WolfSSL Server on the Galileo

Intel has been kind enough to show us how to use WolfSSL on the Galileo board, but only in a client mode. Turns out that, there are some issues that will be encountered when running a WolfSSL server on the Galileo with the EthernetServer mode.

I’ve had to learn this the hard way.


The EthernetServer will fail to load the server certificate as the internal clock is stuck in the past. Therefore, we need to set the system date of the Galileo board to the present. Since there is no NTP client built into the Galileo 2 board, we are forced to use rdate instead.

So, telnet into the Galileo board and run the following command:

$ rdate tick.greyware.com

I suppose that the best way to do this is to incorporate a system() command into the setup() code of the Arduino sketch to automatically synchronise the date.

ECC Support

WolfSSL has removed static key based cipher-suites since 3.6.6. Therefore, it needs to be configured to support say, ECDHE based cipher-suites. Unfortunately, this is not automatically enabled during library configuration unless you’re using x86_64, which the Galileo board isn’t.

Therefore, the solution is to configure the library with the –enable-ecc option enabled.

$ ./configure --prefix=$HOME/wolfssl/ --target=i586-poky-linux-uclibc --host=i586-poky-linux-uclibc --enable-ecc

Otherwise, we will face the inability to communicate with the Galileo board when debugging using OpenSSL with the Galileo board complaining that there are no matching cipher suites right after receiving a Client Hello. The Galileo board then teminates the handshake without sending a Server Hello.


Garmin GPS Update in Linux

I own a Garmin GPS that I wanted to update. It’s about a year old and the maps are not up-to-date. For example, it does not include the new second Penang bridge. Garmin provides updated maps on its website but the installer runs in Windows. Since I did not have a Windows machine available, I had to find another way.

Turns out that Microsoft gives away time-limited virtual machine images of Windows, primarily for browser testing. So, I downloaded the smallest one – IE6 on WinXP. After that, it had to be extracted from the archive. This can be done by:

$ chmod +x IE6.WinXP.For.LinuxVirtualBox.sfx
$ ./IE6.WinXP.For.LinuxVirtualBox.sfx

Next, the extracted OVA file needs to be imported into VirtualBox and run.

Screenshot - 13092014 - 12:23:52

After that, it’s just a matter of using the browser to download the update from Garmin and running the map.

Note: We just need to make sure that the Garmin is configured as a USB storage device and that it is attached to the virtual machine, instead of the host machine.

Upstream git flow

I’ve been quite happily using git-flow for a while now. It’s a great way to structure and organise code management whether you are making commercial code or otherwise. However, I’ve recently had a need to fork an upstream repository and make local changes to it. However, I also need to track and keep updated with the changes upstream. So, this is my new flow:

Firstly, I’ll create an empty repository and initialise it for git-flow

$ mkdir repos.git
$ cd repos.git
$ git flow init
No branches exist yet. Base branches must be created now.
Branch name for production releases: [master]
Branch name for "next release" development: [develop]
How to name your supporting branch prefixes?
Feature branches? [feature/]
Release branches? [release/]
Hotfix branches? [hotfix/]
Support branches? [support/]
Version tag prefix? []

Next add the upstream remote and specify which remote branch to track, which we will use to pull changes in periodically.

$ git remote add upstream -t master git://sourceware.org/git/newlib.git
$ git fetch upstream

Then, merge the upstream code into the current development branch. Instead of merging the full upstream development, I prefer to merge the last stable release from upstream. This can be done by merging a specific tag identified by a specific commit point.

$ git checkout develop
$ git fetch upstream
$ git show-ref tag_name
$ git merge tag_hash

This should be done periodically to keep the local develop branch in-sync with upstream changes. Since I’m merging in the latest stable upstream code, I would recommend doing this whenever there are new stable versions from upstream.

Otherwise, just use git-flow as before and hopefully, things will hopefully work out automagically.

Typical Server Setup

Since there are so many little tweaks that I do to my regular web-server setup, I felt that I should put down some of my thoughts here, for the purpose of documentation.

Operating System
I invariably go with Debian. If the VPS provider does not provide a Debian option, I will not buy a VPS from them. When choosing between Debian installs, I tend to choose 32-bit images because I do not believe in having a single large server with more than 4GB of RAM. A 32-bit installation allows me to do some wonderful optimisations. I can run a MySQL and web server with PHP5 in under 64MB of RAM on a 32-bit Debian install.

Firstly, security. My firewall of choice is Shorewall because it has been around for ages and I have been using it for just as long. It has only gotten better with age. I am one of those who believes in host-based security. Every person should be vigilant and take care of themselves when going out – same with servers. I will just tweak the example configurations provided with the documentation pack.

Next, I will install Dropbear and remove OpenSSH server. The reason that I do this is largely due to resource consumption. Since the SSH server is rarely used except for administrative work, I just use a light-weight one instead, to conserve RAM. I will set it with the “-w” option to block remote root logins. Other than that, I leave things as they are.

Since most Open Source web applications tend to use MySQL as their database, I need to configure this. Depending on the amount of RAM available, I will select the example configuration provided with the documentation pack. The amount of recommended RAM is stated in the example config files themselves. I will tweak it by adding the skip-networking, skip-bdb, skip-innodb flags to reduce RAM usage.

Web server
I prefer to use Lighttpd because it provides a lean web-server that is easy to configure. IMHO, Nginx is not as friendly to configure while Apache is too resource intensive. There are a number of configurations that I will do with this. I will set server.tag to emit some useful information – typically the name of the actual machine that is serving up the page. I will disable server.dir-listing. I will set the SSL certificates if required and set the algorithm to AES128-SHA to conserve CPU resources. I will also tweak the FastCGI numbers depending on the resources and expected performance of the server.

Web application
I tend to run PHP5 because that is what most Open Source stuff use. I will tweak it by turning on zlib.output_compression, reducing memory_limit and turning off expose_php for security and performance purposes. The actual values to tweak will depend on the resources available on the server.

Some points to note:

If using an opcode cache like XCache, it is important to reduce the number of FastCGI processes and increase the child threads because the cache is stored per-process. Otherwise, it is better to reduce the child threads to zero and increase the FastCGI processes to reduce resource consumption.

Other minor tweaks that I will install would be things like etckeeper that helps to keep track of maintenance issues. I may also install cron-apt to help with some update notifications. I also reduce swappiness to improve memory performance.