/***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.haxx.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 ***************************************************************************/
/*
By default wolfSSL has a very conservative configuration that can result in
connections to servers failing due to certificate or algorithm problems.
To remedy this issue for libcurl I've generated this options file that
build-wolfssl will copy to the wolfSSL include directories and will result in
maximum compatibility.

Note that "maximum compatibility" is deliberately traded against strictness:
several options below (SSLv3, static RSA/DH key exchange) re-enable protocol
features wolfSSL turns off by default. Each such option is commented at the
point where it is defined so the trade-off is visible to whoever regenerates
this file.

These are the configure options that were used to build wolfSSL v3.11.0 in
mingw and generate the options in this file:

C_EXTRA_FLAGS="\
  -Wno-attributes \
  -Wno-unused-but-set-variable \
  -DFP_MAX_BITS=16384 \
  -DTFM_TIMING_RESISTANT \
  -DWOLFSSL_STATIC_DH \
  -DWOLFSSL_STATIC_RSA \
  " \
./configure --prefix=/usr/local \
  --disable-jobserver \
  --enable-aesgcm \
  --enable-alpn \
  --enable-certgen \
  --enable-des3 \
  --enable-dh \
  --enable-dsa \
  --enable-ecc \
  --enable-eccshamir \
  --enable-fastmath \
  --enable-opensslextra \
  --enable-ripemd \
  --enable-sessioncerts \
  --enable-sha512 \
  --enable-sni \
  --enable-sslv3 \
  --enable-supportedcurves \
  --enable-testcert \
  > config.out 2>&1

Two generated options HAVE_THREAD_LS and _POSIX_THREADS were removed since they
are inapplicable for our Visual Studio build. Currently thread local storage is
only used by the Fixed Point cache ECC which we're not enabling. However even
if we later may decide to enable the cache it will fall back on mutexes when
thread local storage is not available. wolfSSL is using __declspec(thread) to
create the thread local storage and that could be a problem for LoadLibrary.

Regarding the options that were added via C_EXTRA_FLAGS:

FP_MAX_BITS=16384
https://www.yassl.com/forums/topic423-cacertorgs-ca-cert-verify-failed-but-withdisablefastmath-it-works.html
"Since root.crt uses a 4096-bit RSA key, you'll need to increase the fastmath
buffer size. You can do this using the define:
FP_MAX_BITS and setting it to 8192."

TFM_TIMING_RESISTANT
https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-2-building-wolfssl.html
From section 2.4.5 Increasing Performance, USE_FAST_MATH:
"Because the stack memory usage can be larger when using fastmath, we recommend
defining TFM_TIMING_RESISTANT as well when using this option."

WOLFSSL_STATIC_DH: Allow TLS_ECDH_ ciphers
WOLFSSL_STATIC_RSA: Allow TLS_RSA_ ciphers
https://github.com/wolfSSL/wolfssl/blob/v3.6.6/README.md#note-1
Static key cipher suites are deprecated and disabled by default since v3.6.6.
*/

/* wolfssl options.h
 * generated from configure options
 *
 * Copyright (C) 2006-2015 wolfSSL Inc.
 *
 * This file is part of wolfSSL. (formerly known as CyaSSL)
 *
 */

#ifndef WOLFSSL_OPTIONS_H
#define WOLFSSL_OPTIONS_H


#ifdef __cplusplus
extern "C" {
#endif

/* Options injected through C_EXTRA_FLAGS (see the note at the top of this
 * file). FP_MAX_BITS sizes the fastmath big-integer buffer: the quoted advice
 * needs 8192 for a 4096-bit RSA key, so 16384 leaves headroom for keys up to
 * twice that size by the same ratio. */
#undef FP_MAX_BITS
#define FP_MAX_BITS 16384

/* Timing-resistant fastmath, recommended together with USE_FAST_MATH (quoted
 * above). The same pair is emitted again further down by the generator; the
 * repetition is harmless because #undef/#define of a bare macro is idempotent. */
#undef TFM_TIMING_RESISTANT
#define TFM_TIMING_RESISTANT

/* Static (non-ephemeral) DH and RSA key-exchange suites (TLS_ECDH_* and
 * TLS_RSA_*). These provide no forward secrecy, which is why wolfSSL has
 * disabled them by default since v3.6.6 (README link above); they are turned
 * back on here only so that peers offering nothing else still connect. */
#undef WOLFSSL_STATIC_DH
#define WOLFSSL_STATIC_DH

#undef WOLFSSL_STATIC_RSA
#define WOLFSSL_STATIC_RSA

/* From --enable-opensslextra. */
#undef OPENSSL_EXTRA
#define OPENSSL_EXTRA

/*
The commented out defines below are the equivalent of --enable-tls13.
Uncomment them to build wolfSSL with TLS 1.3 support as of v3.11.1-tls13-beta.
This is for experimenting only, afaict TLS 1.3 support doesn't appear to be
functioning correctly yet.
https://github.com/wolfSSL/wolfssl/pull/943

#undef WC_RSA_PSS
#define WC_RSA_PSS

#undef WOLFSSL_TLS13
#define WOLFSSL_TLS13

#undef HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

#undef HAVE_FFDHE_2048
#define HAVE_FFDHE_2048

#undef HAVE_HKDF
#define HAVE_HKDF
*/

/* Side-channel countermeasures for the private-key arithmetic, as their
 * names indicate: timing-resistant fastmath and ECC, and RSA blinding.
 * Keep these defined; they are what makes the fastmath path safe to ship. */
#undef TFM_TIMING_RESISTANT
#define TFM_TIMING_RESISTANT

#undef ECC_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT

#undef WC_RSA_BLINDING
#define WC_RSA_BLINDING

/* Algorithms and features corresponding to the --enable-* options listed at
 * the top of this file. */
#undef HAVE_AESGCM
#define HAVE_AESGCM

#undef WOLFSSL_RIPEMD
#define WOLFSSL_RIPEMD

#undef WOLFSSL_SHA512
#define WOLFSSL_SHA512

#undef WOLFSSL_SHA384
#define WOLFSSL_SHA384

/* --enable-sessioncerts: keeps the peer certificate chain with the session so
 * it can be inspected after the handshake (libcurl's certinfo relies on this
 * kind of access; confirm against the wolfSSL backend if in doubt). */
#undef SESSION_CERTS
#define SESSION_CERTS

#undef WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_GEN

#undef HAVE_ECC
#define HAVE_ECC

#undef TFM_ECC256
#define TFM_ECC256

#undef ECC_SHAMIR
#define ECC_SHAMIR

/* --enable-sslv3: allows the SSL 3.0 protocol for legacy peers. SSL 3.0 is
 * deprecated (RFC 7568) and has known protocol-level weaknesses; a build
 * carrying this define should still have callers set an explicit TLS minimum
 * version so that SSL 3.0 is only negotiated when deliberately requested. */
#undef WOLFSSL_ALLOW_SSLV3
#define WOLFSSL_ALLOW_SSLV3

/* NO_* macros compile the named algorithm out: the RC4, HC-128 and Rabbit
 * stream ciphers here, PSK and MD4 further below. */
#undef NO_RC4
#define NO_RC4

#undef NO_HC128
#define NO_HC128

#undef NO_RABBIT
#define NO_RABBIT

/* ChaCha20-Poly1305 AEAD support (Poly1305 one-time authenticator + ChaCha). */
#undef HAVE_POLY1305
#define HAVE_POLY1305

#undef HAVE_ONE_TIME_AUTH
#define HAVE_ONE_TIME_AUTH

#undef HAVE_CHACHA
#define HAVE_CHACHA

/* Hash-based DRBG as the library's random number generator. */
#undef HAVE_HASHDRBG
#define HAVE_HASHDRBG

/* HAVE_TLS_EXTENSIONS is emitted once each for --enable-sni, --enable-alpn
 * and --enable-supportedcurves, hence the three identical pairs below. */
#undef HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

#undef HAVE_SNI
#define HAVE_SNI

#undef HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

#undef HAVE_ALPN
#define HAVE_ALPN

#undef HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

#undef HAVE_SUPPORTED_CURVES
#define HAVE_SUPPORTED_CURVES

/* Extended master secret extension (RFC 7627); binds the master secret to the
 * full handshake transcript and should stay enabled. */
#undef HAVE_EXTENDED_MASTER
#define HAVE_EXTENDED_MASTER

/* From --enable-testcert. */
#undef WOLFSSL_TEST_CERT
#define WOLFSSL_TEST_CERT

#undef NO_PSK
#define NO_PSK

#undef NO_MD4
#define NO_MD4

/* --enable-fastmath; pair with the TFM_TIMING_RESISTANT define above. */
#undef USE_FAST_MATH
#define USE_FAST_MATH

#undef WC_NO_ASYNC_THREADING
#define WC_NO_ASYNC_THREADING


#ifdef __cplusplus
}
#endif


#endif /* WOLFSSL_OPTIONS_H */