wolfSSL 2.0.8 is Now Available

Version 2.0.8 of the wolfSSL embedded SSL/TLS library has been released and is now available for download.  This release contains bug fixes, some feature enhancements, and is a recommended update for all users:

– A fix for malicious certificates pointed out by Remi Gacogne (thanks!) resulting in NULL pointer use.
– Respond to renegotiation attempt with no_renegoatation alert
– Add basic path support for load_verify_locations()
– Add set Temp EC-DHE key size
– Extra checks on RSA test when porting into 

To download the open source, GPLv2-licensed version of wolfSSL 2.0.8, please visit our Download Page.  If you have any questions or comments or would like more information on commercial versions of wolfSSL, please contact us at info@yassl.com.

For build instructions, a full feature list, API reference, and more, please see the wolfSSL Manual.

CyaSSL working with Nginx

Hi!  We have been asked a number of times about CyaSSL integration with the Nginx web server.  If you are not familiar with Nginx, it is a high performance, high concurrency web server that is becoming extremely popular these days.  You can learn more about Nginx at nginx.com.

Nginx and CyaSSL make a likely pairing because they are both lean, compact, fast, and scale well under high volumes of connections.  The big news today is that CyaSSL is now working with Nginx in the lab, and we expect it to become generally available in the near future.  At this time, we are seeking feedback from those who are particularly interested in using CyaSSL with Nginx and would like to work with us as beta testers.  Let us know what you think at info@yassl.com.

OpenSSL in Devices gets cracked when trying to “enhance” randomness

Hi!  The security world has been buzzing this week about two new sets of research into what we will call statistical key cracking.  The hack is one that we would not expect out of your average script kiddie, because it combines sophisticated scanning with mathematical prowess.  The overview story is the first link below.  The second and third links take you to the researchers previews.

http://arstechnica.com/business/news/2012/02/crypto-shocker-four-of-every-1000-public-keys-provide-no-security.ars?comments=1#comments-bar

http://eprint.iacr.org/2012/064.pdf

https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs

We are particularly interested in the work from Nadia Heninger and her team, given that our user base is skewed towards embedded systems.

Our takeaways from this new research are high entropy seeds are vital to proper key generation.  If a high entropy device is available use it, if not, don`t try to write your own.  Connect securely to a remote server where a high entropy seed can be relayed over the SSL/TLS connection.  And don`t stir the RNG between (p) and (q) generation.  This crack is based on a low entropy seed and the stirring between (p) and (q) generation.  wolfSSL avoids this problem in two ways, by using a high entropy seed from /dev/random and by not stirring between (p) and (q) but before each (p) instead.

wolfSSL and LibSCS

wolfSSL is now available as a crypto provider for KoanLogic’s SCS library, LibSCS. SCS, a small cryptographic protocol layered on top of the HTTP cookie facility [RFC6265], allows its users to produce and consume authenticated and encrypted cookies, as opposed to usual cookies, which are un-authenticated and sent in clear text.

From the LibSCS README, “By having a non-tamperable proof of authorship attached, each SCS cookie can always be validated by the originator, making it possible for a server to handle clients` session state without the need to store it locally. In fact, an SCS enabled server could completely delegate the application state storage to the client (e.g. a web browser) and use it, in all respects, as a remote storage device. The result of the cryptographic transformations applied to state data can be used to ensure that its information authenticity and confidentiality attributes are the same as if they were stored privately on server-side.”

You can build LibSCS with wolfSSL by running the following commands. You must have KoanLogic’s makl installed on your development machine (http://koanlogic.com/makl/) to build the package. See the libscs README and INSTALL files for more detailed instructions.

makl-conf –crypto=cyassl
makl

libscs GitHub repository: https://github.com/koanlogic/LibSCS

If you have any questions about wolfSSL with LibSCS, please contact KoanLogic (info@koanlogic) or yaSSL (info@yassl.com).

The Gravity

yaSSL currently secures over 50 million points on the internet.  We don’t talk about who is using CyaSSL, for obvious reasons, but the numbers are big and growing.

We take our work seriously, and hope you feel comfortable with our efforts.  We endeavor to build a business, a community, and do the right thing.  We welcome your feedback.  If you believe that we have failed at some point, then let us know.  We’ll correct it.  We’re open source and open minded about what you have to say.  Contact us at info@yassl.com and let us know how we’re doing!