2015-08-06 14:08:58 +08:00
|
|
|
/*
|
|
|
|
By default wolfSSL has a very conservative configuration that can result in
|
|
|
|
connections to servers failing due to certificate or algorithm problems.
|
|
|
|
To remedy this issue for libcurl I've generated this options file that
|
|
|
|
build-wolfssl will copy to the wolfSSL include directories and will result in
|
|
|
|
maximum compatibility.
|
|
|
|
|
2017-05-31 13:40:39 +08:00
|
|
|
These are the configure options that were used to build wolfSSL v3.11.0 in
|
2016-12-25 02:49:25 +08:00
|
|
|
mingw and generate the options in this file:
|
2016-03-30 06:50:12 +08:00
|
|
|
|
|
|
|
C_EXTRA_FLAGS="\
|
|
|
|
-Wno-attributes \
|
|
|
|
-Wno-unused-but-set-variable \
|
|
|
|
-DFP_MAX_BITS=16384 \
|
|
|
|
-DTFM_TIMING_RESISTANT \
|
|
|
|
-DWOLFSSL_STATIC_DH \
|
|
|
|
-DWOLFSSL_STATIC_RSA \
|
|
|
|
" \
|
|
|
|
./configure --prefix=/usr/local \
|
2016-12-25 02:49:25 +08:00
|
|
|
--disable-jobserver \
|
2016-03-30 06:50:12 +08:00
|
|
|
--enable-aesgcm \
|
|
|
|
--enable-alpn \
|
|
|
|
--enable-certgen \
|
2016-12-25 02:49:25 +08:00
|
|
|
--enable-des3 \
|
2016-03-30 06:50:12 +08:00
|
|
|
--enable-dh \
|
|
|
|
--enable-dsa \
|
|
|
|
--enable-ecc \
|
2016-12-25 02:49:25 +08:00
|
|
|
--enable-eccshamir \
|
2016-03-30 06:50:12 +08:00
|
|
|
--enable-fastmath \
|
|
|
|
--enable-opensslextra \
|
|
|
|
--enable-ripemd \
|
|
|
|
--enable-sessioncerts \
|
|
|
|
--enable-sha512 \
|
|
|
|
--enable-sni \
|
|
|
|
--enable-sslv3 \
|
2016-03-30 07:06:55 +08:00
|
|
|
--enable-supportedcurves \
|
2016-03-30 06:50:12 +08:00
|
|
|
--enable-testcert \
|
|
|
|
> config.out 2>&1
|
2015-08-06 14:08:58 +08:00
|
|
|
|
|
|
|
Two generated options HAVE_THREAD_LS and _POSIX_THREADS were removed since they
|
2016-03-30 06:50:12 +08:00
|
|
|
are inapplicable for our Visual Studio build. Currently thread local storage is
|
|
|
|
only used by the Fixed Point cache ECC which we're not enabling. However even
|
|
|
|
if we later may decide to enable the cache it will fallback on mutexes when
|
|
|
|
thread local storage is not available. wolfSSL is using __declspec(thread) to
|
|
|
|
create the thread local storage and that could be a problem for LoadLibrary.
|
2015-08-06 14:08:58 +08:00
|
|
|
|
2016-03-30 06:50:12 +08:00
|
|
|
Regarding the options that were added via C_EXTRA_FLAGS:
|
2015-08-06 14:08:58 +08:00
|
|
|
|
|
|
|
FP_MAX_BITS=16384
|
2018-06-03 20:14:45 +08:00
|
|
|
https://web.archive.org/web/20150218183550/www.yassl.com/forums/topic423-cacertorgs-ca-cert-verify-failed-but-withdisablefastmath-it-works.html
|
2015-08-06 14:08:58 +08:00
|
|
|
"Since root.crt uses a 4096-bit RSA key, you'll need to increase the fastmath
|
|
|
|
buffer size. You can do this using the define:
|
|
|
|
FP_MAX_BITS and setting it to 8192."
|
|
|
|
|
|
|
|
TFM_TIMING_RESISTANT
|
|
|
|
https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-2-building-wolfssl.html
|
|
|
|
From section 2.4.5 Increasing Performance, USE_FAST_MATH:
|
|
|
|
"Because the stack memory usage can be larger when using fastmath, we recommend
|
|
|
|
defining TFM_TIMING_RESISTANT as well when using this option."
|
2016-03-30 06:50:12 +08:00
|
|
|
|
|
|
|
WOLFSSL_STATIC_DH: Allow TLS_ECDH_ ciphers
|
|
|
|
WOLFSSL_STATIC_RSA: Allow TLS_RSA_ ciphers
|
|
|
|
https://github.com/wolfSSL/wolfssl/blob/v3.6.6/README.md#note-1
|
|
|
|
Static key cipher suites are deprecated and disabled by default since v3.6.6.
|
2015-08-06 14:08:58 +08:00
|
|
|
*/
|
|
|
|
|
|
|
|
/* wolfssl options.h
|
|
|
|
* generated from configure options
|
|
|
|
*
|
|
|
|
* Copyright (C) 2006-2015 wolfSSL Inc.
|
|
|
|
*
|
|
|
|
* This file is part of wolfSSL. (formerly known as CyaSSL)
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
2016-03-30 06:50:12 +08:00
|
|
|
#ifndef WOLFSSL_OPTIONS_H
|
|
|
|
#define WOLFSSL_OPTIONS_H
|
|
|
|
|
2015-08-06 14:08:58 +08:00
|
|
|
|
|
|
|
#ifdef __cplusplus
|
|
|
|
extern "C" {
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#undef FP_MAX_BITS
|
|
|
|
#define FP_MAX_BITS 16384
|
|
|
|
|
|
|
|
#undef TFM_TIMING_RESISTANT
|
|
|
|
#define TFM_TIMING_RESISTANT
|
|
|
|
|
2016-03-30 06:50:12 +08:00
|
|
|
#undef WOLFSSL_STATIC_DH
|
|
|
|
#define WOLFSSL_STATIC_DH
|
|
|
|
|
|
|
|
#undef WOLFSSL_STATIC_RSA
|
|
|
|
#define WOLFSSL_STATIC_RSA
|
|
|
|
|
2015-08-06 14:08:58 +08:00
|
|
|
#undef OPENSSL_EXTRA
|
|
|
|
#define OPENSSL_EXTRA
|
|
|
|
|
2017-05-31 13:40:39 +08:00
|
|
|
/*
|
|
|
|
The commented out defines below are the equivalent of --enable-tls13.
|
|
|
|
Uncomment them to build wolfSSL with TLS 1.3 support as of v3.11.1-tls13-beta.
|
|
|
|
This is for experimenting only, afaict TLS 1.3 support doesn't appear to be
|
|
|
|
functioning correctly yet. https://github.com/wolfSSL/wolfssl/pull/943
|
|
|
|
|
|
|
|
#undef WC_RSA_PSS
|
|
|
|
#define WC_RSA_PSS
|
|
|
|
|
|
|
|
#undef WOLFSSL_TLS13
|
|
|
|
#define WOLFSSL_TLS13
|
|
|
|
|
|
|
|
#undef HAVE_TLS_EXTENSIONS
|
|
|
|
#define HAVE_TLS_EXTENSIONS
|
|
|
|
|
|
|
|
#undef HAVE_FFDHE_2048
|
|
|
|
#define HAVE_FFDHE_2048
|
|
|
|
|
|
|
|
#undef HAVE_HKDF
|
|
|
|
#define HAVE_HKDF
|
|
|
|
*/
|
|
|
|
|
2016-12-25 02:49:25 +08:00
|
|
|
#undef TFM_TIMING_RESISTANT
|
|
|
|
#define TFM_TIMING_RESISTANT
|
|
|
|
|
|
|
|
#undef ECC_TIMING_RESISTANT
|
|
|
|
#define ECC_TIMING_RESISTANT
|
|
|
|
|
|
|
|
#undef WC_RSA_BLINDING
|
|
|
|
#define WC_RSA_BLINDING
|
|
|
|
|
2015-08-06 14:08:58 +08:00
|
|
|
#undef HAVE_AESGCM
|
|
|
|
#define HAVE_AESGCM
|
|
|
|
|
|
|
|
#undef WOLFSSL_RIPEMD
|
|
|
|
#define WOLFSSL_RIPEMD
|
|
|
|
|
|
|
|
#undef WOLFSSL_SHA512
|
|
|
|
#define WOLFSSL_SHA512
|
|
|
|
|
|
|
|
#undef WOLFSSL_SHA384
|
|
|
|
#define WOLFSSL_SHA384
|
|
|
|
|
|
|
|
#undef SESSION_CERTS
|
|
|
|
#define SESSION_CERTS
|
|
|
|
|
|
|
|
#undef WOLFSSL_CERT_GEN
|
|
|
|
#define WOLFSSL_CERT_GEN
|
|
|
|
|
|
|
|
#undef HAVE_ECC
|
|
|
|
#define HAVE_ECC
|
|
|
|
|
|
|
|
#undef TFM_ECC256
|
|
|
|
#define TFM_ECC256
|
|
|
|
|
|
|
|
#undef ECC_SHAMIR
|
|
|
|
#define ECC_SHAMIR
|
|
|
|
|
2016-03-30 06:50:12 +08:00
|
|
|
#undef WOLFSSL_ALLOW_SSLV3
|
|
|
|
#define WOLFSSL_ALLOW_SSLV3
|
2015-08-06 14:08:58 +08:00
|
|
|
|
|
|
|
#undef NO_RC4
|
|
|
|
#define NO_RC4
|
|
|
|
|
|
|
|
#undef NO_HC128
|
|
|
|
#define NO_HC128
|
|
|
|
|
|
|
|
#undef NO_RABBIT
|
|
|
|
#define NO_RABBIT
|
|
|
|
|
|
|
|
#undef HAVE_POLY1305
|
|
|
|
#define HAVE_POLY1305
|
|
|
|
|
|
|
|
#undef HAVE_ONE_TIME_AUTH
|
|
|
|
#define HAVE_ONE_TIME_AUTH
|
|
|
|
|
|
|
|
#undef HAVE_CHACHA
|
|
|
|
#define HAVE_CHACHA
|
|
|
|
|
|
|
|
#undef HAVE_HASHDRBG
|
|
|
|
#define HAVE_HASHDRBG
|
|
|
|
|
|
|
|
#undef HAVE_TLS_EXTENSIONS
|
|
|
|
#define HAVE_TLS_EXTENSIONS
|
|
|
|
|
|
|
|
#undef HAVE_SNI
|
|
|
|
#define HAVE_SNI
|
|
|
|
|
2016-03-30 06:50:12 +08:00
|
|
|
#undef HAVE_TLS_EXTENSIONS
|
|
|
|
#define HAVE_TLS_EXTENSIONS
|
|
|
|
|
|
|
|
#undef HAVE_ALPN
|
|
|
|
#define HAVE_ALPN
|
|
|
|
|
|
|
|
#undef HAVE_TLS_EXTENSIONS
|
|
|
|
#define HAVE_TLS_EXTENSIONS
|
|
|
|
|
2016-03-30 07:06:55 +08:00
|
|
|
#undef HAVE_SUPPORTED_CURVES
|
|
|
|
#define HAVE_SUPPORTED_CURVES
|
|
|
|
|
2016-12-25 02:49:25 +08:00
|
|
|
#undef HAVE_EXTENDED_MASTER
|
|
|
|
#define HAVE_EXTENDED_MASTER
|
|
|
|
|
2015-08-06 14:08:58 +08:00
|
|
|
#undef WOLFSSL_TEST_CERT
|
|
|
|
#define WOLFSSL_TEST_CERT
|
|
|
|
|
2016-03-30 06:50:12 +08:00
|
|
|
#undef NO_PSK
|
|
|
|
#define NO_PSK
|
|
|
|
|
|
|
|
#undef NO_MD4
|
|
|
|
#define NO_MD4
|
|
|
|
|
2015-08-06 14:08:58 +08:00
|
|
|
#undef USE_FAST_MATH
|
|
|
|
#define USE_FAST_MATH
|
|
|
|
|
2017-05-31 13:40:39 +08:00
|
|
|
#undef WC_NO_ASYNC_THREADING
|
|
|
|
#define WC_NO_ASYNC_THREADING
|
|
|
|
|
2015-08-06 14:08:58 +08:00
|
|
|
|
|
|
|
#ifdef __cplusplus
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2016-03-30 06:50:12 +08:00
|
|
|
|
|
|
|
#endif /* WOLFSSL_OPTIONS_H */
|
|
|
|
|