Join wolfSSL at Embedded World 2023 and Satellite 2023

WolfSSL will attend two major tradeshows from March 14 to 16: Embedded World 2023 in Nuremberg, Germany, and Satellite 2023 in Washington D.C. At Embedded World, attendees will explore the latest trends in embedded systems, IoT, and edge computing. At Satellite 2023, the focus is on new developments in satellite technology, ground stations, and launch services.

WolfSSL offers highly optimized TLS and cryptography libraries that secure IoT devices and embedded systems against cyber attacks. At both tradeshows, the wolfSSL team will meet with attendees and discuss how their products can support their projects. They have the expertise and experience to help you achieve your security goals and enhance system performance.

By scheduling a meeting with the wolfSSL team at Embedded World 2023 or Satellite 2023, attendees can gain valuable insights into the latest trends and technologies in embedded and satellite systems security. . Don’t miss out on this opportunity to meet with wolfSSL and explore the latest advancements in embedded and satellite systems security.

Email facts@wolfssl.com to schedule a meeting with the wolfSSL team at either tradeshow.

Take advantage of the opportunity to enhance your embedded security knowledge with wolfSSL’s free two-day training. Be sure to register for both days as day 2 will build off the content from day 1.

Day 1 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_OZ3yQPubRBqrtxhHsOm3ug

Day 2 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_8eIUIe_yRtCiaS1yKGKwJQ

wolfSSL, wolfSentry, and the UN Cybersecurity Regulations for Vehicles

Under UN Regulations 155 and 156, auto makers and their contractors take on the daunting responsibility for security across the entire lifecycle of the vehicle.  To meet this challenge, designers must consider security from the start of product planning, and at every stage thereafter, designing in sustainable, best-in-class solutions.

The two crucial approaches to secure the endpoint are access controls and cryptographic encapsulation.  wolfSSL offers best-in-class enabling technology for both.  wolfCrypt, wolfSSL, wolfSSH, and wolfBoot are turnkey embedded solutions to secure software and messaging in the embedded endpoint with best-in-class cryptography.  The wolfSentry embedded IDPS, in turn, secures the embedded endpoint with a flexible, field-configurable policy engine, and facilitates integration into central cybersecurity monitoring solutions.

wolfSentry, and the rest of the wolf suite, align with the specific mitigations directed by R155:

  • “Measures to detect and recover from a denial of service attack shall be employed”
  • “Security controls shall be applied to systems that have remote access”
  • “Access control techniques and designs shall be applied to protect system data/code.”
  • “Measures to prevent and detect unauthorized access shall be employed”
  • “Measures to detect malicious internal messages or activity should be considered”
  • “The vehicle shall verify the authenticity and integrity of messages it receives”
  • “Security controls shall be implemented for storing cryptographic keys (e.g. use of Hardware Security Modules)”

wolfSentry, in concert with other wolf suite components and application-specific plugin logic, implements these mitigations in a fully embeddable, easily integrated, highly portable form.  And the foundational requirements of R156, which relates to software update management systems for vehicles, are fully met by the wolf suite.

By adopting the wolf suite of solutions as key components of a comprehensive security architecture, designers can assure the sustainability of their engineering investment, with all major algorithms, target silicon, and runtime environments supported.

Further reading:

Full text of R155 (30 pages): https://unece.org/sites/default/files/2021-03/R155e.pdf

R156 (16 pages): https://unece.org/sites/default/files/2021-03/R156e.pdf

wolfSSL 2022 Annual Report

wolfSSL’s progress continued at a fantastic pace in 2022! New people, new products, new customers, new code, and new testing marked another excellent year for the project and the company. We are particularly pleased with the amount of integration work that we completed in conjunction with our open source and commercial partners. Additionally, our FIPS 140-3 certificate moved closer to completion. Finally, as our readers know, we are laser focused on producing the best tested TLS 1.3 and cryptography. Our latest advancements in testing are covered later in this report.

We also want to give our thanks to all of our wonderful customers, open source users, and partners. You’ve been tremendous and we look forward to serving you in 2023.

wolfSSL Technical Progress

A total of 9 releases of the wolfSSL embedded TLS library were delivered in 2022, each with bug fixes, enhancements, and new feature additions. Highlights of these releases included:

  1. New Hardware and OS Ports
    1. Hardware
    2. OS Ports
      • wolfBoot support for NXP T2080 on DEOS (an avionics RTOS w/ DO-178C cert)
  1. New Open Source Software Ports!
    1. chrony – Versatile implementation of the Network Time Protocol (NTP)
    2. FFmpeg – Video manipulation utility. wolfSSL used to access remote files over HTTPS.
    3. git – Version control system. Requires other dependencies to also be built with wolfSSL (curl + ssh).
    4. Kerberos 5 (krb5) – Network authentication service.
    5. libspdm – DMTF’s Security Protocols and Data Models. Enables authentication, attestation, and key exchange to assist in providing infrastructure security enablement.
    6. NXP SE05X Middleware – Adds a HostCrypto option for using wolfSSL. Establish an authenticated SCP03 channel to SE050.
    7. Liboqs – Patched to use different SPHINCS+ variants and liboqs version.
  1. Updates to Existing Ports
    1. StrongSwan VPN (libstrongswan) – Updates to build errors with latest release. Tested with wolfCrypt FIPS.
    2. lighttpd – Enable post-quantum algorithms with liboqs
    3. stunnel – Enable post-quantum algorithms with stunnel
    4. Version Updates
      • stunnel 5.61
      • net-snmp 5.9.1
      • bind 9.18.0
      • OpenSSH 8.2p1
      • OpenSSH 8.5p1
      • OpenSSH 9.0 – First post-quantum OpenSSH release. Streamlined NTRU Prime key encapsulation mechanism with X25519 ECDH KEM fallback
      • Qt 5.15.8
      • OpenResty 1.19.9.1
      • OpenResty fixes with wolfCrypt FIPS
      • Python 3.8.14
  1. Compiler and IDE Updates
    1. Added IAR example for the MSP430, located in IDE/IAR-MSP430.
    2. Update VxWorks Workbench example to support the latest VxWorks.
    3. Added example Visual Studio project for FIPS v5 ready
    4. Added support for SEGGER embOS and emNET with an IAR Workbench example in IDE/IAR-EWARM/embOS.
    5. Added support for Infineon AURIX IDE.
    6. Added support for the nRF5340 with CryptoCell-312 to Zephyr.
    7. Added support for NuttX.
    8. Added example MCUXpresso IDE project.
  1. Post Quantum Algorithm Support
    1. wolfSSL KEMs: Kyber – liboqs, pqm4, and wolfSSL proprietary.
    2. wolfSSL Authentication: Dilithium/Falcon/Sphincs+ – liboqs.
    3. wolfSSH: hybrid ECDHE-Kyber (P256 with Level1).
    4. wolfMQTT KEMs: Kyber Level1 and hybrid ECDHE-Kyber (P256 with Level1).
    5. wolfMQTT Authentication: Falcon Level1.
  1. New Hardware Crypto Support
    1. Apple M1 (ARMv8.2-A)
    2. NXP SE050 – Expanded support
    3. NXP CAAM SECO HSM (secure controller)
    4. NXP CAAM QNX – Expanded support
    5. Renesas TSIP RX65N and RX72N
    6. Analog Devices MAXQ1080 and MAXQ1065
    7. Platform Security Architecture (PSA) Interface
    8. Xilinx Versal Hardened Crypto
    9. ARM32 and x86 assembly support expanded
    10. CryptoCell-312
  1. Improvements to Existing Hardware Crypto Support
    1. SHA-3 performance with x86_64 assembly
    2. AES CBC/GCM x86 ASM performance
    3. AES ARM32 without crypto hardware instructions
    4. AES GCM assembler optimization for ARMv7
    5. X448 and Ed448 performance
  1. New and Updated Algorithms
    1. SP Math ECC 521-bit support
    2. Support for RSA-PSS signed certificates
    3. Added CSR custom OID generation support
    4. TLS support for ISO-TP transport over CAN Bus
    5. Non-blocking ECC key generation and shared secret for P-256/384/521 including with TLS/DTLS
    6. ECIES geniv=Generate IV, more AES options, comp pub keys
  1. Algorithm Performance Optimization
    1. SP Math is now default and provides better performance!
    2. SHA-3 on ARMv8.2-A and later using SHA-3 instructions
    3. SHA-3 assembly for Intel x64
    4. Intel x86 AES using AES-NI
    5. ARMv7 SHA2-256 in assembly
    6. SP implementation of P384 improved performance
    7. X448 and Ed448 improved performance for 64-bit platforms
  1. New and Updated Build Options (as if you didn’t have enough already!)
    1. --enable-entropy-memuse
    2. --enable-sys-ca-certs
    3. --enable-quic
    4. --enable-srtp
    5. --enable-kyber
    6. --enable-psa
    7. --enable-psa-lib-static
    8. --enable-dtls13
    9. --enable-dtlscid
    10. --enable-eccencrypt=geniv
    11. --enable-secure-renegotiation-info
    12. --enable-ticket-nonce-malloc
    13. --enable-chrony
    14. --enable-openldap
    15. --enable-ffmpeg
    16. --enable-strongswan
    17. --enable-heapmath
    18. --enable-aessiv
    19. --enable-amdrand
    20. --with-seco=PATH
  1. TLS Additions and Updates
    1. Added DTLS v1.3 support
    2. Added DTLS-SRTP support
    3. Added QUIC support
    4. Added system CA Certificate Store support (Linux, Mac, Win, Android)
    5. Implemented a software-based entropy gatherer
    6. Added sniffer asynchronous support (with Intel QuickAssist)
    7. Expanded wolfSSL’s OpenSSL compatibility layer: added 72 new API’s (now over 1,600 API’s)
    8. Expanded wolfSSL’s safe ABI support by 50 API’s (to 113 in total)
    9. Constant time improvements
    10. ForceZero improvements
    11. Glitching protection by hardening the TLS encrypt operations
    12. Added additional TLS state checking
    13. Session cache refactoring
    14. (Dear reader, if you are curious about any of the above items, feel free to ask us about the details at facts@wolfssl.com)
  1. The first ever DTLS 1.3 Release in the wild
    1. DTLS 1.3 support added in June 2022!
    2. Added version negotiation support
    3. Added Connection ID support
    4. (Narrator: Please try this out and test it, we need feedback)
  1. Single Precision Math Updates
    1. SP Math ECC 384-bit speed improvements
    2. SP support for ARMv3, ARMv6, and ARMv7a
    3. SP Math ECC 521-bit support
  1. FIPS 140-2 and 140-3 Validation News!
    1. FIPS 140-2 News
      • SP 800-56A Revision 3 compliance requirements were received from the lab in fall of 2021. All testing was updated to account for the revision 3 requirements in late 2021 and early 2022.
      • February 14th, 2022 – 10 new Operational environments added to wolfCrypt FIPS cert #3389 (All had been tested prior to SP 800-56A Revision 3 requirements)
      • March 14th, 2022 – 12 new Operational environments added to wolfCrypt FIPS cert #3389 (Some but not all tested with the new SP800-56A Revision 3 compliance in place)
      • March 15th, 2022 – 20 of the past Operational Environments were retested bringing them up to the latest SP800-56A Revision 3 compliance so that they would not be dropped from cert #3389 on July 1st of 2022, the stated transition date handed down by the CMVP
      • wolfSSL has completed testing for 14 additional Operating Environments while waiting for SP800-56A Revision 3 submissions to be reviewed, with 12 new Operational Environments in the testing process that will soon be ready for submission
      • wolfSSL completed CAVP-only algorithm certificates for select OE’s that had no plans to go through CMVP validation
      • wolfSSL takes a hard stance on “Vendor Affirmation” abuse by software module vendors (not hardware vendors) making affirmation claims on hardware and software Operational Environments that are wholly different from tested configurations on the associated certificate
      • wolfSSL proposed an update to “tested configurations” and how they get listed on a FIPS certificate(s)
    2. FIPS 140-3 News
      • wolfSSL’s 140-3 submission changed to “In Review” status on October 28th of 2022 and we are hopeful to see a certificate sometime in Q1 or Q2 of 2023!
  1. Testing
    1. Our primary focus for 2022 was migrating all existing tests capable of running in the cloud to Google Compute Engine for scalability and capability
    2. Greatly expanded coverage of DTLS testing to include the latest DTLS 1.3
      • Added fuzzing targets for the DTLS 1.2 and DTLS 1.3 protocols using wolfSSL’s in-house fuzzing solution
      • Added 100’s of DTLS configurations that are tested on every GitHub pull request and again against the master code repository every night
    3. Greatly expanded coverage of Single Precision math testing
      • Added fuzzing targets for the Single Precision math library using wolfSSL’s in-house fuzzer
      • Added 100’s of SP configurations to both GitHub Pull Request testing and nightly testing
    4. Added automated testing of the FIPS 140-3 submission candidate code with wolfCLU (command line utility) (narrator: wolfCLU is really coming along)
    5. Added automated testing of the wolfSSL’s in-house proprietary ACVP harness, including testing of:
      • wolfCrypt FIPS 140-2 validated module
      • wolfCrypt FIPS 140-3 submission candidate
      • wolfSSL FIPS Ready
      • wolfSSL non-FIPS master
    6. Added TLS regression tests to guard against:
      • Performance degradation in TLS handshake times
      • Throughput degradation in TLS record layer transactions
      • Cryptographic algorithm performance degradation
      • Footprint size bloat (Narrator: Nobody enjoys their TLS bloated)
    7. Added new supplementary coverage through the “wolfssl-multi-test” framework:
      • Added cppcheck static analysis
      • Added clang-tidy static analysis
      • Added fully automated nightly runs of all scenarios, with rich text result emails targeted using git blame
      • Added wolfCrypt benchmark coverage, checked nightly against per-config per-algorithm baselines
      • Added cross target building+testing (qemu-based) for all asm-supported targets (ARM, MIPS, PPC, RISC-V, S390, 68k), including all 32/64 bit and endian variants, and sanitizer scenarios on all ARM variants
      • Added shellcheck static analysis for shell scripts
      • Added integrated test runtime isolation using bubblewrap and unshare
      • Expanded Linux kernel module testing to mainline (prerelease) kernels
      • Added per-line git blame for test output
      • Added FIPS 140-3 “–disable-sha” test scenarios
      • Added wolfSentry, WireGuard, QUIC, DTLS13, and PQ coverage
      • Added “super-quick-check” 15 minute meta-scenario
      • Numerous consistency/usability improvements – 10 new command line options, including –dry-run, –enable-bwrap, and –verbose-analyzers
  1. Examples
    1. New wolfSSL examples and wolfssl-examples repository additions included:
      • Renesas RX72N examples with FreeRTOS+IoT
      • Example C# PSK client
      • Example of adding the wolfSSL library as a subdirectory to a project and using CMake to build
      • Analog Devices MAXQ10xx example client
      • NXP SE050 EdgeLock example
      • OCSP non-blocking async example
      • wolfCrypt API example use of SPHINCS+ key for sign/verify
      • Expanded Android examples to include native wolfCrypt test and benchmark plus SP Math configurations
      • Script to generate example Dlithium Cert-chains
      • DTLS 1.3 examples
      • wolfSSL + CAAM using SECO HSM and NVM examples
      • ESP32 with VisualGDB examples
      • AES key update examples
      • Example of certificate generation and parsing with custom extensions
      • NXP SECO cryptodev examples
      • CSR example using crypto callbacks (HSM)
      • Trusted Firmware-M TLS1.3 example
    2. Updated examples included:
      • Updated certificate generation examples to create CA key and cert
      • ESP32 test and benchmark example clean-up
      • ESP32 TLS1.3 WiFi station client/server example
      • PQM4 library example to enable optimizations
      • (Narrator: Ask us for more examples if you need them at facts@wolfssl.com)
  1. Additional Product Enhancements
    1. Documentation
      • wolfSSL product documentation received a facelift, with improved Markdown sources, a new nightly build system, and public GitHub repository
      • All product manuals are now re-built nightly and available on wolfSSL’s Documentation web page in both HTML and PDF formats!
    2. wolfMQTT (6 releases)
      • Fixes for multithreading use with non-blocking
      • Documentation expansion
      • GitHub Action testing
      • MQTTv5 property handling fixes
      • CMake support and fixes to vcpkg build
      • ST NUCLEO F767ZI with TOPPERS OS support
      • Post-Quantum algorithm support
      • Addition of a GitHub CIFuzz action
      • MQTTv5 and MQTT-SN disconnect fixes
    3. wolfSSH (3 releases)
      • wolfSSHd
        • Server daemon targeting embedded Linux
        • Allows users to log into a shell on their device
        • Allows users to SFTP files to and from the filesystem
      • X.509 Certificates
        • Uses X.509 certificates for public key authentication
        • Allows for CRL and OSCP checking
        • Support for certificate chains
      • PQA Support with Hybrid ECDH-P256 Kyber-Level1
      • Better Interoperability
        • winSCP
        • Filezilla
      • More RTOS Support
        • Green Hills INTEGRITY
        • FreeRTOS with LwIP
        • Espressif ESP-IDF configuration
        • Linux on PowerPC
      • wolfCrypt FIPS 140-3 integration
    4. wolfTPM (4 releases)
      • Added C# wrappers for key handling, CSR/Cert generation, RSA encrypt/decrypt and sign/verify
      • Added Infineon SLB9672 support
      • Added Infineon TriCore HAL support
      • Added examples for Keyed Hash / NV counter increment
      • Added keygen example for creating a primary key
      • Added ST33 GetRandom2 support
      • Add CMake support
      • Fixes for C++ compilers
      • (Narrator: This is the tool to add a TPM to your embedded systems project)
    5. wolfBoot (4 releases)
      • New signature algorithm: ED448
      • New encryption algorithm: AES (128 and 256 in CTR mode)
      • Mitigations against fault injections (collaboration with newAE)
      • Support for multiple partitions/multiple keys
      • Encryption extended to delta updates and self updates
      • New target: STM32G0
      • New target: STM32U5
      • New target: i.MX-RT1050
      • New target: NXP T2080
      • New target: NXP QoriQ p1021
      • New target: x86 (via UEFI)
      • SPI refactoring and support for QSPI on STM32
      • Improved tests (new cloud CI + GitHub actions using renode)
      • DO-178C code cropping (dry run) in preparation for certification
    6. wolfSentry (5 releases)
      • User-defined key-value pairs, allowing user plugins to store configuration data in the unified wolfSentry config (JSON). Supports binary objects in base64, custom K-V validators, and freeform user-defined JSON tree values.
      • User-defined address families, for plugin support of any address family, with idiomatic addresses in the unified JSON config.
      • JSON DOM helper routines, for easy app-level use of JSON.
      • New automatic penalty-boxing logic in the core, driven by the “derogatory” and “commendable” counts in each route state.
      • An example app with dynamic rules and realtime notifications.
      • Completed readwrite lock “kernel” layered on counting semaphores, developed on POSIX, ported to Mac OSX and FreeRTOS – supports complex semantics including cheap recursion and lock promotion/demotion with promotion reservations. Implements error checking and acquisition deadlines.
      • Added autolocking to all public APIs that need it – on multicore targets with multithreaded accept handlers, most filtration/processing of traffic by wolfSentry is concurrent using shared locks. With high-complexity plugins this can be important.
      • Final beta release (0.8.0) staged our first production release in January 2023.
    7. wolfEngine (Narrator: or how to plug wolfCrypt into OpenSSL) (Release of stable 1.0.0 version)
      • Added compatibility with wolfCrypt FIPS 140-3
      • Added examples of loading wolfEngine via config file or programmatically
      • Improved RNG, AES-GCM, AES-CTR, RSA, ECC, and DH support
      • Added engine control commands
      • Improved Windows and Visual Studio build support
    8. wolfCLU (2 releases)
      • Expanded x509 command to handle
        • -subject
        • -issuer
        • -serial
        • -dates
        • -email
        • -fingerprint
        • -purpose
        • -hash
        • -modulus
      • Expanded enc command with -pass
      • Expanded verify command to include -partial_chain
      • Expanded req command to handle
        • -text
        • -noout
        • -extensions
        • -verify
        • Print out of additional req attributes
      • Added -text support to ecparam command
      • Add -passout flag to req command
      • Additional commands added
        • Add ca command
        • Add dsaparam command
        • Add dhparam command
        • Add a basic s_client command for simple TLS client connections
        • Add rand command
        • Add PKCS#12 parsing support and command
        • Add CRL verify command
      • Add print out of private key to PKEY command
      • ??Support for parsing multiple organization names with conf file
      • Add disable filesystem configure
      • Support for building on FreeRTOS
      • Support for building on Windows
      • Testing additions
        • Tied in GitHub Actions for continuous integration testing
        • Testing with FIPS 140-3 wolfCrypt
        • Increased unit tests ran with ‘make check’
        • Improve error logging
      • Support for creating a CSR with attributes
      • (Narrator: Thar be dragons attacking that aircraft when you’re sleeping, and we’re fighting them for you. Some of them are big.)
    9. cURL (8 releases)
    10. wolfSSL JNI/JSSE (3 releases)
      • Improved SSLEngine for better compatibility with Undertow, Jetty, and Tomcat
      • Added support for Java 17 and 18, and testing with Amazon Coretto
      • Improved threading and synchronization support
      • Improved SSLSocket timeout and shutdown support
      • Added support for loading system CA certificates, ALPN, keyStore system properties, and RPM packaging
      • Improved example code and documentation
    11. wolfCrypt JNI/JCE (2 releases)
      • Added security provider test example
      • Added test cases and fixes for ChaCha20 support
      • Improvements for compatibility with wolfCrypt FIPS 140-3
      • Added build compatibility with Java 7
      • Added support for “SHA” algorithm string, RPM packaging support, and improvements to MessageDigest implementation
    12. wolfSSL Python (4 releases)
      • Initialization fixes (calling wolfSSL_init())
      • Improvements in the build system
      • Support for TLS 1.3
      • Added support for DTLS up to DTLS 1.3
    13. wolfCrypt Python (4 releases)
      • Improved support for building in Windows
      • Fixed build/package generation process
      • Support for AES-GCM streaming
      • Support for AES-CTR
      • Support for RSA_OAEP and PSS padding
    14. wolfCrypt DO-178C
      • Completed two certification data packages.
        1. NXP S32V234 (on A53)
          • ARM Developer Studio version 2019.0-1, with armclangcompiler version 6.12.1 using an optimization level of -0s
          • Algorithms: SHA-256, SHA-384, HMAC (SHA-256), HMAC (SHA-384), HASH-DRBG (SHA-256), AES-GCM, AES-CMAC, ECC P384 (sign/verify/shared secret), X.509 certificate verify
        2. Xilinx Ultrazed-EG(on A53), little endian
          • GCC compiler that comes with Xilinx SDK 2017.4
            Run Azure RTOS ThreadX SMP version 5.8 on the A53 cores
          • Algorithms: AES-256-GCM assembly with NEON instructions

wolfSSL Top 10 Blog Posts / Technical Announcements

  1. wolfCrypt FIPS 140-3 IUT Update
  2. Top 10 wolfSSL Library Configurations
  3. wolfSSL adds QUIC Support
  4. wolfSSL Support for NXP SE050 with SCP03
  5. Top Ten Things you should know about Secure Boot
  6. wolfSSL running on Xilinx Versal Hardware Encryption
  7. Building wolfSSL with Yocto explained in only 2 minutes!
  8. DTLS 1.3 Beta, What’s New, Benchmarks, and Examples
  9. wolfSSL adds Rust Bindings and Wrappers
  10. Avoid building a “Billion Dollar Brick” with wolfSSL Satellite Cybersecurity Solutions

2022 Webinars

The wolfSSL team hosted and/or participated in a total of 58 webinars this year. Check out our top 5 webinars of the year:

  1. Everything you need to know about FIPS 140-3
  2. Getting Started with wolfSSL in 2022
  3. Secure Element or TPM with wolfSSL
  4. Looking Under the Hood – wolfSSL Automotive Stories and Examples!
  5. Securing BTLE with wolfSSL and TLS v1.3

We host at least one webinar per week, make sure you are checking out our blog page to find out about our webinars! Check out our YouTube channel for all of our previous webinars!

wolfSSL Organizational Growth

  • wolfSSL added 7 new team members in 2022. Additions included salespeople, engineers, and administrators.
  • We expanded our customer base considerably, are now securing connections for over 2,000 products, have partner relationships with over 40 vendors, and are securing well over 2 Billion connections on any given day, worldwide.
  • wolfSSL represents one of the largest teams focused on a single implementation of TLS/Crypto worldwide. If you know of anyone who fits the following description, please let us know.

wolfSSL Events and Tradeshows

The wolfSSL team participated in a total of 49 events in 2022! As part of these events we were in 39 cities, 15 US states, and 7 countries! We participated in one virtual event and were fortunate to attend 48 in-person events. The events we participated this last year included:

CESCyberLEOBlack Hat USAIoT TechExpo North AmericaST Tech Tour - Burlington
West 2022Global Connected Aircraft (Connected Aviation Intelligence Summit)ST Tech Tour - Southern CaliforniaST Tech Tour - MontrealAMD-Xilinx XSWG - Washington DC
Satellite 2022NXP Tech Days - MinneapolisNXP Tech Days - Silicon ValleyHIS 2022Aerospace Tech Week AMERICAS
DoD Information Warfare SymposiumcURL UpICMCST Developers ConferenceAutomotive Computing Conference
Quad-A 2022 SummitEmbedded Tech ConventionAIR, SPACE & CYBER CONFERENCEAUSA 2022AAAA Cribbins Army Aviation Conference
ST Tech Tour - SchaumburgAutomotive Tech Detroit 2022Air Force FACE and SOSA TIM and ExpoMilSat SymposiumESCAR Europe
RWC/HACSESCAR USA 2022International Cyber ExpoNXP Tech Days - DetroitMilitary & Aviation Exhibition 2022
Cyber Physical Systems Security SummitEmbedded World 2022MWC Las VegasNBAA-BACEEmbedded Software Engineering Kongress
IoT Solutions World CongressAutomobile Elektronik KongressNXP Tech Days - Bostonit-saXSWG (Xilinx) - Germany
Forum 78NXP Tech Days - IrvineXSWG (Xilinx) - ColoradoCyberSatGov

(Narrator: We are talkative)

In summary, we had a great year! 2022 was successful on multiple fronts, and we look forward to serving our customers and community with ever more secure and functional software in 2023. As always, your feedback is welcome at facts@wolfssl.com.

Support for System Certificate Store

In our recent wolfSSL v5.5.2 (Oct 28, 2022) release we added support for loading the system trusted certificates on several platforms. This makes it easier to leverage the operating system’s built-in trust mechanism for connecting to websites.

The support is enabled by default when using autoconf (./configure). The new option is “–enable-sys-ca-certs” or “#define WOLFSSL_SYS_CA_CERTS”.

The platforms supported and tested are:
Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL)
Apple Mac OS X / iOS
Windows 10/11
Android

To enable this feature we added an API “wolfSSL_CTX_load_system_CA_certs” to load these into our certificate manager.

To test, use our example client “examples/client/client” with the “–sys-ca-certs” argument to load the trusted certificates.

Example:

$ ./configure –enable-sys-ca-certs
$ make

$ ./examples/client/client -h www.google.com -p 443 –sys-ca-certs -g
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL curve name is SECP256R1
SSL connect ok, sending GET…
HTTP/1.0 200 OK
Date: Tue, 07 Mar 2023 22:05:41 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP=”This is not a P3P policy! See g.co/p3phelp for more info.”
Server: gws
X-XSS-Protection: 0
X-Fra

For questions email facts@wolfssl.com.

Cybersecurity in Person! Protect the sky with Daniele Lacamera and wolfSSL at Aerospace TechWeek Europe

Listen to us talk in person!

We will be at Aerospace TechWeek Europe in Munich on 29th-30th March 2023.

Senior Software Engineer Daniele Lacamera will be giving a fantastic presentation in the Tech Workshops, on the expo floor. Titled “Cybersecurity attacks in avionics: countermeasures and mitigations”; listen to Daniele introduce a range of potential risks related to digital and physical attacks targeting avionic systems, and illustrate the best strategies and technical countermeasures to mitigate and/or prevent these attacks.

Feel free to stop by our booth at Stand 815 to talk to our security experts including the man of the hour Daniele Lacamera, as well as our Business Directors Wolfram Kusterer and Martin Engstrom.

If you’re new to wolfSSL, here’s how we can help you secure all of your aerospace assets:

  • wolfSSL new features
  • wolfSSL with TLS 1.3, and DTLS 1.3
  • wolfCrypt with FIPS 140-3 support
  • wolfCrypt as an engine for OpenSSL
  • MISRA-C versions of wolfCrypt
  • DO-178 cert kits for wolfCrypt
  • wolfBoot Secure Bootloader
  • wolfSSL MQTT-SN and the latest version
  • wolfTPM
  • wolfSSH
  • cURL and tinycURL

If interested, please feel free to email us at facts@wolfssl.com so we can find a time to meet. We hope to see to you soon!

Support for Parsing Indefinite Length PKCS#12

wolfSSL’s cryptography engine wolfCrypt is a lightweight crypto library written in ANSI C and known for its speed, small size, and feature set. This feature set now includes the ability to parse BER encoded PKCS#12 certificates.

To test out the implementation, simply configure wolfSSL with --enable-indef and load your indefinite length PKCS#12 cert the same way you would a definite length one.

Are you looking to see any specific additions to wolfCrypt?

Contact us at facts@wolfssl.com with any questions, comments, or suggestions!

Secure the Skies and Space with wolfSSL at Satellite 2023

Be our guest at Satellite 2023 with a FREE Exhibit Hall Pass!

Come talk to the wolfSSL team at booth #1440, March 13-16 in Washington D.C!

We would love to talk with you about:

  • wolfSSL new features
  • wolfSSL with TLS 1.3, and DTLS 1.3
  • wolfCrypt with FIPS 140-3 support
  • wolfCrypt as an engine for OpenSSL
  • MISRA-C versions of wolfCrypt
  • DO-178 cert kits for wolfCrypt
  • wolfBoot Secure Bootloader
  • wolfSSL MQTT-SN and the latest version
  • wolfTPM
  • wolfSSH
  • cURL and tinycURL

We are also FIPS compatible! Learn more here: https://www.wolfssl.com/wolfssl-fips-ready-8/

The wolfSSL discounted registration code is: WOL1440

This code entitles your guests to a FREE Exhibit Hall Pass or $350 0ff conference passes with the link: https://satellite23.nvytes.co/sat23lp/WOL1440.html

Satellite 2023 will be an amazing opportunity to be a part of the revolutionary introduction of technology and satellites to countless industries. The demand and functionalities of satellites are constantly expanding and this event is an amazing opportunity to explore these possibilities. This event is an amazing way to have personal face-to-face interactions with individuals you may never meet otherwise and provides countless ways to expand your network.

To learn more about the tradeshow, visit: https://www.satshow.com/

If interested, please feel free to email us at facts@wolfssl.com so we can find a time to meet. We hope to speak to you soon!

Espressif and wolfSSL at Embedded World

Embedded World Nuremberg is this month! We’ll be there talking about security, encryption and everything in between. Stop by and say hello! We’ll be giving away plenty of awesome wolfSSL swag and we’d love to hear about your project.

One of the platforms we fully support is of course the ubiquitous Espressif ESP32. We have dedicated staff focusing exclusively on the ESP32 to make our encryption libraries easy to get started and easy to implement in your project.  

Our recent updates to the Core Espressif Examples are now “no install”: simply clone wolfssl and run the projects in the IDE/Espressif/ESP-IDF examples directory. We also have more examples in the wolfssl-examples repository and some Espressif SSH Server examples, too.

The examples can be used on any platform: Windows, Mac, Linux. For Windows users, we also have VisualGDB project files. For Espressif chipsets without a built-in JTAG, the projects are pre-configured to use the open source Tigard JTAG adapter.

All of the Espressif chipsets are supported. Both Xtensa and RISC-V: including the ESP32 classic, as well as the ESP32-C3, ESP32-S3, and more.

We welcome everyone from the largest corporate environments to the student hobbyists. We’re FIPS certified and ready to provide a serious, commercial grade, open source encryption solution.

wolfSSL will be at booth 4-610, with Business Directors Wolfram Kusterer and Martin Engstrom as well as our Senior Software Engineers David Garske and Juliusz Sosinowicz on the ground to answer all your embedded security questions. Plus, our full sales team will be on standby in the virtual booth to talk to you! Email facts@wolfSSL.com if you’d like to book a meeting ahead of the event. 

If you’re new to wolfSSL, here’s how we can help you win big in the embedded industry and beyond:

  • wolfSSL is up to 20x smaller than OpenSSL 
  • First commercial implementation of TLS 1.3, with TLS 1.3 Sniffer
  • On of the first in FIPS 140-3 
  • Best tested, most secure, fastest crypto on the market with incomparable certifications and highly customizable modularity 
  • Access to 24×7 support from a real team of Engineers 
  • Support for the newest standards (including TLS 1.2, TLS 1.3, DTLS 1.2, and DTLS 1.3) 
  • Multi-platform, dual-licensed, royalty free, with an OpenSSL compatibility API to ease porting into existing applications which have previously used the OpenSSL package 
  • Full product suite including MQTT with support up to v5.0, Secure Boot, wolfSentry IDPS, SSHv2 server, TPM 2.0 portable project, Java wrappers and JSSE support, plus commercial curl support at the enterprise level. 

To learn more, come meet us at Embedded World or email facts@wolfSSL.com.  

 

Love it? Star wolfSSL on GitHub.

Discover Embedded World here.

Follow @wolfSSL on Twitter for daily updates!

wolfSSL ADA/Spark language bindings

Exciting news in wolfSSL language bindings: we are currently exploring the possibility of adding bindings for the Ada and Spark languages!

Ada is a programming language known for its explicitness, strong typing, and abundance of compile-time checks. It is widely used in safety-critical and high-integrity software. Spark, on the other hand, is a smaller subset of Ada that offers the invaluable ability to formally prove the correctness of your software.

We believe that wolfSSL bindings would be immensely valuable to the Ada and Spark communities. These bindings would provide a production-ready, robust, and well-tested TLS stack that supports the latest protocols (TLS1.3/DTLS1.3). Additionally, it would open the door to obtaining FIPS 140-3 and DOI-178C certifications for Ada and Spark applications that use TLS for their encrypted communications, or that want to use our wolfCrypt implementation for their cryptographic operations, such as encrypting data at rest.

As wolfSSL already supports post-quantum TLS 1.3 and DTLS 1.3, these bindings would also naturally allow you to make your Ada and SPARK applications quantum-safe.

Are you interested in an Ada/Spark wrapper? If so, please do not hesitate to contact us at facts@wolfssl.com with any questions, comments, or suggestions.

wolfSSH Coming Attractions: Algorithm Updates

It’s been a while since wolfSSH had any new algorithms. I think it is time we had more. wolfCrypt supports a few algorithms wolfSSH doesn’t take advantage of.

For encryption and message authentication, wolfCrypt has Poly1305 and CHACHA20 available. There is not a published RFC for using “poly-chacha” with the SSH protocol, but OpenSSH has its own implementation of this algorithm. wolfSSH shall be able to interoperate with it.

To sign your user authentication or prove the identity of your server, you will be able to use SHA2-256 and SHA2-512 hashing with your RSA keys. We shall add the algorithms rsa-sha2-256 and rsa-sha2-512 described in RFC 8332.

RFC 8709 describes how to use Ed25519 and Ed448 public key signature algorithms with the SSH protocol. wolfCrypt supports these algorithms. wolfSSH should and will as well.

In the area of key exchange, we are bringing wolfSSH into the present by adding KEX algorithms using SHA2-256 and SHA2-512 per RFC 8268. Oakley group 14 is a set of 2048-bit DH group parameters, and can be used with SHA2-256 hashing. The RFC describes how to use larger groups using SHA2-512.

The key exchange algorithms x25519 and x448 will be available along with a taste of the future using a key exchange hybrid with Kyber, the post-quantum key exchange standard.

What is getting left behind?

Network security is an ever evolving landscape. Things change constantly. While we develop new, faster, better algorithms, some of the existing algorithms get broken or brittle and need to be let go.

The digest algorithm SHA1 has been sunset. Since the SSH protocol pairs SHA1 with other algorithms, they are going to be removed as well. Say good-bye to ssh-rsa signing of the server’s KEX public key message and allowing users to authenticate using SHA1 signatures.

SSH uses ECDHE and DHE for key exchange. While ECDHE uses SHA2-256 or better, DHE uses SHA1 with Oakley groups 1 and 14, and Oakley group 1 is only 1024-bit. In this day and age, 1024-bits isn’t good enough and SHA1 shouldn’t be used anymore. The algorithms diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1 will be removed.

wolfSSH is lovingly crafted by wolfSSL Inc in the Pacific Northwest. If you have any questions or comments please contact us at facts@wolfssl.com

Posts navigation

1 2 3