Hi rocotocloc -
> can say my project is now working and I can connect to my website by using the appropriate root certificate,
Yay! nicely done.
One of the things to be aware of for some CDN / load balanced sites such as `google.com` is that a different ISP may have a different cert chain. My ESP32 was connecting directly, my computer via VPN. For example, each would see a different result for:
```
openssl s_client -connect www.google.com:443 -showcerts -servername www.google.com < /dev/null
```
The root cause was `FP_MAX_BITS`. I had it set to 4096, but that's only enough for 2048 bits (the size needs to hold two operands!)
Since some of the certs use RSA, these are needed:
```
#define HAVE_RSA
#define FP_MAX_BITS (2 * 4096)
```
I put back your original curl file and confirmed it is working:
https://curl.se/ca/cacert.pem
I have this all resolved in the latest commit on my sample app:
https://github.com/gojimmypi/wolfssl/tr … ssl_client
I realize this is not at all intuitive, so I put together this PR that should make certificate troubleshooting vastly more easy:
https://github.com/wolfSSL/wolfssl/pull/8902
With the PR, when `FP_MAX_BITS` is found to be too small at runtime, and when `WOLFSSL_DEBUG_CERTS` is enabled, a message like this will be displayed:
```
I (15765) wolfssl: TFM fp_exptmod_nct failed: P.used (128) > (FP_SIZE/2); FP_SIZE: 136; FP_MAX_SIZE: 4096
I (15773) wolfssl: Consider adjusting current FP_MAX_BITS: 4096
```
Answers to your specific questions:
> Where to define custom #define properties in my project?
All settings should be in the `user_settings.h`. There should be only one file, located in `[project]\components\wolfssl\include\user_settings.h`
See the reference template project:
https://github.com/wolfSSL/wolfssl/tree … s/template
> I am using wolfSSL through ESP Component Registry.
This will be a little tricky, as the registered components don't like to be changed. There will be instructions at build time to convert to a non-managed component.
> major problem was related to lack of #define directives in user_settings.h but you have all these:
Oh, some of those were just for testing. Sorry for the confusion there. The one in the working commit, above, should be cleaned up now.
> So far so good but I found some examples where this doesn't work and I don't know why.
I'm pretty sure this is the RSA and max bit settings.
> For example I can see you already have this config property: "CONFIG_WOLFSSL_ALT_CERT_CHAINS", which is the equivalent of "#define WOLFSSL_ALT_CERT_CHAINS".
The wolfSSL setting is `WOLFSSL_ALT_CERT_CHAINS`. Macros with a `CONFIG_` prefix come from the ESP-IDF menuconfig via Kconfig.
> Not clear what this means (in component README):
> - The wolfSSL-related `components/[name]/include` directory should be empty for all components except wolfssl.
There are other components such as wolfssh and wolfmqtt; ONLY wolfssl should have a `user_settings.h` in the respective include directory
> - Files in this directory are renamed with `.bak` suffixes when performing publish-time build checks.
This is intended for wolfSSL maintainers. I'll make this more clear in future releases. It references what happens when components are published to the ESP Registry.
Please let me know if this answers all of your questions or if I can be of further assistance.
I'll be working more on additional `WOLFSSL_DEBUG_CERTS` functionality. Open to suggestions for other diagnostics.
Best Regards & Have a great weekend!
Jim
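Added example (not from the post or from wolfSSL itself): a small C check that reproduces the `FP_MAX_BITS` sizing problem described above. It assumes TFM's layout of `FP_SIZE = (FP_MAX_BITS + 8 * DIGIT_BIT) / DIGIT_BIT` with 32-bit digits, which is the assumption that yields the `FP_SIZE: 136` seen in the log for `FP_MAX_BITS` 4096.

```c
#include <stdio.h>
#include <stdbool.h>

/* Assumed digit width for the ESP32 build (32-bit digits). */
#define DIGIT_BIT 32

/* Digits available for a given FP_MAX_BITS. TFM reserves 8 extra digits of
 * headroom, so FP_MAX_SIZE = FP_MAX_BITS + 8 * DIGIT_BIT (assumed layout). */
static int fp_size_for(int fp_max_bits) {
    int fp_max_size = fp_max_bits + 8 * DIGIT_BIT;
    return fp_max_size / DIGIT_BIT;
}

/* Digits occupied by an RSA modulus of modulus_bits (this is the "P.used"
 * value in the diagnostic line). */
static int digits_used(int modulus_bits) {
    return (modulus_bits + DIGIT_BIT - 1) / DIGIT_BIT;
}

/* fp_exptmod_nct needs room for two operands, so the modulus may use at
 * most FP_SIZE/2 digits; anything larger fails exactly as the log shows. */
static bool fp_max_bits_ok(int modulus_bits, int fp_max_bits) {
    return digits_used(modulus_bits) <= fp_size_for(fp_max_bits) / 2;
}

/* Smallest power-of-two FP_MAX_BITS (starting at 1024) that fits the modulus. */
static int required_fp_max_bits(int modulus_bits) {
    int bits = 1024;
    while (!fp_max_bits_ok(modulus_bits, bits))
        bits *= 2;
    return bits;
}

int main(void) {
    const int modulus_bits = 4096;   /* a 4096-bit RSA cert in the chain */
    const int configured   = 4096;   /* the value the post started with */
    if (!fp_max_bits_ok(modulus_bits, configured)) {
        printf("TFM fp_exptmod_nct would fail: P.used (%d) > (FP_SIZE/2); FP_SIZE: %d\n",
               digits_used(modulus_bits), fp_size_for(configured));
        printf("Consider adjusting FP_MAX_BITS: %d -> %d\n",
               configured, required_fp_max_bits(modulus_bits));
    }
    return 0;
}
```

The same function also confirms why the default was fine with 2048-bit certificates: 64 used digits fit within 136/2.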