1 (edited by Scotty2541 2021-05-17 10:51:03)

Topic: 18 seconds to Key Exchange...?

Hello,
I am using version 4.7 in a TI SYSBIOS RTOS environment, running on an A8 am335x MCU.

A TCP/IP socket server is running in the device. I am connecting to it with a chrome browser.

The server in the ARM device has self signed certificates.  So naturally the browser gives a prompt and warning.

When using a 2048 bit cert key, the page appears within 1/2 second.

When using a 4096 bit key, it takes 18 seconds.  (Actually it take more because apparently, the browser is failing and reconnecting...  so it is really 38 seconds).

It is even sucking all the MCU time from the TI RTOS tasks, as nothing else runs while it is doing whatever this math is.

I have tried many of these settings in this thread, https://www.wolfssl.com/forums/post5516.html#p5516
however nothing budges.

Currently, the settings I have defined are:

#define USE_FAST_MATH
#define ALT_ECC_SIZE

#define OPENSSL_EXTRA        /*   */

//  From the "settings.h"
    #define FP_MAX_BITS 8192        /*  Increase for 4096 bit key */
    #define USE_CERT_BUFFERS_2048
    #define USE_CERT_BUFFERS_4096
    #define HAVE_ECC
    #define HAVE_ALPN
    #define USE_WOLF_STRTOK /* use with HAVE_ALPN */
    #define HAVE_TLS_EXTENSIONS
    #define HAVE_AESGCM

//  Speed up tests
#define WOLFSSL_SP_DH
#define WOLFSSL_HAVE_SP_ECC


//  New settings, trying to get client to connect
#define    WOLFSSL_AES_256
#define RSA_LOW_MEM
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512

#define NO_PSK
#define HAVE_AESGCM
#define ECC_USER_CURVES
#define ECC_SHAMIR
#define WOLFSSL_RIPEMD
#define HAVE_EXTENDED_MASTER

I also have wireshark traces for both certificates (2048 = okay, 4096 = SLOW). They are zipped and attached.
(IP ...93 is the server, IP ...111 is my browser laptop connecting to it)

Any advice appreciated.

-Scott

Post's attachments

WireShark.zip 13.52 kb, file has never been downloaded. 

You don't have the permssions to download the attachments of this post.
-Scott
<Code shown is not to scale>

Share

Re: 18 seconds to Key Exchange...?

Hi Scott,

Make sure you set `WOLFSSL_SP_4096` to enable 4096-bit support for SP math. Also set `WOLFSSL_HAVE_SP_RSA` and `WOLFSSL_HAVE_SP_DH` to speedup RSA/DH with SP math.

For this A8 you can also enable SP assembly speedups for RSA/DH and ECC using `WOLFSSL_SP_ARM_THUMB_ASM`. If the code size grows too large you can use `WOLFSSL_SP_SMALL`. You might also consider disabling DH and use just ECDHE for the key share using `NO_DH`.

Thanks,
David Garske, wolfSSL

Share

Re: 18 seconds to Key Exchange...?

David,
Thanks but no change.

Actually it made it worse.  See comments associated with my definitions:

//  Speed up tests
#define WOLFSSL_SP_DH
#define WOLFSSL_HAVE_SP_ECC
#define WOLFSSL_SP_4096                <--  Enabled this, but (with the ones below turned off)  still 18 seconds.
//#define WOLFSSL_HAVE_SP_RSA          <--  I enabled these, and it SLOWED to over 20 seconds.  The browser times out and actually NEVER connected
//#define WOLFSSL_HAVE_SP_DH           <--
// #define WOLFSSL_SP_ARM_THUMB_ASM    <--   the TI compiler doesn't like the inline assembler.


//  New settings, trying to get client to connect
#define    WOLFSSL_AES_256
#define RSA_LOW_MEM
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512

Code size is not really an issue.

Any other ideas?

-Scott
<Code shown is not to scale>

Share

Re: 18 seconds to Key Exchange...?

Hi Scott,

See here for a list of SP math build options:
https://github.com/wolfSSL/wolfssl/blob … _int.c#L42

For the assembly an you try using `WOLFSSL_SP_ARM32_ASM`

Try disabling DH (NO_DH) and only use RSA and ECC. For SP related build options try just these:

#define WOLFSSL_SP_MATH
#define WOLFSSL_HAVE_SP_RSA
#define WOLFSSL_HAVE_SP_ECC
#define WOLFSSL_SP_4096
#define WOLFSSL_SP_ARM32_ASM
#define NO_DH
#define HAVE_ECC

Thanks,
David Garske, wolfSSL

Share