[Ovmsdev] TLS CA question

[Stephen Casner]

Michael and anyone else who's game:

I now have an updated mongoose-wolfssl branch ready to be tested.  The
reason for the 90-second lockup mentioned in the previous post is a
whole lot of math for a prime-number validation that's part of the
Diffie-Hellman step.  It was actually 87 seconds for Mark's server and
28 seconds for Michael's due to differences in certificates.  That
prime-number validation is required for FIPS compliance, which WolfSSL
supports, but we don't need it.  I spent quite a while digging into
this to find where the process was getting stuck.  Finally I got help
from WolfSSL support suggesting a configuration option that avoids
this extra check.

So now I have an implementation using mongoose with wolfssl that
connects successfully to both servers with a 3-4 second delay.  (I
don't recall what the delay was for the MBEDTLS-based implementation.)
I think the memory usage looks OK.  I still have not taken any steps
to reduce any resources used by the MBEDTLS code as accessed for other
purposes.

Included in the debugging was another version update on the Wolf code
to wolfssh 1.4.6 and wolfssl 4.7.0.

                                                        -- Steve

On Wed, 3 Mar 2021, Stephen Casner wrote:

> Mark,
>
> Thanks.  That fix avoids the signature error.  I still have the
> problem that the TLS handshake gets only part way through and then the
> network task gets locked up for 90 seconds.  It's not always in the
> same place in the log, but since ~100 log messages get lost when this
> occurs, I can't be sure where it happens.  It could be a timing
> dependency between a couple of events such that in some circumstances
> a blocking operation is executed.
>
>                                                         -- Steve