Here`s the third part in a four part series giving a more detailed report on some of the new features present in the recent wolfSSL release.
• Runtime hooks for logging. The wolfSSL embedded SSL library has had the ability to do logging when debug is enabled for some time. Now, logging callback functions can be registered at runtime to provide some more flexibility with how logging is done. The logging callback can be registered with:
int wolfSSL_SetLoggingCb(wolfSSL_Logging_cb log_function);
typedef void (*wolfSSL_Logging_cb)(const int logLevel,
const char *const logMessage);
The log levels can be found in logging.h and the implementation is in logging.c. By default, wolfSSL logs to stderr with fprintf.
• More informative error codes. With the new logging facility an effort was made to change generic errors (-1) to more informative ones. This should aid in the debugging of SSL problems in general and particularly during the SSL handshake.
• More informative logging messages. As with the above feature, an effort was made to have more descriptive logging messages both in error cases and for informational output. These should aid debugging and tracking as well.
• EDH on server side. A wolfSSL server can now do Ephemeral Diffie-Hellman. No build changes are needed to add this feature. Though an application will have to register the ephemeral group parameters on the server side to enable the EDH cipher suites. A new API can be used to do this:
int wolfSSL_SetTmpDH(SSL* ssl, unsigned char* p,int pSz,unsigned char* g,int gSz);
The example server and echoserver use this function from SetDH().
• More robust server downgrade. Both wolfSSL clients and servers now have robust version downgrade capability. If a specific version method is used on either side then only that version will be negotiated or an error will be returned. A client that uses TLSv1 and tries to connect to a SSLv3 only server will fail, likewise connecting to a TLSv1.1 will fail as well. On the other hand, a client that uses SSLv23 (use the highest version supported and downgrade to SSLv3 if needed) will connect to a server running SSLv3 – TLSv1.2. The only version it can`t connect to is SSLv2 which has been insecure for years. Similarly, a server using SSLv23 can handle clients from SSLv3 – TLSv1.2. A wolfSSL server can`t accept a connection from SSLv2 because no security is provided.