Can you connect to the server using the wolfSSL example client? What I usually do for interop testing is:

Shell 1:
 

~/Code/wolfssl$ openssl s_server -accept 11111 -cert ./certs/server-ecc.pem -key ./certs/ecc-key.pem -dtls1

Shell 2:
 

~/Code/wolfssl$ ./examples/client/client -u -A ./certs/ca-ecc-cert.pem -v2

The server will show "hello wolfssl!" in shell 1. If you type something and press enter that text will show up on the client in shell 2.

The testsuite.test works on your Mac (along with the other test utilities). That's good to hear. I'm using a Mac as well.

You say the testsuite.test fails on your Arm board. I looked at the log you attached and there is an failure where we generate a date, covert it to a string, and compare it to an expected value. In file tests/api.c line 10685, could you output the value of the string "date_str"?

In your first post you listed your wolfSSL configure command. Is that what you are using on the ARM board or on your Mac? Is the ARM you are using 32-bit or 64-bit?

Are you using blocking or non-blocking sockets?

The example echoserver is using blocking sockets. The client drives the echoserver's behavior. You should use non-blocking sockets. The call to wolfSSH_stream_read() should return a WS_WANT_READ error if there isn't data available on the socket.

As far as the DoChannelRequest() issue, I agree with you on the solution to the problem. I'm adding this to my list.

Could you enable debugging and see if DoChannelWindowAdjust() is called? It should report what the peer wants to add back to the window, the current peerWindowSz and the updated peerWindowSz.

The logging will produce a lot of noisy output. Could you send the log to me directly?

And you are using commit 87eb3ad from the GitHub repository?

Correct, you only need the root CA. The other intermediate signers should be in the certificate chain with the peer certificate.

For OCSP stapling, the client should be getting the OCSP response record, signed by the root CA (or its delegate), during the handshake. The OCSP response should be for the server's certificate. (And the response should be the same blob of data you would get if you requested the status directly from the OCSP service listed in the peer's certificate.)

You'll need to supply a custom verify callback function. The verify callback is passed the error type and it gives you a chance to force a success or failure depending. See our API manual for the functions wolfSSL_set_verify() or wolfSSL_CTX_set_verify().

This was due to a misreading of RFC 6347 section 4.2.2. This has been recently fixed in our GitHub repository, commit 6d520e0.

For the first case with the wolfSSL based server and OpenSSL s_client, this is exactly what I expect to happen. The OpenSSL client is telling you that it doesn't like the certificate the server gave it, but since it is a test client it continues with the connection. Note the verify errors:

depth=0 /C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/CN=ww.wolfssl.com/emailAddress=info@wolfssl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/CN=ww.wolfssl.com/emailAddress=info@wolfssl.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/CN=ww.wolfssl.com/emailAddress=info@wolfssl.com
verify error:num=21:unable to verify the first certificate
verify return:1

As to the second case with the wolfSSL based client and OpenSSL s_server: According to Note 1 in our README file, "wolfSSL also no longer supports static key cipher suites with PSK, RSA, or ECDH." In your example, you are using the cipher suite AES128-SHA, which is a static RSA cipher suite. To get it to work you need to "#define WOLFSSL_STATIC_RSA" in your build.

Billy Bob:

In your callback for pcap_loop() are you accounting for the size of the ethernet header?

Our sniffer test code main function we have a variable called frame. It is normally set to 14, which is the size of the Ethernet frame header. (Or 4 if using a no-link interface.) The first thing that happens after receiving a packet from pcap_next() is the test adjusts the packet pointer past the ethernet frame header to the IP header (and adjusts the packet size accordingly) and then calls ssl_DecodePacket().

If the header isn't skipped, then the IP version number will be wrong as it is looking at part of the ethernet hardware address.

Billy Bob:

It kind of looks like the filter isn't working on the PCAP loop. Since it is working with pcap_next(). The sniffer is assuming that the data passed to it starts with the IP frame, not with any link local headers.

Can I ask about your project? How are you using the sniffer?

--John

Deepti:

I see that you also sent in a message to support@wolfssl.com. My colleague is helping you via that message chain.

Commonly, when we see and error -188, it is because the correct CA certificate for the peer wasn't loaded. For example, you can't use our CA certificate that is included with USE_CERT_BUFFERS_2048 to contact Google's server. (And I've seen a couple different certificate chains from Google that required different CA certificates.)