(3 replies, posted in wolfSSL)

Hi bkeller02,

Thanks for the follow-up.  Please try running nm on the output library, for example /usr/local/lib/libwolfssl.a.

If you still see wc_ChaCha20Poly1305_Decrypt in the output, try running "ldd" on your application and confirm that it is pointing to the correct wolfSSL library.  If you have a system wolfSSL package installed, try uninstalling it.

Thanks,
Kareem

(3 replies, posted in wolfSSL)

Hi bkeller02,

I expect the function wc_ChaCha20Poly1305_Decrypt to be available with the defines HAVE_CHACHA and HAVE_POLY1305; there are no additional requirements for this function as of 5.7.6.  Just to be sure, can you try replacing these flags with --enable-chacha --enable-poly1305 and let me know if it helps?

If not, please confirm what version of wolfSSL you're using.  Please also try running

nm -g --defined-only

on your wolfSSL library and confirm whether you see wc_ChaCha20Poly1305_Decrypt in the output.

Thanks,
Kareem
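
An added example, not code from Kareem's posts, that scripts the two checks described above: nm for the defined symbol in the library, and ldd for which libwolfssl the application actually resolves. The function names and the library/application paths in the usage comment are my own placeholders.

```shell
#!/bin/sh
# Added example (not from the forum post): script the symbol and linkage
# checks. Function names, library path and app path are placeholders.

# has_symbol NM_TEXT SYMBOL
# Takes the text produced by `nm -g --defined-only <lib>` and succeeds if
# SYMBOL is a defined global code symbol (type T, or W for weak).
# Taking text rather than a path lets the check be exercised offline.
has_symbol() {
    printf '%s\n' "$1" | awk -v sym="$2" '
        $2 ~ /^[TW]$/ && $3 == sym { found = 1 }
        END { exit !found }'
}

# check_lib LIB SYMBOL: run nm on the real library and report the result.
check_lib() {
    if has_symbol "$(nm -g --defined-only "$1" 2>/dev/null)" "$2"; then
        echo "OK: $2 is defined in $1"
    else
        echo "MISSING: $2 is not defined in $1"
        echo "  -> rebuild with --enable-chacha --enable-poly1305"
        return 1
    fi
}

# resolved_wolfssl APP: print the libwolfssl the dynamic loader actually
# picks for APP, so a stale system package can be spotted. Only meaningful
# for dynamic linking; a static libwolfssl.a is already inside the binary.
resolved_wolfssl() {
    ldd "$1" 2>/dev/null | awk '/libwolfssl/ { print $3 }'
}

# Typical use (paths are placeholders):
#   check_lib /usr/local/lib/libwolfssl.a wc_ChaCha20Poly1305_Decrypt
#   resolved_wolfssl ./my_app
```

If check_lib reports the symbol but the application still fails to link or loads the wrong code, compare resolved_wolfssl's path against the library you built.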

Hi Mohammed,

Thank you for the follow-up.  As you are working on a commercial project, please forward your issue to support [AT] wolfssl [DOT] com.

Thanks,
Kareem

Hi Mohammed,

As the site you are connecting to is hosted by a CDN, you will most likely need to enable SNI to connect: https://www.wolfssl.com/documentation/m … ssl_usesni
If this doesn't help you can also try enabling alt cert chains via: --enable-altcertchains

Can you share a bit about your project with wolfSSL?  Are you using wolfSSL in a personal or commercial project?  If these details are sensitive, please contact us at support [AT] wolfssl [DOT] com.

Thanks,
Kareem

(3 replies, posted in wolfSSL)

Hello da,

We can look into adding a manual reset for the alert count; we will need to open a feature request for this.  Please email us at support [AT] wolfssl [DOT] com to set this up.

Thanks,
Kareem

Hi fenster,

To start with, build wolfSSL with --enable-distro and any other features you wish to enable, then run "make deb"; this will generate an installable Debian package.  You can alternatively run "make deb-docker" to perform this build inside of a docker container.

We don't currently support building a Debian package from wolfssl-py, only a PIP package, for which you'll find the instructions here: https://github.com/wolfSSL/wolfssl-py
If you'd like us to add support for this, I can help you set up a feature request; please email us at support [AT] wolfssl [DOT] com.

Thanks,
Kareem

(3 replies, posted in wolfSSL)

Hello da,

Great question.  You can define the macro WOLFSSL_ALERT_COUNT_MAX to the max number of alerts you want to accept before throwing an error, so if you truly want to ignore alerts you can: #define WOLFSSL_ALERT_COUNT_MAX 9999
We do not reset the alert count in the code anywhere, so this will eventually get tripped if enough alerts are accumulated.  The count is not reset until the WOLFSSL struct is freed.
I would recommend finding a way to fix the errors leading to alerts rather than ignoring/suppressing them.

Can you share some information about your project?  Are you working on a personal or commercial project?  Feel free to email us at support [AT] wolfssl [DOT] com if this information is sensitive.

Thanks,
Kareem

Hi Sadanand,

Great question.  So we don't have a define called HAVE_AESCCM_8, and you don't need any extra defines.  The exact same build settings are used to enable TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256.

If I'm understanding right, your connection is closing after a few seconds, is that correct?  If so, are you confident your server supports the cipher suite TLS_AES_128_CCM_8_SHA256?

Please share your user_settings.h and generate and share a full debug log.  To generate a debug log, build with --enable-debug --enable-debug-trace-errcodes and run wolfSSL_Debugging_ON() at the start of your program.

Please share some information about your project.  Are you working on a personal or commercial project?

Feel free to email us at support [AT] wolfssl [DOT] com if any of this information is sensitive.

Thanks,
Kareem

(5 replies, posted in wolfSSL)

wolfSSL will attempt to include stdarg.h if OPENSSL_EXTRA is defined; you'll need to remove this define if you don't have this header available on your system.

(6 replies, posted in wolfSSL)

Hi Nilesh,

Great question.  So the client only needs to store/know about the root CA; to load this, use wolfSSL_CTX_load_verify_buffer.  The server will load the intermediate certs and the server certs; you can use wolfSSL_CTX_use_certificate_chain_buffer for this.

During the connection, the server will send over its cert and all intermediates, then the client will verify the chain against the root CA it has loaded.

(6 replies, posted in wolfSSL)

Hi Nilesh,

I am happy to help.  So if I'm understanding right, you want to be able to update your certificate buffer without recompiling your application.  In this case we would recommend setting aside a section of flash for your certificate, and pointing your cert buffer to this address.  Then you can update your certificate by replacing this section rather than recompiling your entire application.

We don't support automatically generating certificates as described.  If you would like us to add support for this, we would need to set up a feature request; please contact us at support [AT] wolfssl [DOT] com to set this up.

Thanks,
Kareem

(5 replies, posted in wolfSSL)

This define will go in your user_settings.h; you can find more information on, and some examples of, user_settings here: https://github.com/wolfSSL/wolfssl/tree … es/configs
I would recommend starting with user_settings_template.h and adjusting it to your use case.

(6 replies, posted in wolfSSL)

Hi Nilesh,

Great question.  Security-wise, you are better off generating a new CA certificate with a shorter expiration date like 1 year vs a longer expiration date like 20 years.
Around the 1-year mark when your certificate is about to expire, you will want to generate a new certificate for the server; we have some examples of how to do this with wolfSSL here: https://github.com/wolfSSL/wolfssl-exam … er/certgen
On the client side, you will need to load the newly generated CA certificate instead of the old one.  Since you are using a static buffer in code, you'd need to update this buffer and rebuild your code.  If your device supports a filesystem, you could point wolfSSL to a file which you'd replace when the cert expires.

May I ask if you are using wolfSSL in a personal or commercial project?  Feel free to email us at support [AT] wolfssl [DOT] com if this information is sensitive.

Thanks,
Kareem

(5 replies, posted in wolfSSL)

Hi Bryce,

Thank you for your interest in wolfSSL, and great question.  For Integrity OS, you will need to define __INTEGRITY or INTEGRITY; this define should be set by default by your toolchain.
We have various IDE example projects here which you may find helpful: https://github.com/wolfSSL/wolfssl/tree/master/IDE

May I ask what kind of project you are using wolfSSL in and whether it is personal or commercial?  You are welcome to email us at support [AT] wolfssl [DOT] com if these details are sensitive.

Thanks,
Kareem

(6 replies, posted in wolfSSL)

Hi OilProducts,

What version of wolfSSL are you using and which compiler are you using on OS X?  What version is your OS X compiler/toolchain?  If you aren't using our latest release 5.7.6, please give it a try and let me know if it helps.

Thanks,
Kareem

(2 replies, posted in wolfSSL)

Hi Sunnysunday,

Are you confident you are not setting your WOLFSSL_CTX/WOLFSSL ciphers at runtime before connecting?  wolfSSL_get_ciphers gets the full list of enabled cipher suites in the library, not the currently enabled cipher suites in your WOLFSSL.

Thanks,
Kareem

(4 replies, posted in cURL)

Hi de2,

Please share your build settings for wolfSSL and tinycurl.  Please also ensure you are using the latest version of each, which is currently wolfSSL 5.7.4 and tinycurl 8.4.0.  Which TLS versions/algorithms do you require for your use case?

As you are using a static library, note that the library size is not the final size, as the linker will discard a significant part of the library when linking to your application.  If you are using libcurl rather than tinycurl as a standalone application, you will need to link it into your application, then check the size with your toolchain's size utility or with the map file generated by your compiler.  Please also ensure that you are using your compiler's size optimization option (for example -Os) and have LTO enabled.

Thanks,
Kareem

(7 replies, posted in wolfSSL)

Hello Happy,

-140/ASN_PARSE_E is a general error thrown when the cert/CRL passed in is invalid in some way.  For more information on where this error is coming from, please rebuild with --enable-debug --enable-debug-trace-errcodes.

Thanks,
Kareem

Hi alem,

It looks like you're failing to build the kernel helper get_thread_size.  You could try bypassing the need to build this by building with KERNEL_THREAD_STACK_SIZE=16384 make, but we generally don't expect that you should be having issues building this.
Are you confident your kernel module build environment is set up correctly?  Are you able to build any other kernel modules, even an example "hello world" module?

Please share some details on your project and whether you are using wolfSSL in a commercial or personal project.  You are welcome to email us at support [AT] wolfssl [DOT] com if this information is sensitive.

Thanks,
Kareem

(7 replies, posted in wolfSSL)

Hello Happy,

-179 is CRL_CERT_DATE_ERR; this means the CRL's date is not valid when compared to the current time.

You may find our debug logging helpful; you can enable it by building with --enable-debug and running wolfSSL_Debugging_ON() at the start of your program.

Thanks,
Kareem

(2 replies, posted in wolfSSL)

Hello Sunnysunday,

Those cipher suites require WOLFSSL_STATIC_PSK defined and PSK, AES/AES-CBC, TLS and SHA256 enabled.  It looks like your config is only missing WOLFSSL_STATIC_PSK; you will need to manually add this flag, as it is not supported with a configure argument currently: "CFLAGS=-DWOLFSSL_STATIC_PSK" ./configure ...

Thanks,
Kareem

(7 replies, posted in wolfSSL)

Hello Happy,

-190 is ASN_CRL_NO_SIGNER_E; this means the CRL's CA cert is not registered with wolfSSL.  You will need to register your CA cert with wolfSSL_CertManagerLoadCA before calling wolfSSL_CertManagerLoadCRLBuffer.

Thanks,
Kareem

(17 replies, posted in wolfSSL)

For the dynamic library error you need to copy the given hash into verifyCore in fips_test.c and rebuild wolfSSL.

(17 replies, posted in wolfSSL)

Hi Volga,

When using wolfSSL as a static library, the hash will change depending on the application wolfSSL is built against.  You will need to run strongswan with wolfSSL linked, then get the FIPS hash from there and rebuild wolfSSL with that hash.  I would recommend building as a dynamic library if possible as it will be more straightforward.

(17 replies, posted in wolfSSL)

Hi Volga,

That error means the FIPS hash was not updated correctly; you will need to update your FIPS hash or wolfSSL will not initialize.

Thanks,
Kareem