SIZE);
        strncpy(myCert.subject.unit, "WEB Server", CTC_NAME_SIZE);

        /* sizeof, not XSTRLEN: the DER bytes are binary, not a NUL-terminated string */
        XMEMCPY(myCert.altNames, myAltNames, sizeof(myAltNames));
        myCert.altNamesSz = (int) sizeof(myAltNames);

        myCert.daysValid = 365 * 20;
        myCert.sigType   = CTC_SHA256wECDSA;

        /* wc_ecc_make_key takes the key size in bytes */
        ret = wc_ecc_make_key(&rng, KEY_LEN / 8, &privKey);
        if (ret != 0)
            goto error_out;

    //  ret = wc_SetAltNames(&myCert, "a:/xxx/xxx.pem");
    //
    //  if (ret != 0) {
    //      goto error_out;
    //  }

        /* wc_MakeSelfCert only accepts an RSA key; for ECC build the body with
         * wc_MakeCert and then sign it with the same ECC key. */
        ret = wc_MakeCert(&myCert, certDer, BUF_SZ, NULL, &privKey, &rng);
        if (ret <= 0)
            goto error_out;

        certSz = wc_SignCert(myCert.bodySz, myCert.sigType, certDer, BUF_SZ,
                             NULL, &privKey, &rng);
        if (certSz <= 0) {
            ret = certSz;
            goto error_out;
        }

        certPemLen = wc_DerToPem(certDer, certSz, certPem, BUF_SZ, CERT_TYPE);
        if (certPemLen <= 0) {
            ret = certPemLen;
            goto error_out;
        }

        keyDerLen = wc_EccKeyToDer(&privKey, keyDer, BUF_SZ);
        if (keyDerLen <= 0) {
            ret = keyDerLen;
            goto error_out;
        }

        keyPemLen = wc_DerToPem(keyDer, keyDerLen, keyPem, BUF_SZ, ECC_PRIVATEKEY_TYPE);
        if (keyPemLen <= 0) {      /* this check used to test certPemLen again */
            ret = keyPemLen;
            goto error_out;
        }

        f = fopen("D:/xxx.crt", "wb");
        if (f) {
            unsigned char *ptr = certPem;
            do {
                ret = (int) fwrite(ptr, 1, certPemLen, f);
                if (ret <= 0)
                    break;
                certPemLen -= ret;
                ptr += ret;
            } while (certPemLen > 0);
            fclose(f);
        }

        f = fopen("D:/xxx.key", "wb");
        if (f) {
            unsigned char *ptr = keyPem;
            do {
                ret = (int) fwrite(ptr, 1, keyPemLen, f);
                if (ret <= 0)
                    break;
                keyPemLen -= ret;
                ptr += ret;
            } while (keyPemLen > 0);
            fclose(f);
        }
        ret = 0;

    error_out:
        /* reached on success as well, so all cleanup lives here */
        wc_ecc_free(&privKey);
        wc_FreeRng(&rng);
        free(keyPem);
        free(keyDer);
        free(certDer);
        free(certPem);
        return ret;
    }

The part using wc_SetAltNames is commented out in the code above; could you check whether I am using it correctly?

Apart from this, I also define the following at the beginning of asn_public.h to enable the SAN:

#define WOLFSSL_ALT_NAMES

Am I putting the SAN part in the right place? You mentioned that the SAN needs to be in ASN.1 format, but the Cert structure does not seem to be related to ASN.1...

Looking forward to your reply.

Thanks

Hi there,

I have difficulty setting the subject alternative name (IP address: xxx.xxx.xxx.xxx) for the certificate in wolfSSL. I tried the method from this post https://www.wolfssl.com/forums/topic140 … l-api.html, as in the code below:

Cert myCert;
char myAltNames[CTC_MAX_ALT_SIZE]="IP Address: 169.254.50.10";
XMEMCPY(myCert.altNames, myAltNames, XSTRLEN(myAltNames));
myCert.altNamesSz = XSTRLEN(myAltNames);

I also tried using the function wc_SetAltNames() with a .pem file (full details on this page https://wolfssl.com/doxygen/group__ASN.html). Neither works for me; they both generate invalid certificates. In Firefox, I get this error code: SSL_ERROR_RX_RECORD_TOO_LONG.

When I open the generated certificate file in Windows, it says invalid. The contents of the certificate look quite invalid to me too:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Without anything related to the alternative name, my code works perfectly fine and the generated certificate is "valid" (with no SAN field).


How could I solve this? All I want is to add something like this to the subject alternative name field of the certificate:

      IP Address: XXX.XXX.XXX.XXX

Thank you in advance.
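An added example, not from the thread and not wolfSSL's own code: a small C routine that builds the subjectAltName extension DER in the same layout as the hand-written byte array quoted earlier in the thread (Extension SEQUENCE, OID 2.5.29.17, OCTET STRING wrapping a GeneralNames SEQUENCE), so the three nested length bytes that had to be patched by hand are computed, and an IPv4 iPAddress entry (tag 0x87 with four raw octets, per RFC 5280) can sit next to a dNSName (tag 0x82). It only produces the bytes; the `san_entry` type, the function names and the sample inputs ("localhost" and 169.254.50.10, both taken from the posts) are mine, and it assumes the result is copied into Cert.altNames / altNamesSz the way the posted code does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* GeneralName tags (RFC 5280 4.2.1.6): context-specific, implicit. */
#define SAN_TAG_DNS 0x82   /* [2] dNSName, IA5String */
#define SAN_TAG_IP  0x87   /* [7] iPAddress, OCTET STRING of 4 octets for IPv4 */

/* Hypothetical input type, not part of wolfSSL. */
typedef struct { int is_ip; const char *value; } san_entry;

/* Dotted quad -> 4 octets; 0 on success, -1 on malformed input. */
static int parse_ipv4(const char *s, uint8_t out[4])
{
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    out[0] = (uint8_t)a; out[1] = (uint8_t)b; out[2] = (uint8_t)c; out[3] = (uint8_t)d;
    return 0;
}

/* Write a DER length at p (p == NULL only measures); returns bytes used.
 * Short form below 128, long form (0x80|n, then n big-endian bytes) above. */
static size_t der_length(uint8_t *p, size_t len)
{
    size_t n = 0, t = len, i;
    if (len < 0x80) { if (p) p[0] = (uint8_t)len; return 1; }
    while (t) { n++; t >>= 8; }
    if (p) {
        p[0] = (uint8_t)(0x80 | n);
        for (i = 0; i < n; i++) p[1 + i] = (uint8_t)(len >> (8 * (n - 1 - i)));
    }
    return 1 + n;
}

/* Build the whole extension, in the layout the posted byte array uses:
 *   SEQUENCE { OID 2.5.29.17, OCTET STRING { SEQUENCE OF GeneralName } }
 * Returns bytes written to out, or -1 on bad input or overflow. */
int build_san_extension(const san_entry *entries, size_t count, uint8_t *out, size_t outSz)
{
    static const uint8_t oid[] = { 0x06, 0x03, 0x55, 0x1D, 0x11 };
    uint8_t names[512];
    size_t namesLen = 0, seqLen, octLen, bodyLen, total, p = 0, i, k;
    for (i = 0; i < count; i++) {
        uint8_t ip[4], tag;
        const uint8_t *val;
        size_t valLen;
        if (entries[i].is_ip) {
            if (parse_ipv4(entries[i].value, ip) != 0) return -1;
            tag = SAN_TAG_IP; val = ip; valLen = 4;
        } else {
            val = (const uint8_t *)entries[i].value;
            valLen = strlen(entries[i].value);
            if (valLen == 0) return -1;
            for (k = 0; k < valLen; k++)            /* IA5String: 7-bit ASCII only */
                if (val[k] >= 0x80) return -1;
            tag = SAN_TAG_DNS;
        }
        if (namesLen + 1 + der_length(NULL, valLen) + valLen > sizeof(names)) return -1;
        names[namesLen++] = tag;
        namesLen += der_length(names + namesLen, valLen);
        memcpy(names + namesLen, val, valLen);
        namesLen += valLen;
    }
    /* Wrapper sizes, innermost first: these are the 0x0B / 0x0D / 0x14 bytes
     * that had to be patched by hand in the thread's array. */
    seqLen  = 1 + der_length(NULL, namesLen) + namesLen;   /* GeneralNames SEQUENCE */
    octLen  = 1 + der_length(NULL, seqLen) + seqLen;       /* extnValue OCTET STRING */
    bodyLen = sizeof(oid) + octLen;
    total   = 1 + der_length(NULL, bodyLen) + bodyLen;     /* Extension SEQUENCE */
    if (total > outSz) return -1;
    out[p++] = 0x30; p += der_length(out + p, bodyLen);
    memcpy(out + p, oid, sizeof(oid)); p += sizeof(oid);
    out[p++] = 0x04; p += der_length(out + p, seqLen);
    out[p++] = 0x30; p += der_length(out + p, namesLen);
    memcpy(out + p, names, namesLen); p += namesLen;
    return (int)p;
}

/* Cross-check: rebuilding "DNS:localhost" must give the 22 bytes posted in the thread. */
int san_matches_thread_example(void)
{
    static const uint8_t expected[] = {
        0x30, 0x14, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04, 0x0D, 0x30, 0x0B,
        0x82, 0x09, 0x6C, 0x6F, 0x63, 0x61, 0x6C, 0x68, 0x6F, 0x73, 0x74 };
    san_entry e = { 0, "localhost" }; uint8_t buf[64];
    int n = build_san_extension(&e, 1, buf, sizeof(buf));
    return n == (int)sizeof(expected) && memcmp(buf, expected, sizeof(expected)) == 0;
}

int main(void)
{
    /* Constructed sample: the DNS name from the thread plus the IPv4 address from the last post. */
    san_entry entries[] = { { 0, "localhost" }, { 1, "169.254.50.10" } };
    uint8_t san[128];
    int n = build_san_extension(entries, 2, san, sizeof(san)), i;
    if (n < 0 || !san_matches_thread_example()) { fputs("SAN build failed\n", stderr); return 1; }
    for (i = 0; i < n; i++) printf("0x%02X%s", san[i], i + 1 < n ? ", " : "\n");
    return 0;
}
```

The printed array is what would be copied into myCert.altNames with altNamesSz set to the returned length; for the IP-only case it is 17 bytes (0x30 0x0F ... 0x87 0x04 0xA9 0xFE 0x32 0x0A). A dotted quad or a DNS name with non-ASCII characters is rejected rather than encoded, since a SAN with a malformed GeneralName is exactly the kind of certificate browsers reject as invalid.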