Privoxy / Support Requests / #1765 Building Privoxy using wolfssl

Fabian Keil - 2024-03-31

status: open --> pending

assigned_to: Fabian Keil
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Fabian Keil - 2024-03-31

Thanks a lot for the report.

"Subject Alternative Name" support is required so you have to use a wolfSSL build that has been compiled with WOLFSSL_ALT_NAMES.

If you rebuild wolfSSL anyway you may want to compare your defines with mine:
https://lists.privoxy.org/pipermail/privoxy-devel/2024-March/000751.html

I just added another header which should also help so please try to recompile after pulling the current git master branch.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

I built wolfssl with your config. There is still an error when compiling:

gcc -c -pipe -march=native -mtune=native -O2 -pipe -fno-plt -DNDEBUG   -pthread -Wall  wolfssl.c -o wolfssl.o
grep -v '^#MASTER#' default.action.master > default.action
wolfssl.c:78:2: warning: #warning wolfSSL has been compiled without WOLFSSL_ALT_CERT_CHAINS [-Wcpp]
   78 | #warning wolfSSL has been compiled without WOLFSSL_ALT_CERT_CHAINS
      |  ^~~~~~~
wolfssl.c:1739:2: error: #error wolfSSL lacks Subject Alternative Name support (WOLFSSL_ALT_NAMES) which is mandatory
 1739 | #error wolfSSL lacks Subject Alternative Name support (WOLFSSL_ALT_NAMES) which is mandatory
      |  ^~~~~
wolfssl.c: In function ‘set_subject_alternative_name’:
wolfssl.c:1771:15: error: ‘struct Cert’ has no member named ‘altNames’
 1771 |    certificate->altNames[0] = 0x30; /* Sequence */
      |               ^~
wolfssl.c:1772:15: error: ‘struct Cert’ has no member named ‘altNames’
 1772 |    certificate->altNames[1] = (unsigned char)hostname_length + 2;
      |               ^~
wolfssl.c:1774:15: error: ‘struct Cert’ has no member named ‘altNames’
 1774 |    certificate->altNames[2] = 0x82; /* DNS name */
      |               ^~
wolfssl.c:1775:15: error: ‘struct Cert’ has no member named ‘altNames’
 1775 |    certificate->altNames[3] = (unsigned char)hostname_length;
      |               ^~
wolfssl.c:1776:23: error: ‘struct Cert’ has no member named ‘altNames’
 1776 |    memcpy(&certificate->altNames[4], hostname, hostname_length);
      |                       ^~
wolfssl.c:1778:15: error: ‘struct Cert’ has no member named ‘altNamesSz’
 1778 |    certificate->altNamesSz = (int)hostname_length + 4;
      |               ^~
make: *** [GNUmakefile:314: wolfssl.o] Error 1
make: *** Waiting for unfinished jobs....
==> ERROR: A failure occurred in build().
    Aborting...

The version I'm using (5.7) doesn't have the WOLFSSL_ALT_NAMES option.
My config:

  ./configure \
        --prefix=/usr \
        --bindir=/usr/bin \
        --libdir=/usr/lib \
        --includedir=/usr/include \
        --datarootdir=/usr/share \
        --disable-dependency-tracking \
        --enable-certgen \
        --enable-des3 \
        --disable-des3-ciphers \
        --enable-ip-alt-name \
        --enable-altcertchains \
        --enable-dh \
        --enable-dsa \
        --enable-dtls \
        --enable-ecc \
        --enable-fastmath \
        --enable-fasthugemath \
        --enable-ipv6 \
        --enable-keygen \
        --enable-opensslall \
        --enable-opensslextra \
        --enable-renegotiation-indication \
        --enable-ripemd \
        --enable-sessioncerts \
        --enable-session-ticket \
        --enable-sp \
        --enable-sp-asm \
        --enable-sp-math-all \
        --enable-sha512 \
        --enable-shared \
        --enable-sni \
        --enable-ssh \
        --enable-static \
        --enable-tls13 \
        --enable-tls13-draft18
  make

Last edit: withoutname 2024-03-31

Fabian Keil - 2024-04-01

WOLFSSL_ALT_NAMES is not a configure option but has to be set with the CFLAGS.

I use:
CFLAGS+= -DWOLFSSL_ALT_NAMES -DFP_MAX_BITS=8192 -DNO_WOLFSSL_STUB -DWOLFSSL_ALT_CERT_CHAINS -DHAVE_IO_TIMEOUT

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

withoutname - 2024-04-01

Unfortunately, my knowledge is not enough to do this.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- Lee - 2024-04-02
  
  Unfortunately, my knowledge is not enough to do this.
  
  Same here. And the wolfssl support forum isn't any help:
  https://www.wolfssl.com/forums/post7561.html
  
  Fabian,
  Could you show how you built wolfssl and then privoxy?
  
  Thanks
  Lee
  
  If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

As an ElectroBSD user I use the FreeBSD ports system with a modified security/wolfssl port:

PORTNAME=   wolfssl
PORTVERSION=    5.7.0
PORTREVISION=   2
CATEGORIES= security devel
MASTER_SITES=   https://www.wolfssl.com/ \
        LOCAL/fox

MAINTAINER= fox@FreeBSD.org
COMMENT=    Embedded SSL C-Library
WWW=        https://www.wolfssl.com/

LICENSE=    GPLv2+
LICENSE_FILE=   ${WRKSRC}/COPYING

USES=       autoreconf cpe libtool zip
USE_LDCONFIG=   yes

GNU_CONFIGURE=  yes
CONFIGURE_ARGS= --disable-dependency-tracking \
        --enable-certgen \
        --enable-des3 \
        --disable-des3-ciphers \
        --enable-dh \
        --enable-dsa \
        --enable-dtls \
        --enable-ecc \
        --enable-fastmath \
        --enable-fasthugemath \
        --enable-ipv6 \
        --enable-keygen \
        --enable-opensslall \
        --enable-opensslextra \
        --enable-renegotiation-indication \
        --enable-ripemd \
        --enable-sessioncerts \
        --enable-session-ticket \
        --enable-sp \
        --enable-sp-asm \
        --enable-sp-math-all \
        --enable-sha512 \
        --enable-shared \
        --enable-sni \
        --enable-ssh \
        --enable-static \
        --enable-tls13 \
        --enable-tls13-draft18
TEST_TARGET=    check
CFLAGS+=    -DWOLFSSL_ALT_NAMES -DFP_MAX_BITS=8192 -DNO_WOLFSSL_STUB -DWOLFSSL_ALT_CERT_CHAINS -DHAVE_IO_TIMEOUT

OPTIONS_DEFINE= DEBUG DOCS
#OPTIONS_DEFAULT= DEBUG

DEBUG_CONFIGURE_ON= --enable-debug

post-configure:
    @${REINPLACE_CMD} \
        -e 's|$${prefix}/cyassl/include|$${prefix}/include/cyassl|' \
        -e 's|$${prefix}/cyassl/lib|$${prefix}/lib/cyassl|' \
        -e '/^pkgconfigdir/s|(libdir)|&data|' \
        ${WRKSRC}/Makefile

post-install-DEBUG-off:
    @${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/libwolfssl.so

.include <bsd.port.mk>

I use poudriere to build the package.

When building Privoxy I use the --with-wolfssl option.

Manually using the autotools build works for me as well:

./autogen.sh
export CFLAGS="-DWOLFSSL_ALT_NAMES -DFP_MAX_BITS=8192 -DNO_WOLFSSL_STUB -DWOLFSSL_ALT_CERT_CHAINS -DHAVE_IO_TIMEOUT"
./configure --disable-dependency-tracking \
            --enable-certgen \
            --enable-des3 \
            --disable-des3-ciphers \
            --enable-dh \
            --enable-dsa \
            --enable-dtls \
            --enable-ecc \
            --enable-fastmath \
            --enable-fasthugemath \
            --enable-ipv6 \
            --enable-keygen \
            --enable-opensslall \
            --enable-opensslextra \
            --enable-renegotiation-indication \
            --enable-ripemd \
            --enable-sessioncerts \
            --enable-session-ticket \
            --enable-sp \
            --enable-sp-asm \
            --enable-sp-math-all \
            --enable-sha512 \
            --enable-shared \
            --enable-sni \
            --enable-ssh \
            --enable-static \
            --enable-tls13 \
            --enable-tls13-draft18 \
            --enable-debug
gmake

To get all the tests working I have to patch some of them but upstream rejected the PR:
https://github.com/wolfSSL/wolfssl/pull/5704

withoutname - 2024-06-30

I managed to build a version with wolfssl. But some domains don’t work, the log shows the message “Error: X509 certificate verification for i.kommersant.ru failed with error -308: error state on socket”, while it works with openssl.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Fabian Keil - 2024-07-06

Which WolfSSL version do you use?

When I try i.kommersant.ru it doesn't seem to respond to requests to port 443 so it doesn't work with either OpenSSL or WolfSSL for me.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

withoutname - 2024-07-07

WolfSSL 5.7
i.kommersant.ru works when you click the button (if there is one) under the news. The site that definitely does not work for me with WolfSSL: traxxas.com, instead of opening it I see the message:

Server certificate verification failed Privoxy was unable to securely connect to the destination server. Reason: received alert fatal error

In the log there is a message "Error: X509 certificate verification for traxxas.com failed with error -313: received alert fatal error"
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Fabian Keil - 2024-07-09

i.kommersant.ru remains unreachable for me but I can reproduce the problem with https://traxxas.com/ with both Privoxy and curl linked against wolfSSL 5.7.

I consider this a wolfSSL bug worth reporting upstream. Do you want to do it or should I?

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

withoutname - 2024-07-10

If it's not too much trouble for you, please spread the word.
Regarding i.kommersant.ru, if you open this link "https://www.kommersant.ru/doc/6821399#comments" and click the blue button under the message, user comments should load, but instead you will see that message in the log, and the comments will not load.

Last edit: withoutname 2024-07-10

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Fabian Keil - 2024-07-10

I can reproduce the issue that the comments don't load on https://www.kommersant.ru/ but on my systems the problem seems to be that connections to i.kommersant.ru already fail before the TLS handshake:

fk@elektrobier ~ $curl -v --head https://i.kommersant.ru/ * Host i.kommersant.ru:443 was resolved. * IPv6: (none) * IPv4: 185.147.37.72 * Trying 185.147.37.72:443... * connect to 185.147.37.72 port 443 from 95.211.138.7 port 63777 failed: Operation timed out * Failed to connect to i.kommersant.ru port 443 after 75102 ms: Couldn't connect to server * Closing connection curl: (28) Failed to connect to i.kommersant.ru port 443 after 75102 ms: Couldn't connect to server

For the other issue I filed wolfSSL bug #7735: Can't establish TLS connections to https://traxxas.com/.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Thank you!
Regarding i.kommersant.ru, geoblocking is possible, but not sure, because... curl works for me:

curl -v --head https://i.kommersant.ru/

* Host i.kommersant.ru:443 was resolved.
* IPv6: (none)
* IPv4: 185.147.37.72
*   Trying 185.147.37.72:443...
* Connected to i.kommersant.ru (185.147.37.72) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384 / secp256r1 / rsaEncryption
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=RU; ST=Moscow; L=Moscow; O=JSC Kommersant; CN=*.kommersant.ru
*  start date: Feb 13 15:30:28 2024 GMT
*  expire date: Mar 16 15:30:27 2025 GMT
*  subjectAltName: host "i.kommersant.ru" matched cert's "*.kommersant.ru"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> HEAD / HTTP/1.1
> Host: i.kommersant.ru
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Connection: Keep-Alive
Connection: Keep-Alive
< Content-Length: 39
Content-Length: 39
< Date: Thu, 11 Jul 2024 18:50:31 GMT
Date: Thu, 11 Jul 2024 18:50:31 GMT
< Server: Microsoft-IIS/10.0
Server: Microsoft-IIS/10.0
< X-AspNetMvc-Version: 5.2
X-AspNetMvc-Version: 5.2
< X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
<


* Connection #0 to host i.kommersant.ru left intact

Fabian Keil - 2026-04-09

status: pending --> closed-fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Fabian Keil - 2026-04-09

The wolfSSL issue has been fixed upstream a while ago.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Building Privoxy using wolfssl

HTTP proxy to block ads and customize webpages

Group

Searches

Help

#1765 Building Privoxy using wolfssl

Discussion