Month: May 2025

Test Certificates in Production: KeyPlug’s WolfSSL Misconfiguration Leads to Infrastructure Exposure

Summary

A critical security incident exposed KeyPlug malware infrastructure due to the improper use of wolfSSL test certificates in production. The 24-hour exposure revealed sophisticated attack tools linked to the RedGolf/APT41 threat group, demonstrating how poor certificate management can compromise even advanced threat actors’ operations.

The Certificate Failure

The compromised server was identified through its WolfSSL test certificate:

Subject Common Name: www[.]wolfssl[.]com
Subject Organizational Unit: Support_1024
Issuer Organizational Unit: Consulting_1024
SHA-256: 4C1BAA3ABB774B4C649C87417ACAA4396EBA40E5028B43FADE4C685A405CC3BF

Critical Issues

  • Test Certificate Misuse
    • Production use of wolfssl.com test domain
    • Weak 1024-bit keys (indicated by “_1024” suffix)
    • Certificate sharing across multiple attack servers
  • Security Impact
    • Exposed Fortinet exploitation tools and C2 infrastructure
    • Enabled infrastructure correlation through shared certificates
    • Compromised operational security of advanced threat actors

Best Practices for WolfSSL Implementation

To avoid security lapses like the one described, it’s critical to follow best practices when deploying wolfSSL in production environments. The following guidelines focus on certificate requirements, security controls, and monitoring techniques:

Production Deployments

  • Certificate Requirements
    • Use only trusted CA-issued certificates
    • Implement minimum 2048-bit RSA keys
    • Maintain proper validation chains
  • Security Controls
    • Never use test certificates in production
    • Implement certificate pinning
    • Regular certificate rotation

Monitoring and Detection

  • Certificate Auditing
    • Regular infrastructure scans
    • Certificate inventory management
    • Automated validation checks
  • Warning Signs
    • Domains containing “wolfssl.com”
    • Organizational units with test indicators
    • Key sizes below 2048 bits
    • Invalid trust chains

Recommendations

To mitigate risk and ensure strong certificate hygiene, both WolfSSL users and security teams should take immediate action. Below are tailored recommendations for each group:

Immediate Actions

  1. For WolfSSL Users
    • Audit all certificates
    • Remove test certificates
    • Implement CA-issued certificates
    • Verify proper key lengths
  2. For Security Teams
    • Monitor for test certificate usage
    • Implement certificate validation
    • Regular infrastructure scanning
    • Maintain certificate inventory

Conclusion

Organizations must maintain strict separation between development and production certificates and implement proper certificate management policies to prevent similar exposures.

Please do not use wolfSSL test certificates in production because the corresponding private keys are published as part of the wolfSSL source code package, so by design, these certificates are insecure. The test certificate private keys are public!

Source:

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Announcing wolfMQTT v1.20.0: Now with WebSocket Support

We are excited to announce the release of wolfMQTT v1.20.0, which introduces WebSocket support as its headline feature. This release continues our commitment to providing a lightweight, secure, and feature-rich MQTT client implementation for embedded systems and IoT applications.

What’s New in v1.20.0

The wolfMQTT v1.20.0 release includes several significant enhancements:

WebSocket Support

The most notable addition in this release is comprehensive support for MQTT over WebSockets. This feature allows wolfMQTT clients to connect to MQTT brokers through WebSocket endpoints, which is particularly valuable in environments where traditional MQTT ports might be blocked or when integrating with web applications.

Both standard WebSockets and secure WebSockets (WSS) are now supported, providing flexibility for various security requirements:

  • Standard WebSockets: Connect to brokers using the WebSocket protocol without encryption
  • Secure WebSockets: Use TLS to encrypt the WebSocket connection for enhanced security

Secure WebSocket CI Testing

To ensure the reliability of the new WebSocket functionality, we’ve added continuous integration testing specifically for secure WebSockets. This testing helps maintain the high quality and stability that users expect from wolfMQTT.

Improved CMake Support

This release includes improvements to the CMake build system:

  • Enhanced duplicate component checking in CMake builds
  • Better compatibility with the latest Managed Components

Additional Improvements

  • Updated examples for the latest Managed Components
  • Fixed an issue with OQS’s Mosquitto being out of date

About wolfMQTT

wolfMQTT is a lightweight, embedded MQTT client implementation written in C that supports SSL/TLS via the wolfSSL library. It was built from the ground up to be multi-platform, space conscious, and extensible. The library supports:

  • MQTT v3.1.1 and v5.0 protocols
  • MQTT-SN (MQTT for Sensor Networks)
  • Quality of Service (QoS) levels 0-2
  • TLS encryption via wolfSSL
  • Non-blocking communications
  • Multithreading for parallel operations
  • Integration with popular IoT platforms (AWS IoT, Azure IoT Hub, IBM Watson IoT)

Getting wolfMQTT v1.20.0

The wolfMQTT v1.20.0 release is available now on our download page and GitHub.

Release 1.20.0 has been developed according to wolfSSL’s development and QA process and successfully passed the quality criteria.

Check out the ChangeLog for a full list of features and fixes, or contact us at facts@wolfSSL.com with any questions.

While you’re there, show us some love and give the wolfMQTT project a Star!

You can download the latest wolfMQTT release from our website or clone directly from our GitHub repository.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Live Webinar: Advanced libcurl with Daniel Stenberg

Looking to master libcurl beyond the basics? Join Daniel Stenberg, creator of curl, for a live webinar on May 8th at 10 AM PT, focused on advanced libcurl techniques for real-world use.

This live webinar is ideal for developers integrating libcurl into performance-critical applications or anyone ready to explore libcurl APIs in depth.

Register Now: Advanced libcurl
Date: May 8th | 10 AM PT

What You’ll Learn:

  • Libcurl debugging best practices
  • Setting up complex transfer configurations
  • Using transfer control for precision workflow
  • Managing concurrent transfers with the Multi API
  • Sharing resources through the Share API
  • Simplifying URLs with the URL API
  • Managing HTTP headers through the Headers API

This practical session will help you optimize, debug, and scale your data transfers. Whether you’re looking to manage concurrent transfers or dive into advanced libcurl APIs, this webinar will provide the expert guidance you need.

Register now to reserve your spot and learn from the creator of curl.

As always, our webinar will include Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Chimera Certificate Standards Compliance

In the evolving landscape of cryptographic security, supporting multiple signature algorithms within a single certificate has become increasingly important. These certificates are known as Chimera certificates, a moniker coined by the X9.146 banking standards team. They provide enhanced security, flexibility, and agility, especially for the transition to post-quantum cryptography. As well, wolfSSL also understands the new TLS 1.3 CKS extension as defined by the X9.146 banking standard draft.

Chimera certificates are X.509 certificates that contain two public keys and signatures. These certificates are implemented through the use of three extensions:

  • Subject Alternative Public Key Info (SAPKI): Contains an alternative public key
  • Alternative Signature Algorithm: Specifies the algorithm used for the alternative signature
  • Alternative Signature Value: Contains the actual bitstring of the alternative signature

In X.509 certificates, extensions can be marked as either “critical” or “non-critical.” Critical extensions MUST be understood and processed by the certificate validator. If a validator doesn’t recognize a critical extension, it MUST reject the certificate. Non-critical extensions can be safely ignored if not understood.

Before release 5.8.0, wolfSSL’s dual algorithm certificate implementation did not properly support the parsing of these extensions if they were marked as Critical. This was because the whole purpose of these extensions was to facilitate migration by allowing unmigrated systems to ignore the alternative public key and signatures. In that context, marking these extensions as critical made no sense.

That said, these extensions are standardized in the 2019 edition of the ITU-T X.509 standard. In that document, under recognition that there might be other future applications for these extensions, marking these extensions as critical is permitted.

The addition of critical extension support for Chimera certificates extensions represents an important compliance step. Without standards, interoperability would not be possible.

As the cryptographic landscape continues to evolve, especially with the ongoing transition to post-quantum algorithms, enhancements such as Chimera certificate support will become increasingly valuable. wolfSSL continues to demonstrate its commitment to providing a robust, standards-compliant, and forward-looking cryptographic library.

If you have question about any of the above, please contact us at >a href=”mailto”facts@wolfssl.com”>facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfProvider Integration with nginx: Secure Your Web Server with wolfSSL FIPS Cryptography

Securing web servers with robust cryptography is essential in today’s threat landscape. wolfProvider offers a seamless way to enhance nginx security by integrating wolfSSL’s high-performance cryptographic implementations through OpenSSL’s provider framework. This integration allows nginx to leverage wolfSSL’s FIPS cryptography without modifying code.

What is wolfProvider?

wolfProvider is an OpenSSL provider that integrates the wolfCrypt FIPS cryptographic library with OpenSSL’s provider framework. It allows applications using the OpenSSL API, such as nginx, to seamlessly leverage wolfSSL’s FIPS approved cryptographic implementations without modifying application code.

Supported nginx Versions

Our continuous integration testing confirms compatibility with the following nginx versions:
nginx master branch
nginx release-1.27.4

Key Benefits for nginx users

  • Enhanced Security: Access to wolfSSL’s FIPS 140-2/3 validated cryptographic modules for compliance requirements
  • Optimized Performance: Benefit from wolfSSL’s highly optimized cryptographic implementations
  • Seamless Integration: No modifications to nginx or openssl, a simple config file change enables new wolfProvider integration
  • Comprehensive Algorithm Support: Full suite of modern cryptographic algorithms including:
    • AES (128/192/256-bit with ECB, CBC, CTR, GCM, CCM modes)
    • RSA, RSA-PSS for signing, verification, and key operations
    • ECC with ECDSA and ECDH support
    • SHA-1, SHA-2, and SHA-3 family hash functions

Testing and Verification

Our GitHub Actions workflows automatically test the integration to validate the following functionality:

TLS handshakes complete successfully
HTTP/2 connections work properly
Stream and mail modules function correctly
All cryptographic operations perform as expected

Stay updated with wolfProvider for ongoing enhancements! If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Posts navigation

1 2 3