Thanks for the suggestion.  When we add support for small frame MTUs in a coming version of wolfSSL embedded ssl we'll make sure this works.

Thanks for the reports.

1) How did you get our embedded SSL source?  The downloadable 2.4.0 should have cyassl/version.h in the .zip.  Our github tree also has it checked in although there was a day where it was missing in the last couple weeks.

2) The latest github tree now has fixes for all of these warnings on Windows x64 except for...

3) The 64 bit shift warning.  Using i64 isn't portable.  We do have a somewhat portable 64bit macro W64LIT except for platforms that don't have 64bit types available of course.  It doesn't make any sense to me to have the index of the array use a 64 bit type, especially since it isn't portable to many of our platforms.  We could explicitly cast the shift to 32 bits but that just makes the code harder to read there.  I'm going to leave that warning for now.  We'll discuss it at our next meeting.

Thanks again for the reports.

Just commited a fix.

You can always remove -Werror from the Makefile to get past these warning errors as we're testing all compilers/versions/systems with the recent decision to treats warnings as errors in the source tree.  The release versions won't have this restriction.

ripemd and hc128 aren't used by browsers.  aesni is a way to process AES in hardware on a compatible Intel chipset, but it's still just normal AES to the browser.  aesgcm is starting to be used by browsers.

Can you do a git pull

./autogen.sh
./configure
make clean
make
?

I just checked in some changes for the new build warnings/errors for linux64.

You can see the commit here: https://github.com/cyassl/cyassl/commit … ec657b859e

Thanks Joe!

We've added the feature but in the current wolfSSL ASN framework.  It's now available on github.

No replacement is on the map yet.

If you --enable-yassl-testing the same ParseCert() is called with the same arguments.  Also, SSL_connect() calls ParseCert().  I've never seen this stack problem in those instances.  Is it possible something else is damaging the stack and you're just seeing it then?

Yes.  wolfSSL is good to use for the SSL handshake.  See the echoserver example for maximum browser compatibility.

No, after the client gets a "Connection established" it starts a SSL/TLS handshake.  After that is complete it will issue a GET or whatever it wants.

The easiest way to monitor this is to put Wireshark between the browser and proxy.  Make sure what you think is happening is happening.

The browser is not going to like having wolfSSL pretend to be the server.  The hostname of the certificate won't match and it won't be signed by a trusted authority.  This is not a simple task.  Read up on the relevant RFCs for HTTP,SSL, proxies.

Part of the problem is probably that sites often use redirection, sometimes multiple, depending on the address used, current login status, etc.  For example, hotmail may take you to the login which has a different certificate and chain than the actual mail certificate and chain.  When you connect directly with CyaSSL you are first having to go through the login process I'm guessing.  Maybe you should start with some simpler fixed certificate sites?  The CyaSSL example echoserver is a verify simple https web server.

Hi Nitin,

Thanks for sending the CA (rootcert) and generated certs.  wolfSSL is setting the correct issuer information but in a different order than the OpenSSL generated one.  I've never seen OpenSSL do this before (with that order that is), what version are you using?  My understanding is that the name information should go

C (Country)
ST (State)
L (Locality)
O (Organization)
OU (O Unit)
CN (Common Name)
/optional like email

In the short term I guess you'll have to use the same SSL package to do the CA and issued certificates, which is pretty common I suppose.  If we can confirm that OpenSSL is correct in varying the order of the issuer information we'll have to patch wolfSSL to copy the issuer information verbatim instead of trying to interpret it and reorder it.

Thanks for the report. 

-Todd