RECENT BLOG NEWS

So, what’s new at wolfSSL? Take a look below to check out the most recent news.
Or sign up to receive weekly email notifications containing the latest news from wolfSSL.
In addition, wolfSSL now has a support-specific blog page dedicated to answering some of the more commonly received support questions.

wolfSSL 4.1.0 Now Available

wolfSSL is excited to announce its summer release of the wolfSSL embedded SSL/TLS library version 4.1.0! As with each release, wolfSSL 4.1.0 comes with many feature additions, bug fixes, and improvements to the wolfSSL library. 

The list below outlines some of the new features and notable fixes added for version 4.1.0:

  • Fixes and updates for TLS 1.3:
    • Added additional sanity checks and alert messages for TLS 1.3
    • Major version TLS Draft is now ignored and an alert is sent if version negotiation occurs but no versions were matched
    • Added WOLFSSL_PSK_ONE_ID macro for indicating that only one identity in TLS 1.3 PSK is available and will be cached
    • Added XTIME_MS macro to simplify the tls13.c time requirement
    • Improved and refactored code related to parsing and creating TLS 1.3 client hello packets
    • TLS 1.3 version renegotiation now happens before interpreting ClientHello message
  • Fixes and additions for PCKS7:
    • Added a fix for a check on the return value when verifying PKCS7 bundle signatures (users with applications using the function wc_PKCS7_VerifySignedData should update)
    • Added the function wc_PKCS7_GetSignerSID for PKCS7 firmware bundles
    • Added PKCS7 callback functions for unwrapping of CEK and for decryption
  • Increased performance on ARM architecture:
    • Optimizations for Poly1305 and SHA-512/384 on ARM architecture using SIMD NEON extension
    • Optimizations for ChaCha20, Curve25519 and Ed 25519 on ARM architecture for performance increase
  • Added Sniffer updates:
    • Added support for the null cipher and static ECDH key exchange and new SSLWatchCb callback
    • Added cipher suite TLS_RSA_WITH_NULL_MD5 (off by default)
    • Sniffer statistics print out with the macro WOLFSSL_SNIFFER_STATS defined
  • Fixes, updates, and new functions added for OpenSSL Extra
  • Added the build flag –enable-ecccustcurves=all to enable all curve types
  • Added Java Secure Sockets Extension (JSSE) support
  • Added additional TLS alert messages sent with the macro WOLFSSL_EXTRA_ALERTS defined
  • Added CryptoCell-310 support on nRF52840
  • Added SiFive HiFive E31 RISC?V core family port
  • Added Telit IoT AppZone SDK port
  • Added the build flag –enable-blake2s for 32-bit Blake2s support
  • Added support for Ed25519ctx and Ed25519ph sign/verify algorithms as per RFC 8032

Stay tuned for more information regarding notable features and updates included with the wolfSSL 4.1.0 release. The following lists other various fixes and improvements that have been included with wolfSSL 4.1.0:

  • Compile time fixes for build case with SP math and RSA only
  • Fixes for Coverity static analysis report including explicit initialization of reported stack variables, as well as additional Coverity fixes thanks to Martin
  • Fixes for scan build warnings (i.e possible null dereference in ecc.c)
  • Resetting verify send value with a call to wolfSSL_clear function
  • Fix for extern with sp_ModExp_2048 when building with –cpp option
  • Fix for typo issue with –enable-sp=cortexm
  • Adding #pragma warning disable 4127 for tfm.c when building with Visual Studio
  • Improvements to the maximum ECC signature calculations
  • Improvements to TLS write handling in error cases which helps user application not go through with a wolfSSL_write attempt after a wolfSSL_read failure
  • Fix for read directory functions with Windows (wc_ReadDirFirst and wc_ReadDirNext)
  • Sanity check on index before accessing domain component buffer in call to wolfSSL_X509_NAME_get_entry
  • Sending fatal alert from client side on version error
  • Fix for static RSA cipher suite with PK callback and no loaded private key
  • Fix for potential memory leak in error case with the function wc_DsaKeyToDer, thanks to Chris H. for the report
  • Adjusting STRING_USER macro to remove includes of standard lib <string.h> or <stdio.h>
  • Bug fix for checking wrong allocation assignment in the function wc_PBKDF2 and handling potential leak on allocation failure. This case is only hit when the specific call to malloc fails in the function wc_PBKDF2. Thanks to Robert Altnoeder (Linbit) for the report
  • Improved length checks when parsing ASN.1 certificates
  • Improved checking of return values with TLS extension functions and error codes
  • Removing redundant calls to the generate function when instantiating and reseeding DRBG
  • Improvements for handling error return codes when reading input from transport layer
  • Improvements to efficiency of SNI extension parsing and error checking with ALPN parsing

This release of wolfSSL also includes a fix for 2 security vulnerabilities. A full detailed list of additions and bug fixes can be found in the wolfSSL README

To download and view the most recent version of wolfSSL, the wolfSSL GitHub repository can be cloned from here: https://github.com/wolfssl/wolfssl.git, and the most recent stable release can be downloaded from the wolfSSL download page here: https://www.wolfssl.com/download/.

For more information, please contact facts@wolfssl.com.

wolfCrypt as an engine for OpenSSL

As many people know, the OpenSSL project is struggling with FIPS, and their new FIPS release is not expected until December 2020. The version of OpenSSL that supports FIPS goes into End Of Life and is no longer supported in December of 2019.

This means that OpenSSL users will not have a supported package for over a year. This is a big issue for companies that rely on security.

To fill this breach, wolfSSL has integrated our FIPS certified crypto module with OpenSSL as an OpenSSL engine. This means that:

1. OpenSSL users can get a supported FIPS solution, with packages available up to the 24×7 level,

2. The new wolfCrypt FIPS solution also supports the TLS 1.3 algorithms, so your package can support TLS 1.3,

3. You can support hardware encryption with your package, as the new wolfCrypt solution has full hardware encryption support.

Additionally, should you be using one of the OpenSSL derivatives like BoringSSL, we can also support you.

Contact us at facts@wolfssl.com if you would like to learn more!

We love you.

Team wolfSSL

Quantum Safety and wolfSSL

At wolfSSL we try to be progressive with our support of new cryptography technology. We were the first TLS implementation to support DTLS v1.2 and we were the first embedded TLS implementation to support TLS v1.3.

There has been a lot of buzz in the media recently about “post-quantum” cryptography. This is mostly about which public key algorithms we will use in the near future. Soon, a large enough quantum computer will be built that can run Shor’s algorithm. It will almost instantaneously find factors for really large numbers, like RSA keys or points on elliptic curves. This is a serious problem for network security that is a matter of when it will happen, not if. We will need new algorithms that don’t depend on multiplying large numbers.

One contender for the future of public key cryptography immune to Shor’s algorithm and quantum computers is in the field of lattice mathematics. There exists a set of algorithms based on the work done by Security Innovation and their algorithm NTRU. You can configure wolfSSL to take advantage of Security Innovation’s NTRU library.

To take advantage of NTRU and other quantum safe public key operations in TLS, some extensions have been proposed for inclusion with TLS v1.3 and TLS v1.2 for Quantum Safe Hybrid, or QSH. These allow one to use one-time quantum-safe key pairs in addition to existing certificates.

The future on the cryptography landscape is scary and exciting. We at wolfSSL Inc want to help you navigate these dangers with cutting edge technologies like NTRU and other quantum computing safe algorithms. Please visit our website at https://www.wolfssl.com or email our sales team, sales _(at)_ wolfssl dot calm. The email address has been obfuscated for spam reasons, but calm is what you’ll be feeling with wolfSSL in your corner.

wolfSSL MQTT Sensor Network (MQTT-SN)

The MQTT Sensor Network standard provides a lightweight networking protocol perfectly suited for low cost, low power hardware. The protocol allows using small topic identifiers in place of the full topic name when sending and receiving publish data.

The wolfMQTT SN Client implementation is based on the OASIS MQTT-SN v1.2 specification. The SN API is configured with the --enable-sn option. There is a separate API for the sensor network API, which all begin with the “SN_” prefix. The wolfMQTT SN Client operates over UDP, which is distinct from the wolfMQTT clients that use TCP. The following features are supported by the wolfMQTT SN Client:

  • Register
  • Will topic and message set up
  • Will topic and message update
  • All QoS levels
  • Variable-sized packet length field

You can download the latest release of wolfMQTT from our website or clone the repository from GitHub.

For more information please email us at facts@wolfssl.com.

wolfSSL FIPS-Ready

With the recent release of wolfSSL 4.1.0, the wolfSSL team has also updated the wolfSSL FIPS Ready library. This product features new, state of the art concepts and technology. In a single sentence, wolfSSL FIPS Ready is a testable and free to download open source embedded SSL/TLS library with support for FIPS validation, with FIPS enabled cryptography layer code included in the wolfSSL source tree. To further elaborate on what FIPS Ready really means, you do not get a FIPS certificate and you are not FIPS approved. FIPS Ready means that you have included the FIPS code into your build and that you are operating according to the FIPS enforced best practices of default entry point, and Power On Self Test (POST).

FIPS validation is a government certification for cryptographic modules that states the module in question has undergone thorough and rigorous testing to be certified. FIPS validation specifies that a software/encryption module is able to be used within or alongside government systems. The most recent FIPS specification is 140-2, with various levels of security offered (1-5). Currently, wolfCrypt has FIPS 140-2 validation with certificates #2425 and #3389. When trying to get software modules FIPS validated, this is often a costly and time-consuming effort and as such causes the FIPS validated modules to have high price tags.

Since the majority of wolfSSL products use the wolfCrypt encryption engine, this also means that if wolfSSH, wolfMQTT (with TLS support), wolfBoot, and other wolfSSL products are in place, they can be tested using FIPS validated code with their software before committing.

wolfSSL FIPS Ready can be downloaded from the wolfSSL download page, here: https://www.wolfssl.com/download/

For more information about wolfSSL and its FIPS Ready initiative, please contact facts@wolfssl.com.

wolfSSL not affected by CVE-2019-1547, CVE-2019-1549, nor CVE-2019-1563

It came to our attention that OpenSSL just published three new vulnerabilities.

ECDSA remote timing attack (CVE-2019-1547)
Fork Protection (CVE-2019-1549)
Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)

These were implementation specific issues and do not affect wolfSSL. For a list of CVEs that apply to wolfSSL please watch the security page on our website here: https://www.wolfssl.com/docs/security-vulnerabilities/

We wanted to take this opportunity to remind our customers and users that wolfSSL is in no way related to OpenSSL. wolfSSL was written from the ground up and is a unique SSL/TLS implementation.

That being said, wolfSSL does support an OpenSSL compatibility layer allowing OpenSSL users to drop in wolfSSL but continue to use the most commonly found OpenSSL API’s after re-compiling their applications to link against wolfSSL.

One individual also pointed out the time delta between report and fix on the above CVEs and wolfSSL would like to remind our customers and users of how proud we are of our less than 48 hour delta between report and fix. For more on our response time and process regarding vulnerabilities check out https://www.wolfssl.com/everything-wanted-know-wolfssl-support-handles-vulnerability-reports-afraid-ask/

If you have any other questions or concerns please reach out to facts@wolfssl.com or support@wolfssl.com anytime.

wolfSSL RIOT OS port with Examples

Since December 2016, wolfSSL has been collaborating with the “Revolutionary Internet of Things Operating System” (RIOT-OS) community to bring security to the embedded IoT devices supported by RIOT OS.

wolfSSL is pleased to announce that as of September 11, 2019 the pull request containing our port and examples has been merged into the RIOT master repository! We would like to extend our gratitude to the team at RIOT-OS who worked on this effort with wolfSSL engineers! https://github.com/RIOT-OS/RIOT/pull/10308 

The port contains the library modules for wolfCrypt and wolfSSL, and comes with examples that work on most 32-bit platforms supported by RIOT-OS. 

Building secure applications in RIOT-OS has never been this easy: just include the modules in your application makefile and start using wolfSSL right away!

If you would like to see the port extended to other platforms or if you have any questions, please send us a note at support@wolfssl.com or contact us via https://github.com/wolfssl/wolfssl or the support domain at https://wolfssl.zendesk.com.

wolfSSL with #curl and #tiny-curl

wolfSSL’s embedded SSL/TLS library comes with support for many tools and libraries, one of which is curl! In addition to providing support and maintenance for curl, wolfSSL has also integrated the curl library in conjunction with Daniel Stenberg (an original author of curl and one of the founders). With this integration, wolfSSL now provides support and consulting for the curl library.

In addition, a modified version of the curl library, tiny-curl, is also available through wolfSSL. tiny-curl is a patch applied on top of curl to reduce its code size, which makes it favorable for embedded and real-time environments. Version 0.10 of tiny-curl is based on curl version 7.65.3, and is available for download from the wolfSSL download page: https://www.wolfssl.com/download/.

More information about wolfSSL and curl can be found on the curl product page: https://www.wolfssl.com/products/curl/. Details on wolfSSL support for curl and tiny-curl is also located on the support page here: https://www.wolfssl.com/products/support-packages/.

wolfSSL also provides support for the latest versions of the TLS protocol, including TLS 1.3! As such, wolfSSL is considering adding TLS 1.3 support to cURL in the future. More information about wolfSSL and TLS 1.3 can be found here: https://www.wolfssl.com/docs/tls13/.

For more information regarding wolfSSL, TLS 1.3, cURL, support packages, or any additional questions, please contact facts@wolfssl.com.

wolfSSL at ST Developers Conference

Come visit wolfSSL at ST Developers Conference! wolfSSL will be in Santa Clara this week exhibiting at ST Developers Conference. Stop by our booth on September 12th to speak with one of our embedded security experts on TLS 1.3, embedded security, embedded TLS/SSL, MQTT, SSH, curl + tiny-curl, and more!

Where wolfSSL will be located for ST Developers Conference:

Venue: Santa Clara Convention Center / Santa Clara, CA
When: September 12, 2019
Directionshttps://www.st.com/content/st_com/en/campaigns/developers-conference-2019/venue.html

Stop by to hear more about the wolfSSL embedded SSL/TLS library, the wolfCrypt encryption engine, to meet the wolfSSL team, or to get some free stickers and swag!

For more information about wolfSSL, its products, or future events, please contact facts@wolfssl.com.

More information about ST Developers Conference can be found here: https://www.st.com/content/st_com/en/campaigns/developers-conference-2019.html.

wolfSSL at IoT World Asia (#IoTWorldAsia)

Come visit wolfSSL at IoT World Asia! wolfSSL will be exhibiting next week at Marina Bay Sands in Singapore. Stop by our booth on September 11th and 12th to talk to one of our experts on TLS 1.3, embedded security, embedded TLS/SSL, MQTT, SSH, curl + tiny-curl, and more!

Where wolfSSL will be located for IoT World Asia 2019:

Venue: Marina Bay Sands / Singapore
Booth #: IoT200
When: September 11-12, 2019
Directions: https://tmt.knect365.com/iot-world-asia/plan-your-visit

Stop by to hear more about the wolfSSL embedded SSL/TLS library, the wolfCrypt encryption engine, to meet the wolfSSL team, or to get some free stickers and swag!

For more information about wolfSSL, its products, or future events, please contact facts@wolfssl.com.

More information about IoT World Asia 2019 can be found here: https://tmt.knect365.com/iot-world-asia/.

wolfSSL MQTT Sensor Network (MQTT-SN)

The MQTT Sensor Network standard provides a lightweight networking protocol perfectly suited for low cost, low power hardware. The protocol allows using small topic identifiers in place of the full topic name when sending and receiving publish data.

The wolfMQTT SN Client implementation is based on the OASIS MQTT-SN v1.2 specification. The SN API is configured with the --enable-sn option. There is a separate API for the sensor network API, which all begin with the “SN_” prefix. The wolfMQTT SN Client operates over UDP, which is distinct from the wolfMQTT clients that use TCP. The following features are supported by the wolfMQTT SN Client:

  • Register
  • Will topic and message set up
  • Will topic and message update
  • All QoS levels
  • Variable-sized packet length field

You can download the latest release of wolfMQTT from our website or clone the repository from GitHub.

For more information please email us at facts@wolfssl.com.

Posts navigation

1 2 3 4 99 100 101

Weekly updates

Archives

Latest Tweets