You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by kareem_wolfssl
Hi Sunnysunday,
Are you confident you are not setting your WOLFSSL_CTX/WOLFSSL ciphers at runtime before connecting? wolfSSL_get_ciphers gets the full list of enabled cipher suites in the library, not the currently enabled cipher suites in your WOLFSSL.
Thanks,
Kareem
Hi de2,
Please share your build settings for wolfSSL and tinycurl, please also ensure you are using the latest version of each which is currently wolfSSL 5.7.4 and tinycurl 8.4.0. Which TLS versions/algorithms do you require for your use case?
As you are using a static library, note that the library size is not the final size as the linker will discard a significant part of the library when linking to your application. If you are using libcurl rather than tinycurl as a standalone application you will need to link it into your application then check the size with your toolchain's size utility or with the map file generated by your compiler. Please also ensure that you are using your compiler's size optimization option (for example -Os) and have LTO enabled.
Thanks,
Kareem
Hello Happy,
-140/ASN_PARSE_E is a general error thrown when the cert/CRL passed in is invalid in some way. For more information on where this error is coming from, please rebuild with --enable-debug --enable-debug-trace-errcodes.
Thanks,
Kareem
Hi yechenz37,
We don't generally recommend --enable-all as this will enable every single feature leading to an inefficient library build. Instead we would recommend tuning your build for your use case, if you are receiving linking errors it means you are missing a build option for an API you are using.
--enable-all does not enable small stack, they are separate defines.
We do support reallocating a buffer as long as your system supports the realloc system call, this is used in a few places in the code.
Great find on LARGE_STATIC_BUFFERS, that will help avoid allocations for connections as your TLS buffer is now larger. How many mallocs are you seeing with this option enabled?
Thanks,
Kareem
Hi alem,
It looks like you're failing to build the kernel helper get_thread_size. You could try bypassing the need to build this by building with KERNEL_THREAD_STACK_SIZE=16384 make, but we generally don't expect that you should be having issues building this.
Are you confident your kernel module build environment is set up correctly? Are you able to build any other kernel modules, even an example "hello world" module?
Please share some details on your project and whether you are using wolfSSL in a commercial or personal project. You are welcome to email us at support [AT] wolfssl [DOT] com if this information is sensitive.
Thanks,
Kareem
Hi yechenz37,
Please share your wolfSSL version and build settings (user_settings.h or ./configure line), in particular if you are using small stack or SP no malloc. These settings, especially small stack, will lead to an increase in malloc/frees.
We do support fully disabling malloc when using static memory as you've found but if you only want to minimize mallocs rather than disabling them completely we can accommodate that as well.
Are you able to share any information on your project and whether it is personal or commercial? Feel free to email us at support [AT] wolfssl [DOT] com if this information is sensitive.
Thanks,
Kareem
Hello Happy,
-179 is CRL_CERT_DATE_ERR, this means the CRL's date is not valid when compared to the current time.
You may find our debug logging helpful, you can enable it by building with --enable-debug and running wolfSSL_Debugging_ON() at the start of your program.
Thanks,
Kareem
Hello Sunnysunday,
Those cipher suites require WOLFSSL_STATIC_PSK defined and PSK, AES/AES-CBC, TLS and SHA256 enabled. It looks like your config is only missing WOLFSSL_STATIC_PSK, you will need to manually add this flag as it is not supported with a configure argument currently: "CFLAGS=-DWOLFSSL_STATIC_PSK" ./configure ...
Thanks,
Kareem
Hello Happy,
-190 is ASN_CRL_NO_SIGNER_E, this means the CRL's CA cert is not registered with wolfSSL. You will need to register your CA cert with wolfSSL_CertManagerLoadCA before calling wolfSSL_CertManagerLoadCRLBuffer.
Thanks,
Kareem
For the dynamic library error you need to copy the given hash into verifyCore in fips_test.c and rebuild wolfSSL.
Hi Volga,
When using wolfSSL as a static library, the hash will change depending on the application wolfSSL is built against. You will need to run strongswan with wolfSSL linked, then get the FIPS hash from there and rebuild wolfSSL with that hash. I would recommend building as a dynamic library if possible as it will be more straightforward.
Hi Volga,
That error means the FIPS hash was not updated correctly, you will need to update your FIPS hash or wolfSSL will not initialize.
Thanks,
Kareem
Hi volga629,
Since you are using FIPS ready, please try adding a call to wc_RunAllCast_fips() after strongswan calls (wolf)SSL_Init() and let me know if it helps. If not, please enable wolfSSL debug logging and attach a debug log here.
Thanks,
Kareem
Hello volga629,
-203 IN_CORE_FIPS_E means our FIPS hash check failed. When building wolfSSL FIPS you must update the FIPS hash after any build option/environment change, you can either run the script fips-hash.sh in the root of the wolfSSL directory or run the wolfCrypt test and copy the hash it outputs to fips_test.c. Then rebuild and retry using wolfSSL with strongswan.
Thanks,
Kareem
Hi volga629,
Yes, configure is what I would recommend to set up wolfSSL with strongswan, since you are able to use configure arguments instead of having to define every single setting. Your setup looks correct to me.
For the Visual Studio case you will also need the IDE/WIN10 user_settings.h I linked merged with yours, and WOLFSSL_FIPS_READY defined.
Thanks,
Kareem
Hi volga629,
You can safely disregard the message in your most recent post as it is just a warning.
For the missing references you are seeing, you will need multiple defines added to your build settings for strongswan. Since you are using FIPS ready, you will want to start with our "WIN10" Visual Studio project and define WOLFSSL_FIPS_READY in user_settings.h: https://github.com/wolfSSL/wolfssl/tree … /IDE/WIN10
Then you will want to add the following defines to fully enable strongswan support:
#define OPENSSL_ALL
#define SESSION_CERTS
#define WOLFSSL_KEY_GEN
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_EXT
#define HAVE_CRL
#define WOLFSSL_CERT_REQ
#define HAVE_OCSP
#define WOLFSSL_DES_ECB
#define WOLFSSL_LOG_PRINTF
#define WOLFSSL_PUBLIC_MP
#define HAVE_EX_DATA
#define WOLFSSL_DTLSThanks,
Kareem
For Visual Studio you'll need to add the path to your wolfSSL library to your project's additional library directories and wolfssl.lib to your additional dependencies in project properties -> librarian -> general.
Hello volga629,
Yes, after building wolfSSL you will want to install it with "sudo make install" so your linker can find it. Depending on wolfSSL's install path, you may need to add the path to LD_LIBRARY_PATH as well.
Thanks,
Kareem
Hello Volga,
I am seeing a recent commit for PARSE_ERROR in strongswan which should fix this, please try rebuilding with it applied and let me know if it helps: https://github.com/strongswan/strongswa … 2e31a046e1
Thanks,
Kareem
Hello Isabella,
To enable a DTLS MTU you will need to define WOLFSSL_DTLS and WOLFSSL_DTLS_MTU. These defines enable DTLS and enable setting the DTLS MTU. We do support DTLS 1.3 as well which you can enable by defining WOLFSSL_DTLS13.
The implication is you're enabling DTLS which is different than TLS, it uses UDP vs TLS which uses TCP. You can't set the MTU in TLS 1.3, we only support this for DTLS.
Thanks,
Kareem
Hi chyuk98,
Thanks for your interest in wolfSSL. We don't currently support BLAKE1, only BLAKE2 as you've seen. If you'd like to have us add support for BLAKE1, please reach out to us at support [AT] wolfssl [DOT] com so we can set up a feature request.
Thanks,
Kareem
I'm glad to hear you were able to get your connection working.
Check out our documentation on static memory here: https://www.wolfssl.com/docs/static-buffer-allocation/
Hi Isabella,
-188/Unknown CA means you are loading the wrong CA cert for the server you are trying to connect to. You can confirm you're loading the correct CA cert by connecting with your browser and checking the security/cert chain info there.
Note that since you are using static memory, you must pass in a buffer to functions like wolfSSL_X509_NAME_oneline.
Thanks,
Kareem
Hello Happy,
After enabling CRL checking, wolfSSL will automatically check your CRL as part of the connection.
If you want to manually perform this check, you can set up a cert manager, enable CRL checking on it with wolfSSL_CertManagerEnableCRL, load your CRL with wolfSSL_CertManagerLoadCRL/wolfSSL_CertManagerLoadCRLBuffer then call wolfSSL_CertManagerCheckCRL to check the CRL: https://www.wolfssl.com/documentation/m … ercheckcrl
Thanks,
Kareem
Hi MO380,
Please reach out to us at support [AT] wolfssl [DOT] com, you should be able to attach files there. Please attach your user_settings.h/configure line in your ticket.
Thanks,
Kareem
wolfSSL - Embedded SSL Library → Posts by kareem_wolfssl
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.017 seconds (86% PHP - 14% DB) with 4 queries