wolfSSL Version 3.9.8 is Here!

wolfSSL’s progressive embedded TLS/SSL library has a new release available for download by our community. This new release contains new features, updates to existing code, and bug fixes. Some of the additional features added to wolfSSL version 3.9.8 are the use of custom ECC curves, support for Brainpool curves, and RSA blinding for private key operations. With the addition of RSA binding comes increased protection against timing attacks for users that have static RSA suites on their server. Static RSA cipher suites are not recommended and are turned off by default with wolfSSL.

Some fixes were also made to the IoT wolfSSL library. A few of these fixes were dealing with sanity checks on malformed certificates outside of a TLS connection, revisions to the recent static memory feature, and updated handling of math operations with compressed ECC keys. It is recommended that users update to the most recent wolfSSL release. Users that have server side static RSA cipher suites enabled should update to this version of wolfSSL for RSA blinding, and create new RSA private keys.

Here is a full list of highlighted changes for this release of our embedded SSL library.

– Add support for custom ECC curves. This allows use of non-standard ECC curves.
– Add cipher suite ECDHE-ECDSA-AES128-CCM.
– Add compkey enable option. This option is for enabling and disabling compressed ECC keys.
– Add in the option to use test.h without gettimeofday function using the macro WOLFSSL_USER_CURRTIME. This makes test.h more portable.
– Add RSA blinding for private key operations. Enable option of harden which is on by default. This negates timing attacks.
– Add ECC and TLS support for all SECP, Koblitz and Brainpool curves.
– Add helper functions for static memory option to allow getting optimum buffer sizes. This calculates the size of the needed buffer to have it completely used with no excess unused memory at the end.
– Update wolfSSL for use with MYSQL v5.6.30.
– Update LPCXpresso eclipse project to not include misc.c when not needed.
– Updates to DTLS 1.2.
– Fixes for code in math sections with compressed ECC keys. This includes edge cases for buffer size on allocation and adjustments for compressed curves build.
– Fix function argument mismatch for build with secure renegotiation.
– X.509 bug fixes for reading in malformed certificates, reported by researchers at Columbia University
– Fix GCC version 6 warning about hard tabs in poly1305.c. This was a warning produced by GCC 6 trying to determine the intent of code.
– Fixes for static memory option. These fixes include avoiding potential race conditions with
counters and decrementing handshake counter in the case of a failed client connection attempt.
– Fix for a possible output buffer overrun when using anonymous cipher and Diffie Hellman key exchange on the server side.

For more information contact wolfSSL at facts@wolfssl.com.  Support questions can be directed to support@wolfssl.com.

Announcing wolfSSH v0.2.0!

wolfSSL Inc., makers of the wolfSSL (formerly CyaSSL) and wolfCrypt libraries for embedded applications and the IoT, are proud to announce our new library: wolfSSH. Do you have an embedded device using a serial port for configuration or logging? How would you like a secure tunnel into it to get at the logs and configuration, or even copy new firmware into it? wolfSSH is the solution for you!

wolfSSH keeps a small footprint by using the wolfCrypt cryptography library. If you need FIPS 140-2, wolfCrypt has you covered.

wolfSSH is currently dual licensed. You may download from our website and use it for free, so long as you abide by the GPLv3 licensing terms. Commercial licensing terms are also available. Please contact our sales team for more information.

Updated TLS 1.3 Draft on GitHub

Hi!  The IETF TLS Working Group released the next draft of the TLS 1.3 protocol specification on July 12th, 2016. We wanted to update our users with this for those interested in tracking the protocol’s progress with us.

The updated specification can be found on GitHub at:

We are eager to implement TLS 1.3 as it gets closer to its final specification!  We think this new protocol iteration will add a lot of improvement!  As such, we`re excited to get going and need user feedback.  Please contact us to let us know what parts of the spec are most important to you.  We will consider adding pieces of TLS 1.3  to our current TLS 1.2 implementation, should users of wolfSSL need them.  Let us know your thoughts at facts@wolfssl.com.


wolfSSL Inc has received 3 more FIPS certifications for wolfSSL’s wolfCrypt Implementation on ATMEL’s SAM4L w/ OpenRTOS v9.0.0!! These certificates can be viewed here: SHS (SHA) certificate #3310, HMAC certificate #2617, AES certificate #4012.

wolfSSL Inc is in the process of certifying CMAC, AES, SHS, and HMAC on NXP’s LPC43S20 w/ OpenRTOS v8.2.3.  The lab tests have all passed and we are simply awaiting our CAVP certificates to be given a number and publish on the NIST site!

wolfSSL has successfully tested FIPS on NXP’s LPC43S37 w/ FreeRTOS v8.0.1 and previously wolfSSL received FIPS certifications on STMicro’s STM32F w/ FreeRTOS 7.6: SHS (SHA) certificate #2882, HMAC certificate #2228, AES certificate #3490, Triple DES certificate #1966, RSA certificate #1791, DRBG certificate #863

If you have a need for FIPS on FreeRTOS/OpenRTOS please do not hesitate to contact us.