551 Reply by chrisc

(3 replies, posted in wolfSSL)

Hi jammers,

We just pushed a patch to our GitHub repository which should solve several of the problems you are encountering.  You can find the patch here (https://github.com/cyassl/cyassl/commit … ef42bd1667).  This patch adds an include for <cyassl/ctaocrypt/settings.h> in wolfSSL's crypto.h file.  It also implements SSL_get_cipher() which is needed by ssmtp.

In addition to using the new patch, you'll need to swith "-lssl -lcrypto" for "-lcyassl" in configure.in.

Where is the modified stunnel and light-httpd sources referenced in the forum?
I can't see those downloads anywhere on this site.

You can find instructions to build lighttpd 1.4.23 with wolfSSL in the wolfSSL README file included in the download.  I believe the last time we looked at stunnel compatibility was with stunnel 4.31 and wolfSSL 1.4.0.  Is this something you will be needing?

Regards,
Chris

Go to forum: wolfSSL

552 Reply by chrisc

(5 replies, posted in wolfSSL)

Hi Nitin,

... the test.c file uses the same key to sign and verify. Am I missing something here?

A RSA private key contains the public key, therefore CyaSSL is able to use it as both the public and private key as used in test.c.  You can load a separate public key using RsaPublicKeyDecode if you would like.  Apart from this, RsaSSL_Sign and RsaSSL_Verify are just inverse operations to the RsaPublicEncrypt and RsaPrivateDecrypt functions described in the CTaoCrypt Usage Reference.

Also,  http://yassl.com/yaSSL/Docs-cyassl-manu … cates.html shows how to generate an RSA key. This is a private key. What about public key??

CTaoCrypt doesn't currently have functionality to generate an individual public key (but the private key does contain the public key, as mentioned above).  The reasoning behind this is that for SSL, the private key and the public key in the form of a certificate is all that is needed.  You could use the OpenSSL command line utility to generate an individual public key based off your private key if needed.

Regards,
Chris

Go to forum: wolfSSL

553 Reply by chrisc

(14 replies, posted in wolfSSL)

Glad to hear you got it worked out.  So, things are working correctly now?

- Chris

Go to forum: wolfSSL

554 Reply by chrisc

(2 replies, posted in wolfSSL)

Hi,

Can you try using the most recent CyaSSL sources from GitHub (https://github.com/cyassl/cyassl) and see if your issue is resolved?  We recently made some changes to how CyaSSL processes CA certificates.  Please let me know if you are still having troubles.

Best Regards,
Chris

Go to forum: wolfSSL

555 Reply by chrisc

(3 replies, posted in wolfSSL)

Hi jammers,

How did you configure the wolfSSL library?  Are you using version 2.0.2 of wolfSSL?

Regards,
Chris

Go to forum: wolfSSL

556 Reply by chrisc

(4 replies, posted in wolfSSL)

Hi protocold,

You can build only the CyaSSL embedded SSL library (excluding examples, testsuite, etc.) by issuing the following after ./configure:

make src/libcyassl.la

Regards,
Chris

Go to forum: wolfSSL

557 Reply by chrisc

(14 replies, posted in wolfSSL)

Hi mkey,

Can you try testing your code with the most recent CyaSSL code on GitHub (https://github.com/cyassl/cyassl)?  We've changed a few things regarding CA Basic Constraints recently which looks like it might make a difference.  Also, note that you can build CyaSSL with --enable-debug and then call CyaSSL_Debugging_ON() from your application for more verbose debug information from CyaSSL.

As you know, set SSL_VERIFY_PEER, using:

CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);

It looks like you have found the correct certificate chain, yes.  I downloaded the Equifax Secure Certificate Authority from here:  https://www.geotrust.com/resources/root-certificates/.

With CyaSSL (version >= 2.0), only the top or root certificate of the chain is required to be loaded as a trusted certificate in order to properly verify the chain.  So, in your case, you could load the equifax CA cert like this (where equifaxCert is the path to your Equifax CA Cert):

CyaSSL_CTX_load_verify_locations(ctx, equifaxCert, 0)

This will return SSL_SUCCESS upon success.  I tried this using our example client after making the above cert modifications (./examples/client/client pop.gmail.com 995) and it was able to connect to pop.gmail.com.

Note: the function CyaSSL_Init according to the manual returns a "1" if successful, while in fact it returns a 0 if everything went OK.

Thanks for the heads up on this.  We'll make sure the docs and/or code get changed to clear this up.

Regards,
Chris

Go to forum: wolfSSL

558 Reply by chrisc

(6 replies, posted in wolfSSL)

Hi Pedro,

CyaSSL_CTX_load_verify_buffer() returns SSL_BAD_FILE.

I believe this is due to the way you have entered your certificate string.  Try only separating lines with a newline (\n), and add a newline character after the closing "-----END CERTIFICATE-----" as well.  So, your corrected cert string would be:

const char cert[]= "-----BEGIN CERTIFICATE-----\nMIIDAjCCAmsCEH3Z/gfPqB63EHln+6eJNMYwDQYJKoZIhvcNAQEFBQAwgcExCzAJ\nBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh\nc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy\nMTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp\nemVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X\nDTk4MDUxODAwMDAwMFoXDTI4MDgwMTIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw\nFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMg\nUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEo\nYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5\nMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEB\nAQUAA4GNADCBiQKBgQDMXtERXVxp0KvTuWpMmR9ZmDCOFoUgRm1HP9SFIIThbbP4\npO0M8RcPO/mn+SXXwc+EY/J8Y8+iR/LGWzOOZEAEaMGAuWQcRXfH2G71lSk8UOg0\n13gfqLptQ5GVj0VXXn7F+8qkBOvqlzdUMG+7AUcyM83cV5tkaWH4mx0ciU9cZwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBAFFNzb5cy5gZnBWyATl4Lk0PZ3BwmcYQWpSk\nU01UbSuvDV1Ai2TT1+7eVmGSX6bEHRBhNtMsJzzoKQm5EWR0zLVznxxIqbxhAe7i\nF6YM40AIOw7n60RzKprxaZLvcRTDOaxxp5EJb+RxBrO6WVcmeQD2+A2iMzAo1KpY\noJ2daZH9\n-----END CERTIFICATE-----\n";

One thing to keep in mind is that you can turn on CyaSSL debugging by configuring CyaSSL with the "--enable-debug" option.  This will give you a much more verbose output of what is happening with CyaSSL.  After building CyaSSL with this enabled, you can turn on debug messages in your application by calling:

CyaSSL_Debugging_ON();

After you get your certificate to load (PCA-3G2.pem), you will probably run into another problem where CyaSSL doesn't think it is actually a CA certificate.  This is due to it lacking the CA:TRUE basic constraint.  If you would still like to use this certificate, you can download our current GitHub source package (https://github.com/cyassl/cyassl) which will allow this certificate to be imported as a CA cert.

*The CyaSSL API reference states CyaSSL_Init() returns SSL_SUCCESS (1) on success which, looking at the code, is wrong. It returns 0 when no error is found.

Thanks for the heads up on this.  We'll make sure to get this cleared up.

Let me know if this helps.  By the way, what kind of project are you working on for the Wii?

Best Regards,
Chris

Go to forum: wolfSSL

559 Reply by chrisc

(6 replies, posted in wolfSSL)

Hi Pedro,

The build fails when trying to compile the client example (which is expected but somehow messy to fix and I wanted to know if there was a more straightforward way of doing this).

You can build only the CyaSSL library (no examples, testsuite, etc.) by running:

make src/libcyassl.la

Regarding CyaSSL_CTX_load_verify_buffer, can you check the return value?  This function will return SSL_SUCCESS upon success and a variety of other values upon failure (See the CyaSSL API Reference for return values, http://yassl.com/yaSSL/Docs-cyassl-manu … rence.html).  This will tell you if your certificate buffer is being loaded.  It does look like you are providing the correct parameters to the function. 

What kind of message are you seeing when CyaSSL crashes?  Are you able to identify what part of InitSSL() is failing?

Regards,
Chris

Go to forum: wolfSSL

560 Reply by chrisc

(6 replies, posted in wolfSSL)

Hi Pedro,

DevkitPro support was added with CyaSSL rc2-1.0.0.  You can take a look at the CyaSSL README file (included in the CyaSSL download) for build instructions and more detailed information.  This will explain how to build and link with CyaSSL.  Please let me know if you run into problems.

Regards,
Chris

Go to forum: wolfSSL

561 Reply by chrisc

(15 replies, posted in wolfSSL)

Hi Nitin,

Just as pure guess work, I tried converting this key from PEM to DER and it worked !.. But, I'm not able to use these keys with the echo client and echo server examples..

The RsaPrivateKeyDecode() function only accepts keys in DER format (raw data).  To use the example echo client and echo server with DER-formatted keys, you will need to use the SSL_FILETYPE_ASN1 format instead of the SSL_FILETYPE_PEM format.  For example, the echo server would load a private key like this (where svrKey is a RSA key in DER format):

CyaSSL_CTX_use_PrivateKey_file(ctx, svrKey, SSL_FILETYPE_ASN1)

Here are the OpenSSL commands that we typically use to generate test CA keys and certificates and create test CA-signed certs.  To create a CA key and certificate:

1.  openssl genrsa 1024 > ca-key.pem
2.  openssl req -new -x509 -nodes -sha1 -days 1000 -key ca-key.pem > ca-cert.pem

To create a server key and CA-signed server cert:

1.  openssl req -newkey rsa:1024 -sha1 -days 1000 -nodes -keyout server-key.pem > server-req.pem
2.  openssl x509 -req -in server-req.pem -days 1000 -sha1 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

Does this help?

- Chris

Go to forum: wolfSSL

562 Reply by chrisc

(15 replies, posted in wolfSSL)

Hi Nitin,

What command and parameters did you use to generate your CA key using OpenSSL?

- Chris

Go to forum: wolfSSL

563 Reply by chrisc

(15 replies, posted in wolfSSL)

Not necessarily - you could define it in your source code as well if that was your preferred way.

Go to forum: wolfSSL

564 Reply by chrisc

(15 replies, posted in wolfSSL)

Hi Nitin,

I get "Cert undeclared" error. I'm unable to figure out why this is happening. Generating RSA keys works fine, but as soon as I declare a variable to generate certificate, I get this error.

You could be seeing this error if CYASSL_CERT_GEN is not defined.  Can you try defining -DCYASSL_CERT_GEN this when building your application and see if it resolves your error?

Regards,
Chris

Go to forum: wolfSSL

565 Reply by chrisc

(2 replies, posted in wolfSSL)

Hi Bobo,

Thanks for the report.  We'll look into this.

- Chris

Go to forum: wolfSSL

566 Reply by chrisc

(2 replies, posted in wolfSSL)

Hi Kevin,

What version of CyaSSL are you using the tutorial with?

./echoserver: error while loading shared libraries: libcyassl.so.2: cannot open shared object file: No such file or directory

This error occurs when the OS can't find the necessary shared library at runtime.  This could be caused by several things depending on what version of CyaSSL you were using.

1.  I just updated the SSL Tutorial (Makefiles, source files, etc.) to work with our newest versions of CyaSSL (2.0.2).  Beginning with our 2.0.0rc3 release, the default installation locations were changed for CyaSSL.  Please try downloading the most current version of the SSL Tutorial, now up at http://www.yassl.com/documentation/ssl-tutorial-2.0.zip.

2.  If you are still getting the error after updating to the newest SSL Tutorial version, make sure your LD_LIBRARY_PATH environment variable is set correctly to point to where the CyaSSL libraries are installed (/usr/local/lib in CyaSSL 2.0.2).

Linux:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib

Mac:

export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:/usr/local/lib

Does this help?

Regards,
Chris

Go to forum: wolfSSL

567 Topic by chrisc

(0 replies, posted in Announcements)

Hi,

We have released version 2.0.2 of the CyaSSL embedded SSL library.  Release 2.0.2 has bug fixes and a few new features including:

  • CTaoCrypt Runtime library detection settings when directly using the crypto
      library

  • Default certificate generation now uses SHAwRSA and adds SHA256wRSA generation

  • All test certificates now use 2048bit and SHA-1 for better modern browser
      support

  • Direct AES block access and AES-CTR (counter) mode

  • Microchip pic32 support

This new version can be downloaded here: http://yassl.com/yaSSL/Download.html

The CyaSSL manual is available online at: http://yassl.com/yaSSL/Docs-cyassl-manual-toc.html.  For build instructions
and comments about the new features please check the manual.  If you have any questions or comments about the new release, please let us know!

Thanks,
Team yaSSL

Go to forum: Announcements

568 Reply by chrisc

(2 replies, posted in wolfSSL)

Hi,

WolfSSL hasn't been officially ported to the Freescale MQX RTOS yet, no.  This is something that's on our list of things to do.  Is this something that you would be interested in?  Have you tried building wolfSSL on MQX?

Best Regards,
Chris

Go to forum: wolfSSL

569 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi Kchitiz,

Although it is missing from our product page (thanks for pointing this out, we'll have to add it), we have previously ported wolfSSL to WinCE.  The _WIN32_WCE defines in the wolfSSL code are for WinCE.

Please build wolfSSL with _WIN32_WCE and let me know if you run into any snags.

What kind of project are you working on with WinCE?

Regards,
Chris

Go to forum: wolfSSL

570 Reply by chrisc

(2 replies, posted in wolfSSL)

Hi Nrupen,

It looks like the common name of the subject lacks a set header in your certificate.  In our initial interpretation of the X509 standard, we believed that the set header was required.  As such, wolfSSL returned an error.

We have checked in a patch to our GitHub repository that gives a warning if a certificate name lacks a set header, then continues execution for better OpenSSL compatibility.  Please take a look at the patch, here: https://github.com/cyassl/cyassl/commit … 7d53a812ea.

What kind of project are you working on?

Regards,
Chris

Go to forum: wolfSSL

571 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi Michal,

You are correct, these flags can be used together while still providing all of CTaoCrypt's crypto functionality.  You can test this by building CyaSSL with NO_TLS, NO_CYASSL_SERVER, and NO_CYASSL_CLIENT and then running the test application under the /ctaocrypt/test directory of the CyaSSL download.

You will still have the public key infrastructure as well.  Normally verification is done internally within CyaSSL, but can also be done by hand (as the /ctaocrypt/test example does).

Regards,
Chris

Go to forum: wolfSSL

572 Reply by chrisc

(7 replies, posted in yaSSL (Deprecated) [READ ONLY])

Are you saying that the only way to import a public RSA key in DER or PEM format is to rewrite the decoder class?

Yes, in it's current state, yaSSL only supports public keys through certificates (for SSL).  Would you mind if I asked what your goal is?  If this feature is necessary, we can work with you to add it to yaSSL.

Regards,
Chris

Go to forum: yaSSL (Deprecated) [READ ONLY]

573 Reply by chrisc

(7 replies, posted in yaSSL (Deprecated) [READ ONLY])

Hi Kristofer,

yaSSL was designed to use public keys from certificates (see the example in taocrypt/test/test.cpp for reference).  If you run the "test" application in taocrypt/test with the example certificates, you will notice that FixedCiphertextLength is a non-zero value when using a certificate.

If you want to use OpenSSL format for public keys, then you can use CyaSSL with the --openssl-Extra build option.  Is there a reason why you chose to use yaSSL over CyaSSL?

Regards,
Chris

Go to forum: yaSSL (Deprecated) [READ ONLY]

574 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi,

Thanks for the bug report.  We've checked in a fix to our GitHub repository (https://github.com/cyassl/cyassl).  We have also added a new build option (--enable-noFilesystem) to make it easier to remove the filesystem for our embedded SSL library.

Regards,
Chris

Go to forum: wolfSSL

575 Topic by chrisc

(0 replies, posted in Announcements)

Hi!

We have released updated versions of both the wolfSSL embedded SSL/TLS library Manual and our SSL Programming tutorial.  The wolfSSL Manual is now available in an HTML version on our website in addition to the standard PDF download, and includes a new wolfSSL API Reference.  You can find the updated version of these documents at the following links.

wolfSSL Manual: https://www.wolfssl.com/wolfSSL/Docs-wo … l-toc.html
wolfSSL API Reference: https://www.wolfssl.com/wolfSSL/Docs-wo … rence.html
SSL Programming Tutorial: https://www.wolfssl.com/wolfSSL/Docs-wo … orial.html

If you have any questions or suggestions on how to make these documents better, please let us know.

Thanks,
Team wolfSSL

Go to forum: Announcements