2 By default wolfSSL has a very conservative configuration that can result in
3 connections to servers failing due to certificate or algorithm problems.
4 To remedy this issue for libcurl I've generated this options file that
5 build-wolfssl will copy to the wolfSSL include directories and will result in
8 These are the configure options that were used to build wolfSSL v3.11.0 in
9 mingw and generate the options in this file:
13 -Wno-unused-but-set-variable \
15 -DTFM_TIMING_RESISTANT \
17 -DWOLFSSL_STATIC_RSA \
19 ./configure --prefix=/usr/local \
30 --enable-opensslextra \
32 --enable-sessioncerts \
36 --enable-supportedcurves \
40 Two generated options HAVE_THREAD_LS and _POSIX_THREADS were removed since they
41 are inapplicable for our Visual Studio build. Currently thread local storage is
42 only used by the Fixed Point cache ECC, which we're not enabling. However, even
43 if we later decide to enable the cache, it will fall back on mutexes when
44 thread local storage is not available. wolfSSL is using __declspec(thread) to
45 create the thread local storage and that could be a problem for LoadLibrary.
47 Regarding the options that were added via C_EXTRA_FLAGS:
50 http://www.yassl.com/forums/topic423-cacertorgs-ca-cert-verify-failed-but-withdisablefastmath-it-works.html
51 "Since root.crt uses a 4096-bit RSA key, you'll need to increase the fastmath
52 buffer size. You can do this using the define:
53 FP_MAX_BITS and setting it to 8192."
56 https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-2-building-wolfssl.html
57 From section 2.4.5 Increasing Performance, USE_FAST_MATH:
58 "Because the stack memory usage can be larger when using fastmath, we recommend
59 defining TFM_TIMING_RESISTANT as well when using this option."
61 WOLFSSL_STATIC_DH: Allow TLS_ECDH_ ciphers
62 WOLFSSL_STATIC_RSA: Allow TLS_RSA_ ciphers
63 https://github.com/wolfSSL/wolfssl/blob/v3.6.6/README.md#note-1
64 Static key cipher suites are deprecated and disabled by default since v3.6.6.
68 * generated from configure options
70 * Copyright (C) 2006-2015 wolfSSL Inc.
72 * This file is part of wolfSSL. (formerly known as CyaSSL)
76 #ifndef WOLFSSL_OPTIONS_H
77 #define WOLFSSL_OPTIONS_H
/* Options added via C_EXTRA_FLAGS (see the notes above). */
/* Fastmath integer buffer size. The forum note quoted above suggests 8192
   for a 4096-bit RSA root certificate; 16384 is double that, presumably
   headroom for larger keys — review: confirm the intended maximum key size. */
85 #define FP_MAX_BITS 16384
/* Recommended together with USE_FAST_MATH (manual section quoted above);
   timing-attack resistance for the fastmath paths, per the macro name. */
87 #undef TFM_TIMING_RESISTANT
88 #define TFM_TIMING_RESISTANT
/* Static (non-ephemeral) key exchange: WOLFSSL_STATIC_DH allows TLS_ECDH_
   suites, WOLFSSL_STATIC_RSA allows TLS_RSA_ suites. Both are deprecated and
   off by default since v3.6.6 (see above) and give no forward secrecy;
   presumably enabled for interoperability — worth revisiting. */
90 #undef WOLFSSL_STATIC_DH
91 #define WOLFSSL_STATIC_DH
93 #undef WOLFSSL_STATIC_RSA
94 #define WOLFSSL_STATIC_RSA
100 The commented out defines below are the equivalent of --enable-tls13.
101 Uncomment them to build wolfSSL with TLS 1.3 support as of v3.11.1-tls13-beta.
102 This is for experimenting only; as far as I can tell, TLS 1.3 support is not
103 functioning correctly yet. https://github.com/wolfSSL/wolfssl/pull/943
109 #define WOLFSSL_TLS13
111 #undef HAVE_TLS_EXTENSIONS
112 #define HAVE_TLS_EXTENSIONS
114 #undef HAVE_FFDHE_2048
115 #define HAVE_FFDHE_2048
/* Side-channel hardening, per the macro names: timing-resistant fastmath and
   ECC paths plus RSA blinding. TFM_TIMING_RESISTANT is also set earlier in
   this file from C_EXTRA_FLAGS; the duplicate is harmless. Keep these on. */
121 #undef TFM_TIMING_RESISTANT
122 #define TFM_TIMING_RESISTANT
124 #undef ECC_TIMING_RESISTANT
125 #define ECC_TIMING_RESISTANT
127 #undef WC_RSA_BLINDING
128 #define WC_RSA_BLINDING
/* Hash algorithms enabled by the configure run (RIPEMD, SHA-512, SHA-384). */
133 #undef WOLFSSL_RIPEMD
134 #define WOLFSSL_RIPEMD
136 #undef WOLFSSL_SHA512
137 #define WOLFSSL_SHA512
139 #undef WOLFSSL_SHA384
140 #define WOLFSSL_SHA384
/* SESSION_CERTS corresponds to --enable-sessioncerts in the configure line
   quoted above. */
143 #define SESSION_CERTS
145 #undef WOLFSSL_CERT_GEN
146 #define WOLFSSL_CERT_GEN
/* NOTE(review): enables SSLv3 support in the library build. SSLv3 is
   obsolete (deprecated by RFC 7568); confirm this is still required. */
157 #undef WOLFSSL_ALLOW_SSLV3
158 #define WOLFSSL_ALLOW_SSLV3
170 #define HAVE_POLY1305
172 #undef HAVE_ONE_TIME_AUTH
173 #define HAVE_ONE_TIME_AUTH
179 #define HAVE_HASHDRBG
/* HAVE_TLS_EXTENSIONS is apparently emitted once per extension-related
   configure option by the generator; the repetition is harmless. */
181 #undef HAVE_TLS_EXTENSIONS
182 #define HAVE_TLS_EXTENSIONS
187 #undef HAVE_TLS_EXTENSIONS
188 #define HAVE_TLS_EXTENSIONS
193 #undef HAVE_TLS_EXTENSIONS
194 #define HAVE_TLS_EXTENSIONS
/* HAVE_SUPPORTED_CURVES corresponds to --enable-supportedcurves above. */
196 #undef HAVE_SUPPORTED_CURVES
197 #define HAVE_SUPPORTED_CURVES
199 #undef HAVE_EXTENDED_MASTER
200 #define HAVE_EXTENDED_MASTER
/* NOTE(review): WOLFSSL_TEST_CERT enables test-certificate code, going by
   the name; confirm it is wanted in a release build. */
202 #undef WOLFSSL_TEST_CERT
203 #define WOLFSSL_TEST_CERT
/* Fastmath; see the manual section quoted above on stack usage and the
   accompanying TFM_TIMING_RESISTANT recommendation. */
212 #define USE_FAST_MATH
214 #undef WC_NO_ASYNC_THREADING
215 #define WC_NO_ASYNC_THREADING
223 #endif /* WOLFSSL_OPTIONS_H */