change(esp-wolfssl): allow to enable OCSP support #24
Conversation
Hi @frankencode and thank you for your interest in wolfssl. Please note that this espressif/esp-wolfssl is stale and not managed by wolfssl as mentioned in espressif/esp-idf#13618 (comment). We'd like to invite you to instead open pull requests or issues at wolfSSL/wolfssl. Additionally, please note that we have wolfSSL available as a Managed Component as well as some examples using a GitHub clone of wolfssl as a component in the ESP-IDF with only a CMakeLists.txt.
Hi gojimmypi! I know. I just watched your video on setting up wolfssl on esp yesterday. It didn't help much though. I need to have wolfSSL work as a proper esp-idf component. When I use your esp-wolfssl from espressif component store it won't allow me to select wolfSSL as an esp-tls backend in Godspeed,
Hi Frank!
Ah yes, have you tried copying the wolfssl component directory to the ESP-IDF directory? For me using VisualGDB on Windows this would be: In the components directory, the respective This might be the best solution if you are using the ESP-IDF. The Managed Component will of course not be appropriate as the
You are correct and I need to give more attention to this. In the meantime, is it possible for you to use the TLS capabilities from wolfSSL directly and avoid the
The wolfSSL libraries can certainly be configured for small memory footprints. Recently I was able to get wolfSSL TLS working on the Arduino Nano 33 IoT SAMD21 in only 32KB RAM + 256KB flash. See X/Tweet micro-blog. There's also an example Arduino user_settings.h over in examples/configs. That said, you are also correct about the default
Cool. I'd like to help. On a somewhat related note, I've been working on wolfSSL for Arduino as well as wolfSSL for PlatformIO (currently only the Arduino version) and staging wolfSSL for PlatformIO with the latest code to help with rapid prototyping for many different environments and platforms. Also, if you are interested in Post Quantum, I have an Open PR wolfSSL/wolfssl#7392 that updates the Espressif Examples, including adding support for Kyber KEM. Can you share more details of your project? Feel free to contact us at support@wolfssl.com In the meantime I'll take a look at the Cheers
YES. Tried that copy script. Like I said it is missing the Kconfig providing the TLS_STACK_WOLFSSL variable. Without I cannot select wolfSSL in the
That's unneeded I think. I'm not sure why it's done differently from any other esp-idf component.
Yes. I used the user_settings from this repository and updated it to reflect changes up to 5.7.
(There are a lot of platforms you have to keep track of;-)
ABSOLUTELY NOT. Espressif's network protocol implementations are built on top of esp-tls.
Yes, I will/have to trim it. My customer wants to use it primarily because of OCSP support (and because they are already a happy customer at wolfSSL;-)
Like I said I was just testing the esp_websocket_client library. It would be cool if its client example would work out of the box with the wolfSSL from components.espressif.com. I also posted some fixes on the espressif side to better support wolfSSL, have a look:
Hi @frankencode Thank you so much for the details.
I'll definitely get that fixed right away.
The primary reason this is different than other ESP-IDF components is licensing and upstream owners. In particular, I designed the This way, when changes are made to the wolfSSL code, it is already in place and ready to commit and create a PR. The current examples in the wolfSSL recurse up the directory tree looking for wolfSSL source code. To really appreciate this, you should have seen the convoluted process that I had which copied code from the local install back and forth with the actual repository code. That became quite unreasonable, at least for me.
For most users that do not intend on editing the wolfSSL source code, you are probably correct. Perhaps there's a benefit of being able to easily change source versions... or ensure that all projects are using exactly the same version.
Ah yes, good point if you need to use the web sockets rather than the lower-level lwip/sockets, see how the wolfSSL component needs to be seen by ESP-IDF. I'm not sure if wolfSSL has a web sockets layer. Let me check into that and get back to you.
A name you can share? Feel free to contact me directly: jim (at) wolfssl.com, or support@wolfssl.com Depending on the customer and respective support level, we might be able to dedicate more resources to help you. In the meantime, I'll be taking a closer look at the esp-tls, Kconfig files, and your other suggestions, which are all completely valid and I would definitely like to have working. Thanks again. Cheers
Hi Frank - First, regarding websockets, check out https://github.com/wolfssl/osp, in particular wolfSSL/osp/websocketpp. I do not personally have any experience with that, but let me know if you are interested in using something other than the Regarding the esp-tls.... My example wolfssl_client has been updated with a Kconfig that has the esp-tls I would have used your ESP-IDF fork at frankencode/esp-idf but I got into quite a tangle with the ESP-IDF v5.2 vs the v5.3 in I do have the
As such, for now I've made some in-place edits in my ESP-IDF v5.2 and commented below. Here are the steps to use: 1. Rename the local project
@frankencode Thanks for making the changes, just one small comment, otherwise the changes look good to me.
@frankencode Can you please merge the last two commits into one?
@AdityaHPatwardhan: Sure, no problem. See updated head.
Hi @frankencode - there will be an increased effort at improving the wolfSSL integration with the Espressif ESP-IDF. I've opened this anchor issue espressif/esp-idf#13966 to track progress. |
I've added an option (default off) to allow enabling OCSP with esp-wolfssl.
In particular it makes wolfSSL process the OCSP status forwarded in stapling v1 format
during the TLS handshake.
See also: espressif/esp-idf#13618 .
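To make "stapling v1 format" concrete, here is an added example (not code from esp-wolfssl, wolfSSL or the PR) that parses the TLS 1.2 CertificateStatus handshake message a server staples into the handshake, laid out as in RFC 6066 section 8, and reads the responseStatus from the DER OCSPResponse; the sample bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Body of the server's CertificateStatus handshake message (RFC 6066 section 8,
 * the "v1" status_request form): status_type (must be 1 = ocsp) followed by
 * opaque OCSPResponse<1..2^24-1>, i.e. a 3-byte length and the DER response.
 * On success points *resp/*resp_len at the DER OCSPResponse and returns 0;
 * returns -1 for any other status_type, a truncated or empty response,
 * or trailing bytes after the declared length. */
int parse_certificate_status(const uint8_t *buf, size_t len,
                             const uint8_t **resp, size_t *resp_len)
{
    if (len < 4 || buf[0] != 0x01) return -1;
    size_t n = ((size_t)buf[1] << 16) | ((size_t)buf[2] << 8) | buf[3];
    if (n == 0 || n != len - 4) return -1;   /* length must cover exactly the rest */
    *resp = buf + 4;
    *resp_len = n;
    return 0;
}

/* responseStatus of a DER OCSPResponse (RFC 6960):
 * SEQUENCE { responseStatus ENUMERATED, responseBytes [0] OPTIONAL }.
 * Returns the status value (0 = successful, 6 = unauthorized, ...) or -1
 * if the prefix is not a SEQUENCE starting with a one-byte ENUMERATED. */
int ocsp_response_status(const uint8_t *der, size_t len)
{
    if (len < 2 || der[0] != 0x30) return -1;
    size_t i = 2;
    if (der[1] & 0x80) i += der[1] & 0x7f;   /* skip long-form length octets */
    if (len < i + 3 || der[i] != 0x0a || der[i + 1] != 0x01) return -1;
    return der[i + 2];
}

/* Constructed sample: a stapled OCSPResponse whose status is 6 (unauthorized),
 * i.e. the responder refused to answer; a client must not treat this as "good". */
int sample_stapled_status(void)
{
    static const uint8_t cs[] = { 0x01,               /* status_type = ocsp */
                                  0x00, 0x00, 0x05,   /* OCSPResponse length = 5 */
                                  0x30, 0x03, 0x0a, 0x01, 0x06 };
    const uint8_t *resp;
    size_t resp_len;
    if (parse_certificate_status(cs, sizeof cs, &resp, &resp_len) != 0) return -1;
    return ocsp_response_status(resp, resp_len);
}
```

The parser only frames the message; a real client (wolfSSL included) still has to verify the OCSP response signature and match it against the server certificate before trusting the status.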