Topic: Building wolfSSL with stunnel

Hi, I can't seem to get stunnel-4.31 to compile against cyassl-1.4.0. As per the README file, I compiled cyassl-1.4.0 with:

    ./configure --disable-shared --enable-opensslExtra --enable-fastmath --without-zlib
    make
    make openssl-links

And compiled stunnel-4.31 with:

    ./configure --with-ssl=/root/diablo/cyassl/cyassl-1.4.0
    make

I get these errors:

    prototypes.h:115: error: expected specifier-qualifier-list before ‘ENGINE’
    prototypes.h:278: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token

I played with <cyassldir>/include/openssl/engine.h and added "#undef HAVE_OSSL_ENGINE_H", thinking that cyassldir's "#undef HAVE_OPENSSL_ENGINE_H" was a typo. That got me a step further, but I ended up with a bunch of errors relating to incomplete type:

    ctx.c: In function ‘sess_new_cb’:
    ctx.c:402: error: dereferencing pointer to incomplete type
    ctx.c:403: error: dereferencing pointer to incomplete type
    ctx.c:403: error: dereferencing pointer to incomplete type
    ctx.c: In function ‘sess_get_cb’:

Upon inspection, I don't see SSL being completely defined anywhere in the openssl compatibility API. Am I missing something?

Just for sanity, I downloaded the stunnel-cyassl.tar.gz file and tried to get that to compile, but ended up with the same errors. How did you get that to compile?
touska (Project Admin)
2010-02-24 00:21:30 UTC
Hi, I just built CyaSSL 1.4.0 with stunnel 4.31, steps:

For CyaSSL
1) ./configure --disable-shared --enable-opensslExtra --enable-fastmath
   (--without-zlib is no longer needed as it is now off by default)
2) make
3) make install (may need sudo make install; default is /usr/local/cyassl)

For stunnel
1) ./configure --with-ssl=/usr/local/cyassl
2) Makefile changes
   a) remove def for HAVE_OSSL_ENGINE_H=1, needs to be cleaned up
   b) change -lssl -lcrypto to -lcyassl (ideally should work without this change, but sometimes the system openssl is picked up first and causes linker problems)
3) Move two definitions out of the version #ifdef in prototypes.h, since stunnel uses them whether defined or not:
   a) ocsp_addr
   b) ocsp_path
   These are both in LOCAL_OPTIONS and can just be moved a couple of lines above the SSLEAY_VERSION_NUMBER, needs to be cleaned up
4) comment out all calls to cache_transfer() in ctx.c since CyaSSL handles these internally and because CyaSSL uses opaque typedefs that aren't defined at the API level (only internally), needs to be cleaned up -- use function calls instead of dereference.

Potentially the DEFAULT_STACK_SIZE may need to be increased when using fastmath. On OS X, for example, a value of 90,112 fixes stack corruption.

Let me know if you have any questions. I'll submit a request to have these changes placed in a new stunnel so that CyaSSL can be used without changes.
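An added example (not code from this thread, nor from stunnel or CyaSSL) that scripts the two Makefile edits from step 2 above so they can be reapplied after every re-run of ./configure, and checks the result. It assumes the generated Makefile carries the literal tokens -DHAVE_OSSL_ENGINE_H=1 and -lssl -lcrypto; the sample Makefile it writes for the dry run is constructed, not a real stunnel Makefile.

```shell
#!/bin/sh
# Added example: apply touska's Makefile edits (step 2a and 2b) to a
# configure-generated stunnel Makefile and verify them. Assumption: the
# Makefile contains "-DHAVE_OSSL_ENGINE_H=1" and "-lssl -lcrypto" verbatim;
# adjust the sed patterns if your configure output differs.

patch_stunnel_makefile() {
    mk="$1"
    cp "$mk" "$mk.orig"
    # a) drop the OpenSSL ENGINE define: CyaSSL's compat headers have no ENGINE type
    # b) link against libcyassl instead of the system OpenSSL libraries
    sed -e 's/-DHAVE_OSSL_ENGINE_H=1//g' \
        -e 's/-lssl -lcrypto/-lcyassl/g' \
        "$mk.orig" > "$mk"
}

# Returns 0 only when the ENGINE define and the OpenSSL libs are gone
# and -lcyassl is present.
check_stunnel_makefile() {
    mk="$1"
    grep -q 'HAVE_OSSL_ENGINE_H' "$mk" && return 1
    grep -q -- '-lssl' "$mk" && return 1
    grep -q -- '-lcrypto' "$mk" && return 1
    grep -q -- '-lcyassl' "$mk"
}

# Constructed stand-in for the relevant lines of a generated Makefile
# (not a real stunnel Makefile), used only for the dry run below.
write_sample_makefile() {
    printf 'DEFS = -DHAVE_CONFIG_H -DHAVE_OSSL_ENGINE_H=1\nLIBS = -lssl -lcrypto -lpthread\n' > "$1"
}

# Usage: sh patch_stunnel_makefile.sh /path/to/stunnel-4.31/src/Makefile
# With no argument, runs a dry run against the constructed sample.
if [ $# -gt 0 ]; then
    patch_stunnel_makefile "$1" && check_stunnel_makefile "$1" && echo "patched $1"
else
    tmp=$(mktemp -d)
    write_sample_makefile "$tmp/Makefile"
    patch_stunnel_makefile "$tmp/Makefile"
    check_stunnel_makefile "$tmp/Makefile" && echo "dry run ok: $tmp/Makefile"
fi
```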
stevef67
2010-02-24 02:53:29 UTC
Thank you touska. Got it to compile with those instructions.

I would like to get the cache_transfer() working to get remote session caching. All it needs is to be able to get access to ssl->ctx, but the SSL structure is not completely defined at that point in ctx.c. I notice that the SSL typedef is defined in <cyassldir>/include/cyassl_int.h, but it is not included in any of the openssl compatibility layer include files. Manually including cyassl_int.h would just throw up errors.
touska (Project Admin)
2010-02-24 18:42:50 UTC
Glad it worked, forgot to mention commenting out print_stats() too, but it looks like you figured that out.

It's not quite as simple as just exposing the CTX pointer in SSL. SSL_SESSION has a couple of dereferences too, session_id and session_id_length. And every app that's ported has a couple more... yaSSL started with the goal of the most basic API function compatibility, not source and type compatibility, which was impossible anyway since yaSSL is in C++. It also gives the user fewer ways to shoot themselves in the foot. wolfSSL continued this, and I believe leaving the type definitions internal is the correct choice. Especially since OpenSSL types are supposed to be used as if the type is incomplete, i.e., dereferencing isn't needed since API calls exist to retrieve those values. In this case, SSL_get_SSL_CTX() and SSL_SESSION_get_id() provide the 3 values (get_id gets both the session id and length). Adding those to wolfSSL and getting stunnel to use them is just a matter of coordination.

I'm not sure a remote session cache is a great idea. That's exposing the master secret to the wire (or even wireless). Anyone with the master secret can decode the entire session. Seems like a lot of risk. What's wrong with CyaSSL's internal cache? I guess I'm asking why a remote session cache is important?
olistudent
2010-03-27 21:40:00 UTC
Hi. Is there a patched version of stunnel-4.31 with wolfssl support available? Or can anybody of you provide a patch?
olistudent
2010-03-28 10:44:34 UTC
Okay, my colleague was faster. If anybody is interested, the patches can be found here: http://trac.freetz.org/browser/trunk/ma … el/patches

However, not all of them are related to this topic. You should provide the environment variable "OPENSSL_ALTERNATIVE=cyassl" during configure to get it running.

Regards
Oliver