1 Reply by gojimmypi

(7 replies, posted in wolfSSL)

Hi rocotocloc -

Glad to help!

Just one clarification regarding user_settings.h.

I should have been more clear: the wolfssl user_settings.h needs to be in the wolfssl component directory, which may vary depending on if it is a managed component or not:

[project]\components\wolfssl\include\user_settings.h

  // or

[project]\managed_components\wolfssl__wolfssl\include\user_settings.h

  // or (for completeness, if not Managed Component and installed to ESP-IDF)

[ESP-IDF]\[version]\components\wolfssl\include\user_settings.h

And as you discovered, the Managed Component source is "locked" and is required to be converted to a non-managed component if contents changed. This includes the `user_settings.h`. There must also be exactly one wolfssl component throughout the entire toolchain.

See the docs:

https://docs.espressif.com/projects/esp … ystem.html

like setting "CONFIG_WOLFSSL_ALT_CERT_CHAINS=y" in sdkconfig

Somewhat. The sdkconfig file is auto-generated. I suggest you put desired default settings in the `sdkconfig.defaults` file.

My only doubt here is that not all #define directives have their equivalent in the `sdkconfig` file

Things like enabling WOLFSSL_ALT_CERT_CHAINS must be done via the `idy.py menuconfig` for Managed Components, which in turn means there must be Kconfig logic for the setting.

NOW is a good time to put in a request for any new Kconfig settings! smile We'll be having a release in the near future, so if you'd like anything specific to be included, please let me know right away and/or send a message to support [at] wolfssl.com

Cheers

Jim

Go to forum: wolfSSL

2 Reply by gojimmypi

(7 replies, posted in wolfSSL)

Hi rocotocloc -

can say my project is now working and I can connect to my website by using the appropriate root certificate,

Yay! nicely done.

One of the things to be aware of for some CDN / load balanced sites such as `google.com` is that a different ISP may have a different cert chain. My ESP32 was connecting directly, my computer via VPN. For example, each would see a different result for:

openssl s_client -connect www.google.com:443 -showcerts -servername www.google.com < /dev/null

The root cause was the FP_MAX_BITS. I had it set to 4096, but that's for only a 2048 bit (the size needs to hold two operands!)

Since some of the certs use RSA, these are needed:

#define HAVE_RSA
#define FP_MAX_BITS (2 * 4096)

I put back your original curl file and confirmed it is working:

https://curl.se/ca/cacert.pem

I have this all resolved in the latest commit on my sample app:

https://github.com/gojimmypi/wolfssl/tr … ssl_client

I realize this is not at all intuitive, so I put together this PR that should make certificate troubleshooting vastly more easy:

https://github.com/wolfSSL/wolfssl/pull/8902

With the PR, when the `FP_MAX_BITS` is found to be too small at runtime, and when `WOLFSSL_DEBUG_CERTS` is enabled, a message such like this will be displayed:

I (15765) wolfssl: TFM fp_exptmod_nct failed: P.used (128) > (FP_SIZE/2); FP_SIZE: 136; FP_MAX_SIZE: 4096
I (15773) wolfssl: Consider adjusting current FP_MAX_BITS: 4096

Answers to your specific questions:

Where to define custom #define properties in my project?

All settings should be in the `user_settings.h`. There should be only one file, located in

[project]\components\wolfssl\include\user_settings.h

See the reference template project:

https://github.com/wolfSSL/wolfssl/tree … s/template

I am using wolfSSL through ESP Component Registry.

This will be a little tricky, as the registered components don't like to be changed. There will be instruction at build time to convert to a non-managed component.

major problem was related to lack of #define directives in user_settings.h but you have all these:

Oh, some of those were just for testing. Sorry for the confusion there. The one in the working commit, above, should be cleaned up now.

So far so good but I found some examples where this doesn't work and I don't know why.

I'm pretty sure this is the RSA and max bit settings.

For example I can see you already have this config property: "CONFIG_WOLFSSL_ALT_CERT_CHAINS", which is the equivalent of "#define WOLFSSL_ALT_CERT_CHAINS".

The wolfSSL setting is `WOLFSSL_ALT_CERT_CHAINS`. Macros with a `CONFIG_`prefix came from the ESP-IDF menuconfig via Kconfig.

Not clear what this means (in component README):

- The wolfSSL-related `components/[name]/include` directory should be empty for all components except wolfssl.

There are other components such as wolfssh and wolfmqtt; ONLY wolfssl should have a `user_settings.h` in the respective include directory

- Files in this directory are renamed with `.bak` suffixes when performing publish-time build checks.

This is intended for wolfssl maintainers. I'll make this more clear in future releases. It refereces what happens when components are published to the ESP Registry.


Please let me know if this answers all of your questions or if I can be of further assistance.

I'll be working more on additional `WOLFSSL_DEBUG_CERTS` functionality. Open to suggestions for other diagnostics.

Best Regards & Have a great weekend!

Jim

Go to forum: wolfSSL

3 Reply by gojimmypi

(7 replies, posted in wolfSSL)

Hi rocotocloc

Thank you very much for sharing the the code sample and your observations. That's really helpful. I have been able to reproduce the problem you are seeing, but only have a partial solution.

Per our related discussion at the other thread:

https://www.wolfssl.com/forums/post8388.html

I think the primary problem is an issue with either the certs and/or the user_settings.h

Could you please share your user_settings.h either here, and/or send to support [at] wolfssl.com ?

I've put together a sample that works with TLS 1.2 here:

https://github.com/gojimmypi/wolfssl/tr … ssl_client

Your code is in the `other.c` source file:

https://github.com/gojimmypi/wolfssl/bl … in/other.c

See the limited certs that I am using here:

https://github.com/gojimmypi/wolfssl/bl … rts.pem#L1

TLS 1.3 is considerably more strict, and I've not yet been able to assemble to proper certs that will work.

I'll work on this more tomorrow, just wanted to reply here & share my progress. It is an interesting problem.

Go to forum: wolfSSL

4 Reply by gojimmypi

(6 replies, posted in wolfSSL)

Hi @rocotocloc

That sounds interesting! Even for just development stage products, we might be able to provide additional pre-sales support to help with integration for your commercial product. I definitely encourage you to send a message to support [at] wolfssl.com

Yes, I understand your reluctance to use a custom toolchain. If you are only talking to a limited number of servers, a fixed PEM certificate is probably the better way to go. Not only is it more standard, but on an embedded device better performance, too.

To clarify: it is only the ESP-IDF build-time-generated Certificate Bundle binary file that is not compatible between mbedTLS and wolfSSL. I believe both properly support a PEM root CA files directly (those not assembled into a single file by the python script). wolfSSL certainly does. For reference, this is the difference:

https://github.com/wolfSSL/wolfssl/blob … dle.c#L152

I'll go reply to the other forum question now regarding the certificate validation failure.

You may also be interested in some other recent changes to wolfSSL for Espressif support, such as this PR updating example for Post Quantum Key Exchange (ML-KELM) support:

https://github.com/wolfSSL/wolfssl/pull/8813

btw - are you using the wolfSSL source directly, or with a Managed Component?

https://components.espressif.com/compon … sl/wolfssl

Best Regards,

Jim

p.s. There are other wolfSSL products that might be useful for your project: wolfSSH, wolfMQTT, wolfTPM

Go to forum: wolfSSL

5 Reply by gojimmypi

(6 replies, posted in wolfSSL)

Hi @rocotocloc

do you mean I can use that propietary Espressif bundle at the moment?

Well, that depends. Basically yes, but with an ESP-IDF update or patch.

The wolfSSL PR 7936 that I referred to needs a modified ESP-IDF. One option is the my_531 branch mentioned below.

I also put up this PR at Espressif yesterday for the ESP-IDF v5.5 beta-1:

https://github.com/espressif/esp-idf/pull/16145

Additionally, I should point out that the bundles are *not* compatible between mbedTLS and wolfSSL. This is not an issue for ESP-IDF builds, as included in the upstream PR, I also have a wolfSSL-specific python script gen_crt_bundle.py that runs at build time.

See:

https://github.com/wolfSSL/wolfssl/tree … crt_bundle

I've also added some features like manually specifying a bundle file. This was primarily for PlatformIO builds, but others will likely find it useful as well.

Can you tell me more about your project? Is this for a commercial product? If so we can prioritize helping you with an interim solution until the upstream Espressif code is merged. Please send a message to support [at] wolfssl.com

Go to forum: wolfSSL

6 Reply by gojimmypi

(6 replies, posted in wolfSSL)

Hi rocotocloc & Anthony,

There are two different types of "Certificate Bundles."

The first is the standard, RFC-compliant format - a simple list of certificates - as Anthony described in his reply. This is the preferred and official method.

The second is Espressif’s (more specifically, mbedTLS’s) custom, proprietary format used exclusively in the ESP-IDF. This format is generated at build time using the gen_crt_bundle.py Python script, located here:

https://github.com/espressif/esp-idf/tr … crt_bundle

Given the error message, I assume this is the Certificate Bundle method you are referring to?

We added support for this Espressif-style Certificate Bundle to wolfSSL last year:

https://github.com/wolfSSL/wolfssl/pull/7936

And just this week, we added improved support for PlatformIO Certificate Bundles:

https://github.com/wolfSSL/wolfssl/pull/8847

Currently, some minor modifications to the ESP-IDF are needed to properly link wolfSSL with the esp-tls library when using Certificate Bundle support. These changes can be found in my fork here:

https://github.com/gojimmypi/esp-idf/tree/my_531

I still need to submit a pull request upstream to add this support to the official Espressif releases. The branch above targets ESP-IDF v5.3.1. Unless otherwise requested, my first PR will aim to port the changes to the latest master (v5.5).

If this is for a commercial product, please feel free to contact us at support [at] wolfssl.com and/or open a GitHub issue.

Thank you for your interest in wolfSSL,

Jim

Edit: for reference here are the files changed between my ESP-IDF branch and upstream:

$ git diff --name-only c8fc5f6 041cd42
.github/workflows/release_zips.yml
.gitignore
README.md
components/esp-tls/CMakeLists.txt
components/esp-tls/Kconfig
components/esp-tls/esp-tls-crypto/esp_tls_crypto.c
components/esp-tls/esp_tls.c
components/esp-tls/esp_tls.h
components/esp-tls/esp_tls_wolfssl.c
components/esp-tls/private_include/esp_tls_private.h
components/esp-tls/private_include/esp_tls_wolfssl.h
components/esp_http_client/esp_http_client.c
components/tcp_transport/transport_ssl.c
package.json
version.txt

Go to forum: wolfSSL

7 Reply by gojimmypi

(10 replies, posted in wolfSSL)

Cool. I'd like to help.

Regarding the certificate management, wolfSSL of course has all the standard RFCs implemented.

If perhaps you wanted to use the Espressif ESP-IDF esp-tls component and/or the "Certificate Bundles" (non-standard, something that mbedTLS created) I have a fork of the ESP-IDF that implements that using wolfSSL:

https://github.com/gojimmypi/esp-idf/tr … ts/esp-tls

and some examples, such as this one:

https://github.com/gojimmypi/wolfssl/tr … ttp_client

I suggest at this point, you please sent a message to support@wolfssl.com and reference this forum topic. Or I think you might have already working with Martin?

We can offer some pre-sales integration as well as more comprehensive integration & consulting services to get you up & running.

Depending on your target audience, you may also be interested in our FIPS certification:

https://www.wolfssl.com/license/fips/

And depending on how tightly integrated the EV Charging is with other automotive systems, your may be interested in the wolfHSM:

https://www.wolfssl.com/wolfssl-inc-ann … y-modules/

Best Regards

Go to forum: wolfSSL

8 Reply by gojimmypi

(10 replies, posted in wolfSSL)

That's curious. Just changing the library location should not have made a difference.

Do you have a user_settings.h in some other location? It should really be only in one place: in the component.

Please let me know if there are and suggested changes to the wolfSSL library, or if this was really only an issue in your project.

Note there are some minor post-v5.7.6 changes for the next release: https://github.com/wolfSSL/wolfssl/pull/8641

In any case - YAY! Glad you have it working.

Is this still for your EV Charge Point product? Let me know if you'd like to be in contact with one of the business directors; The 2025 wolfSSL roadmap is coming together, in case you have input on it.

Go to forum: wolfSSL

9 Reply by gojimmypi

(10 replies, posted in wolfSSL)

> Is there a difference for 5.7.6 as a managed component in regards to where the user_settings.h needs to be located it is currently in  the root folder of our application?

There's been no change in the user_settings.h for a managed component, but I've only ever tested it in the Managed Component directory. It is unlikely that the user_settings.h could be removed from the component, without making it an unmanaged component. So if there's another user_settings.h someplace, that might explain odd behaviour.

There's of course an issue with changes to managed component, thus I've been expanding the use of Kconfig. See also:

https://github.com/wolfSSL/wolfssl/issues/7969

See the template example:

https://github.com/wolfSSL/wolfssl/tree … sl/include

Also, be sure to always include the wolfSSL settings.h before any other include, and never include user_settings.h explicitly.

Make sure #define WOLFSSL_USER_SETTINGS is seen by all wolfSSL files.


> managed component might not be ready yet for 5.4

I've been developing with ESP-IDF v5.3 so indeed there may be issues with newer versions of the ESP-IDF

Go to forum: wolfSSL

10 Reply by gojimmypi

(10 replies, posted in wolfSSL)

Hi Adam,

Typically the 

<wolfssl/options.h>

is not used concurrently with 

<wolfssl/wolfcrypt/settings.h>

More importantly:  

<wolfssl/wolfcrypt/settings.h>

needs to be specified before each wolfSSL include file.

Also - the 

WOLFSSL_USER_SETTINGS

*MUST* be seen by each of 

settings.h

files in wolfSSL.

Typically the odd errors occur when these criteria are not met.

There's additional information and examples here: 

https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif

Go to forum: wolfSSL

11 Reply by gojimmypi

(2 replies, posted in wolfSSL)

sairos1987 wrote:

It's a shame I couldn't attend it! Can you share the main points that happened in this conference?

Spoiler: it's super easy, but even more is covered than just getting started. Check out the recording:


https://youtu.be/xD3AWFmg-Vo

See also the related blog:

https://www.wolfssl.com/getting-started … udio-2022/

Go to forum: wolfSSL

12 Topic by gojimmypi

(2 replies, posted in wolfSSL)

I'll presenting a live webinar this Wednesday

February 19, 2025
10:00 AM Pacific time

Getting Started with wolfSSL using Visual Studio 2022

https://us02web.zoom.us/webinar/registe … gistration

There will be a variety of tips for troubleshooting as well as Best Practices for using wolfSSL with C, C++ and C#.

Included are sample projects for both Windows platforms as well as some embedded: all in Visual Studio.

Connect your desktop wolfSSL-based TLS 1.3 app to an embedded IoT device.

Go to forum: wolfSSL

13 Reply by gojimmypi

(5 replies, posted in wolfSSL)

Hello Gabriel,

That's excellent! Glad you have it working.

Note that wolfSSL has many different configuration options to tune for performance, size, etc. See the docs:

https://www.wolfssl.com/documentation/m … ter02.html

If you decide to include OpenSSL in your analysis, there's a wolfSSL compatibility layer:

https://www.wolfssl.com/documentation/m … ter13.html

Best of luck with your project! Please let me know if I can help in any way.

Jim

Go to forum: wolfSSL

14 Reply by gojimmypi

(5 replies, posted in wolfSSL)

Hello Gabriel,

Thank you for providing the source code and additional details.

Now that I see what you are doing, perhaps this will help.

I placed your code in my `wolfssl-gojimmypi\IDE\Espressif\ESP-IDF\examples`directory so that wolfSSL source code would be found in a parent directory. Alternatively, the `WOLFSSL_ROOT` environment variable can be set, as described above. From your log, you probably don't need to move your code.

Please try adding these two lines to the `CryptoAPI` component `CmakeLists.txt` in `esp32-crypto-api\components\CryptoAPI`:

set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS")

There are still a few compile errors, indirectly related to wolfSSL that can be readily addressed, but otherwise successful:


Error    enumeration value 'RSA' not handled in switch wolfssl_IDF_v5.2_ESP32 C:\workspace\wolfssl-gojimmypi\IDE\Espressif\ESP-IDF\examples\esp32-crypto-api\components\CryptoAPI\src\WolfsslModule.cpp 98  
Error    'ret' may be used uninitialized               wolfssl_IDF_v5.2_ESP32 C:\workspace\wolfssl-gojimmypi\IDE\Espressif\ESP-IDF\examples\esp32-crypto-api\components\CryptoAPI\src\WolfsslModule.cpp 399 
Error    'cert_type' may be used uninitialized         wolfssl_IDF_v5.2_ESP32 C:\workspace\wolfssl-gojimmypi\IDE\Espressif\ESP-IDF\examples\esp32-crypto-api\components\CryptoAPI\src\WolfsslModule.cpp 488

The message you asked about is informative and otherwise ok:

C:/Users/myuser/Documents/CryptoAPI/components/wolfssl is not within IDF_PATH.

It only indicates that the wolfSSL is not an ESP-IDF component.

Please let me know how that goes.

Best Regards,

Jim

Go to forum: wolfSSL

15 Reply by gojimmypi

(5 replies, posted in wolfSSL)

Hello gabriel and thank you for your interest in wolfSSL.

It does appear that your local project component directory is correctly structured.

Without seeing your source code, it is difficult to say exactly what the root cause of the problem may be, but I do have some suggestions for you.

I started with the bare-bones Espressif template example here:

https://github.com/wolfSSL/wolfssl/tree … s/template

Using your example of  needing`wc_InitRsaKey()`, the `ed25519.h` file needs to be included.

The two most important things to remember:

1) `WOLFSSL_USER_SETTINGS` needs to be defined. See the first line in the `template/main/CMakeLists.txt`:

set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS")

2) It is important to include the wolfssl/wolfcrypt/settings.h files before any other wolfSSL includes.


#ifdef WOLFSSL_USER_SETTINGS
    #include <wolfssl/wolfcrypt/settings.h>
    #ifndef WOLFSSL_ESPIDF
        #warning "Problem with wolfSSL user_settings."
        #warning "Check components/wolfssl/include"
    #endif
    #include <wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h>
#else
    /* Define WOLFSSL_USER_SETTINGS project wide for settings.h to include   */
    /* wolfSSL user settings in ./components/wolfssl/include/user_settings.h */
    #error "Missing WOLFSSL_USER_SETTINGS in CMakeLists or Makefile:\
    CFLAGS +=-DWOLFSSL_USER_SETTINGS"
#endif

#include <wolfssl/wolfcrypt/ed25519.h>

Then I added these two lines to `void app_main(void)` int `main.c`:


    ed25519_key key;
    wc_ed25519_init(&key);

I was able to confirm the template example would compile.

If you try these steps and the file still cannot be found, please reply with the CMake output, in particular the sections that include the `WOLFSSL_ROOT` keyword. Ensure you are using a recent CMakeLists.txt, such as the one on the example template `components/wolfssl` directory. There should be something like this in the log:

-- Starting FIND_WOLFSSL_DIRECTORY: 
-- The WOLFSSL_ROOT environment variable is not set. Searching...
-- WOLFSSL_ROOT found in sdkconfig/KConfig: ~/workspace/wolfssl
-- CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT sdkconfig setting = ~/workspace/wolfssl
-- WOLFSSL_ROOT Variable defined, but source code not found: C:/Users/<user>/workspace/wolfssl
-- CMAKE_CURRENT_SOURCE_DIR = .

After the lines of search, there should be an indication of the wolfSSL directory found:

-- Found wolfssl in CURRENT_SEARCH_DIR = C:/workspace/wolfssl-<user>
-- Found WOLFSSL_ROOT via CMake specification.

You may consider setting an environment variable `WOLFSSL_ROOT` that points your wolfSSL source code directory if your directory structure is such that wolfSSL is not in a parent directory from your project. Moving your project into the wolfSSL directory structure is also an option.

There's additional information and a link to a YouTube video on Getting Started with wolfSSL on the ESP32 here:

https://github.com/wolfSSL/wolfssl/tree … /Espressif

If these tips don't help, it would be great if you could supply a small reproducer app sample so I can further assist you.

Please let me know how it goes. Thank you.

Jim

Go to forum: wolfSSL

16 Reply by gojimmypi

(4 replies, posted in wolfCrypt)

Hi gabriel,

I've done PQ on the ESP32, but only the key share part, and prior to the recent NIST approvals. See X/Tweet thread:

https://x.com/gojimmypi/status/1772675517482705379

I also wrote this blog:  https://www.wolfssl.com/post-quantum-ke … sif-esp32/ that might help.

In the tweet thread there's this example code:

            ret = wolfSSL_UseKeyShare(ssl, WOLFSSL_P521_KYBER_LEVEL5);
            if (ret == SSL_SUCCESS) {
                ESP_LOGI(TAG, "UseKeyShare WOLFSSL_P521_KYBER_LEVEL5 success");
            }
            else {
                ESP_LOGE(TAG, "UseKeyShare WOLFSSL_P521_KYBER_LEVEL5 failed");
            }

and this optional config for user_settings.h

#if 1
    #define WOLFSSL_EXPERIMENTAL_SETTINGS
    #define WOLFSSL_HAVE_KYBER
    #define WOLFSSL_WC_KYBER
#endif

Here's a copy of the client code from the tweet thread:

$ ./examples/client/client  -h 192.168.1.38 -v 4 -l  TLS_AES_128_GCM_SHA256 --pqc KYBER_LEVEL5
Using Post-Quantum KEM: KYBER_LEVEL5
SSL version is TLSv1.3
SSL cipher suite is TLS_AES_128_GCM_SHA256
I hear you fa shizzle!
gojimmypi:/mnt/c/workspace/wolfssl-master

I've been meaning to reach out to Anthony to see what might be different now that NIST has PQ out of "experimental mode". That will depend on the specific version of wolfSSL you are using.

I, too went down the road of liboqs. I don't recall where I saw that, but it is not needed for wolfSSL PQ.

p.s. there's a failly significant upgrade in a recent PR that adds wolfSSL support to the esp-tls layer:

https://github.com/wolfSSL/wolfssl/pull/7936

Good luck with your project! Let us know how it goes & if you encounter any problems.

Cheers

Go to forum: wolfCrypt

17 Reply by gojimmypi

(7 replies, posted in wolfSSL)

Hi parmstrong3 - if you'd be able to get your workflow operational with the ESP-IDF, I suspect we could also get it  working with PlatformIO.

My personal skill set is certainly stronger with the ESP-IDF, but I'd be happy to do all I can to assist with your build process, particularly as a commercial customer. After you reach out to your contact, let's arrange a time for a call to discuss your specific needs.

Thank you for your interest in wolfSSL.

Jim

Go to forum: wolfSSL

18 Reply by gojimmypi

(7 replies, posted in wolfSSL)

Hi parmstrong3 -

Thanks for taking the new wolfSSL PlatformIO support for a test drive!

Yes, it's true there's currently a lot of room for improvement in the Espressif examples for wolfSSL. See:

https://github.com/espressif/esp-idf/issues/13966

In particular, the esp-tls layer not only adds complexity, but today when selecting wolfSSL using: 

idf.py menuconfig

the examples such as esp_http_client do not work properly, as you've seen.

A fix is currently in the works, and more importantly: a vastly superior method of integrating wolfSSL into the ESP-IDF using Managed Components from the ESP Registry. You'll see in the #13966 thread, that Ivan has an excellent solution for allowing the ESP-IDF to "see" a component installed in the local project. There's a partially working example here:

https://github.com/gojimmypi/esp-idf/tree/wolfssl

(the https WIP example is in a different repo)

In the meantime, my best advice is to use wolfSSL directly instead of using the esp-tls layer. See the examples:

https://github.com/wolfSSL/wolfssl/tree … F/examples

I realize these are only using the TLS layer, but the read & writes should be easily adapted to an HTTPS example.

Here's a blog on using the Managed Components:

https://www.wolfssl.com/wolfssl-now-ava … -registry/

If you *really* want to use the eps-tls, the esp-wolfssl needs to be installed manually. As you noticed, it is no longer included in the ESP-IDF. Also note the version there is really quite stale. There's also an unintuitive setting needed, as seen in the esp-tls Kconfig file:

        config ESP_TLS_USING_WOLFSSL
            depends on TLS_STACK_WOLFSSL

So be sure to click the `Include wolfSSL in ESP-TLS` settings to enable the TLS_STACK_WOLFSSL. This too is currently being improved.

I'm completely confident we can get wolfSSL HTTPS working robustly, even though the Espressif examples and the ESP-IDF itself need a little bit of TLC.

Go to forum: wolfSSL

19 Reply by gojimmypi

(27 replies, posted in wolfSSL)

Hi Adam,

That's excellent! Glad we are making progress. Now onto the OpenSSL conversion:

Are you using the same user_settings.h that we were working with when you were using the PlatformIO environment:

https://github.com/gojimmypi/wolfssl/bl … settings.h

I'm able to add that to a sample project and build successfully. I assume the error you are seeing is occurring in your codebase, outside of wolfSSL? Any additional details would be helpful, although OpenSSL is not one of my specialties. I may need to reach out for additional help on that.

Best Regards,

Jim

Go to forum: wolfSSL

20 Reply by gojimmypi

(27 replies, posted in wolfSSL)

Hi Adam,

Oh, I see. One more change is needed. I will append the pull request.

That place where you edited the "FOUND_WOLFSSL"... add these two lines in the "if" that you just edited (the "set" and "return"):

        if( FOUND_WOLFSSL )
            message(STATUS "Found WOLFSSL_ROOT via Environment Variable: ${CURRENT_SEARCH_DIR}")
            set(${OUTPUT_FOUND_WOLFSSL_DIRECTORY} ${CURRENT_SEARCH_DIR} PARENT_SCOPE)
            return()
        else()

I had not noticed that even when finding the environment variable, the logic kept looking anyhow. In may case, it would find wolfSSL, but not because of the environment variable, rather where it was in the parent directory tree.

The problem was the missing "return()" once the environment variable setting was confirmed to be a wolfssl directory.

The log should now look like this:

-- USERNAME = gojimmypi
-- THIS_USER = gojimmypi
-- ************************************************************************************************
-- wolfssl component config:
-- ************************************************************************************************
-- Starting FIND_WOLFSSL_DIRECTORY
-- Found WOLFSSL_ROOT via Environment Variable: C:/test/adam/wolfssl
-- NEW Found wolfssl directory at: C:/test/adam/wolfssl

Let's see if that works for you. Thank you so much for your patience. and persistence.

Cheers

Jim

Go to forum: wolfSSL

21 Reply by gojimmypi

(27 replies, posted in wolfSSL)

Hi Adam -

Oh! An excellent find. Thank you for pointing that out. I'll get a PR together right away to fix it.

TL;DR: There's a mistake in the component cmake file: 

 [project]/components/wolfssl/CMakeLists.txt

Change line 85 of the template CMakeLists.txt file:

https://github.com/wolfSSL/wolfssl/blob … ts.txt#L85

Specifically: replace the 

if("${FOUND_WOLFSSL}")

with:

if( FOUND_WOLFSSL )

In more detail, Here's what I did:

In my C:\test directory, I created an "Adam" directory, and cloned wolfSSL into it: 

c:\test\adam\wolfssl

Also in my C:\test directory, I created a "MyProject" directory:  

c:\test\myproject.

(for now, let's make sure there are no spaces in any of the paths)

I copied the contents of the sample template project:

C:\test\adam\wolfssl\IDE\Espressif\ESP-IDF\examples\template

to the c:\test\myproject directory.

There should now be a VisualGDB directory, here:

C:\test\myproject\VisualGDB

I used the system control panel applet to set the environment variables:

Variable Name:
WOLFSSL_ROOT

Variable Value:
C:\test\adam\wolfssl

make sure there are no embedded spaces, particularly if using commandline:

WOLFSSL_ROOT=C:\test\adam\wolfssl

Open the VisualGDB project:

C:\test\myproject\VisualGDB\wolfssl_template_IDF_v5.1_ESP32.vgdbproj

(observe error at project load time)

Edit the cmake file as described above.

C:\test\myproject\components\wolfssl\CMakeLists.txt

Right click and reload the project. All should be well now.

Please give that a try and let me know how it goes.

My sincere apologies for this problem. Best Regards.

Jim

edit: I've created GitHub issue 7148 to fix this.

https://github.com/wolfSSL/wolfssl/pull/7148

Go to forum: wolfSSL

22 Reply by gojimmypi

(27 replies, posted in wolfSSL)

Hi Adam -

I'm so sorry to hear you are still struggling with the setup. I'll make the instructions more clean on GitHub.

I'll also check the setup script later today.

Can you tell me the exact error you are seeing?

In the meantime, I think the best method is to use the existing examples.

I suggest:

1) Remove the wolfSSL compoenent that was installed to the ESP-IDF with the script.

2) Copy the sample project component directory tree and all files to your `[project root]/components/` directory:

https://github.com/wolfSSL/wolfssl/tree … ts/wolfssl

3) Set an environment variable called WOLFSSL_ROOT (or edit the CMakeLists.txt variable of the same name) to point to the wolfssl source.

For example if you've git-cloned wolfssl from a d:\workspace directory and used the default repo name:

WOLFSSL_ROOT="d:\workspace\wolfssl"

Or see cmake examples:

https://github.com/wolfSSL/wolfssl/blob … ts.txt#L53

Your wolfSSL user_settings.h file would then be in your:

[project]/components/wolfssl/include

Like this one:

https://github.com/wolfSSL/wolfssl/tree … sl/include

Let me know how that goes.  If you still see errors, please post them here or open a GitHub issue.

Best Regards,

Jim

Go to forum: wolfSSL

23 Reply by gojimmypi

(27 replies, posted in wolfSSL)

Hi Adam -

Good to hear about your progress and continued interest!

At the moment, I don't yet have any good instructions for VS Code & PlatformIO. But I do have a major update in the works to publish an official wolfSSL to both Ardiuno and PlatformIO sites, along with improved Arduino examples. Stay tuned. smile

Would you happen to be using Windows? If so, I highly recommend the VisualGDB extension for Visual Studio. I've found it to be an incredibly productive development environment tool. Couple that with the Tigard JTAG board and there's an excellent ESP32 debugger for single step, breakpoints, variable inspection, memory & register peeking and more.

I gave a YouTube webinar last year on this topic that you may find helpful:

https://www.youtube.com/watch?v=CzwA3ZBZBZ8

Although the ESP Registry is awesome for getting started, it is not as robust as I want for ongoing development. I need to further develop the KConfig to make changes via the ESP-IDF menuconfig, as otherwise the user_settings.h file in a managed component cannot be edited.

There are some Espressif examples to help get started with the ESP-IDF here:

https://github.com/wolfSSL/wolfssl/tree … F/examples

Note in particular that wolfSSL does not need to be installed in the local project. See the CMakeLists.txt file in components/wolfssl directory.

The user_settings.h is then found in this directory:

[your project]/components/wolfssl/include

As you move forward, please note that wolfSSL offers special pre-sales support to help get your project kickstarted.

Cheers

Jim

Go to forum: wolfSSL

24 Reply by gojimmypi

(27 replies, posted in wolfSSL)

Hi Adam -

wolfSSL is that we can tailor the SSL/TLS requirements per geographic region or client base

Indeed! That's definitely an awesome feature of wolfSSL.

The odd build problems are not a surprise. The source on PlatformIO is not official, and I cannot even confirm it is genuine wolfSSL source. Without seeing your source code, it is hard to say for sure what's going on. I'd like to help.

I'm certain the hardware random number generator is implemented for all of the ESP32 devices. I suspect he problem you are encountering is related to the user_settings.h values.

Is there a serious and compelling reason to use the Arduino platform? I'd like to again emphasize the robustness of the Espressif ESP-IDF. I noticed at project creation time that PlatformIO will use either Arduino or ESP-IDF. If you use the ESP-IDF, we'd be able to help you much more. I'll be working on improving Arduino integration, that's admittedly not great at the moment.

I'd also like to invite you to open any issues on GitHub as appropriate, including one regarding your request for Arduino support:

https://github.com/wolfSSL/wolfssl/issues

Regarding your migration from OpenSSL: we have several engineers on staff that have a great amount of experience with that. Professional engineering and consulting services are available to help you with your implementation.

I'm glad you are making progress on your evaluation and look forward to learning more.

Best Regards

Jim

Go to forum: wolfSSL

25 Reply by gojimmypi

(27 replies, posted in wolfSSL)

Hi Adam -

How's your evaluation coming along? Will you have any customers in China? One of the things to consider is wolfSSL SM Chinese ShangMi support:

https://www.wolfssl.com/wolfssl-adds-sh … wolfcrypt/

I have that working for the ESP32, but the samples need just a little fine tuning with regards to the static sample certs.

Heads up I received approval to work on an official wolfssl repository for PlatformIO.

Status will be tracked at GitHub issue #85 for platformio/platformio-registry here:

https://github.com/platformio/platformi … /issues/85

I need to wrap up a few other items before I get started on that, but in the meantime please let me know if there's anything else I can do to help you.

Cheers

Go to forum: wolfSSL