Month: May 2025

curl-up 2025 Recap

Special thanks to Apify for sponsoring curl-up 2025!

The much-anticipated curl-up 2025 has wrapped up, bringing developers. Open-source enthusiasts, and industry leaders together in Prague.

Over the weekend, sixteen insightful curl-related presentations were delivered, sparking discussions not only during the sessions but also over lunches, coffee breaks, and evening gatherings.

If you missed it or want to rewatch your favorite moments, the entire event is available on the YouTube Playlist. You can also explore the Agenda Page for slides and session details.

We appreciate the dedication of the curl community and the project sponsors that made this event possible. Plans are already in motion for curl-up 2026! Stay tuned for updates!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Announcing STM32WBA Support in wolfSSL

We’re excited to announce that wolfSSL now officially supports the STM32WBA series of microcontrollers from STMicroelectronics! This addition broadens our commitment to providing lightweight, robust, and high-performance SSL/TLS solutions across a wide range of embedded platforms.

What is the STM32WBA Series?

The STM32WBA series is a family of ultra-low-power wireless microcontrollers designed to bring advanced Bluetooth® Low Energy (LE) connectivity to IoT and embedded devices. Built around the Arm Cortex-M33 core with TrustZone security and integrated radio, STM32WBA microcontrollers are optimized for secure, connected applications in healthcare, industrial, and smart home environments.

Why This Matters

By integrating wolfSSL with STM32WBA, developers now have:

  • Seamless TLS/SSL support for Bluetooth LE and IP-based connectivity.
  • Optimized performance with wolfSSL’s small footprint and STM32’s hardware acceleration features.
  • Ease of integration with STM32Cube ecosystem tools and examples to get started quickly.

Key Highlights:

  • Full TLS 1.3 and DTLS 1.3 support.
  • Hardware crypto acceleration using STM32WBA’s on-chip crypto engine.
  • Support for wolfCrypt’s entire crypto-suite (including Post-Quantum Cryptography).
  • Example projects for STM32CubeIDE and STM32CubeMX to simplify setup.

To explore wolfSSL on STM32WBA, check out our STM32 Cube Pack instructions and examples here.

For more information on wolfSSL and how it integrates with the STM32WBA, visit our documentation or reach out to our team at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

wolfSSL’s µITRON support and HSM integration

We have received many inquiries about wolfSSL’s µITRON support for years.
The fact that µITRON is used so widely by wolfSSL customers is unique to Japan, but wolfSSL supports µITRON in all wolfSSL products to meet the needs of Japanese customers.

ITRON is an RTOS specification definition, so it is available in many commercial versions, including the open source TOPPERS/ASP, eT-Kernel (eSOL), µC3 (eForce), NORTi (MISPO), and many others. There are also cases where companies have developed their own µITRON-compliant RTOS and are using it, and there are many derivative versions of µITRON that have their own functional enhancements and specification changes.

wolfSSL supports all µITRON versions, including these derivatives.
wolfBoot is available for secure boot, and wolfHSM is available for more robust systems using HSMs (hardware security modules), which have recently been gaining attention.

HSM is a technology that isolates the root of trust functions, such as signature verification and encryption processing, into a physically independent processor or isolated execution context, dramatically improving the security of encryption keys and encryption processing. While HSM’s may make it easier to achieve physical robust security, there is also the issue that the functions such as encryption algorithms provided by the HSM processor are limited. wolfHSM is a framework that makes it possible to expand the encryption algorithm functions as needed by integrating software encryption processing with the basic functions provided by such chips. It is also possible to use the latest quantum-resistant encryption algorithms developed by wolfSSL, as well as algorithms such as SM2, SM3, and SM4.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Live Webinar: What’s New in wolfBoot – Tailored for the Asia-Pacific Time Zone

Learn how wolfBoot revolutionizes secure boot for embedded systems with groundbreaking features designed for quantum resistance and hybrid authentication.

wolfBoot is a lightweight, OS-independent secure bootloader designed specifically for embedded systems. It ensures trusted firmware verification, supports a wide range of architectures, and is optimized for resource-constrained environments. With FIPS 140-3 validation and post-quantum readiness, wolfBoot is essential for securing devices in a future-proof manner.

Join us for a secure boot webinar tailored for Asia-Pacific time zones and discover the latest updates in wolfBoot.

Register today: What’s New in wolfBootTailored for the Asia-Pacific Time Zone
Date: May 15th | 7 PM PT / May 16th | 11 AM JST

As quantum computing capabilities advance, securing your boot process with post-quantum cryptography becomes increasingly critical. This session will explore how wolfBoot meets that challenge with hybrid cryptographic authentication, expanded hardware support, and compliance with industry standards like FIPS 140-3 and CNSA 2.0.

This webinar will cover:

  • Introduction to wolfBoot: secure boot principles, specifications, and architecture support
  • Boot strategies, trust anchor management, and TPM integration
  • Recent updates including FIPS 140-3 and the Intel Tiger Lake port
  • Keystore and keyvault management enhancements
  • Post-quantum migration strategies, including ML-DSA and hybrid authentication

Register now!

As always, our webinar will include Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Post-Quantum Benchmark Comparison: ML-KEM wolfSSL 5.8.0 vs. OpenSSL 3.5

Recently, both OpenSSL 3.5 and wolfSSL 5.8.0 have been released. We thought we’d run some benchmarks on an x86_64 Linux PC.

Note: output has been edited for brevity and clarity.

OpenSSL

Configuration and build:

$ ./Configure
$ make all

Benchmarking Output:

47317 ML-KEM-512 KEM keygen ops in 0.99s
72114 ML-KEM-512 KEM encaps ops in 1.00s
46625 ML-KEM-512 KEM decaps ops in 1.00s
31811 ML-KEM-768 KEM keygen ops in 1.00s
55855 ML-KEM-768 KEM encaps ops in 0.99s
35390 ML-KEM-768 KEM decaps ops in 1.00s
20942 ML-KEM-1024 KEM keygen ops in 1.00s
42164 ML-KEM-1024 KEM encaps ops in 0.99s
27043 ML-KEM-1024 KEM decaps ops in 1.00s

wolfSSL

Configuration and build:

$ ./configure  --enable-mlkem=yes,cache-a --enable-dilithium \
               --enable-all-asm
$ make all

Benchmarking Output:

ML-KEM 512    128  key gen    293900 ops took 1.000 sec
ML-KEM 512    128    encap    271900 ops took 1.000 sec
ML-KEM 512    128    decap    237300 ops took 1.000 sec
ML-KEM 768    192  key gen    163900 ops took 1.000 sec
ML-KEM 768    192    encap    152500 ops took 1.000 sec
ML-KEM 768    192    decap    200700 ops took 1.000 sec
ML-KEM 1024   256  key gen    109200 ops took 1.000 sec
ML-KEM 1024   256    encap    106200 ops took 1.000 sec
ML-KEM 1024   256    decap    143600 ops took 1.001 sec

Analysis & Conclusions

It can be observed that wolfSSL is faster than OpenSSL by a wide margin at every operation and parameter set. Here at wolfSSL, we are extremely proud of our long tradition of excellence when it comes to efficiency and performance.

Now, it is worth pointing out that this is not an apples-to-apples comparison. The build configuration for wolfSSL does indicate that assembly optimizations are enabled while to date, OpenSSL does not have such optimizations. Similarly, we are enabling the “Cache A” optimization which is described as:

Stores the matrix A during key generation for use in encapsulation when performing decapsulation. The key is 8KB larger but decapsulation is significantly faster. Turn on when performing make key and decapsulation with the same object.

We would be happy to re-run these comparisons once OpenSSL has such optimizations enabled.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Hybrid Post-Quantum Key Exchange in wolfSSL 5.8.0

Release 5.8.0 of our wolfSSL library implements hybrid key exchange algorithms that combine conventional elliptic curve cryptography with post-quantum key encapsulation mechanisms (KEMs).

New Hybrid Groups: Combining elliptic curves (SECP256/384/521, X25519, X448) with ML-KEM. This provides compatibility with Chromium and other organizations that are together with wolfSSL leading the way in post-quantum migration. Some of the new hybrid groups were already done in previous releases. Here is the complete list of hybrid key exchange groups in TLS 1.3:

  • WOLFSSL_P256_ML_KEM_512
  • WOLFSSL_P384_ML_KEM_768
  • WOLFSSL_P256_ML_KEM_768
  • WOLFSSL_P521_ML_KEM_1024
  • WOLFSSL_P384_ML_KEM_1024
  • WOLFSSL_X25519_ML_KEM_512
  • WOLFSSL_X25519_ML_KEM_768
  • WOLFSSL_X448_ML_KEM_768

The new release includes comprehensive test configurations demonstrating how to use these new hybrid groups in TLS 1.3 connections. Go ahead and start thwarting the “Harvest Now, Decrypt Later” threat model that is currently in play.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Live Webinar: wolfHSM with PQC: Preparing Hardware Security Modules for the Post-Quantum Era

Join wolfSSL Senior Software Developer Anthony Hu for a deep dive into how Hardware Security Modules (HSMs) must evolve to meet the challenges of the post-quantum era.

Register Today: wolfHSM with PQC: Preparing Hardware Security Modules for the Post-Quantum Era
Date: May 14th | 9 AM PT

The world is moving toward post-quantum cryptography (PQC), and embedded security can’t afford to fall behind. Even HSMs—built to provide strong, hardware-level protection—now face new risks. Systems with long product lifecycles and fixed cryptographic algorithms are especially vulnerable to future quantum threats.

In this webinar, wolfSSL Senior Software Developer Anthony Hu will help explore what it takes to implement post-quantum readiness in embedded HSMs, and how to transition your systems to stay secure in the years ahead.

What you’ll learn in this PQC webinar:

  • Explore the “harvest now, decrypt later” threat and the risks quantum computers pose to existing cryptographic algorithms.
  • Discover how HSMs support PQC algorithms and ensure secure key management for embedded systems.
  • Learn best practices for integrating post-quantum readiness into your HSMs and staying ahead of evolving cryptographic standards.
  • Learn how wolfHSM architecture meets both current and future cryptographic standards to safeguard your embedded systems.

Learn how to prepare your embedded systems for quantum-resistant encryption and stay ahead of emerging security standards.

Register Now!

As always, our webinar will include Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfSSL visits Radiona in Zagreb

We at wolfSSL would like to thank Goran Mahovlic and the entire Radiona team for inviting us to their headquarters in Zagreb, Croatia! We enjoyed the opportunity to present information on one of our flagship products, wolfBoot, during the recent OpenHardware Meet-up. The hospitality was outstanding and greatly appreciated!

Radiona is home to the awesome ULX3S FPGA + ESP32 board, first introduced to the general public by our friends over at the Crowd Supply Campaign and now available from Mouser Electronics.

Radiona embodies the true STEAM Spirit. So much more than the open source hardware is the community of passionate makers, students, engineers, and more. These people from all over the world participate in the Zagreb Makerspace and FER: the Faculty of Electrical Engineering and Computing at the University of Zagreb in Croatia.

A new and exciting board is also in the works from the collaboration between Radiona and Intergalaktik: the ULX4M! This is another open source FPGA board that has a CM4 connector for the many Raspberry Pi Carrier boards that accept a Compute Module.

The ULX3S is the only board (that we know of!) that is not only open source, but includes both open source FPGA and ESP32 projects, all on one board. Check out some of the many projects available.

New and exciting features will soon be added to the ULX3S, leveraging some of the features of the ESP32-S3. See the development README doc.

There’s extensive wolfSSL support for the ESP32, including not only Espressif ESP-IDF with optional Managed Components but also Arduino, PlatformIO, and more.

[gojimmypi] has several blogs on using wolfSSL with the ULX3S: Perhaps you’d like to SSH into the ESP32 on your ULX3S? That example leverages the core Espressif wolfSSH in the wolfssl-examples SSH-to-UART project.

The ULX3S could also be integrated into the Apple HomeKit ecosystem.

Interested in getting Started with wolfSSL on the ESP32? Check out our YouTube video:

See our prior blog about using the ULX3S FPGA to create your own soft-core RISC-V, the same Hazard3 core used on the Raspberry Pi Pico 2 RP2350.

Meet Us at Events:

For more information:

Post Quantum

Do you have code that can be upgraded to Post Quantum? Read our recent blog to learn more!

FIPS Certified!

When you are ready to move on to the next step, wolfSSL will be there for you! Need to have your project NIST Certified? Recently we announced that wolfSSL is the First in the World to offer FIPS 140–3 Automated Submission with our NIST Certificate #4718.

Find out more:

If you have any feedback, questions, or require support, please don’t hesitate to reach out to us via facts@wolfSSL.com, call us at +1 425 245 8247, or open an issue on GitHub

Download wolfSSL Now

wolfBoot release: v.2.5.0

We are pleased to announce the release of wolfBoot 2.5.0, the newest version of our universal secure bootloader. This release marks another milestone in the continued evolution of wolfBoot, reinforcing its relevance as a cutting-edge secure boot solution for embedded systems. WolfBoot 2.5.0 brings expanded hardware support, major new features, and a host of improvements to performance and security, all while maintaining the simplicity and robustness our users expect.

New hardware targets and platform enhancements

wolfBoot 2.5.0 expands its hardware compatibility, adding support for several new platforms and improving existing targets. Notable additions and enhancements include:

  • New target support: wolfBoot now supports the Raspberry Pi RP2350 microcontroller, NXP’s MCX family (including the MCXA153 and MCXW716 series), and the STMicroelectronics STM32F1 series. These additions extend wolfBoot’s reach from the latest Pi Pico 2 board to NXP’s advanced Cortex-M33 based MCUs and even legacy STM32F1 devices (like the popular “blue-pill” board), demonstrating once again our team’s commitment to maximize device coverage.
  • Enhanced support: Existing platform ports have been refined for better stability and performance, notably for the Xilinx UltraScale+ MPSoC (ZynqMP), Renesas RX family, and Infineon AURIX TriCore TC3xx microcontrollers. Developers using ZynqMP devices will benefit from smoother integration (e.g. improved standalone boot support and exception level handling), while updates to the Renesas RX and AURIX TC3xx ports include more efficient flash management and boot-time reliability improvements. These platform enhancements make it easier and more efficient to deploy wolfBoot on a wider range of hardware.

Major new features and enhancements

Version 2.5.0 introduces several important features aimed at both simplifying the developer experience and strengthening security:

  • Non-contiguous ELF section support: wolfBoot can now load and verify firmware images with non-contiguous (scattered) ELF sections. In practical terms, this means the bootloader handles images that are split across multiple memory regions, accommodating complex memory maps and multi-part firmware layouts. This feature adds flexibility for projects that utilize segmented flash or RAM areas for their application code and data.
  • Streamlined PQC integration: Post-Quantum Cryptography support in wolfBoot has been simplified and updated. WolfBoot 2.5.0 includes the latest PQC algorithm support from wolfCrypt (such as the recently standardized ML-DSA) and makes it easier to configure PQC-based signature verification. By refining the integration of PQC algorithms, we continue to help users prepare for a post-quantum future without sacrificing ease of use.
  • Static library build option: In addition to the traditional standalone bootloader binary, wolfBoot can now be built as a static library (libwolfboot.a). This gives developers the flexibility to integrate wolfBoot’s secure boot functionality directly into their applications or custom boot frameworks. The static-lib build simplifies certain use cases — for example, linking wolfBoot into a monolithic firmware image or using wolfBoot features in an RTOS environment — by allowing wolfBoot to be called like a library rather than a separate bootloader image.
  • Glitch attack mitigation (IAR toolchain): Security against hardware fault-injection attacks (glitches) has been further hardened in this release. We’ve extended our glitch mitigation techniques to better support the IAR Embedded Workbench toolchain, ensuring that builds compiled with IAR include additional countermeasures against timing and voltage glitch attacks. These low-level improvements make the secure boot process even more resilient to physical attack attempts, protecting the integrity of the firmware verification steps.

Build system and documentation improvements

wolfBoot 2.5.0 comes with numerous build system refinements and documentation updates to streamline development. We have refactored the CMake build system to improve cross-platform support and clarity, making it easier to compile wolfBoot for various targets and toolchains. This includes cleaner integration for IAR and other compilers, as well as a more organized project structure for out-of-the-box builds. Additionally, our documentation has been improved across the board – from updated user manuals and API references to new examples and guides – to help both new and experienced users get the most out of wolfBoot. Whether you’re configuring a multi-slot update scheme or integrating wolfBoot with a TPM, the clearer documentation will guide you through the process more smoothly. (As always, detailed change logs and usage instructions can be found in the README and docs accompanying the release.)

Bug fixes and updated modules

As with every release, wolfBoot 2.5.0 includes key bug fixes that enhance stability and reliability. Various minor issues identified in the previous version have been addressed, resulting in a more robust bootloader across all supported platforms. In particular, fixes were applied to edge cases in flash memory handling and update workflows to ensure consistent behavior in all update scenarios.

Moreover, the cryptographic and secure hardware modules underlying wolfBoot have been updated to their latest versions. wolfBoot 2.5.0 is powered by wolfSSL 5.8.0 – bringing in the newest optimizations and post-quantum enhancements from the wolfCrypt engine – and it can integrate with wolfTPM 3.9.0 for TPM-based secure boot use cases. By using the latest wolfSSL v5.8.0 and wolfTPM v3.9.0 releases, wolfBoot ensures compatibility with the most up-to-date security features and fixes from those libraries. This means developers get improved performance, up-to-date cryptographic algorithms, and continued FIPS 140-3 readiness through wolfCrypt.

wolfBoot’s security is, as always, built on wolfCrypt, which allows the boot process to leverage FIPS-certified crypto and even meet safety standards like DO-178C when required. Upgrading to wolfBoot 2.5.0 brings all these benefits into your secure boot process.

Getting wolfBoot 2.5.0 and support

wolfBoot 2.5.0 is available for download now, and we encourage everyone to try out the new features and improvements. You can find the source code and release package on our GitHub repository and the wolfSSL download page. Documentation for this release, including an updated user manual and examples, is available on our website to help you get started quickly.

If you have any questions about wolfBoot 2.5.0 or need help with integration, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247. The wolfSSL team offers commercial support and consulting services for those who require dedicated assistance or custom features. Whether you are upgrading an existing project or designing a new device with wolfBoot, our team is here to ensure your secure boot implementation is successful.

Download wolfSSL Now

Test Certificates in Production: KeyPlug’s WolfSSL Misconfiguration Leads to Infrastructure Exposure

Summary

A critical security incident exposed KeyPlug malware infrastructure due to the improper use of wolfSSL test certificates in production. The 24-hour exposure revealed sophisticated attack tools linked to the RedGolf/APT41 threat group, demonstrating how poor certificate management can compromise even advanced threat actors’ operations.

The Certificate Failure

The compromised server was identified through its WolfSSL test certificate:

Subject Common Name: www[.]wolfssl[.]com
Subject Organizational Unit: Support_1024
Issuer Organizational Unit: Consulting_1024
SHA-256: 4C1BAA3ABB774B4C649C87417ACAA4396EBA40E5028B43FADE4C685A405CC3BF

Critical Issues

  • Test Certificate Misuse
    • Production use of wolfssl.com test domain
    • Weak 1024-bit keys (indicated by “_1024” suffix)
    • Certificate sharing across multiple attack servers
  • Security Impact
    • Exposed Fortinet exploitation tools and C2 infrastructure
    • Enabled infrastructure correlation through shared certificates
    • Compromised operational security of advanced threat actors

Best Practices for WolfSSL Implementation

To avoid security lapses like the one described, it’s critical to follow best practices when deploying wolfSSL in production environments. The following guidelines focus on certificate requirements, security controls, and monitoring techniques:

Production Deployments

  • Certificate Requirements
    • Use only trusted CA-issued certificates
    • Implement minimum 2048-bit RSA keys
    • Maintain proper validation chains
  • Security Controls
    • Never use test certificates in production
    • Implement certificate pinning
    • Regular certificate rotation

Monitoring and Detection

  • Certificate Auditing
    • Regular infrastructure scans
    • Certificate inventory management
    • Automated validation checks
  • Warning Signs
    • Domains containing “wolfssl.com”
    • Organizational units with test indicators
    • Key sizes below 2048 bits
    • Invalid trust chains

Recommendations

To mitigate risk and ensure strong certificate hygiene, both WolfSSL users and security teams should take immediate action. Below are tailored recommendations for each group:

Immediate Actions

  1. For WolfSSL Users
    • Audit all certificates
    • Remove test certificates
    • Implement CA-issued certificates
    • Verify proper key lengths
  2. For Security Teams
    • Monitor for test certificate usage
    • Implement certificate validation
    • Regular infrastructure scanning
    • Maintain certificate inventory

Conclusion

Organizations must maintain strict separation between development and production certificates and implement proper certificate management policies to prevent similar exposures.

Please do not use wolfSSL test certificates in production because the corresponding private keys are published as part of the wolfSSL source code package, so by design, these certificates are insecure. The test certificate private keys are public!

Source:

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Posts navigation

1 2