/*
By default wolfSSL has a very conservative configuration that can result in
connections to servers failing due to certificate or algorithm problems.
To remedy this issue for libcurl I've generated this options file that
build-wolfssl will copy to the wolfSSL include directories and will result in
maximum compatibility.

These are the configure options that were used to build wolfSSL v3.11.0 in
mingw and generate the options in this file:

C_EXTRA_FLAGS="\
  -Wno-attributes \
  -Wno-unused-but-set-variable \
  -DFP_MAX_BITS=16384 \
  -DTFM_TIMING_RESISTANT \
  -DWOLFSSL_STATIC_DH \
  -DWOLFSSL_STATIC_RSA \
  " \
./configure --prefix=/usr/local \
  --disable-jobserver \
  --enable-aesgcm \
  --enable-alpn \
  --enable-certgen \
  --enable-des3 \
  --enable-dh \
  --enable-dsa \
  --enable-ecc \
  --enable-eccshamir \
  --enable-fastmath \
  --enable-opensslextra \
  --enable-ripemd \
  --enable-sessioncerts \
  --enable-sha512 \
  --enable-sni \
  --enable-sslv3 \
  --enable-supportedcurves \
  --enable-testcert \
  > config.out 2>&1

Two generated options HAVE_THREAD_LS and _POSIX_THREADS were removed since they
are inapplicable for our Visual Studio build. Currently thread local storage is
only used by the Fixed Point cache ECC which we're not enabling. However even
if we later may decide to enable the cache it will fallback on mutexes when
thread local storage is not available. wolfSSL is using __declspec(thread) to
create the thread local storage and that could be a problem for LoadLibrary.

Regarding the options that were added via C_EXTRA_FLAGS:

FP_MAX_BITS=16384
https://www.yassl.com/forums/topic423-cacertorgs-ca-cert-verify-failed-but-withdisablefastmath-it-works.html
"Since root.crt uses a 4096-bit RSA key, you'll need to increase the fastmath
buffer size. You can do this using the define:
FP_MAX_BITS and setting it to 8192."

TFM_TIMING_RESISTANT
https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-2-building-wolfssl.html
From section 2.4.5 Increasing Performance, USE_FAST_MATH:
"Because the stack memory usage can be larger when using fastmath, we recommend
defining TFM_TIMING_RESISTANT as well when using this option."

WOLFSSL_STATIC_DH: Allow TLS_ECDH_ ciphers
WOLFSSL_STATIC_RSA: Allow TLS_RSA_ ciphers
https://github.com/wolfSSL/wolfssl/blob/v3.6.6/README.md#note-1
Static key cipher suites are deprecated and disabled by default since v3.6.6.

NOTE(review): "maximum compatibility" here deliberately trades away some
security defaults (static key exchange, SSLv3 — see the per-option notes
below). Each of those options is marked inline so that it can be reconsidered
when this file is regenerated against a newer wolfSSL.
*/

/* wolfssl options.h
 * generated from configure options
 *
 * Copyright (C) 2006-2015 wolfSSL Inc.
 *
 * This file is part of wolfSSL. (formerly known as CyaSSL)
 *
 */

#ifndef WOLFSSL_OPTIONS_H
#define WOLFSSL_OPTIONS_H


#ifdef __cplusplus
extern "C" {
#endif

/* Fastmath integer size in bits; 16384 covers 8192-bit RSA keys (the linked
 * forum post explains 8192 suffices for 4096-bit keys; this doubles it). */
#undef FP_MAX_BITS
#define FP_MAX_BITS 16384

/* Timing-resistant fastmath, recommended by the wolfSSL manual alongside
 * USE_FAST_MATH (see header comment). Repeated below by the generator. */
#undef TFM_TIMING_RESISTANT
#define TFM_TIMING_RESISTANT

/* NOTE(review): enables the static-key TLS_ECDH_ and TLS_RSA_ suites, which
 * upstream deprecates and disables by default since v3.6.6 (link above).
 * Static key exchange gives no forward secrecy; these are kept only so that
 * legacy peers still negotiate. Ephemeral (ECDHE/DHE) suites remain
 * preferred where the peer offers them. */
#undef WOLFSSL_STATIC_DH
#define WOLFSSL_STATIC_DH

#undef WOLFSSL_STATIC_RSA
#define WOLFSSL_STATIC_RSA

/* --enable-opensslextra: OpenSSL compatibility layer used by libcurl. */
#undef OPENSSL_EXTRA
#define OPENSSL_EXTRA

/*
The commented out defines below are the equivalent of --enable-tls13.
Uncomment them to build wolfSSL with TLS 1.3 support as of v3.11.1-tls13-beta.
This is for experimenting only, afaict TLS 1.3 support doesn't appear to be
functioning correctly yet.
https://github.com/wolfSSL/wolfssl/pull/943

#undef WC_RSA_PSS
#define WC_RSA_PSS

#undef WOLFSSL_TLS13
#define WOLFSSL_TLS13

#undef HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

#undef HAVE_FFDHE_2048
#define HAVE_FFDHE_2048

#undef HAVE_HKDF
#define HAVE_HKDF
*/

/* Duplicate of the C_EXTRA_FLAGS define above; emitted again by the
 * --enable-fastmath configure path. Harmless. */
#undef TFM_TIMING_RESISTANT
#define TFM_TIMING_RESISTANT

/* Side-channel countermeasures for ECC and RSA private-key operations
 * (names indicate constant-time ECC and RSA blinding). Keep these enabled;
 * they are not compatibility options. */
#undef ECC_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT

#undef WC_RSA_BLINDING
#define WC_RSA_BLINDING

/* --enable-aesgcm */
#undef HAVE_AESGCM
#define HAVE_AESGCM

/* --enable-ripemd */
#undef WOLFSSL_RIPEMD
#define WOLFSSL_RIPEMD

/* --enable-sha512 (SHA-384 comes with it) */
#undef WOLFSSL_SHA512
#define WOLFSSL_SHA512

#undef WOLFSSL_SHA384
#define WOLFSSL_SHA384

/* --enable-sessioncerts: keep peer certificate chain on the session so
 * libcurl can inspect it. */
#undef SESSION_CERTS
#define SESSION_CERTS

/* --enable-certgen */
#undef WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_GEN

/* --enable-ecc / --enable-eccshamir */
#undef HAVE_ECC
#define HAVE_ECC

#undef TFM_ECC256
#define TFM_ECC256

#undef ECC_SHAMIR
#define ECC_SHAMIR

/* NOTE(review): --enable-sslv3. SSLv3 is obsolete and formally deprecated
 * (RFC 7568); it is enabled here purely for compatibility with legacy
 * servers. Drop this define once no such peers remain, and prefer to keep
 * the protocol floor at TLS 1.0+ on the libcurl side in any case. */
#undef WOLFSSL_ALLOW_SSLV3
#define WOLFSSL_ALLOW_SSLV3

/* Legacy stream ciphers disabled by the generator defaults. */
#undef NO_RC4
#define NO_RC4

#undef NO_HC128
#define NO_HC128

#undef NO_RABBIT
#define NO_RABBIT

/* ChaCha20-Poly1305 AEAD support. */
#undef HAVE_POLY1305
#define HAVE_POLY1305

#undef HAVE_ONE_TIME_AUTH
#define HAVE_ONE_TIME_AUTH

#undef HAVE_CHACHA
#define HAVE_CHACHA

/* Hash-based DRBG as the random source (generator default). */
#undef HAVE_HASHDRBG
#define HAVE_HASHDRBG

/* HAVE_TLS_EXTENSIONS is re-emitted by the generator once per extension
 * option (sni, alpn, supportedcurves); the repetition is harmless. */
#undef HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

/* --enable-sni */
#undef HAVE_SNI
#define HAVE_SNI

#undef HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

/* --enable-alpn */
#undef HAVE_ALPN
#define HAVE_ALPN

#undef HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

/* --enable-supportedcurves */
#undef HAVE_SUPPORTED_CURVES
#define HAVE_SUPPORTED_CURVES

/* Extended Master Secret extension (RFC 7627); mitigates triple-handshake
 * style session binding issues — keep enabled. */
#undef HAVE_EXTENDED_MASTER
#define HAVE_EXTENDED_MASTER

/* --enable-testcert */
#undef WOLFSSL_TEST_CERT
#define WOLFSSL_TEST_CERT

/* PSK and MD4 disabled (generator defaults). */
#undef NO_PSK
#define NO_PSK

#undef NO_MD4
#define NO_MD4

/* --enable-fastmath */
#undef USE_FAST_MATH
#define USE_FAST_MATH

#undef WC_NO_ASYNC_THREADING
#define WC_NO_ASYNC_THREADING


#ifdef __cplusplus
}
#endif


#endif /* WOLFSSL_OPTIONS_H */