wolfSSL FAQ Top Questions / Problems
Q: How do I find the correct CA certificate to load into a client for authenticating a SSL/TLS server? Category: Certificates
How to find and load the correct CA (root) certificate into a client application or device can be tricky at first. First, users need to understand how wolfSSL verifies certificate chains. Section 7.3 of the wolfSSL Manual explains wolfSSL’s certificate validation process: wolfSSL requires that only the top or “root” certificate in a chain to be loaded as a trusted certificate in order to verify a certificate chain. This means that if you have a certificate chain (A -> B -> C), where C is signed by B, and B is signed by A, wolfSSL only requires that certificate A be loaded as a trusted certificate in order to verify the entire chain (A->B->C).
Let’s look at a simple example. If a server certificate chain looks like this:
A | ---- > B | ---- > C
The wolfSSL client should already have at least root cert “A” loaded as a trusted root. When the client receives the server cert chain, it uses the signature of A to verify B, and if B has not been previously loaded into wolfSSL as a trusted root, B gets stored in wolfSSL's internal cert chain (wolfSSL just stores what is necessary to verify a certificate: common name hash, public key and key type, etc.). If B is valid, then it is used to verify C.
Following this model, as long as root cert "A" has been loaded as a trusted root into the wolfSSL server, the server certificate chain will still be able to be verified if the server sends (A->B->C), or (B->C). If the server just sends (C), and not the intermediate certificate, the chain will not be able to be verified unless the wolfSSL client has already loaded B as a trusted root.
Q: How do I put my certificate into a buffer? Category: Certificates
To generate a certificate buffer you will find a perl script
#2 Modify the above mentioned perl script and add your new certificate(s) to the appropriate @fileList (1024 for 1024 bit RSA certs, 256 for ECC 256-bit certs... etc)
#3 Re-run that script to re-generate the header file
The primary factors in peak resource usage are key size and the math library used. Fast math and a larger key size increases resource utilization.
Q: Is it possible to use no dynamic memory with wolfSSL and/or wolfCrypt? Category: Memory Usage wolfSSL provides two options to control the usage of dynamic memory. You can configure wolfSSL with --enable-static-memory however this is limited to basic TLS connections and currently is not supported in wolfCrypt. You can also define the macro USER_MALLOC to have wolfSSL use your own malloc function.
Q: How do I build wolfSSL on… (*NIX, Windows, Embedded device)? Category: Operating Systems
Please see section 2 of the wolfSSL Manual located HERE which covers building wolfSSL Q: How do I pull wolfSSL into my IDE project? What files and headers do I need? Category: IDE / Compilers wolfSSL provides the necessary project files for many popular IDEs. You can find instructions for these IDEs in the /IDE/ directory of the wolfSSL source. src\*.c wolfcrypt\src\*.c wolfssl\*.h Include path wolfssl root.
Further documentation on building wolfSSL on various platforms can be found in Section 2.4 wolfSSL Manual. Q: Do you have benchmarks for my specific platform? Category: Benchmarks wolfSSL provides a benchmark application that can be compiled for any platform wolfSSL supports. The benchmark application will run benchmarks on enabled algorithms. The application source is located in wolfcrypt/benchmark/benchmark.c. For *nix platforms, the benchmark can be ran using ./wolfcrypt/benchmark/benchmark. The benchmark is compiled by default.
If benchmarking on an embedded platform, define BENCH_EMBEDDED .
For more details regarding benchmarking wolfSSL, please reference the wolfSSL and wolfCrypt Benchmarks webpage. Q: Why are there no common cipher suites found between my client/server when connecting? Category: Connection Details
Ensure that wolfSSL was configured and built with common cipher suites on both the client and server. You can add additional cipher suites with configure options. You can view configure options on *nix systems with ./configure --help
To view default cipher suite on *nix system use this command from
To view default cipher suites on windows system use this command from the directory where client.exe is located: ./client.exe -e nmap --script ssl-enum-ciphers -p 443 www.google.com Q: Can I use a smaller maximum I/O record size than 16kB? Category: Connection Details
TLS specifies a fixed maximum record length of 2^14 bytes (~16kB). wolfSSL provides two options to use a smaller maximum record size. The first option is to configure wolfSSL with --enable-maxfragment . This requires the client to make an additional call when connecting to a server. The client needs to use either wolfSSL_CTX_UseMaxFragment or wolfSSL_UseMaxFragment. The client should use the CTX method if they plan on making multiple connections to the same server.
The other option is to define MAX_RECORD_SIZE. In order to use this, however, both the client and server needs to have the option set. If the client is connecting to servers outside of your control, this is not an option to use.
Q: How do I extract a public key from a X.509 certificate? Category: Certificates wolfSSL provides this functionality in its public API. You can call wolfssl_x509_get_pubkey() to return a WOLFSSL_EVP_PKEY pointer. WOLFSSL_EVP_PKEY is a struct with several data members related to the key. You can access the key directly from this pointer. The declaration of the struct can be found in
There are currently examples of using algorithms (3DES, AES, and Camellia), examples of using TLS client and server, wolfSSL CertManager, and signatures and verification.
Q: Why won’t my application connect to a server, I have enabled required ciphers and protocol version…? Category: Extensions
Some servers require specific TLS extensions and specific ECC curves to be enabled or they will ignore any connection attempt outright regardless of supported ciphers and protocol version. If you are building wolfSSL without the configure script (Makefile project, IDE project, etc), please make sure you have defined HAVE_TLS_EXTENSIONS and HAVE_SUPPORTED_CURVES
Document Revision Log
Version Date Notes Person
1.0 12/09/2015 Document Created Chris Conlon
1.1 08/07/2016 Content Update Michael Shihrer
1.2 07/02/2017 Added new questions Kaleb Himes
1.3 03/02/2017 Refactor for first distribution Kaleb and Chris