wolfSSL support for Lighttpd

wolfSSL v3.15.5 was recently released and features many new additions to the library. One of those options is support for Lighttpd. Lighttpd is an open-source web server that is optimized for speed-critical environments while remaining standards-compliant, portable, and flexible.

The addition of support for Lighttpd is the perfect match for web servers looking to remain lightweight, fast, and portable while providing top-rate security. The wolfSSL embedded SSL/TLS library provides support for TLS 1.3, is available in a FIPS-validated version, and its size ranges from 20-100kB.

To build wolfSSL for use with Lighttpd, simply run the configure script with the option "--enable-lighty".

The most recent version of the wolfSSL library can be downloaded from our download page here: https://www.wolfssl.com/download/
More information about the new release of wolfSSL and its added features can be found here: https://www.wolfssl.com/wolfssl-3-15-5-now-available/

Please contact us at support@wolfssl.com for assistance or questions in compiling wolfSSL for use with Lighttpd!

wolfSSL PKCS#11 support

wolfSSL v3.15.5 was released last week, which features many new additions to the library. One of those options is support for PCKS#11. The PKCS#11 standard defines an API to cryptographic tokens. The API defines most commonly used cryptographic object types (RSA keys, X.509 Certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.

Using wolfSSL on your application or your device will now allow you to utilize PKCS#11 for access to hardware security modules, smart cards, and other cryptographic tokens.

To build wolfSSL with PKCS#11 support, the library needs to be downloaded and then built with a specific option. The library can be downloaded from the wolfSSL download page, here: https://www.wolfssl.com/download/. The steps to build wolfSSL with PKCS#11 are detailed below:

# From within wolfSSL's root directory
./autogen.sh
./configure --enable-pkcs11
make
sudo make install

wolfSSL also has its PKCS#11 documentation located within its doxygen pages, here: https://www.wolfssl.com/doxygen/group__PKCS11.htmlThis PKCS#11 documentation provides information on the recently added PKCS#11 API.

More information about the new release of wolfSSL v3.15.5 can be found here: https://www.wolfssl.com/wolfssl-3-15-5-now-available/
wolfSSL v3.15.5 download: https://www.wolfssl.com/download/
Wikipedia article on PKCS#11: https://en.wikipedia.org/wiki/PKCS_11

wolfSSL TLS 1.3-only build (#TLS13)

wolfSSL v3.15.5 was released last week which features many new additions to the library. One of those options is the availability of a TLS 1.3 only build, which enables the wolfSSL embedded SSL/TLS library to built such that use of TLS 1.2 and prior protocols is effectively disabled.

The TLS 1.3 only build is useful when forward secrecy and extra security are desired in embedded systems or applications. This option will cause attempted connections with other clients or servers to fail during the handshake unless they support the use of TLS 1.3, which prevents insecure connections from even being formed in the first place. Additionally, this TLS 1.3 option also streamlines the library. By enabling just TLS 1.3, the portions of the library that provide functionality for prior TLS protocol versions are not included when building the library, reducing the build size.

The newest version of wolfSSL can be downloaded from the download page. To build the wolfSSL library in TLS 1.3 only mode once downloaded, it requires the following options be used when running the configure script:

--enable-tls13
--disable-tlsv12
--disable-oldtls

References

wolfSSL v3.15.5 release notes: https://www.wolfssl.com/wolfssl-3-15-5-now-available/
Differences between SSL/TLS protocol versions: https://www.wolfssl.com/differences-between-ssl-and-tls-protocol-versions-3/

Please contact us at facts@wolfssl.com with questions about using TLS 1.3 with wolfSSL, or compiling the library for your platform.

wolfMQTT support for the 5.0 specification is here!

The wolfMQTT client now supports connecting to v5.0 enabled brokers. Handling properties received from the server is accomplished via a customizable callback. The following v5.0 specification features are supported by the wolfMQTT client:

  • AUTH packet
  • User properties
  • Server connect ACK properties
  • Format and content type for publish
  • Server disconnect
  • Reason codes and strings
  • Maximum packet size
  • Server assigned client identifier
  • Subscription ID
  • Topic Alias

As a side note, wolfMQTT uses the wolfSSL embedded SSL/TLS library for SSL/TLS support.  Since wolfSSL supports TLS 1.3, your wolfMQTT-based projects can now use MQTT with TLS 1.3 with a supported broker!

You can download the latest release from our website or clone on GitHub. For more information please email us at facts@wolfssl.com.

TLS 1.3 combined with FIPS (#FIPS #TLS13)

wolfSSL is a lightweight TLS/SSL library that is targeted for embedded devices and systems. It has support for the TLS 1.3 protocol, which is a secure protocol for transporting data between devices and across the Internet. In addition, wolfSSL uses the wolfCrypt encryption library to handle its data encryption.

Because there is a FIPS 140-2 validated version of wolfCrypt, this means that wolfSSL not only has support for the most current version of TLS, but it also has the encryption backbone to support your FIPS 140-2 needs if required.

Some key benefits of combining TLS 1.3 with FIPS validated software include:

  1. Software becomes marketable to federal agencies - without FIPS, a federal agency is not able to use cryptographic-based software
  2. Single round trip
  3. 0-RTT (a mode that enable zero round trip time)
  4. After Server Hello, all handshake messages are encrypted.

And much more! For more information regarding the benefits of using TLS 1.3 or using the FIPS validated version of wolfCrypt, check out wolfSSL's TLS 1.3 Protocol Support and our wolfCrypt FIPS page.

FIPS 140-2 is a government validation that certifies that an encryption module has successfully passed rigorous testing and meets high encryption standards as specified by NIST. For more information or details on FIPS 140-2, it may be helpful to view this Wikipedia article: https://en.wikipedia.org/wiki/FIPS_140-2

For more details about wolfSSL, TLS 1.3, or if you have any other general inquiries please contact facts@wolfssl.com

To find out more about FIPS, check out the NIST FIPS publications or contact fips@wolfssl.com

wolfMQTT Adds Support for MQTT-SN

The MQTT Sensor Network standard provides a lightweight networking protocol perfectly suited to low cost, low power hardware. The protocol allows using small topic identifiers in place of the full topic name when sending and receiving publish data.

The wolfMQTT SN Client implementation is based on the OASIS MQTT-SN v1.2 specification. The SN API is configured with the --enable-sn option. There is a separate API for the sensor network API, which all begin with the "SN_" prefix. The wolfMQTT SN Client operates over UDP, which is distinct from the wolfMQTT clients that use TCP. The following features are supported by the wolfMQTT SN Client:

  • Register
  • Will topic and message set up
  • Will topic and message update
  • All QoS levels
  • Variable-sized packet length field

You can download the latest release of wolfMQTT from our website or clone on GitHub. For more information please email us at facts@wolfssl.com.

wolfSSL 3.15.5 is Now Available

This release contains many new exciting additions to the wolfSSL embedded IoT library and some fixes to existing features. One of the changes with TLS 1.3 was adding in the capability of doing a TLS 1.3 only build. In addition to having the TLS 1.3 only build, OCSP stapling support with TLS 1.3 was added along with some fixes for asynchronous crypto use with the TLS 1.3 implementation.

Enhancements and fixes were made for PKCS parsing:

  • Added support for dynamic allocation of PKCS7 structure using wc_PKCS7_New and wc_PKCS7_Free functions
  • Support for PKCS#11 added with “--enable-pkcs11
  • Expanded PKCS#7 CMS support with KEKRI, PWRI and ORI
  • Streaming capability for PKCS#7 decoding and sign verify added
  • Added support for constructed OCTET_STRING with PKCS#7 signed data
  • Fix for PKCS8 padding with encryption
  • Added support for generic ECC PEM header/footer with PKCS8 parsing

Additional ports were added and some of the existing ports were updated to make it easy to use wolfSSL in new environments:

  • Port for ASIO added with “--enable-asio” configure flag
  • Port to apache mynewt added in the directory wolfssl-3.15.5/IDE/mynewt/*
  • Added a wolfSSL static library project for Atollic TrueSTUDIO
  • Contiki port added with macro WOLFSSL_CONTIKI
  • AF_ALG and cryptodev-linux crypto support added
  • Added support for the STM32L4 with AES/SHA hardware acceleration
  • Renesas e2studio project files added
  • Renesas RX example project added
  • Added reference STSAFE-A100 public key callbacks for TLS support
  • Added reference ATECC508A/ATECC608A public key callbacks for TLS support

Existing ports that were updated:

  • Update to Intel® SGX port, files included by Windows version and macros defined when using WOLFSSL_SGX
  • Updated support for latest CryptoAuthLib (10/25/2018)
  • Fixes for MQX classic 4.0 with IAR-EWARM
  • Updates to Nucleus version supported
  • Updates to Rowley-Crossworks settings for CMSIS 4
  • Updates to support Lighttpd
  • Fixes for OCSP use with NGINX port
  • Updates to XCODE build with wolfSSL
  • PIC32MZ hardware acceleration buffer alignment fixes
  • Fixes and enhancements for NXP K82 support
  • Relocate compatibility layer functions for OpenSSH port update
  • Updates and enhancements to the GCC-ARM example
  • Updates for wolfcrypt JNI wrapper

Additional Features:

  • Added DTLS either (server/client) side initialization setting
  • Flag to disable AES-CBC and have only AEAD cipher suites with TLS “--disable-aescbc
  • Added “--enable-asn=nocrypt” for certificate only parsing support
  • Benchmark enhancements to print in CSV format and in Japanese
  • Added Japanese output to example server and client with “-1 1” flag
  • Added USE_ECDSA_KEYSZ_HASH_ALGO macro for building to use digest sizes that match ephemeral key size
  • Additional compatibility API’s added, including functions like wolfSSL_X509_CA_num and wolfSSL_PEM_read_X509_CRL
  • Adds checking for critical extension with certificate Auth ID and the macro WOLFSSL_ALLOW_CRIT_SKID to override the check
  • Added public key callbacks to ConfirmSignature function to expand public key callback support
  • Added ECC and Curve25519 key generation callback support
  • Additional support for parsing certificate subject OIDs (businessCategory, jurisdiction of incorporation country, and jurisdiction of incorporation state)
  • Added  wc_ecc_ecport_ex and wc_export_inti API's for ECC hex string exporting
  • Added support for parsing PIV format certificates with the function wc_ParseCertPIV and macro WOLFSSL_CERT_PIV
  • Added APIs to support GZIP
  • Version resource added for Windows DLL builds

Optimizations:

  • Memory free optimizations with adding in earlier free’s where possible
  • ALT_ECC_SIZE use with SP math
  • Stack size reduction with smallstack build
  • Fix for assembly optimized version of Curve25519
  • Fix for DH algorithm when using SP math with ARM assembly

Macro and Behavior Changes:

  • Renamed the macro INLINE to WC_INLINE for inline functions
  • Made modifications to the primality testing so that the Miller-Rabin tests check against up to 40 random numbers rather than a fixed list of small primes
  • Make SOCKET_PEER_CLOSED_E consistent between read and write cases

For a full list of changes see the changelog located at https://www.wolfssl.com/docs/wolfssl-changelog/

wolfSSL Intel SGX (#SGX) + FIPS 140-2 (#FIPS140)!

wolfSSL is pleased to announce the following addition to the wolfSSL FIPS certificate!

Debian 8.7.0 Intel ® Xeon® E3 Family with SGX support Intel®x64 Server System R1304SP
Windows 10 Pro Intel ® Core TM i5 with SGX support Dell LatitudeTM 7480

The wolfCrypt FIPS validated cryptographic module has been validated while running inside an Intel SGX enclave and examples have been setup for both Linux and Windows environments.

Intel ® SGX (Software Guard Extensions) can be thought of as a black-box where no other application running on the same device can see inside regardless of privilege. From a security standpoint this means that even if a malicious actor were to gain complete control of a system including root privileges, that actor, no matter what they tried, would not be able to access data inside of this “black-box”.

An Intel enclave is a form of user-level Trusted Execution Environment (TEE) which can provide both storage and execution. Meaning one can store sensitive information inside and also move sensitive portions of a program or an entire application inside.

While testing, wolfSSL has placed both individual functions and entire applications inside the enclave. One of the wolfSSL examples shows a client inside the enclave with the only entry/exit points being “start_client”, “read”, and “write”. The client is pre-programmed with a peer to connect with and specific functionality. When “start_client” is invoked it connects to the peer using SSL/TLS and executes the pre-programmed tasks where the only data entering and leaving the enclave is the info being sent to and received from the peer. Other examples show placing a single cryptographic operation inside the enclave, passing in plain-text data and receiving back encrypted data masking execution of the cryptographic operations.

If you are working with SGX and need FIPS validated crypto running in an enclave contact us at fips@wolfssl.com or support@wolfssl.com with any questions. We would love the opportunity to field your questions and hear about your project!

Resources:
https://software.intel.com/en-us/blogs/2016/12/20/overview-of-an-intel-software-guard-extensions-enclave-life-cycle

wolfSSL FAQ page

The wolfSSL FAQ page can be useful for information or general questions that need need answers immediately. It covers some of the most common questions that the support team receives, along with the support team's responses. It's a great resource for questions about wolfSSL, embedded TLS, and for solutions to problems getting started with wolfSSL.

To view this page for yourself, please follow this link here.

Here is a sample list of 5 questions that the FAQ page covers:

  1. How do I build wolfSSL on ... (*NIX, Windows, Embedded device) ?
  2. How do I manage the build configuration of wolfSSL?
  3. How much Flash/RAM does wolfSSL use?
  4. How do I extract a public key from a X.509 certificate?
  5. Is it possible to use no dynamic memory with wolfSSL and/or wolfCrypt?

Have a  question that isn't on the FAQ? Feel free to email us at support@wolfssl.com.