Fast P-384 in Single Precision (SP)

wolfSSL 4.4.0 introduces new optimised implementations of the elliptic curve P-384. Our Single Precision (SP) math code has been enhanced to support the NIST P-384/secp384r1 curve. If you need higher security public key cryptography then P-384 from wolfSSL is your choice.

wolfSSL now has optimised C implementations that will enhance the performance on any platform while there are assembly optimisations for Intel and ARM chips. As an example of the improvements you will see, take a look at the comparison to OpenSSL when signing and verifying on Intel x64:

| Algorithm | Bits | Operation | wolfSSL SP | OpenSSL 1.1.1c |
| --- | --- | --- | --- | --- |
| ECC | 384 | Verify | 6025 (14384*) | 1842 |


*with pre-computation table caching

That’s right, a 14 times improvement in speed for signing and 3.2 times (or 7.8 when using caching) improvement in verification!

Also take a look at the performance of the key agreement operation in comparison with high security DH (also optimised in SP).

| Algorithm | Bits | Operation | wolfSSL SP | OpenSSL 1.1.1c |
| --- | --- | --- | --- | --- |
| ECC | 384 | Key Agree | 7477 | 1455 |
| DH | 2048 | Key Agree | 5162 | |
| DH | 3072 | Key Agree | 2128 | |


The P-384 curve key agreement is even faster than 2048-bit DH! High security and high performance are now in reach with the new SP optimised code.

If you have any questions about the wolfSSL embedded SSL/TLS library or using the P-384 curve with SP in your application, contact us today at

X509 Certificates with wolfSSL C#

Are you interested in incorporating the best tested cryptography with FIPS certification into your C# project? wolfSSL has a C# wrapper that makes it easy to get started with TLS connections in C# projects. We are constantly working on and expanding the C# wrapper, and have recently added wrappers for inspecting X509 certificates. Now users can view peer certificates with verification callback functions. If you have a feature request or need for the C# wrapper with wolfSSL contact us at

Upcoming Webinar: Getting Started with wolfMQTT

Don’t miss this hot topic next week! wolfSSL Engineer Eric Blankenhorn presents:

Getting Started with wolfMQTT
Wednesday, Jun 17, 2020 10:00 AM Pacific Time (US and Canada)

In this webinar, we will talk about how the wolfMQTT library is a client implementation of MQTT written in C for embedded use. It supports SSL/TLS via the wolfSSL library. From this, it can provide the security that the MQTT protocol lacks. wolfMQTT was built from the ground up to be multi-platform, space conscious and extensible. It supports all Packet Types, all Quality of Service (QoS) levels 0-2 and supports SSL/TLS using the wolfSSL library.

What questions do you have around wolfMQTT? Eric Blankenhorn has answers. Email us at with any questions.

wolfSSL 2019 Annual Report

We not only remained far ahead of our competitors in 2019, but we also proceeded to extend our lead with massive success and growth. We grew our business dramatically, primarily based on our technological superiority and ongoing investments in testing and quality. We delivered TLS 1.3 ahead of the market, MISRA-C cryptography for the automotive market, FIPS for our government consumers and DO-178 for avionics. We also remain the best-tested product on the market, as witnessed by our additional fuzz testing resources from both internal and external sources. We have also been through a number of additional code audits from our large consumers. Finally, we engaged some of the best code auditors and testers in the world to review our code. Lots of testing and lots of eyeballs have come together to produce the best-tested TLS and cryptography code on the market today. Thank you for your interest in wolfSSL! We are off to a great start in 2020 and will strive to live up to your expectations again in the rest of 2020!

Reminder: If your TLS and cryptography provider does not do fuzz testing, you are exposed.

wolfSSL Technical Progress

A total of 4 releases of the wolfSSL embedded TLS library were delivered in 2019, each with bug fixes, enhancements, and new feature additions. Highlights of these releases included:

1. New Hardware and OS Ports

2. New Software Ports!

  • Apache web server (--enable-apache-httpd, WOLFSSL_APACHE_HTTPD)
  • OpenVSwitch
  • Google WebRTC
  • Over 198 new OpenSSL compatibility API added
  • Qt (--enable-qt, --enable-qt-test, WOLFSSL_QT)
  • OpenVPN

3. Updates to Existing Ports

  • Arduino (updated/refactored default settings, improved sketch examples)
  • Xilinx (updates to Xilinx FreeRTOS build)
  • Nginx (updated 1.15.0 patch, added 1.16.1 and 1.17.5 support)

4. Operating System Updates

  • Micrium uC/OS-III (port update, adjustments for static and inline macros)
  • Windows (fixes for custom ECC curves, directory functions)
  • NetBSD (default build and mutex usage)
  • SafeRTOS (fixes for build issues)
  • VxWorks (port updates)
  • Yocto Linux (ease of use improvements, updates, build instructions)

5. Compiler and IDE Updates

  • IAR-EWARM (Cortex-M changes, compiler warning fixes)
  • Renesas CS+ (improve user settings support, updated examples)
  • XCode (Project file update, iPhone simulator on i386 build fixes)
  • Visual Studio (fixes for build warnings, wrapper for snprintf)
  • Cygwin (fixes for visibility tags)

6. TLS 1.3 Updates

  • Better Interop
    • Interop fixes and better version negotiation
  • Better Portability
    • Portability improvements (simplify time requirement, XTIME_MS)
  • Better Testing
    • Additional fuzz testing!
    • Automated testing of select Embedded Targets
    • Better customer testing (known use-cases and configurations)
  • More Cipher Suites
    • Addition of NULL cipher suites (TLS_SHA256_SHA256, TLS_SHA384_SHA384)

7. New Hardware Crypto Support

  • ARM CryptoCell-310 on nRF52840
  • Renesas TSIP on RX65N
  • PKCS#11 support for HMAC, AES-CBC, and RNG
  • Intel QuickAssist v1.7 driver support
  • Intel QuickAssist RSA key generation and SHA-3 support
  • STM32WB PKA ECC signature verification

8. Improvements to Existing Hardware Crypto Support

  • STM32 (improved AES-GCM performance)
  • STSAFE (wolfSSL crypto callback support, better error code handling)
  • TI (updates to existing hardware crypto)
  • NXP mmCAU performance improvements (35-78%!)
  • Crypto callbacks (added 3DES support, improved features)
  • Fixes to Microchip ATECC508/608A, AES-NI, AVX2, ARMv8, devcrypto/afalg, ST CubeMX

9. New and Updated Algorithms

  • Addition of Ed25519ctx and Ed25519ph (sign/verify – RFC 8032)
  • Addition of Blake2s (32-bit Blake2 support)
  • CMS / PKCS#7 Improvements

10. Algorithm Performance Optimization

  • ARM Architecture
    • ChaCha20 using SIMD NEON extension
    • Poly1305 using SIMD NEON extension
    • Curve25519/Ed25519
    • SHA-384/512 using SIMD NEON extension

11. New and Updated Build Options

  • “--enable-ecccustcurves=all” – Enable all curve types
  • “--enable-16bit” – Enable 16-bit compiler support
  • “--enable-rsavfy” – RSA verify only build
  • “--enable-rsapub” – RSA public only build
  • “--enable-armasm” – Updated for ease of use with autotools
  • “--enable-fallback-scsv” – Fallback SCSV, server-side
  • “--enable-titancache” – New session cache size, can hold over 2 million sessions

12. TLS Extension Support Additions and Updates

  • Added TLS Trusted CA extension
  • Added Encrypt-then-MAC for TLS 1.2 and below
  • Ability to disable Signature Algorithms extensions
  • Parsing efficiency improvements to SNI extension
  • Additional error checking when parsing ALPN

13. Single Precision Math Updates

  • Cortex-M support
  • Support for prime checking
  • Specialized implementation of mod exp when base is 2
  • Support for 4096-bit RSA and DH operations

14. FIPS 140-2 Validation News!

  • Support for wolfCrypt FIPS v4.0.0 certificate #3389
  • New “FIPS Ready” initiative
  • Addition of wolfRand build option to
  • FIPS 140-2 OE additions
    • HP Imaging & Printing Linux 4.9 running on HP PN 3PZ95-60002 with ARM Cortex-A72 with and without PAA**
      • Includes ARMv8/NEON assembly optimizations w/ PAA**
    • Linux 4.4 (Ubuntu 16.04 LTS) running on Intel Ultrabook 2 in 1 with an Intel® Core™ i5-5300U CPU @2.30GHz x 4 with and without PAA**
      • Includes Intel AESNI and RDSEED support w/ PAA**
    • OpenRTOS v10.1.1 running on STMicroelectronics STM32L4R9I-DISCO (Discovery Kit) with a STMicroelectronics STM32L4Rx (no PAA**)
    • Windows 10 Enterprise running on Radar FCL Package Utility with Intel® Core™ i7-7820 @2.9GHz x 4 with and without PAA**
      • Includes Intel AESNI and RDSEED support w/ PAA**
    • Windows 10 running on Intel Ultrabook 2 in 1 with an Intel® Core™ i5-5300U CPU @2.30GHz x 4 with and without PAA**
      • Includes Intel AESNI and RDSEED support w/ PAA**

** (Processor Algorithm Accelerator)

15. Testing

  • Fixes for Coverity, scan-build, and cppcheck reports
  • Enhancements to test cases for increased code coverage
  • More Pull Request and Nightly tests
  • ABI compliance testing for a subset of APIs

16. Examples

  • New Coldfire MCF5441X NetBurner example
  • New Visual Studio solution for Microsoft Azure Sphere Devices
  • New NXP Kinetis Design Studio (KDS) example project

17. Additional Product Enhancements

  • wolfMQTT (2 releases)
    • Multithreaded support (--enable-mt)
    • Port Updates
      • Visual Studio
      • NXP MQX / RTCS
      • Microchip Harmony
    • Examples
      • New multithread example
      • Azure authentication update
      • Default broker for example
      • New simple client example
      • New non-blocking example
  • wolfSSH (3 releases)
    • Client-side public key authentication support
    • Callback function to check the public key sent
    • SFTP client and server support for Windows CE, Micrium 3, MQX 4.2
    • Port updates for Nucleus and Windows
    • Window size optimizations
    • Better automated and fuzz testing!
    • Updates to non blocking support
    • More examples: Renesas CS+, SFTP
    • Support for AES-CTR connections added
    • Improved interoperability and reliability
    • TCP port forwarding
    • Global request message support
    • Client side pseudo terminal support
  • wolfTPM (3 releases)
    • Support for Microchip ATTPM20
    • Support for Barebox
    • Support for multiple concurrent processes
    • Improvements for chip detection, compatibility and startup performance
    • Better testing with new API unit test framework
    • Support for NV with authentication
    • New wrappers and examples for HMAC/AES, ECDHE and PCR
    • Added examples for TLS client/server
    • Stack use reductions
    • Expanded benchmark support
    • Crypto callback flags for FIPS mode and Symmetric options
    • Support for ST33 TPM2_SetMode command (low-power savings)
  • wolfBoot (3 releases)
    • Compile options for Cortex-M0
    • Support for RV32 RISC-V architecture
    • STM32F76x/77x hardware-assisted dual-bank support
    • New HAL support
      • Atmel SAMR21
      • TI CC26X2
      • NXP/Freescale Kinetis SDK
      • RV32 FE310 (SiFive HiFive-1)
      • STM32L0
      • STM32G0
      • STM32F7
      • STM32H7
      • STM32WB55
    • Support for ECC-256 DSA
    • Support for external flash for Update/Swap
    • Anti-rollback protection
    • New Python tools for key generation and signing
    • Ability to move flash-writing functions to RAM
    • Ability for bootloader to update itself
    • TPM2.0 support
      • Integration with wolfTPM
      • Extended STM32 SPI driver to support dual TPM/FLASH communication
      • Tested on STM32 with Infineon 9670
      • RSA 2048 bit digital signature verification
  • cURL
    • New option for commercial support
  • wolfSSL-py (2 releases)
    • Python3 fixes
    • Native feature detection
  • wolfCrypt-py (1 release)
    • Added Ed25519 cipher
    • Added methods for ECC key handling
    • New methods for raw sign/verify on Ed25519
    • RSA new methods: make_key() encode_key()
    • Native feature detection based on wolfSSL build

wolfSSL Top 10 Blog Posts/Technical Announcements

2019 Webinars

  1. The Advantages of Using TLS 1.3
  2. wolfSSL: TLS 1.3, OpenSSL Comparison
  3. Introduction to Secure Boot
  4. Migrating from OpenSSL to wolfSSL
  5. Security in Avionics

wolfSSL Organizational Growth

  • wolfSSL represents one of the largest teams focused on a single implementation of TLS/Crypto worldwide. If you know of anyone who fits the following description, please let us know.
  • We have expanded our customer base considerably, are now securing connections for over 1000 products, have partner relationships with over 30 vendors, and are securing well over 2 Billion connections on any given day, worldwide.
  • wolfSSL increased its presence in Europe with 2 new members to the team in 2019.
  • We got the word out! wolfSSL attended over 62 trade-events (see below). You may ask yourself, why is wolfSSL visiting so many venues? The answer: we are trying to save the world from using bad implementations of Crypto and TLS.

wolfSSL Events and Tradeshows

The wolfSSL team participated in a total of 62 events in 2019, which was up from 50 in 2018 (and 30 in 2017)! As part of these events we were in 44 cities, 18 US states, and 10 countries! The events we participated in this last year included:

  1. CES (Las Vegas, NV)
  2. Smart Factory Expo (Tokyo, Japan)
  3. Japan IT Week West (Osaka, Japan)
  4. Embedded Tech India Expo (New Delhi, India)
  5. FOSDEM (Brussels, Belgium)
  6. DistribuTECH (New Orleans, LA)
  7. ET Nagoya (Nagoya, Japan)
  8. Embedded World 2019 (Nuremberg, Germany)
  9. RSA (San Francisco, CA)
  10. Medtec Japan 2019 (Tokyo, Japan)
  11. MtoM Embedded Systems (Paris, France)
  12. Black Hat Asia 2019 (Marina Bay Sands, Singapore)
  13. cURL UP (Prague, Czech Republic)
  14. NXP Tech Days Chicago (Chicago, IL)
  15. SIdO (Lyon, France)
  16. Japan IT Week Spring (Tokyo, Japan)
  17. NXP Tech Days Minneapolis (Minneapolis, MN)
  18. IoT Tech Expo Global (London, England)
  19. LinuxFest (Bellingham, WA)
  20. Satellite 2019 (Washington, DC)
  21. NXP Tech Days Seattle (Bellevue, WA)
  22. ICMC (Vancouver, BC)
  23. Internet of Things World (Santa Clara, CA)
  24. ESC Boston (Boston, MA)
  25. Wireless IoT (Tokyo, Japan)
  26. RTCA (Crystal City, VA)
  27. TU Automotive (Zurich, Switzerland)
  28. Risc-V Summit (Zurich, Germany)
  29. NXP Connects (Santa Clara, CA)
  30. Embedded Tech West (Osaka, Japan)
  31. IoT TechExpo Europe (Amsterdam, Netherlands)
  32. Sensors Expo West (San Jose, CA)
  33. IoT Security Forum (Tokyo, Japan)
  34. Microchip Master 2019 (Phoenix, AZ)
  35. Black Hat 2019 (Las Vegas, Nevada)
  36. NXP Tech Days (Irvine, CA)
  37. Billington International Cyber Security Summit (Washington, DC)
  38. RIOT Summit (Helsinki, Finland)
  39. NXP Tech Days Boston (Boston, MA)
  40. IoT World Asia 2019 (Singapore)
  41. ST Dev Con (Santa Clara, CA)
  42. FACE Consortium (Dayton, OH)
  43. Federal Identity Forum (Tampa, FL)
  44. ST Tech Tour (Vancouver, BC)
  45. ArmTech Con (San Jose, CA)
  46. NXP Tech Days Detroit (Detroit, MI)
  47. Japan IT Week Autumn (Chiba Makuhari Messe, Japan)
  48. ST Tech Tour (Minneapolis, MN)
  49. Xilinx XSWG (Longmont, CO)
  50. Embedded Conference Scandinavia (Stockholm, Sweden)
  51. ETSI/IQC Quantum Safe Cryptography Workshop (Seattle, WA)
  52. ST Tech Tour (Boston, MA)
  53. NXP Tech Days Toronto (Toronto, Canada)
  54. Xilinx XSWG (Herndon, VA)
  55. IoT Tech Expo North America (Santa Clara, CA)
  56. Embedded Technology/IoT Technology East (Pacifico Yokohama, Japan)
  57. Open Source Conference (Tokyo, Japan)
  58. Embedded Software Engineering Kongress (Sindelfingen, Germany)
  59. Xilinx XSWG (Munich, Germany)
  60. ARM Tech Symposium (Tokyo, Japan)
  61. RISC-V Summit (San Jose, CA)
  62. Tron Show (Tokyo, Japan)

In summary, we had a great year! 2019 was successful on multiple fronts, and we look forward to serving our customers and community with ever more secure and functional software in 2020. As always, your feedback is welcome at

New APIs for running updates to ChaCha20/Poly1305 AEAD

wolfSSL 4.4.0 introduces new ChaCha20/Poly1305 APIs for AEAD to allow “chunked” updates of data followed by a final calculation for the authentication tag. This uses the same “Init”, “Update”, “Final” conventions commonly available with our hash algorithms.

The new APIs are available by default and can be disabled using: NO_CHACHAPOLY_AEAD_IUF.


These additions resulted in the following additional enhancements to the wolfSSL library and regression testing:

  1. Refactor of functions wc_ChaCha20Poly1305_Encrypt and wc_ChaCha20Poly1305_Decrypt to use the new ChaChaPoly_Aead context and the new init/update/final functions.
  2. Refactor of the Poly1305 AEAD / MAC to reduce duplicate code (Footprint Optimizations)
  3. Tests for TLS v1.3 interop and ChaCha20/Poly1305 AEAD test vectors.
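
To make the Init/Update/Final flow described above concrete, here is an added example (not wolfSSL code and not from the original post): a pure-Python model of the RFC 8439 ChaCha20/Poly1305 AEAD that accepts data in chunks and produces the tag at the end. The class and function names (ChaChaPolyAead, process, open_checked) are illustrative assumptions and do not correspond to wolfSSL identifiers.

```python
import hmac, struct

M32, P1305 = 0xffffffff, (1 << 130) - 5
QROUNDS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def chacha20_block(key, counter, nonce):     # RFC 8439 section 2.3, 64-byte output
    init = struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce)
    s = list(init)
    rotl = lambda v, n: ((v << n) & M32) | (v >> (32 - n))
    for _ in range(10):                      # 10 double rounds = 20 rounds
        for a, b, c, d in QROUNDS:
            for x, y, z, n in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
                s[x] = (s[x] + s[y]) & M32
                s[z] = rotl(s[z] ^ s[x], n)
    return struct.pack("<16I", *((x + y) & M32 for x, y in zip(s, init)))

class ChaChaPolyAead:
    """Init/update/final model of the RFC 8439 AEAD; names are illustrative."""
    def __init__(self, key, nonce, encrypt):
        otk = chacha20_block(key, 0, nonce)  # block 0 yields the one-time MAC key
        self.r = int.from_bytes(otk[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
        self.s = int.from_bytes(otk[16:32], "little")
        self.key, self.nonce, self.encrypt, self.counter = key, nonce, encrypt, 1
        self.acc, self.aad_len, self.data_len, self.buf, self.ks = 0, 0, 0, b"", b""
    def _mac(self, data):                    # absorb full 16-byte blocks, keep the rest
        self.buf += data
        while len(self.buf) >= 16:
            blk, self.buf = self.buf[:16] + b"\x01", self.buf[16:]
            self.acc = (self.acc + int.from_bytes(blk, "little")) * self.r % P1305
    def _pad16(self):                        # zero-pad the current section to 16 bytes
        if self.buf:
            self._mac(bytes(16 - len(self.buf)))
    def update_aad(self, aad):
        if self.data_len:
            raise ValueError("AAD must be supplied before any data")
        self.aad_len += len(aad)
        self._mac(aad)
    def update_data(self, chunk):
        if self.data_len == 0:
            self._pad16()                    # first data chunk closes the AAD section
        while len(self.ks) < len(chunk):     # unused keystream carries to the next chunk
            self.ks += chacha20_block(self.key, self.counter, self.nonce)
            self.counter += 1
        out = bytes(a ^ b for a, b in zip(chunk, self.ks))
        self.ks = self.ks[len(chunk):]
        self._mac(out if self.encrypt else chunk)   # the tag always covers ciphertext
        self.data_len += len(chunk)
        return out
    def final(self):
        self._pad16()
        self._mac(struct.pack("<QQ", self.aad_len, self.data_len))
        return ((self.acc + self.s) % (1 << 128)).to_bytes(16, "little")

def process(key, nonce, aad, data, chunk, encrypt):   # returns (output, tag from final)
    ctx = ChaChaPolyAead(key, nonce, encrypt)
    ctx.update_aad(aad)
    out = b"".join(ctx.update_data(data[i:i + chunk]) for i in range(0, len(data), chunk))
    return out, ctx.final()

def open_checked(key, nonce, aad, ct, tag, chunk):
    """Chunked decrypt that returns plaintext only if the tag compares equal."""
    pt, calc = process(key, nonce, aad, ct, chunk, encrypt=False)
    return pt if hmac.compare_digest(calc, tag) else None
```

With chunked decryption, plaintext comes out of each update call before the tag has been computed, so callers should hold it back until the final tag has been compared in constant time, as open_checked does.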

If you have any questions about the wolfSSL embedded SSL/TLS library, or using ChaCha20/Poly1305 in your application, contact us today at

Building Qt with wolfSSL

wolfSSL 4.4.0 adds support for building Qt 5.12 and 5.13 against the wolfSSL embedded SSL/TLS library instead of the default OpenSSL backend!  Using wolfSSL as a TLS provider in Qt can have many advantages, depending on application and industry.  Some of these may include:

To compile wolfSSL for Qt, we have added a new configure option named “--enable-qt”.  To compile Qt with the wolfSSL patch:

1. Follow the Building Qt Guide to download needed Qt dependencies and initialize the Qt repository.
2. Change into the qt5 directory and check out a branch between 5.12 and 5.13.

$ cd qt5
$ git checkout [branch_name]

3. Apply the wolfSSL Qt patch file to qt5.

$ cd qt5/qtbase
$ patch -p1 < /path/to/wolfssl_qt_src.patch

4. Link to wolfSSL directly by setting the WOLFSSL_LIBS variable.

$ export WOLFSSL_LIBS="-L/path/to/wolf-install/lib -lwolfssl"

5. Configure Qt using the “-wolfssl-linked” option, and add wolfSSL header directories to the include path.

$ ./configure -wolfssl-linked -I/path/to/wolf-install/include/wolfssl -I/path/to/wolf-install/include

6. Build Qt.

$ make

7. Test the build.

$ make test

8. Or, run tests individually:

$ qtbase/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate
$ qtbase/tests/auto/network/ssl/qasn1element/tst_qasn1element
$ qtbase/tests/auto/network/ssl/qpassworddigestor/tst_qpassworddigestor 
$ qtbase/tests/auto/network/ssl/qsslcipher/tst_qsslcipher
$ qtbase/tests/auto/network/ssl/qssldiffiehellmanparameters/tst_qssldiffiehellmanparameters
$ qtbase/tests/auto/network/ssl/qsslellipticcurve/tst_qsslellipticcurve 
$ qtbase/tests/auto/network/ssl/qsslerror/tst_qsslerror 
$ qtbase/tests/auto/network/ssl/qsslkey/tst_qsslkey 
$ qtbase/tests/auto/network/ssl/qsslsocket/tst_qsslsocket
$ qtbase/tests/auto/network/ssl/qsslsocket_onDemandCertificates_member/tst_qsslsocket_onDemandCertificates_member
$ qtbase/tests/auto/network/ssl/qsslsocket_onDemandCertificates_static/tst_qsslsocket_onDemandCertificates_static

wolfSSL’s port into Qt has not been merged upstream yet, and is currently distributed in patch form.  To request access to the wolfSSL Qt patch file, please email us at!

SSL/TLS in Qt: Introduction to wolfSSL

Don’t miss this hot topic! wolfSSL Engineering Manager Chris Conlon presents:

Qt has traditionally used OpenSSL as the provider for SSL/TLS in Qt Network for secure network communications. Qt developers who are looking for a lightweight, progressive, and well-tested SSL/TLS implementation will be happy to learn how Qt can be used with the wolfSSL embedded SSL/TLS library.

wolfSSL provides progressive SSL/TLS protocol support up to TLS 1.3, maintains a minimal memory footprint, and focuses on extensive testing to reduce bugs and vulnerabilities. This session provides an overview of wolfSSL and advantages it brings to Qt developers when used in place of OpenSSL. Viewers will gain insight into how they can build Qt with wolfSSL, learn about the current state of SSL/TLS and the cryptography algorithms it uses, and have a chance to ask the experts about their SSL/TLS questions.

Email us at with any questions.

wolfSSH SSH Agent Support

wolfSSL Inc is adding support for SSH-AGENT authentication to wolfSSH. The SSH-AGENT allows one to log in through multiple machines with a single private key on one’s local terminal. A good example is logging onto a test server and then accessing GitHub with git, which uses SSH. Git will ask SSH on the test server to sign its handshake message, and that request is forwarded back to your local terminal over the SSH tunnel, where the data is signed with your private key. No fuss, no muss. The wolfSSH agent will interoperate with OpenSSH and Dropbear.

For questions on wolfSSH or SSH agent support contact us at!
