576 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi,

Minimizing wolfSSL build sizes depends on what protocols, ciphers, and cipher suites you are looking to use.  Using the --enable-small build option will give you a fully working wolfSSL client and server, but several features will be disabled.  Currently --enable-small disables the following features:

TLS, HMAC, AES, 3DES, SHA-256, Error Strings, HC-128, RABBIT, PSK, DSA, and DH

If you are only going to be using client functionality, the server parts can be disabled by defining NO_CYASSL_SERVER.  See the "Building wolfSSL" document (sections III and V) for a list of build options and defines.  For certificate verification, wolfSSL verifies all certificates internally by default unless it is turned off, but the files needed shouldn't change.

What's the philosophy of the minimal build - how does OpenWRT's idea of minimal differ from the configure option?

I'm not positive of the configuration used in the OpenWrt example, but the standard build size with a client and server functionality on an embedded platform is usually <= 60k.

Regards,
Chris

Go to forum: wolfSSL

577 Reply by chrisc

(1 replies, posted in wolfSSL)

SheldonC,

Correct, sslFrame points to the current frame to process, whereas sslBytes is the data we haven't processed yet.

if (newEnd > reassemblyList->begin) {
    Trace(OVERLAP_REASSEMBLY_BEGIN_STR);
                    
        /* remove bytes already on reassembly list */
        *sslBytes -= newEnd - reassemblyList->begin;
}

To address the section you had in bold, shown above, newEnd is equal to the sequence number we expect plus the SSL bytes we need to consume. We check to see if newEnd is past the beginning of our first reassemblyList item.  If so, we might have frames that will be processed twice, so we want to remove those duplicates from being processed again (in sslBytes).

reassemblyList->end is not the same as *expected - they differ in purpose. The reassemblyList (a linked-list of pointers) caches packets which are out of order and can't be processed yet. reassemblyList->end is the end of the first item in the list, where *expected is the next sequence number we need to process.

if (newEnd > reassemblyList->end) {
    Trace(OVERLAP_REASSEMBLY_END_STR);
                    
    /* may be past reassembly list end (could have more on list)
       so try to add what's past the front->end */
    AddToReassembly(session->flags.side, reassemblyList->end +1,
        *sslFrame + reassemblyList->end - *expected + 1,
        newEnd - reassemblyList->end, session, error);
}

In the next block of code, shown above, we test whether newEnd is greater than the end of the first item in our reassemblyList. If it is, we may need to add that data into the reassemblyList (if it is not already there). This is done by the AddToReassembly function.

Does this help clear things up?

- Chris

Go to forum: wolfSSL

578 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi Sheldon,

Thanks for the bug fix.  We've made your suggested change and committed it to our GitHub repository.

Regards,
Chris

Go to forum: wolfSSL

579 Reply by chrisc

(6 replies, posted in wolfSSL)

Glad to hear you got it figured out.  One of the items on our task list is to update our embedded SSL library in OpenWrt to 2.0.

- Chris

Go to forum: wolfSSL

580 Reply by chrisc

(6 replies, posted in wolfSSL)

Could you tell me a little more about the chain you are trying to verify, and the CA certs you are loading?  Such as:

- Structure of your server certificate
- Does your CA certificate file which you are loading contain only a single CA cert?
- If so, is it signed by anyone else (another CA)?

Thanks,
Chris

Go to forum: wolfSSL

581 Reply by chrisc

(6 replies, posted in wolfSSL)

Could you tell me what RSA key size you are using?  Also, is your CA file you are loading a single certificate, or a cert chain?

Thanks,
Chris

Go to forum: wolfSSL

582 Reply by chrisc

(6 replies, posted in wolfSSL)

Are you using the most current version of CyaSSL (2.0)?  We changed several things in 2.0 as far as certificate handling.  Let me know if you still get the error with 2.0.

- Chris

Go to forum: wolfSSL

583 Reply by chrisc

(6 replies, posted in wolfSSL)

Hi,

Have you tried our most current version of CyaSSL (CyaSSL 2.0) to see if you still get the same error?  You can download it from here: http://yassl.com/yaSSL/Download.html.

Regards,
Chris

Go to forum: wolfSSL

584 Reply by chrisc

(6 replies, posted in wolfSSL)

Hi j3g,

Have you checked the value you are getting for "b" in GetName()?  CyaSSL is expecting the tag 0x06 (ASN_OBJECT_ID).

Is the server you are testing against public?  If not, could you send the server certificate and server key you are using to support@yassl.com?

Thanks,
Chris

Go to forum: wolfSSL

585 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi Deepak,

- CRYPTO_num_locks
- CRYPTO_set_locking_callback
- CRYPTO_set_id_callback

We haven't implemented the above 3 functions because they're not needed in CyaSSL (but you can find placeholders for them in ssl.c).  For CyaSSL thread safety, please look at section VI of our "CyaSSL Additional Features" document (http://yassl.com/yaSSL/Docs_CyaSSL_Addi … tures.html).  Unlike OpenSSL, CyaSSL avoids using global data, static data, and the sharing of objects.

- BIO_new_file
- PEM_read_bio_DHparams
- SSL_CTX_set_verify_depth
- load_dh_params

CyaSSL doesn't support the above functions.  RAND_add and setting tmp_dh are handled internally by CyaSSL.

- SSLv23 method

CyaSSL provides SSLv23_client_method() and SSLv23_server_method() to use for this.

CyaSSL's OpenSSL compatibility layer is not fully complete.  Instead we provide a subset of the most commonly-used functions from OpenSSL to allow for ease of porting CyaSSL embedded SSL into existing OpenSSL projects (about 200 out of their 4000 functions).  Very often, even though CyaSSL doesn't have the exact function you might be looking for from OpenSSL, it should have similar functionality.

Our OpenSSL Compatibility layer is expanded as we encounter new porting efforts.  The comments you see about GoAhead are just indications those functions were brought to our attention during that port.

Regards,
Chris

Go to forum: wolfSSL

586 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi,

wolfSSL (as of release 1.6.0), includes support for RSA key generation.  wolfSSL must be built with the "--enable-keygen" option.  You can then you can follow instructions provided in Chapter 7 of the wolfSSL Manual: "Keys and Certificates", here:

http://yassl.com/yaSSL/Docs-cyassl-manu … cates.html

Regards,
Chris

Go to forum: wolfSSL

587 Reply by chrisc

(3 replies, posted in wolfSSL)

Ok, thanks for letting us know.  We'll add that to our documentation.

- Chris

Go to forum: wolfSSL

588 Reply by chrisc

(5 replies, posted in wolfSSL)

Good to hear.  We'll add that to our documentation.

- Chris

Go to forum: wolfSSL

589 Reply by chrisc

(1 replies, posted in wolfSSL)

Thanks, we'll look into getting these cleared up.

- Chris

Go to forum: wolfSSL

590 Reply by chrisc

(5 replies, posted in wolfSSL)

Ken,

Glad to hear you're happy with wolfSSL!  You're correct, DTLS sounds like it would be the best option to me as well. 

If you update to the latest version of wolfSSL from GitHub (https://github.com/wolfSSL/wolfssl), you can adjust the MTU size by altering MAX_MTU in internal.h.  As for the ECC stuff, it's currently undetermined when the official release will be.

- Chris

Go to forum: wolfSSL

591 Reply by chrisc

(5 replies, posted in wolfSSL)

Hi,

Yes, you can use the CBIORecv/CBIOSend function pointers to point to your own custom I/O functions (you can use the EmbedSend() and EmbedReceive() functions as templates and guides).  You would then be able to hand off the data buffer to one of your other protocols from within your custom send function and bring it back to wolfSSL with your custom receive function.

Why do you want to use DTLS?

Regards,
Chris

Go to forum: wolfSSL

592 Reply by chrisc

(2 replies, posted in wolfSSL)

Hi topher,

Similar to your other thread about certificate serial numbers (http://yassl.com/forums/topic81-x509-serial-number.html), wolfSSL doesn't provide a way to directly access peer-certificate dates.  Is this something that you need?

wolfSSL does all verification internally, including notBefore and notAfter dates.  The SSL_CTX_set_verify() function allows you to set options for how the verification is done.  Setting SSL_VERIFY_PEER will cause the server to send a certificate request to the client.

Regards,
Chris

Go to forum: wolfSSL

593 Reply by chrisc

(6 replies, posted in wolfSSL)

topher,

Sounds like an interesting embedded SSL project.  What kind of server are you creating?  Currently, getSerialNumber() functionality isn't on our list, but if you have a need for it, we can work with you to add the functionality.

Regards,
Chris

Go to forum: wolfSSL

594 Reply by chrisc

(6 replies, posted in wolfSSL)

Hi,

Have you considered using OCSP instead of a CRL? There are several issues surrounding CRLs (See the "Problems" section of the CRL wikipedia page: http://en.wikipedia.org/wiki/Certificat … ation_list. OCSP is the current method to deal with those problems.

If using OCSP, you could enable SESSION_CERTS in wolfSSL, and use the cert chain to hand off to an OCSP server you had access to.  With OCSP, one of the things you would still need though is the cert serial number.

If you want to implement OCSP with wolfSSL, we could help if you would like.

Regards,
Chris

Go to forum: wolfSSL

595 Reply by chrisc

(6 replies, posted in wolfSSL)

Hi,

wolfSSL does all verification internally (signature, date, domain name).  The X509_get_serialNumber() function is part of wolfSSL's OpenSSL Compatibility layer, and is currently just a stub that always returns 0.

Why do you need the serial number?

Regards,
Chris

Go to forum: wolfSSL

596 Reply by chrisc

(2 replies, posted in wolfSSL)

Hi,

I wasn't able to reproduce your error about zlib not being found.  I was able to verify that the configure script doesn't check for zlib if the "--with-libz" option is not given.  Which version of wolfSSL are you using?

Thanks,
Chris

Go to forum: wolfSSL

597 Reply by chrisc

(5 replies, posted in wolfSSL)

Sam,

Would you mind explaining a little more?

Thanks,
Chris

Go to forum: wolfSSL

598 Reply by chrisc

(5 replies, posted in wolfSSL)

Sam,

Glad to hear that you found our SSL sniffer to use with your project!

sslFrame is the input pointer. This means that it points to the input frame, whether that be the original data or a decoded frame.  To the end consumer of the input, it doesn't matter if sslFrame is pointing to the original data or decoded data. 

In the code you referenced above, the encrypted data can't be used as input, so it is decrypted by the "DecryptMessage()" function and stored into the output buffer.  After this, sslFrame is re-pointed to the output buffer (our decrypted data).

Does this help?

- Chris

Go to forum: wolfSSL

599 Reply by chrisc

(5 replies, posted in wolfSSL)

Hi,

Thanks for the bug submission, we've made the fix and checked it in. Bugs can either be submitted here in our forums or by opening a GitHub issue on our wolfSSL GitHub project page (https://github.com/wolfSSL/wolfssl).

What project are you working on?

Regards,
Chris

Go to forum: wolfSSL

600 Topic by chrisc

(0 replies, posted in Announcements)

http://www.yassl.com/images/conferences/rsa2011.jpg

We’ll be exhibiting at the RSA Conference 2011 (http://www.rsaconference.com/2011/usa/index.htm).  Our booth number is 330.  The conference will be held February 14-18 at Moscone in San Francisco.  If you’re planning to be there, please plan to stop by to discuss CyaSSL, our implementation of the TLS 1.2 protocol.  We’ll also be visiting customers in the Bay Area that week, so let us know if you’d like us to set aside some time for you by emailing us at info@yassl.com.

Go to forum: Announcements