You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by kmackay
Pages 1
Our application sends datagrams, some of which are unreliable and may be dropped at any time. Therefore I think we can't easily use TLS.
I'll see if I can figure out what to change to remove the HelloVerifyRequest myself... if I get it working should I submit a patch or something?
-Ken
The usual DTLS handshake requires 3 round trips (from RFC 4347):
Client Server
ClientHello -------->
<------- HelloVerifyRequest
ClientHello -------->
ServerHello
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
However, in certain cases, it is desirable to reduce the number of round trips for connection. For example, when doing satellite communications, round trip time can be 4+ seconds. In these cases, it is nice to be able to disable the HelloVerifyRequest portion of the handshake (the first two steps), so that only 2 round trips are required.
Is there any way to do this with wolfSSL?
-Ken
I have set up wolfSSL to do an asynchronous connect/accept. The idea is that SSL data is sent immediately, and there is no blocking to receive; instead, the SSL data from the other side is handled when it arrives. This is working well; the only thing I had to work out was what happens after the connection is set up, but before any application data has been received. In this case, the last call to SSL_read() finished the connection handshake, and then (since there was no more data), the ssl->error is set to WANT_READ. Now if I call SSL_write, it will succeed, (it returns the number of bytes written, rather than a negative error number). However, when I call SSL_get_error(ssl, result), it still returns SSL_ERROR_WANT_READ (rather than the SSL_ERROR_NONE which would be returned by OpenSSL).
This is not really a bug so much as a difference between wolfSSL and OpenSSL, so I'm not sure if you want to fix it or not. I can just check the return value from SSL_write() and only call SSL_get_error() if SSL_write returns <= 0. Another option is to change the SSL_get_error(ssl, result) function so that it returns SSL_ERROR_NONE if result is > 0.
-Ken
OK, I got it to work. I had to change MAX_UDP_SIZE in addition to MAX_MTU.
-Ken
With gcc warnings turned up to "irritating" (-Wall -Wextra), there are a couple of build warnings in wolfSSL:
cyassl_int.c:171: warning: ‘inline’ is not at beginning of declaration
cyassl_int.c: In function ‘DoCertificateVerify’:
cyassl_int.c:4903: warning: comparison between signed and unsigned
ssl.c: In function ‘ProcessFile’:
ssl.c:663: warning: comparison between signed and unsigned
tls.c:242: warning: ‘inline’ is not at beginning of declaration
not really important, I just noticed because we build with -Werror.
OK, thanks. I will give it a try. We have also tried Mocana (http://www.mocana.com/nanodtls.html) but it looks like wolfSSL embedded SSL could be better in many respects.
The reason we use DTLS is that we have a datagram-oriented system which works over many different protocols. We support both reliable and unreliable data, so one requirement is that data can be dropped. It seemed to me that DTLS was a better fit for these requirements than TLS.
On a separate note, I noticed that there are some defines and stub files for ECC, but the implementation is not present. Is there a separate download for the ECC implementation, or is that planned for the future?
-Ken
I am interested in using wolfSSL for DTLS over arbitrary protocols (eg serial, bluetooth, ... not just UDP). Currently we do this with OpenSSL by setting up the read and write BIOs to be memory BIOs. Then when we send data, we call SSL_write() and then read the encrypted data out of the write BIO to send over whatever the protocol is; when we receive data from the remote side, we write it into the read BIO and then call SSL_read().
Is there a way to do something similar with the wolfSSL API? It seems like maybe the CBIORecv/CBIOSend function pointers could be set up in the SSL context to do what I want; is this correct?
I am also wondering if there is a way to set the MTU so that we can read/write chunks larger than 1500 bytes.
Pages 1
wolfSSL - Embedded SSL Library → Posts by kmackay
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.020 seconds (96% PHP - 4% DB) with 5 queries