51

(1 replies, posted in wolfSSL)

Hello Messias,

You will need to use our custom OID support to mark extensions as critical/non-critical.
Check out our example here: https://github.com/wolfSSL/wolfssl-exam … ns-example
https://github.com/wolfSSL/wolfssl-exam … stom_ext.c
The second parameter of wc_SetCustomExtension specifies whether the extension is marked as critical or not.

Thanks,
Kareem

52

(1 replies, posted in wolfSSL)

Hi Jun Li,

We do have different behavior than OpenSSL by default with cert chains.  To use OpenSSL's behavior, you can build wolfSSL with WOLFSSL_ALT_CERT_CHAINS.  Let me know if you still have any issues with alt cert chains defined.

Thanks,
Kareem

53

(10 replies, posted in wolfSSL)

Happy to help.

What error code is wolfSSL_PEM_read_PrivateKey returning?  Can you provide the private key you are trying to load, and the code you are using?  Feel free to email us at support [AT] wolfssl [DOT] com if this is sensitive info.

Thanks,
Kareem

54

(10 replies, posted in wolfSSL)

Happy to help.

For wolfSSL_EC_KEY_dup, you'll need OpenSSL all enabled as well, so you'll need to add --enable-opensslall to your ./configure line.
wolfSSL_EC_POINT_is_on_curve requires USE_ECC_B_PARAM.  Add CFLAGS='-DUSE_ECC_B_PARAM' to your configure line.

We don't currently support EC_GROUP_get0_generator or PEM_write_PrivateKey.  You will need to replace these functions, or send a request to support AT wolfssl DOT com if you'd like to see these added to our compatibility layer.
I also wanted to note we provide wolfEngine, for full OpenSSL compatibility: https://github.com/wolfSSL/wolfEngine  But we do recommend using our OpenSSL compatibility layer when possible.

Hi Chris,

We do not support doing this at runtime.  Are you able to remove the undesired certificates from your chain before passing it to wolfSSL?

Thanks,
Kareem

56

(10 replies, posted in wolfSSL)

Hello,

Which version of wolfSSL are you using?  If you aren't using our latest release (5.4.0), try upgrading and let me know if it helps.
How are you building wolfSSL?  Can you share your build settings (user_settings.h or ./configure line)?
Your includes look correct; make sure you have <wolfssl/options.h> included before all other wolfssl headers in all files using these headers.

Thanks,
Kareem

57

(2 replies, posted in wolfCrypt)

Hello vico,

The RA4M2 uses SCE hardware acceleration, which we do support.  To activate this support, define WOLFSSL_RENESAS_SCEPROTECT in your user_settings.h.
For a template, check out our RA6M4 e2studio project, which also uses SCE: https://github.com/wolfSSL/wolfssl/tree … udio/RA6M4

May I ask if this is for a commercial or personal project?

Thanks,
Kareem

58

(9 replies, posted in wolfSSL)

You can disable wolfSSL's certificate validity check using wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
This significantly hurts security, and we strongly recommend against it.  Instead, you should register your CA certificates by calling wolfSSL_CTX_load_verify_locations(ctx, NULL, "/path/to/CAcerts/"); before connecting.

Thanks,
Kareem
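
Added example, not part of the original post and not wolfSSL project code: a shell check that flags source lines which switch off peer verification with the call quoted above. It also covers the per-session wolfSSL_set_verify call and the native WOLFSSL_VERIFY_NONE constant, which the post does not mention; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not wolfSSL project code): find calls that turn off peer
# certificate verification, as in wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0).

# find_verify_none DIR -> prints "file:line:source" for each offending call.
# /dev/null forces grep to print the file name even when only one file matches.
# The second grep drops hits on lines that start as comments (//, /*, or *).
find_verify_none() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) -exec grep -nE \
        'wolfSSL_(CTX_)?set_verify[[:space:]]*\([^,]*,[[:space:]]*(WOLFSSL|SSL)_VERIFY_NONE[[:space:]]*,' \
        /dev/null {} + |
    grep -vE '^[^:]*:[0-9]+:[[:space:]]*(//|/\*|\*)' || true
}

# count_verify_none DIR -> prints the number of offending calls.
count_verify_none() {
    find_verify_none "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: one file that disables verification twice,
# one that registers CA certificates and keeps verification on.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/client_bad.c" <<'EOF'
wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_NONE, NULL);
EOF
    cat > "$dir/client_good.c" <<'EOF'
wolfSSL_CTX_load_verify_locations(ctx, NULL, "/path/to/CAcerts/");
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL);
// wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
EOF
    echo "$dir"
}

sample=$(make_sample_tree)
echo "verification disabled in $(count_verify_none "$sample") place(s):"
find_verify_none "$sample"
rm -rf "$sample"
```

The match is line-based, so a call split across several lines is not caught.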

Hi msjeon,

Try running /bin/bash ./configure ...  If that fails, your bash is likely too old (our minimum requirement is 3.x), so you will need to upgrade.  Alternatively, you can use our Makefile + user_settings.h instead of ./configure.  See our template in IDE/GCC-ARM (you can remove all of the ARM specific parts).

On Solaris, you will want to build wolfSSL as a static library using --enable-static --disable-shared, and ensure you are using gmake to build.  You may also need to disable our builtin make clean at the end of ./configure using --disable-makeclean.

Thanks,
Kareem

60

(3 replies, posted in wolfSSL)

I am happy to help, Farhan.

Check out our docs on wolfSSL + Renesas here: https://www.wolfssl.com/docs/renesas/
The link I provided has some example projects for e2studio. We also have some for CS+: https://github.com/wolfSSL/wolfssl/tree … B/Projects

Please continue to use our ticket system via support [at] wolfssl [dot] com for further support.

Thanks,
Kareem

61

(3 replies, posted in wolfSSL)

Hello Farhan,

We do have various Renesas example projects, but we don't currently have one for the RA6M5.  You can see our example projects here: https://github.com/wolfSSL/wolfssl/tree … s/e2studio
Can you work off of the RA6M4 project?  I don't see anything too platform-specific in our user_settings.h, so you should be able to use it as a reference.

Thanks,
Kareem

Hello ballen,

We do not support this feature currently, but by writing your own custom HAL functions, you can add support for it.  For more on wolfBoot HAL, see: https://github.com/wolfSSL/wolfBoot/blo … ocs/HAL.md
Our STM32F7 HAL is a good example, in particular see the array flash_sector.  You could use this code as a rough template and make these sectors non-contiguous:  https://github.com/wolfSSL/wolfBoot/blo … /stm32f7.c
I also wanted to note we do support external flash partitions, we just don't currently support splitting a partition without code changes.  For more on wolfBoot partitions, see: https://github.com/wolfSSL/wolfBoot/blo … titions.md

May I ask what platform you are using wolfBoot on?

Thanks,
Kareem

63

(1 replies, posted in wolfSSL)

Hi altech,

First, if you are not on the latest wolfSSL version (5.2.0), please try upgrading and let me know if it helps.
If not, can you share your user_settings.h?

UNKNOWN_RECORD_TYPE means we did not recognize the type in the record header.  Most likely you are not enabling support for the TLS version Firefox is trying to use, which is most likely TLS 1.3.
To enable TLS 1.3 support, make sure you have the following defined:

#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_HKDF

Thanks,
Kareem
wolfSSL Support

64

(3 replies, posted in wolfCrypt)

Hi abdulwazeed1,

It sounds like you are running into a threading issue, since it works after repeated tries.  Are you confident you are not sharing any context between threads?  Each thread needs its own Aes, WOLFSSL, etc. objects.
If you still run into issues, please reach out to support [AT] wolfssl [DOT] com so we can prioritize this issue.

Thanks,
Kareem

65

(3 replies, posted in wolfCrypt)

Hi abdulwazeed1,

What version of wolfSSL are you using?  If you are not using the latest stable (5.2.0), please upgrade and let me know if it helps.
Are wc_AesCbcEncrypt and/or wc_AesCbcDecrypt returning an error code for the invalid packets?  If so, what error code are you seeing?
If neither of the above helps, please enable debug logging by building with DEBUG_WOLFSSL or --enable-debug, and running wolfSSL_Debugging_ON().  Then attach your debug logs here.  Please also share your build settings.
Lastly, please clarify whether you are using a multi-threaded application on either side.  Note that for multi-threading we require separate Aes objects for each thread.

Thanks,
Kareem

66

(3 replies, posted in wolfSSL)

Hi rkumar,

Please upgrade to the latest wolfSSL, 5.2.0, and let me know if you still have any issues.

Thanks,
Kareem

67

(11 replies, posted in wolfSSL)

Hi Junkhar,

I realized you're using 4.7.0, which is outdated.  Please upgrade to the latest wolfSSL version (currently 5.1.0) and let me know if you still see any issues.

Thanks,
Kareem

68

(11 replies, posted in wolfSSL)

Hi Junkhar,

Can you attach your pcap wireshark file, rather than a png?  If there is any sensitive information, feel free to email it to us at support [AT] wolfssl [DOT] com.

One common issue on your platform is the encrypt-then-mac/extended master secret extensions being disabled by default.  It's worth trying again with them enabled.  Add this to your user_settings.h, then rebuild and let me know if it helps:

#define HAVE_EXTENDED_MASTER
#define HAVE_ENCRYPT_THEN_MAC

Thanks,
Kareem

Hi werchter,

You should build with WOLFSSL_PUBLIC_MP defined and use mp_read_unsigned_bin, which will be built as a public API.
Check out our example here: https://github.com/wolfSSL/wolfssl-exam … ecc_sign.c

Thanks,
Kareem

70

(16 replies, posted in wolfSSL)

Hi Alex,

You will want to use SP math rather than Fast math to increase your speed.  Replace USE_FAST_MATH with the following:
WOLFSSL_SP_MATH_ALL
WOLFSSL_SP_ASM
Let me know if you still have speed issues.

Thanks,
Kareem

71

(16 replies, posted in wolfSSL)

Hi Alex,

If your platform doesn't support hardware acceleration for AES, I would recommend trying Chacha/Poly.  Yes, you should remove your fast math define.
You are correct that ARMASM won't work with ARMv5, but you should still be able to use SP math assembly which I would definitely recommend.

Thanks,
Kareem

72

(16 replies, posted in wolfSSL)

Hi Alex,

Glad to hear you were able to resolve your issue.  What platform/architecture are you on?  Which cipher suite are you using?
In general, I'd recommend using SP math over fast math, and SP math assembly if your platform supports it.
Check out our user settings template here for more info on our SP math and other settings: https://github.com/wolfSSL/wolfssl/blob … template.h
I would also enable ARM assembly with WOLFSSL_ARMASM, assuming you're on ARM.
You will want to disable small AES-GCM if possible as it will have a significant speed impact (GCM_SMALL).

Thanks,
Kareem

73

(16 replies, posted in wolfSSL)

Hi Alex,

What platform and OS are you using?  How much stack/heap are you giving to wolfSSL?
What kind of webpage are you serving with wolfSSL?  Is it something that would spawn multiple connections?
Does closing your Chrome tab and opening a new one resolve the issue, or does it require a full browser restart?

If this information is too sensitive to share in a public forum, feel free to contact us at support@wolfssl.com

Thanks,
Kareem

74

(16 replies, posted in wolfSSL)

Hi Alex,

3.15.3 is extremely outdated and unsupported.  Please update to 5.0 and let me know if it fixes the issue for you.

75

(16 replies, posted in wolfSSL)

Hi Alex,

A couple of questions:
1) Does a hard refresh (usually Ctrl+F5) show the same issue in your browser?
2) What version of wolfSSL are you using?  Do you still see the issue with the latest wolfSSL, 5.0?

Thanks,
Kareem