diff options
author | Jay Satiro <raysatiro@yahoo.com> | 2016-03-29 18:50:12 -0400 |
---|---|---|
committer | Jay Satiro <raysatiro@yahoo.com> | 2016-03-29 18:50:12 -0400 |
commit | 27c99a37ba55a78e3227c7058cf7533bb4aa7296 (patch) | |
tree | 6bc9eedadb86d8c1000c41642f35d9c2e8312f18 /projects | |
parent | d5fc6e14b0b4f240b3b225487637c265471a9fc7 (diff) | |
download | curl-27c99a37ba55a78e3227c7058cf7533bb4aa7296.tar.gz |
build-wolfssl: Allow a broader range of ciphers (Visual Studio)
This is an update to the build-time options used to build wolfSSL in
Visual Studio for greater compatibility, and make it behave similar to
the way OpenSSL 1.0.2 behaves. Starting in wolfSSL v3.6.6 static ciphers
and SSLv3 are disabled by default at build time, but we can use both.
- Enable static cipher suites TLS_ECDH_ and TLS_RSA_.
- Enable SSLv3 hello. Though in libcurl we disable it by default at
runtime, we make it available so the user can manually select it if
necessary.
Diffstat (limited to 'projects')
-rw-r--r-- | projects/wolfssl_options.h | 93 |
1 files changed, 67 insertions, 26 deletions
diff --git a/projects/wolfssl_options.h b/projects/wolfssl_options.h index 40c34e5d7..b668daaf5 100644 --- a/projects/wolfssl_options.h +++ b/projects/wolfssl_options.h @@ -5,27 +5,42 @@ To remedy this issue for libcurl I've generated this options file that build-wolfssl will copy to the wolfSSL include directories and will result in maximum compatibility. -These configure flags were used in MinGW to generate the options in this file: - ---enable-opensslextra ---enable-aesgcm ---enable-ripemd ---enable-sha512 ---enable-dh ---enable-dsa ---enable-ecc ---enable-sni ---enable-fastmath ---enable-sessioncerts ---enable-certgen ---enable-testcert ---enable-alpn -C_EXTRA_FLAGS="-DFP_MAX_BITS=16384 -DTFM_TIMING_RESISTANT" +These are the configure options that were used to build wolfSSL v3.9.0 in mingw +and generate the options in this file: + +C_EXTRA_FLAGS="\ + -Wno-attributes \ + -Wno-unused-but-set-variable \ + -DFP_MAX_BITS=16384 \ + -DTFM_TIMING_RESISTANT \ + -DWOLFSSL_STATIC_DH \ + -DWOLFSSL_STATIC_RSA \ + " \ +./configure --prefix=/usr/local \ + --enable-aesgcm \ + --enable-alpn \ + --enable-certgen \ + --enable-dh \ + --enable-dsa \ + --enable-ecc \ + --enable-fastmath \ + --enable-opensslextra \ + --enable-ripemd \ + --enable-sessioncerts \ + --enable-sha512 \ + --enable-sni \ + --enable-sslv3 \ + --enable-testcert \ + > config.out 2>&1 Two generated options HAVE_THREAD_LS and _POSIX_THREADS were removed since they -are inapplicable for our Visual Studio build. +are inapplicable for our Visual Studio build. Currently thread local storage is +only used by the Fixed Point cache ECC which we're not enabling. However even +if we later may decide to enable the cache it will fallback on mutexes when +thread local storage is not available. wolfSSL is using __declspec(thread) to +create the thread local storage and that could be a problem for LoadLibrary. -Regarding the two options that were added via C_EXTRA_FLAGS: +Regarding the options that were added via C_EXTRA_FLAGS: FP_MAX_BITS=16384 http://www.yassl.com/forums/topic423-cacertorgs-ca-cert-verify-failed-but-withdisablefastmath-it-works.html @@ -38,6 +53,11 @@ https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-2-building-wolfssl.html From section 2.4.5 Increasing Performance, USE_FAST_MATH: "Because the stack memory usage can be larger when using fastmath, we recommend defining TFM_TIMING_RESISTANT as well when using this option." + +WOLFSSL_STATIC_DH: Allow TLS_ECDH_ ciphers +WOLFSSL_STATIC_RSA: Allow TLS_RSA_ ciphers +https://github.com/wolfSSL/wolfssl/blob/v3.6.6/README.md#note-1 +Static key cipher suites are deprecated and disabled by default since v3.6.6. */ /* wolfssl options.h @@ -49,7 +69,9 @@ defining TFM_TIMING_RESISTANT as well when using this option." * */ -#pragma once +#ifndef WOLFSSL_OPTIONS_H +#define WOLFSSL_OPTIONS_H + #ifdef __cplusplus extern "C" { @@ -61,6 +83,12 @@ extern "C" { #undef TFM_TIMING_RESISTANT #define TFM_TIMING_RESISTANT +#undef WOLFSSL_STATIC_DH +#define WOLFSSL_STATIC_DH + +#undef WOLFSSL_STATIC_RSA +#define WOLFSSL_STATIC_RSA + #undef OPENSSL_EXTRA #define OPENSSL_EXTRA @@ -91,15 +119,12 @@ extern "C" { #undef ECC_SHAMIR #define ECC_SHAMIR -#undef NO_PSK -#define NO_PSK +#undef WOLFSSL_ALLOW_SSLV3 +#define WOLFSSL_ALLOW_SSLV3 #undef NO_RC4 #define NO_RC4 -#undef NO_MD4 -#define NO_MD4 - #undef NO_HC128 #define NO_HC128 @@ -124,16 +149,32 @@ extern "C" { #undef HAVE_SNI #define HAVE_SNI +#undef HAVE_TLS_EXTENSIONS +#define HAVE_TLS_EXTENSIONS + +#undef HAVE_ALPN +#define HAVE_ALPN + +#undef HAVE_TLS_EXTENSIONS +#define HAVE_TLS_EXTENSIONS + #undef WOLFSSL_TEST_CERT #define WOLFSSL_TEST_CERT +#undef NO_PSK +#define NO_PSK + +#undef NO_MD4 +#define NO_MD4 + #undef USE_FAST_MATH #define USE_FAST_MATH -#undef HAVE_ALPN -#define HAVE_ALPN #ifdef __cplusplus } #endif + +#endif /* WOLFSSL_OPTIONS_H */ + |