You are not logged in. Please login or register.
Active topics Unanswered topics
Welcome to the wolfSSL Forums!
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
References
Stable Releases - download stable product releases.
Development Branch - latest development branch on GitHub.
wolfSSL Manual - wolfSSL (formerly CyaSSL) product manual and API reference.
Search options (Page 3 of 4)
Nitin,
You need to tell the echoserver about the CA of the client cert you've created. The echoserver has no way to verify the client cert you've created without it, that's why you're getting failure to verify signature.
You can use CyaSSL_CTX_load_verify_locations() with the ca-cert.pem CA on the echoserver.
You should also note the echoserver changes directory upon startup. I'd also recommend using different names for keys and certs than wolfSSL uses for its tests ones, just to keep everything clear.
-Todd
We've pushed these changes to our embedded SSL github sources. Thanks for the report.
Thanks Paul. I just checked in a patch yesterday that changes CyaSSL's default certificate generation to SHA-1 with RSA since iOS 5 no longer accepts MD5 with RSA either. We'll update the CyaSSL test certificates on Monday and have a blog about these changes.
By the way, the echoserver example would probably be easier for you. It doesn't have client verification and sends an HTTP reply if a GET is received, and runs in a loop.
Thanks again,
-Todd
Ok. We'll plan on adding OpenSSL public keys to the Rsa decoder for the next release which should be in the next month or so.
Are you trying to implement your own SSL type handshake, only simpler? If so, the security you think you're getting is almost certianly not as strong as it appears. In order to ensure proper authentication and encryption SSL is probably the way to go. I'd recommend using SSL and then transferring the password over the secure channel.
Even if we patched TaoCrypt to support OpenSSL public keys directly (instead of through certificates) it still wouldn't meet your requirement of OpenSSL compatibility since TaoCrypt isn't API compatible with OpenSSL's crypto API.
I take it SSL is too costly?
Thanks! I've pushed these changes.
You're correct. It didn't make it into 1.9.0. Though it has made it into our source on github and will make it into the next release, more testing is needed at this point. You can try it out with:
git clone git@github.com:cyassl/cyassl.git
cd cyassl
./autogen.sh
./configure (whichever options you use)
make
Thanks for taking the time to submit the patch! We'll add to the main branch this week.
Thanks eof! We'll add these this week to the main branch.
Thanks for the patch! It's been pushed to our embedded SSL library on github.
SSL_connect() will return success (done) or failure (fatal_error), that's just the way the API was designed. To see the actual error, call SSL_get_error(). In this case WANT_READ will be converted to SSL_ERROR_WANT_READ for OpenSSL compatibility. See man SSL_connect for more details (or look online if the SSL man pages aren't installed on your system).
NON_BLOCKING is a define used by the examples. wolfSSL proper doesn't "know" blocking or non-blocking, it's neutral by design.
SSL_connect() works in blocking and non-blocking mode. The while loop is there because some steps require reading multiple blocks. If the underlying I/O is non-blocking and no I/O is ready then ProcessReply() will return the error WANT_READ which causes an immediate return from the function. You can test this by defining NON_BLOCKING for the examples.
The handshake callback is intended for embedded SSL systems for debugging support. That is, when a good debugger isn't available and sniffing is impractical. It basically allows a trace of the handshake and won't be helpful for network i/o.
You'll want to use wolfSSL's user I/O callbacks found in cyassl_io.c. By default, wolfSSL uses EmbedReceive() to get data and EmbedSend() to send data. But you can write any I/O functions you want and then register them with CyaSSL_SetIORecv() and CyaSSL_SetIOSend(). You can also set a context for each SSL session with CyaSSL_SetIOReadCtx() and CyaSSL_SetIOWriteCtx(). The void* ctx could point to a structure that has information about where the next read or write buffer is, the size, and anything else you may need to track.
Try to follow the the error handling strategy of the default send/recv functions for maximum compatibility. That is, if wolfSSL calls your Recv function and no data is ready and you don't want to block, just return IO_ERR_WANT_READ. Then when you're notified by your network callback that I/O is ready just call the wolfSSL function again that didn't have data ready, like SSL_read() or SSL_connect() and it will pick up where it left off.
Not currently. It's one of the strange things about DTLS. It not only eliminates the advantage UDP has over TCP in terms of startup, it actually makes it worse. And it basically requires full TCP semantics during the handshake removing the 2nd advantage. The other advantage is broadcasting but I'm not sure if that could even work with DTLS since each client will have different keys because of the way the handshake is designed.
You may be better off using TLS but overwriting the underlying I/O like you've been doing?
Thanks, you're right, having SSL_ERROR_NONE when result > 0 is more compatible with OpenSSL. I've put it into our latest patch of our embedded SSL library which should be available tomorrow on github.
At this point we do not have ECC for our embedded SSL library. We're still looking into patent and license issues before making that available.
Let us know what else you find.
Thanks.
You can now build CyaSSL 1.9.0+ with the latest sources available from curl at git clone git://github.com/bagder/curl.git.
To use it.
CyaSSL steps:
1) get CyaSSL 1.9.0
2) ./configure --disable-static
3) make
4) sudo make install
curl steps
1) git latest curl sources from above link
2) ./buildconf
3) ./configure --disable-shared --with-cyassl --without-ssl --enable-debug
4) make
You'll now have a new curl with CyaSSL in src/. If you're not loading all the CA certificates you need to verify sites for testing use -k to do insecure mode, e.g.,
./curl https://gmail.google.com -k
Did you try the Visual Studio Project or something else? What problems are you running into?
Definitely. Though to be a perfect drop in replacement we'd have to implement the several thousand function calls they support, and that would probably negate the size advantage.
It was a little more work than I thought and we never finished it. We have enough customer/ potential customer work right though that our efforts for other project compatibility has fallen off. It's certainly on our todo list. Maybe we can devout some time to it later this month. We'd also assist anyone trying to do it themselves if that's an option.
Pros: Not having to implement the OS specific locking/unlocking of the session cache mutex in a multi-threaded environment.
Cons: For the client the con isn't too bad unless the client would otherwise be doing a lot of session resumptions and/or there are device constraints making public key operations extremely slow on the device. For the server, the cons are pretty big unless there are a low number of clients and they aren't doing session resumption.
This is a little cleaner when KEY_GEN is on, it will be in the next release:
buf = XMALLOC(len, heap, DYNAMIC_TYPE_RSA);
if (buf == NULL) {
return -1;
}
XMEMSET(buf, 0, len);
I know someone put CyaSSL into a VPN, though I'm not sure I ever learned which one.
wolfSSL is thread safe, in fact the only part of the library that requires protection is the session cache for session resumption. That doesn't appear to be the issue here.
Are you using a separate SSL* for each client connection? Is the concurrent server threaded? If SSL_get_peer_certificate() isn't returning a cert either SSL_accept() failed or the peer didn't actually send a certificate. Are you checking the return of SSL_accept(). If everything looks good can you send a wireshark trace of two simultaneous connection attempts that reveals the problem to todd@wolfssl.com? Thanks.
RSA bit strength is determined by the server's RSA key strength in the server's certificate. If you want RSA 2048 make sure the server's RSA key pair and certificate is using RSA 2048.
The wolfSSL client will use TLS_DHE_RSA_WITH_AES_256_CBC_SHA by default if the server supports it. The wolfSSL server doesn't currently support it. But now that wolfSSL has key generation with the latest release it will be added into the next release or so.
Posts found: 51 to 75 of 97
Generated in 0.018 seconds (89% PHP - 11% DB) with 4 queries