RECENT BLOG NEWS
Or sign up to receive weekly email notifications containing the latest news from wolfSSL.
In addition, wolfSSL now has a support-specific blog page dedicated to answering some of the more commonly received support questions.
wolfSSL Version 4.3.0 is Now Available!
The holiday release of wolfSSL, version 4.3, is now available! This release has fantastic new features, optimizations, and bug fixes. Some of the exciting new features that were added to the wolfSSL library are summarized below:
- The addition of –enable-libwebsockets option for support of libwebsockets build was added in the release!
- Updated support of NGINX 1.15.0 and in addition to that we added support for NGINX version 1.16.1.
- Updates to RSA-PSS salt lengths. Macro WOLFSSL_PSS_SALT_LEN_DISCOVER allows for discovering the salt length. Passing RSA_PSS_SALT_LEN_DISCOVER value into wc_RsaPSS_Verify_ex attempts to discover salt length and can use larger salt lengths.
- wolfSSL is constantly expanding the OpenSSL compatibility API to help people migrate from OpenSSL to wolfSSL. In this release the API wolfSSL_CertManagerGetCerts and wolfSSL_X509_STORE_GetCerts were added for retrieving certificates.
- wolfSSL has an optimized math library for single precision operations. Greatly speeds up some set key sizes with RSA, ECC, and DH operations. In this release support for 4096-bit RSA/DH operations was added!
- Last release (v4.2.0) we came out with support for Google WebRTC, in this release we updated that support to branch m79.
- We added new FREESCALE_MQX_5_0 macro for MQX 5.0 support
- Some users that make use of the OpenSSL compatibility layer like to trim down the bloat while keeping certain API’s. In this release the additional build flag of –disable-errorqueue was added so that the extra error queue is disabled with –enable-opensslextra builds.
- And more…. (check out the README from the download for a full list)
There were some additional optimizations added to this release. A highlight of some of these optimizations include:
- Update to PKCS#11 for determining key type given the private key type
- Increase in performance of Cortex-M RSA/DH assembly code with single precision builds.
- Update to DoVerifyCallback to check verify param hostName and ipasc (–enable-opensslextra builds)
- Additional null sanity checks on input arguments with QSH and Cryptocell builds
- MISRA-C updates for SP math code
- Additional checks on RSA key were added to the function wc_CheckRsaKey
- Updates for EBSNET support, including fseek, revised macros in settings.h, and realloc support
- Optimization when parsing certificate extension name strings
- Adjustment to example server -x runtime behavior when encountering an unrecoverable error case
- Removal of support for Blake2b with HMAC.
- New script to cleanup generated test files, scripts/cleanup_testfiles.sh
- New log messages for SendAlert call and update to send alert after verify certificate callback
- Updates to find CRL by AuthKeyId
- Rework of BER to DER functions to not be recursive
- Removal of requirement for macro NO_SKID when CRL use is enabled
- And more… See the README…
In this release there were also some great fixes!
- Fixes for IAR warnings with IAR-EWARM 7.50.2
- Alignment fixes for mmCAU with AES and hashing algorithms
- Fix for unit tests with NGINX and debug mode
- Fix for Apache want read case with BIO retry flag
- Fix for Curve25519 assembly optimizations with GCC + AVX2, Poly1305 AVX2 assembly optimization fix for carry with large input values
- Fix for memcpy with TLS I/O buffers when using staticmemory pools and loading memory as WOLFMEM_IO_POOL_FIXED
- Fix for freeing mutex for X509 and wolfSSL_EVP_PKEY_free, applies to OPENSSL_EXTRA / –enable-opensslextra builds
- Fixes case where the heap hint is created before WOLFSSL_CTX, when calling wc_LoadStaticMemory instead of wolfSSL_CTX_load_static_memory
- Fix for EVP CipherUpdate decrypt and new test case
- Fix for API visibility of wc_ed25519_check_key which resolves a wolfcrypt-py install issue
- Fix for PKCS7 streaming mode that would error rather than verify bundle
- Fixes and updates for STM32 port, including additional mutex protection, AES-GCM decrypt auth tag, AES-CTR mode with CubeMX, update to OpenSTM32 project
- Sanity check on max ALPN length accepted
- Additional sanity check when parsing CRL’s for copying the structure, fix for bounds checking
- When getting the DH public key, initialize the P, G, and Pub pointers to NULL, then set that we own the DH parameters flag. This allows FreeSSL to correctly clean up the DH key.
- Clear the top bit when generating a serial number
- Fix to add deterministic ECDSA and fix corner cases for add point.
- Fixes for Coverity report including null termination of test case strings and initialization of PKCS#7 variables
- Fix for missing variable declaration with –enable-scep –with-libz build
- ProcessPeerCerts allocating memory for exts with OPENSSL_EXTRA properly
- And more…. A full list can be seen in the README or ChangeLog.md from the download bundle (https://www.wolfssl.com/download/).
In every release we recommend users update to keep the latest security, for all the fixes, and for all the additional features that they get. This release also included some vulnerability fixes that some of our users should consider when looking at whether to update or not. A full listing of the vulnerabilities can be seen in the README, on our website (https://www.wolfssl.com/docs/security-vulnerabilities/) or you can contact the wolfSSL support channel for more information. This is a brief of the vulnerabilities:
- Sanity check on certificate parsing affecting users that have –enable-opensslextra (macro OPENSSL_EXTRA), or build options that turn this on such as –enable-all, when building wolfSSL. The CVE associated with the fix is CVE-2019-18840.
- DTLS max limit on handshake message sizes. This only effects builds that have DTLS turned on and have applications that are using DTLS.
- ECC caching hang fix, affects users that have turned on ECC caching (off by default –enable-fpecc) and are using –enable-fastmath. Does not affect default builds.
- DSA blinding added for more side channel attack resistant. Affects DSA users that are signing with DSA. Does not affect TLS or default builds. Thanks to Daniel Moghimi (@danielmgmi) from Worcester Polytechnic Institute for the report.
- Update to wc_SignatureGenerateHash function for potential fault injection attack. Does not affect TLS users, only users calling the wolfCrypt RSA signature generation wrapper function. Thanks to Daniel Moghimi (@danielmgmi) from Worcester Polytechnic Institute for the report.
- Fix to add additional side channel cache attack resistance to the internal ECC function wc_ecc_mulmod_ex. This function by default is used with ECDSA signing operations. Users should update if performing ECDSA singing operations (server side ECC TLS connections, mutual authentication on client side) or calling wolfCrypt ECC sign functions and have the potential for outside users to perform sophisticated monitoring of the cache.Thanks to Daniel Moghimi (@danielmgmi) from Worcester Polytechnic Institute for the report.
For questions contact us at facts@wolfssl.com. Merry Christmas, Happy New Year, and love to all from wolfSSL!
wolfSSL Support for DO-178 DAL A
wolfSSL now provides support for complete RTCA DO-178C level A certification! wolfSSL will offer DO-178 wolfCrypt as a commercial off -the-shelf (COTS) solution for connected avionics applications. Adherence to DO-178C level A will be supported through the first wolfCrypt COTS DO-178C certification kit release that includes traceable artifacts for the following encryption algorithms:
- SHA-256 for message digest
- AES for encryption and decryption
- RSA to sign and verify a message.
- Chacha20_poly1305 for authenticated encryption and decryption.
The primary goal of this initial release is to provide the proper cryptographic underpinnings for secure boot and secure firmware update in commercial and military avionics. wolfSSL brings trusted, military-grade security to connected commercial and military aircraft. Avionics developers now have a flexible, compact, economical, high-performance COTS solution for quickly delivering FIPS 140-2 validated crypto algorithms can be used in DO-178 mode for combined FIPS 140-2/DO-178 consumption. The wolfCrypt cryptography library FIPS 140-2 validation certificates can be applied to DO-178 uses.
Optimization Support
We understand that securely rebooting avionic systems has rigorous performance requirements. As such, we’re here to help with cryptographic performance optimizations through our services organization.
To download and view the most recent version of wolfSSL, the wolfSSL GitHub repository can be cloned from here: https://github.com/wolfssl/wolfssl.git, and the most recent stable release can be downloaded from the wolfSSL download page here: https://www.wolfssl.com/download/.
wolfSSL DO-178 product page: https://www.wolfssl.com/wolfssl-support-178-dal/.
For more information, please contact facts@wolfssl.com.
wolfSSL FIPS Ready and curl (#wolfSSL #wolfCrypt #curl)
wolfSSL FIPS Ready
Along with the recent release of wolfSSL v4.1.0, wolfSSL has updated its support for the wolfCrypt FIPS Ready version of the wolfSSL library. wolfCrypt FIPS Ready is our FIPS enabled cryptography layer included in the wolfSSL source tree that can be enabled and built. To elaborate on what FIPS Ready really means: you do not get a FIPS certificate and you are not FIPS approved. FIPS Ready means that you have included the FIPS code into your build and that you are operating according to the FIPS enforced best practices of default entry point, and Power On Self Test (POST).
FIPS Ready with curl
(modified from Daniel Stenberg)
The integration of wolfSSL and curl means that the curl library can also be built using the wolfCrypt FIPS ready library. The following outlines the steps for building curl with FIPS Ready:
1. Download wolfSSL fips ready
2. Unzip the source code somewhere suitable:
$ cd $HOME/src $ unzip wolfssl-4.1.0-gplv3-fips-ready.zip $ cd wolfssl-4.1.0-gplv3-fips-ready
3. Build the fips-ready wolfSSL and install it somewhere suitable:
$ ./configure --prefix=$HOME/wolfssl-fips --enable-harden --enable-all $ make -sj $ make install
4. Download curl, the normal curl package.
5. Unzip the source code somewhere suitable:
$ cd $HOME/src $ unzip curl-7.66.0.zip $ cd curl-7.66.0
6. Build curl with the just recently built and installed FIPS ready wolfSSL version:
$ LD_LIBRARY_PATH=$HOME/wolfssl-fips/lib ./configure --with-wolfssl=$HOME/wolfssl-fips --without-ssl $ make -sj
7. Now, verify that your new build matches your expectations by:
$ ./src/curl -V
It should show that it uses wolfSSL and that all the protocols and features you want are enabled and present. If not, iterate until it does!
wolfSSL FIPS ready is open source and dual-licensed. More information about building FIPS ready can be found in the FIPS Ready user guide.
More information about wolfSSL and curl can be found on the curl product page.
Details on wolfSSL support for curl is also located on the support page.
For more information regarding wolfSSL, wolfCrypt, cURL, support packages, or any additional questions, please contact facts@wolfssl.com.
Additional OpenSSL Compatibility API
With each release of the wolfSSL embedded SSL/TLS library, new improvements and feature additions are always included. The wolfSSL team has made sure to improve and update support for various open source projects. This holiday release of wolfSSL 4.3.0, we are happy to include expansions in our OpenSSL Compatibility layer. As many people know, the OpenSSL project is struggling with FIPS, and their new FIPS release is not expected until December 2020. The version of OpenSSL that supports FIPS goes into End Of Life and is no longer supported in December of 2019. As a result we are constantly expanding the OpenSSL compatibility API to help people migrate from OpenSSL to wolfSSL. In this release the API wolfSSL_CertManagerGetCerts() and wolfSSL_X509_STORE_GetCerts() were added for retrieving certificates.
Additionally, should you be using one of the OpenSSL derivatives like BoringSSL, we can also support you.
Contact us at facts@wolfssl.com or support@wolfssl.com if you would like to learn more!
We love you.
Team wolfSSL
wolfSSL + Nginx
The wolfSSL embedded SSL/TLS library provides support for various open source projects, including Nginx. For those who are unfamiliar, Nginx is a high-performance, high-concurrency web server. Like wolfSSL, it is also compact, fast, and highly scalable. Additionally, wolfSSL also provides support for TLS 1.3 and features such as OCSP, so Nginx servers can be configured with the latest and most secure protocols.
Nginx and wolfSSL make a likely pairing because they are both lean, compact, fast, and scale well under high volumes of connections. wolfSSL + Nginx is available in a public GitHub repository. The configure option --enable-nginx will compile the wolfSSL libraries with Nginx support.
wolfSSL also provides FIPS and FIPS ready versions of the wolfCrypt library, meaning Nginx can be built FIPS compliant. More information on wolfCrypt FIPS can be found on the wolfCrypt FIPS FAQ page.
For more information on wolfSSL + Nginx, TLS 1.3, OCSP, FIPS, or for any additional questions, contact facts@wolfssl.com.
Added new support for MQX v5
With each release of the wolfSSL embedded SSL/TLS library, new improvements and feature additions are always included. The wolfSSL team has made sure to incrementally improve and update support for our various partners. In our wolfSSL 4.3.0 holiday release, we are happy to bring improved support for MQX. wolfSSL has added new FREESCALE_MQX_5_0 macro for MQX v5 support!
For those who are unaware MQX v5 is a continuation of the MQX Classic product available under low-cost commercial licensing terms. MQX v4.2 is no longer available and has been superseded by v5. MQX v5 is backward compatible with MQX Classic and includes a multitasking RTOS kernel, a TCP/IP stack (RTCS) with Internet protocol v6 (IPv6), embedded MS-DOS file system (MFS), USB host/device stack and task-aware debugging. MQX v5 board support packages (BSPs) are available for a number of platforms, with other BSPs available upon request.
For more information on wolfSSL + MQX, TLS 1.3, OCSP, FIPS, or for any additional questions, contact facts@wolfssl.com or support@wolfssl.com!
We love you.
Team wolfSSL
Support for Single Precision 4096-bit RSA/DH Operations
With the holiday release of wolfSSL 4.3.0, we have continued to optimize wolfSSL’s math library performance by expanding our single precision math operations. This greatly speeds up some set key sizes with RSA, ECC, and DH operations. In this release support for 4096-bit RSA/DH operations was added!
If you have questions about the performance of the wolfSSL embedded TLS library, or about using our single precision math library, please contact us at facts@wolfssl.com or support@wolfssl.com!
We love you.
Team wolfSSL
Poly1305 AVX2 Assembly Optimization Fix
With each release of the wolfSSL embedded SSL/TLS library, new improvements and feature additions are always included. In the new release of wolfSSL 4.3.0, we are happy to have improved hardware cryptography support including a Poly1305 AVX2 assembly optimization fix for carry with large input values.
ChaCha20-Poly1305 is a relatively new authenticated encryption algorithm. It was designed as an alternative to AES-GCM. The algorithm is simple and fast on CPUs that do not have hardware acceleration for AES and GCM.
If you have questions about the performance of the wolfSSL embedded TLS library, please contact us at facts@wolfssl.com or support@wolfssl.com!
We love you.
Team wolfSSL
wolfSSL Support with Qt5 (#Qt5)
Calling all developers of Qt! wolfSSL is continuously adding new features and support for various open source projects. One of the most recent projects wolfSSL has been working on is support for Qt. We are excited to announce wolfSSL support with Qt version 5.12 and 5.13.
The recent wolfSSL integration with Qt provides a lightweight and performance-minded alternative for the Qt Network backend SSL/TLS. The QSslSocket class makes it easy to add encryption to your application. Now, wolfSSL makes it secure!
If you are interested in receiving a version of Qt that is compatible with wolfSSL, or for more information about using wolfSSL with Qt to build your next application, contact us at facts@wolfssl.com.
To view more open source projects wolfSSL has teamed up with, visit https://www.wolfssl.com/community/.
To learn more about the advantages of using wolfSSL, visit our page on “wolfSSL vs. OpenSSL”.
wolfSSL MQTT Sensor Network (MQTT-SN)
The MQTT Sensor Network standard provides a lightweight networking protocol perfectly suited for low cost, low power hardware. The protocol allows using small topic identifiers in place of the full topic name when sending and receiving publish data.
The wolfMQTT SN Client implementation is based on the OASIS MQTT-SN v1.2 specification. The SN API is configured with the –enable-sn option. There is a separate API for the sensor network API, which all begin with the “SN_” prefix. The wolfMQTT SN Client operates over UDP, which is distinct from the wolfMQTT clients that use TCP. The following features are supported by the wolfMQTT SN Client:
- Register
- Will topic and message set up
- Will topic and message update
- All QoS levels
- Variable-sized packet length field
You can download the latest release of wolfMQTT from our website or clone the repository from GitHub.
For more information please email us at facts@wolfssl.com.
wolfSSL + Apache httpd
In the latest wolfSSL releases, we have added 200+ new API to our OpenSSL compatibility layer. Many of these new API were added for providing support for Apache HTTP Server. We are excited to announce that as of version 4.2.0, wolfSSL now provides support for the Apache web server with the enable option --enable-apachehttpd. This means you can now build Apache with the latest, most robust security provided by the wolfSSL SSL/TLS and wolfCrypt libraries.
If you are interested in building Apache httpd with wolfSSL, please contact us at facts@wolfssl.com for a version of Apache that is compatible.
For comparison between wolfSSL and OpenSSL, visit https://www.wolfssl.com/docs/wolfssl-openssl/.
Weekly updates
Archives
- January 2020 (16)
- December 2019 (9)
- November 2019 (16)
- October 2019 (14)
- September 2019 (24)
- August 2019 (21)
- July 2019 (8)
- June 2019 (13)
- May 2019 (35)
- April 2019 (32)
- March 2019 (20)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (11)
- October 2018 (18)
- September 2018 (18)
- August 2018 (8)
- July 2018 (15)
- June 2018 (29)
- May 2018 (15)
- April 2018 (11)
- March 2018 (19)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (7)
- September 2017 (8)
- August 2017 (6)
- July 2017 (11)
- June 2017 (8)
- May 2017 (10)
- April 2017 (5)
- March 2017 (7)
- February 2017 (1)
- January 2017 (8)
- December 2016 (3)
- November 2016 (2)
- October 2016 (18)
- September 2016 (8)
- August 2016 (5)
- July 2016 (4)
- June 2016 (11)
- May 2016 (4)
- April 2016 (5)
- March 2016 (4)
- February 2016 (12)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (6)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (13)
- January 2015 (6)
- December 2014 (7)
- November 2014 (3)
- October 2014 (2)
- September 2014 (11)
- August 2014 (6)
- July 2014 (9)
- June 2014 (11)
- May 2014 (11)
- April 2014 (9)
- March 2014 (3)
- February 2014 (3)
- January 2014 (5)
- December 2013 (9)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (8)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (9)
- December 2012 (13)
- November 2012 (5)
- October 2012 (7)
- September 2012 (4)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (6)
- April 2012 (7)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (6)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (8)
- May 2011 (12)
- April 2011 (4)
- March 2011 (12)
- February 2011 (9)
- January 2011 (13)
- December 2010 (17)
- November 2010 (12)
- October 2010 (14)
- September 2010 (11)
- August 2010 (20)
- July 2010 (14)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)
Latest Tweets