Hi Arne,
wolfSSL does not support Ed25519 certificates in the compatibility layer.
I added the EKM signaling locally. I can submit the patch with this
modification if you would like me to.
Sincerely
Juliusz
On 17/03/2021 18:13, Arne Schwabe wrote:
On 12.03.21 at 16:12, Juliusz Sosinowicz wrote:
Hi Arne,
I found that the connecting issue is that
wolfSSL_CTX_set_min_proto_version will fail when the user (in this case
OpenVPN) tries to set a protocol version that was not compiled in. I
modified our configure.ac script when building for OpenVPN along with
some additional fixes in this pull request:
https://github.com/wolfSSL/wolfssl/pull/3871
I also found an error in one of OpenVPN's unit tests. I submitted a
patch for that test in a separate email.
Using an Ed25519 certificate results in
2021-03-17 14:57:23 us=212254 OpenSSL: unknown error number
2021-03-17 14:57:23 us=212262 Cannot load certificate file /Users/arne/tmp/alice.pem
2021-03-17 14:57:23 us=212265 Exiting due to fatal error
The configure.ac of WolfSSL should be updated to signal EKM support:
AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header
wolfssl/options.h not found!])])
fi
+ # Wolfssl emulate OpenSSL and has EKM
+ have_export_keying_material="yes"
+
AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS
since these are defined as macros])
AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS
since these are defined as macros])
AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS
since these are defined as macros])
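Review bot: the added have_export_keying_material="yes" is set unconditionally in the wolfSSL branch, directly after the wolfssl/options.h header check, so configure will report EKM support even when the installed wolfSSL build does not provide keying-material export, and the failure then surfaces only at compile or link time. Consider gating the assignment on a check for the export function, or on a documented minimum wolfSSL version or build option, and leaving it at "no" otherwise. The comment line would also read better as "wolfSSL emulates OpenSSL and has EKM", matching the spelling of the name used in the surrounding error message.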
Other than that, it seems to work in the tests that I threw at it.
I would consider this an ACK. @Gert do you want a new version with the
configure.ac fixed?
Arne