You are not logged in. Please login or register.
Active topics Unanswered topics
Welcome to the wolfSSL Forums!
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
References
Stable Releases - download stable product releases.
Development Branch - latest development branch on GitHub.
wolfSSL Manual - wolfSSL (formerly CyaSSL) product manual and API reference.
Search options (Page 2 of 7)
Hi de2,
Please share your build settings for wolfSSL and tinycurl, please also ensure you are using the latest version of each which is currently wolfSSL 5.7.4 and tinycurl 8.4.0. Which TLS versions/algorithms do you require for your use case?
As you are using a static library, note that the library size is not the final size as the linker will discard a significant part of the library when linking to your application. If you are using libcurl rather than tinycurl as a standalone application you will need to link it into your application then check the size with your toolchain's size utility or with the map file generated by your compiler. Please also ensure that you are using your compiler's size optimization option (for example -Os) and have LTO enabled.
Thanks,
Kareem
Hello Happy,
-140/ASN_PARSE_E is a general error thrown when the cert/CRL passed in is invalid in some way. For more information on where this error is coming from, please rebuild with --enable-debug --enable-debug-trace-errcodes.
Thanks,
Kareem
Hi alem,
It looks like you're failing to build the kernel helper get_thread_size. You could try bypassing the need to build this by building with KERNEL_THREAD_STACK_SIZE=16384 make, but we generally don't expect that you should be having issues building this.
Are you confident your kernel module build environment is set up correctly? Are you able to build any other kernel modules, even an example "hello world" module?
Please share some details on your project and whether you are using wolfSSL in a commercial or personal project. You are welcome to email us at support [AT] wolfssl [DOT] com if this information is sensitive.
Thanks,
Kareem
Hello Happy,
-179 is CRL_CERT_DATE_ERR, this means the CRL's date is not valid when compared to the current time.
You may find our debug logging helpful, you can enable it by building with --enable-debug and running wolfSSL_Debugging_ON() at the start of your program.
Thanks,
Kareem
Hello Sunnysunday,
Those cipher suites require WOLFSSL_STATIC_PSK defined and PSK, AES/AES-CBC, TLS and SHA256 enabled. It looks like your config is only missing WOLFSSL_STATIC_PSK, you will need to manually add this flag as it is not supported with a configure argument currently: "CFLAGS=-DWOLFSSL_STATIC_PSK" ./configure ...
Thanks,
Kareem
Hello Happy,
-190 is ASN_CRL_NO_SIGNER_E, this means the CRL's CA cert is not registered with wolfSSL. You will need to register your CA cert with wolfSSL_CertManagerLoadCA before calling wolfSSL_CertManagerLoadCRLBuffer.
Thanks,
Kareem
For the dynamic library error you need to copy the given hash into verifyCore in fips_test.c and rebuild wolfSSL.
Hi Volga,
When using wolfSSL as a static library, the hash will change depending on the application wolfSSL is built against. You will need to run strongswan with wolfSSL linked, then get the FIPS hash from there and rebuild wolfSSL with that hash. I would recommend building as a dynamic library if possible as it will be more straightforward.
Hi Volga,
That error means the FIPS hash was not updated correctly, you will need to update your FIPS hash or wolfSSL will not initialize.
Thanks,
Kareem
Hi volga629,
Since you are using FIPS ready, please try adding a call to wc_RunAllCast_fips() after strongswan calls (wolf)SSL_Init() and let me know if it helps. If not, please enable wolfSSL debug logging and attach a debug log here.
Thanks,
Kareem
Hello volga629,
-203 IN_CORE_FIPS_E means our FIPS hash check failed. When building wolfSSL FIPS you must update the FIPS hash after any build option/environment change, you can either run the script fips-hash.sh in the root of the wolfSSL directory or run the wolfCrypt test and copy the hash it outputs to fips_test.c. Then rebuild and retry using wolfSSL with strongswan.
Thanks,
Kareem
Hi volga629,
Yes, configure is what I would recommend to set up wolfSSL with strongswan, since you are able to use configure arguments instead of having to define every single setting. Your setup looks correct to me.
For the Visual Studio case you will also need the IDE/WIN10 user_settings.h I linked merged with yours, and WOLFSSL_FIPS_READY defined.
Thanks,
Kareem
Hi volga629,
You can safely disregard the message in your most recent post as it is just a warning.
For the missing references you are seeing, you will need multiple defines added to your build settings for strongswan. Since you are using FIPS ready, you will want to start with our "WIN10" Visual Studio project and define WOLFSSL_FIPS_READY in user_settings.h: https://github.com/wolfSSL/wolfssl/tree … /IDE/WIN10
Then you will want to add the following defines to fully enable strongswan support:
#define OPENSSL_ALL
#define SESSION_CERTS
#define WOLFSSL_KEY_GEN
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_EXT
#define HAVE_CRL
#define WOLFSSL_CERT_REQ
#define HAVE_OCSP
#define WOLFSSL_DES_ECB
#define WOLFSSL_LOG_PRINTF
#define WOLFSSL_PUBLIC_MP
#define HAVE_EX_DATA
#define WOLFSSL_DTLS
Thanks,
Kareem
For Visual Studio you'll need to add the path to your wolfSSL library to your project's additional library directories and wolfssl.lib to your additional dependencies in project properties -> librarian -> general.
Hello volga629,
Yes, after building wolfSSL you will want to install it with "sudo make install" so your linker can find it. Depending on wolfSSL's install path, you may need to add the path to LD_LIBRARY_PATH as well.
Thanks,
Kareem
Hello Volga,
I am seeing a recent commit for PARSE_ERROR in strongswan which should fix this, please try rebuilding with it applied and let me know if it helps: https://github.com/strongswan/strongswa … 2e31a046e1
Thanks,
Kareem
Hello Isabella,
To enable a DTLS MTU you will need to define WOLFSSL_DTLS and WOLFSSL_DTLS_MTU. These defines enable DTLS and enable setting the DTLS MTU. We do support DTLS 1.3 as well which you can enable by defining WOLFSSL_DTLS13.
The implication is you're enabling DTLS which is different than TLS, it uses UDP vs TLS which uses TCP. You can't set the MTU in TLS 1.3, we only support this for DTLS.
Thanks,
Kareem
Hi chyuk98,
Thanks for your interest in wolfSSL. We don't currently support BLAKE1, only BLAKE2 as you've seen. If you'd like to have us add support for BLAKE1, please reach out to us at support [AT] wolfssl [DOT] com so we can set up a feature request.
Thanks,
Kareem
I'm glad to hear you were able to get your connection working.
Check out our documentation on static memory here: https://www.wolfssl.com/docs/static-buffer-allocation/
Hi Isabella,
-188/Unknown CA means you are loading the wrong CA cert for the server you are trying to connect to. You can confirm you're loading the correct CA cert by connecting with your browser and checking the security/cert chain info there.
Note that since you are using static memory, you must pass in a buffer to functions like wolfSSL_X509_NAME_oneline.
Thanks,
Kareem
Hello Happy,
After enabling CRL checking, wolfSSL will automatically check your CRL as part of the connection.
If you want to manually perform this check, you can set up a cert manager, enable CRL checking on it with wolfSSL_CertManagerEnableCRL, load your CRL with wolfSSL_CertManagerLoadCRL/wolfSSL_CertManagerLoadCRLBuffer then call wolfSSL_CertManagerCheckCRL to check the CRL: https://www.wolfssl.com/documentation/m … ercheckcrl
Thanks,
Kareem
Hi MO380,
Please reach out to us at support [AT] wolfssl [DOT] com, you should be able to attach files there. Please attach your user_settings.h/configure line in your ticket.
Thanks,
Kareem
Hi Scott,
The two main sources of documentation on our build flags are section 2 of our manual and our user_settings.h examples:
https://www.wolfssl.com/documentation/m … ssor-macro
https://github.com/wolfSSL/wolfssl/tree … es/configs
PSK is enabled by default and doesn't need a flag to enable it. If you wanted to disable it, you would define NO_PSK.
<wolfssl dir>/configure.ac is what translates our configure arguments into defines, but I would recommend consulting our documentation first.
Thanks,
Kareem
Hi MO380,
-323 WANT_READ is an expected error during a connection, this just means you should call the connect/read function again until the error goes away. The error is indicating wolfSSL needs to read additional data which hasn't come in yet.
Check out our LWIP example here: https://github.com/wolfSSL/wolfssl-exam … aster/lwip
Thanks,
Kareem
Hi Rob,
Great question. We don't currently support this with public APIs, we can give you some guidance on how to do this with internal APIs but it will take some work. Please contact us at support [AT] wolfssl [DOT] com for more information on this.
Thanks,
Kareem
Posts found: 26 to 50 of 173
Generated in 0.021 seconds (88% PHP - 12% DB) with 4 queries