[OpenWrt-Devel] [PATCH ustream-ssl v2 0/3] wolfssl updates

Eneas U de Queiroz cotequeiroz at gmail.com
Wed Sep 18 22:18:00 EDT 2019

ustream-ssl does not currently work with client apps.  They fail to
connect immediately.  uclient-fetch, for example, just shows a
'Connection failed' message.  This was due to a change in the SSL
session struct.

While making small changes to my first attempt, I realized my testing
was not completely flawed.

Because of that, I failed to realize that while the struct change
happened in v3.13.2, the API to change it at the SSL struct was
only created in v4.1.0.

Keeping some of the calls using CyaSSL, but then having to add new
calls, only available as wolfSSL would become messy.  So, I started
by cleaning up the code, removing old CyaSSL remnants.

After fixing that, uclient-fetch failed to run unless
--no-check-certificate is used, which is not ideal.  So I added the
calls to perform CN validation.

Note that even though wolfssl has an X509_check_host function, which could
be used for openssl and wolfssl, they are not 100% compatible, and its
definition is not really consistent from version to version.

X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS is not defined, and even though
wolfSSL_X509_check_host apparently only exists to implement the openssl
function, they are not both enabled by --enable-opensslextra.
The wolfSSL function is, but the openssl one isn't.  So I'm using the
wolfssl call.

As for testing, I run-tested each commit with wolfssl versions 3.10.4,
3.12.2, 3.15.3, and 4.1.0.  Since the first commit does not fix
client-mode, I tested it using the example client/server apps (using a
client built with a different version).  Version 3.15.3 did not work
with the server app, so I checked the current HEAD, and it does not work
either, so it is not something I introduced.  It works after the next
fix is applied.

Everything works as expected from the next commit on.
Eneas U de Queiroz (3):
  Remove CyaSSL, WolfSSL < 3.10.4 support
  ustream-io-cyassl.c: fix client-mode connections
  wolfssl: enable CN validation

 CMakeLists.txt                              | 25 +++++++----
 ustream-internal.h                          |  3 --
 ustream-io-cyassl.c => ustream-io-wolfssl.c | 47 +++++----------------
 ustream-openssl.c                           | 14 +++---
 ustream-openssl.h                           |  4 ++
 ustream-ssl.c                               |  3 ++
 6 files changed, 43 insertions(+), 53 deletions(-)
 rename ustream-io-cyassl.c => ustream-io-wolfssl.c (62%)