You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by kareem_wolfssl
Hello Isabella,
To enable a DTLS MTU you will need to define WOLFSSL_DTLS and WOLFSSL_DTLS_MTU. These defines enable DTLS and enable setting the DTLS MTU. We do support DTLS 1.3 as well which you can enable by defining WOLFSSL_DTLS13.
The implication is you're enabling DTLS which is different than TLS, it uses UDP vs TLS which uses TCP. You can't set the MTU in TLS 1.3, we only support this for DTLS.
Thanks,
Kareem
Hi chyuk98,
Thanks for your interest in wolfSSL. We don't currently support BLAKE1, only BLAKE2 as you've seen. If you'd like to have us add support for BLAKE1, please reach out to us at support [AT] wolfssl [DOT] com so we can set up a feature request.
Thanks,
Kareem
I'm glad to hear you were able to get your connection working.
Check out our documentation on static memory here: https://www.wolfssl.com/docs/static-buffer-allocation/
Hi Isabella,
-188/Unknown CA means you are loading the wrong CA cert for the server you are trying to connect to. You can confirm you're loading the correct CA cert by connecting with your browser and checking the security/cert chain info there.
Note that since you are using static memory, you must pass in a buffer to functions like wolfSSL_X509_NAME_oneline.
Thanks,
Kareem
Hello Happy,
After enabling CRL checking, wolfSSL will automatically check your CRL as part of the connection.
If you want to manually perform this check, you can set up a cert manager, enable CRL checking on it with wolfSSL_CertManagerEnableCRL, load your CRL with wolfSSL_CertManagerLoadCRL/wolfSSL_CertManagerLoadCRLBuffer then call wolfSSL_CertManagerCheckCRL to check the CRL: https://www.wolfssl.com/documentation/m … ercheckcrl
Thanks,
Kareem
Hi MO380,
Please reach out to us at support [AT] wolfssl [DOT] com, you should be able to attach files there. Please attach your user_settings.h/configure line in your ticket.
Thanks,
Kareem
Hi Scott,
The two main sources of documentation on our build flags are section 2 of our manual and our user_settings.h examples:
https://www.wolfssl.com/documentation/m … ssor-macro
https://github.com/wolfSSL/wolfssl/tree … es/configs
PSK is enabled by default and doesn't need a flag to enable it. If you wanted to disable it, you would define NO_PSK.
<wolfssl dir>/configure.ac is what translates our configure arguments into defines, but I would recommend consulting our documentation first.
Thanks,
Kareem
Hi MO380,
-323 WANT_READ is an expected error during a connection, this just means you should call the connect/read function again until the error goes away. The error is indicating wolfSSL needs to read additional data which hasn't come in yet.
Check out our LWIP example here: https://github.com/wolfSSL/wolfssl-exam … aster/lwip
Thanks,
Kareem
Hi Rob,
Great question. We don't currently support this with public APIs, we can give you some guidance on how to do this with internal APIs but it will take some work. Please contact us at support [AT] wolfssl [DOT] com for more information on this.
Thanks,
Kareem
Hi Scott,
wolfSSL_get_ciphers gets the entire cipher list compiled into the library, it is not getting the currently enabled cipher list. To get that, you can call wolfSSL_get_cipher_list_ex(ssl, priority). You will need to make the WOLFSSL object from the WOLFSSL_CTX after you call wolfSSL_CTX_set_cipher_list for it to reflect the cipher list you've set.
Thanks,
Kareem
Hi rvdvpdt,
Great question. We do support parsing custom extensions with a callback function, check out our example of this here: https://github.com/wolfSSL/wolfssl-exam … callback.c
Thanks,
Kareem
Hi bp787,
To enable wolfssl_dtls_set_mtu, you will need to build with WOLFSSL_DTLS_MTU defined, or if you are using ./configure, you can use --enable-dtls-mtu.
Setting the rx buffer size doesn't apply if you are not using IO callbacks. Please try setting the MTU and let me know if it helps.
Thanks,
Karee
We do not enable OCSP by default, you need to define HAVE_OCSP, then call wolfSSL_EnableOCSP to enable it: https://www.wolfssl.com/documentation/m … enableocsp
Hi dcanthony,
How much stack are you giving wolfSSL? A very common source of crashes/issues is insufficient stack, wolfSSL generally needs about 20-30KB of stack. As you are on an embedded system I would also recommend defining WOLFSSL_SMALL_STACK.
You may also be running into issues with entropy from your RNG or your RNG in general. Are you confident your RNG is functioning correctly?
You are correct that you'll usually need additional defines for your RNG, I am not seeing a seed generation function for your platform's RNG so you will need to define your own.
I recommend basing your user_settings.h off of our template here: https://github.com/wolfSSL/wolfssl/blob … template.h
You will want to define your own seed generation function with CUSTOM_RAND_GENERATE: https://github.com/wolfSSL/wolfssl/blob … ate.h#L424
Since you're able to see debug logging, if possible I would recommend upgrading to 5.7.2 and defining WOLFSSL_DEBUG_TRACE_ERROR_CODES in addition to DEBUG_WOLFSSL, this will print error and line numbers in our debug logs. This feature was added in 5.7.2 so you would need to upgrade for it.
It looks like you have an active support contract with us, can you follow up on this by emailing us at support [AT] wolfssl [DOT] com? Please provide debug logs and your user_settings.h as well.
Thanks,
Kareem
Hello Happy,
We do support CRLs which you can enable by building wolfSSL with --enable-crl. To activate support at runtime, call wolfSSL_CTX_EnableCRL followed by wolfSSL_CTX_LoadCRL. You can find documentation for these functions here: https://www.wolfssl.com/documentation/m … tx_loadcrl
Thanks,
Kareem
Hi Leonie,
Thanks for the followup. For FFDHE 3072, try defining the CFLAG HAVE_FFDHE_3072.
What size are your DH params? Are you confident both wolf and OpenSSL are using the same size? For wolfSSL, you should ideally use 2048, 3072 or 4096, as our code for 1024-bit is not as accelerated.
I would recommend trying WOLFSSL_OLD_PRIME_CHECK as well and seeing if it helps.
If you continue to see the same issue, it would help if you can profile your code and see which functions are taking the most time.
Thanks,
Kareem
Hi Preethi,
Thanks for the followup, I'm glad to hear my suggestions helped.
SP math assembly will help significantly, please share your build log with errors so I can hopefully help you enable this for further speedups. Your build settings would also be helpful.
As you having trouble attaching files here, please contact us at support [AT] wolfssl [DOT] com for further assistance.
Thanks,
Kareem
Hi Preethi,
I am not able to see your build settings, can you reattach them?
For the best speed with ECC, I would recommend using SP math with SP math assembly speedups:
#define WOLFSSL_HAVE_SP_ECC
#define WOLFSSL_SP_MATH_ALL
#define WOLFSSL_SP_ARM_CORTEX_M_ASMECC_SHAMIR is also a good define for speeding up ECC operations, I would recommend consulting the ECC section of our user_settings.h template here: https://github.com/wolfSSL/wolfssl/blob … template.h
Also make sure you are using our latest wolfSSL release, 5.7.2.
What is the size of the key you are trying to verify?
Thanks,
Kareem
Hello Leonie,
Thank you for your interest in wolfSSL and your extended testing. I would strongly recommend removing --enable-all from your configure line and replacing it with: --enable-sp --enable-sp-math --enable-sp-asm --enable-intelasm. This will enable our fastest math library, SP math, and all of our assembly speedups. OpenSSL uses assembly by default, so this will be a more equivalent comparison.
You can also optionally add CFLAGS='-DWOLFSSL_OLD_PRIME_CHECK' for a further speedup, but this does hurt security and isn't generally recommended.
As for session tickets, we do have an internal session cache which should be enabled by default.
Thanks,
Kareem
Hello Craig,
Great question. Since the forum post you linked, we have implemented a set of APIs for AES-GCM streaming which provides exactly what you're looking for.
Check out our example here: https://github.com/wolfSSL/wolfssl-exam … -encrypt.c Build instructions here: https://github.com/wolfSSL/wolfssl-exam … crypto/aes
Note that you will need to build with --enable-aesgcm-stream to enable this feature.
Thanks,
Kareem
Hello Philippe,
It looks like you are asking for a set of zero-copy callbacks, does that sound correct?
If so, we don't currently support this, we would like to add support but it would take significant time.
Please contact us at support [AT] wolfssl [DOT] com to discuss this further.
Thanks,
Kareem
Hi ppawel87,
Please try defining WOLFSSL_CERT_EXT in your user_settings.h and let me know if it helps.
If not, please attach your certs and confirm which site you are trying to connect to. If this information is sensitive, you may email us at support [AT] wolfssl [DOT] com with this information.
Thanks,
Kareem
Hi MUH,
The current wolfCrypt version is stored in the variable __version__ in wolfcrypt/_version.py, you can get it as follows:
from wolfcrypt._version import __version__
Thanks,
Kareem
Hi manya,
I just saw your updated post. Disabling asm will work around the issue, but ideally I would like to get this fixed so you can benefit from our assembly optimizations as well.
Hi manya,
Please share your build config for wolfSSL (./configure line or user_settings.h). I will have our assembly expert review this.
It would be helpful to know if you see the same issue on wolfSSL master.
Thanks,
Kareem
wolfSSL - Embedded SSL Library → Posts by kareem_wolfssl
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.017 seconds (86% PHP - 14% DB) with 4 queries