Hi zhq0918,

There's a post on intel's forums (here: https://software.intel.com/en-us/forums … pic/742944) about using the function sgx_get_trusted_time, which may be what you're looking for with getting the enclave's time. Additionally, intel's documentation has the following information on the function as well: https://01.org/sites/default/files/docu … os_pdf.pdf. The function is documented on page 189.

Hi zhq0918,

That error is reported when there are certificates not valid (yet), or if the date being used is incorrect. Can you verify that the device's set date and the enclave's set date are accurate or close to the current date?

Hi move,

I don't believe there's a way to detect at runtime if the max_fragment_length has been negotiated, but you are able to check the current values of the max_fragment_length extension in the ssl object by using the wolfSSL_GetMaxOutputSize API. It checks the SSL object and returns what the current max_fragment_length extension value is.

Hope this helps!

Hi move,

If you want to detect features enabled by the configure script, you'll want to use the options file that was mentioned earlier (wolfssl/options.h). The config.h file is used with the MDK builds and wouldn't work very well with your application.

Hi move,

The two header files you're referring to aren't really there for detecting features, they're there to tell the wolfSSL library which features it should build with. You can search the files to see if features are being used or not though. Depending on the configuration of the wolfSSL library, it can use different settings files under different names.

The options.h file is generated and used when the wolfSSL library is configured and built with automake tools and the configure script. The settings.h file is used for setting OS-specific options that the wolfSSL library will use. Every application using the wolfSSL library should be including the file wolfssl/wolfcrypt/settings.h before including any other wolfSSL headers, and I see that it is being included in examples/client/client.c around line 27. Is this the client you're referring to?

If you had any other questions or information that was needed, please feel free to let me know.

6

(0 replies, posted in wolfBoot)

Welcome to the wolfBoot secure boot loader forum. Please submit any questions, comments, feature requests, or anything else related to wolfBoot here. Stay tuned for more information about the wolfBoot product.

Additionally, inquiries may also be sent to support@wolfssl.com for best response times

Hi m0ot,

I couldn't find anything immediately wrong with the certificate or your code after a first glance, except for one thing - when you're passing the buffer to wolfSSL_CTX_load_verify_buffer, you should be passing the length of the buffer instead of the size of the pointer variable. When performing sizeof calls, if you pass a pointer variable like that it'll only return the size of the pointer and not the size of the buffer the pointer is referring to.

If changing this doesn't resolve your issue, then it may help debug the issue if you enable wolfSSL debugging, and share the error codes that are being encountered when you are attempting to use the modified example.

8

(1 replies, posted in wolfSSL (formerly CyaSSL))

Hi Okba,

It's kind of strange that that function isn't being documented. From what I can tell, it should be documented on this page here: https://www.wolfssl.com/doxygen/wolfssl_2ssl_8h.html. In regards to the actual explanation of what that function does, let me share the snippet that should be describing the function on that page.

    Allows caller to set the Public Key Callback for RSA Verification.
    The callback should return the number of plaintext bytes for success or
    < 0 for an error.  The ssl and ctx pointers are available for the user’s
    convenience.  sig is the signature to verify and sigSz denotes the length
    of the signature.  out should be set to the beginning of the verification
    buffer after the decryption process and any padding.  keyDer is the RSA
    Public key in ASN1 format and keySz is the length of the key in bytes.
    An example callback can be found wolfssl/test.h myRsaVerify().

The function "wolfSSL_CTX_SetRsaVerifyCb" should not return anything on its own, as it's return type is void.

For future reference, when these functions are not being described in the documentation, many wolfSSL API have descriptions located within the wolfSSL library itself, at the following location: <wolfssl-root>/doc/dox_comments/header_files/.

Please let me know if there was anything I missed or if you'd like any further information.

9

(7 replies, posted in wolfSSL (formerly CyaSSL))

Hi valcroft,

Sorry for the delay in my reply. I looked at the example code you had shared and there didn't seem to be any obvious problems with it, so I looked at the certificates you had mentioned. The certificate you were defining in your code was an issued certificate for Google, which to me does not appear as if it would work, but as you're successfully connecting to the webserver and receiving the 400 response, it obviously succeeds when loaded in with trustidrootx3_chain.pem, so this may not be the issue but it is something to keep in mind.

In response to actually receiving the blank response from the webserver, the client is actually receiving something from the server - the "400 bad request" response (79 bytes long). Would you be able to pass in the "-g" option to the client application when connecting to the sandnox domain? This should resolve that "bad request"/empty response issue.

Thank you!

10

(7 replies, posted in wolfSSL (formerly CyaSSL))

Hi valcroft,

Thanks for using wolfSSL! I'm sorry that you had been running into an issue and are now running into the problem with no data being given, or with the blank response. I'll look into this some more, and I'll try and figure out what could be causing this.

Thank you!

11

(0 replies, posted in wolfTPM)

Welcome to the wolfTPM portable TPM 2.0 forum. Please submit any questions, comments, feature requests, or anything else related to wolfTPM here. Stay tuned for more information about the wolfTPM product.

Additionally, inquiries may also be sent to support@wolfssl.com for best response times.

12

(0 replies, posted in wolfSSH)

Welcome to the wolfSSH lightweight SSH library forum. Please submit any questions, comments, feature requests, or anything else related to wolfSSH here.  Stay tuned for more information about the wolfSSH product.

Additionally, inquiries may also be sent to support@wolfssl.com for best response times.

13

(6 replies, posted in wolfSSL (formerly CyaSSL))

Hi zeta,

The Makefile is actually just an auto-generated file that has more information about the wolfSSL configure options than regular compiler options. Compiler options can be added when building however by using the "CFLAGS" variable. Additionally, using the "--enable-debug" option should perform the same function as the "-g" option. I've shown both of these options below:

./autogen.sh
./configure CFLAGS="-g"    #Option A
./configure --enable-debug #Option B

More information about building wolfSSL can be found in chapter 2 of the wolfSSL manual. Please let me know how this suggestion works out for you!

Thank you!

Hi jb3,

There shouldn't be any such gencertbuff.pl file anywhere in the wolfSSL library. There is, however a file called gencertbuf.pl in the root directory wink - it seems to be just a typo when searching for the file. Do you mind if I ask where you saw the spelling of the file? It could be a typo that needs to be fixed in wolfSSL documentation.

Hope this helps!

15

(4 replies, posted in wolfSSL (formerly CyaSSL))

Hi david.ruiz,

I checked internally on some applications that could be run on some GPUs and just found out that we actually DO NOT support CUDA and OpenCL frameworks. We have had interest in the past on running wolfSSL on GPUs and so we had done a small amount of work porting wolfSSL to GPUs, but had never actually completed any ports.

Do you mind if I ask what you're interested in using wolfSSL for on a GPU?

Sorry about that misinformation before.
Thank you!

16

(4 replies, posted in wolfSSL (formerly CyaSSL))

Hi david.ruiz,

wolfSSL is currently ported to two GPU frameworks, Cuda and OpenCL. Cuda was created by Nvidia, and would be used to write programs for their graphics cards. OpenCL was created by the Khronos Group, and would be used to write programs for a wider range of units (not only GPUs).

More information on CUDA: http://en.wikipedia.org/wiki/CUDA
More information on OpenCL: https://en.wikipedia.org/wiki/OpenCL

Hi kporenta,

In order to determine if this is the issue that you are truly experiencing, could you please share a test application that we are able to compile so we can reproduce the issue for testing purposes? Additionally, would you be able to share the openssl command you are using?

Thank you!

Hi ehsan.aerabi,

In addition to John's suggestion, another thing I would point out is that you are passing the size of the pA pointer and the size of the gA pointer to wc_DhSetKey, not the actual size of the data. I would instead change that call to use these variables:

int pASz = sizeof(dh_p);
int gASz = sizeof(dh_g);

and then pass those variables in place of the previous sizeof calls (below)

ret = wc_DhSetKey(&keyA, pA, pASz, gA, gASz);

Hi zeta,

I'm glad to hear that it worked out for you! And yes, you can ask questions regarding general information about TLS here, but you will tend see best response times if you email support@wolfssl.com!

Hi zeta,

Thanks for reaching out with this error. After looking at it, it seems like the examples/server/server application can't recognize

DHE-RSA-AES-128-SHA

It does, however, recognize

DHE-RSA-AES128-SHA

(this was found in src/internal.c, line 15570).

Please let me know if this solves your issue.

Thank you!

Hi Jim,

Glad to hear that it started working out for you! And just in case, if you did want to install to a different directory from the default directory that wolfSSL installs to, then all that's needed is to specify that directory while running the "configure" script. An example would look like this:

$ ./configure --prefix=/home/alex/some_directory/

Please let us know if you have any other questions at all.

Thank you!
Alex Abrahamson

Hi Jim,

After doing a quick search to find out more about that error code, I found this article (https://stackoverflow.com/questions/363 … -error-127) on stack overflow.

Could you maybe post your configure command that you used prior to running make & make install?

Thank you!

Hi rmartin92,

Which port number are you referring to when you say standard port?