RECENT BLOG NEWS

So, what’s new at wolfSSL? Take a look below to check out the most recent news.
Or sign up to receive weekly email notifications containing the latest news from wolfSSL.
In addition, wolfSSL now has a support-specific blog page dedicated to answering some of the more commonly received support questions.

wolfSSL 3.15.7 Now Available

Happy Holidays! wolfSSL release 3.15.7 is now available!

The holiday release of the wolfSSL embedded SSL/TLS library contains many feature additions, bug fixes, and improvements. Some of these changes include improved API documentation, RSA-verify-only and RSA-public-key-operations-only builds, and several new port additions. More details about what is included with the new version of wolfSSL are listed below.

  • New Feature Additions And Ports:
  • Support for Espressif ESP-IDF development framework
  • PKCS#7 support for generating and verify bundles using a detached signature.
  • Port update for Micrium uC/OS-III
  • Feature to adjust max fragment size post handshake when compiled with the macro WOLFSSL_ALLOW_MAX_FRAGMENT_ADJUST
  • The addition of multiple languages in wolfSSL’s bundled examples can cause problems for embedded devices that can not handle the special characters. Having NO_MULTIBYTE_PRINT defined compiles out code used for printing the special characters.
  • RSA verify only (--enable-rsavfy) and RSA public only (--enable-rsapub) builds added. These are builds that can be used with --enable-cryptonly that compile out portions of RSA code. Giving the option for an even smaller build of wolfSSL in the case that only RSA public key operations or only RSA verify operations are needed.

One of the many new exciting updates to existing wolfSSL features was the support for the Intel QuickAssist v1.7 driver being added! This enables wolfSSL to be used in asynchronous mode with newer Intel hardware for a massive performance gain over the previous driver. In addition to the driver update, support for RSA key generation and SHA-3 support was added to the wolfSSL QuickAssist port. The following is a list of some of the other notable additional updates and fixes in the release:

  • Fix for Xcode build with iPhone simulator on i386
  • Fix for building the wolfSSL library with AES-CBC disabled and the opensslextra compatibility layer enabled
  • Updates to sniffer for showing session information and handling split messages across records
  • Updates for Doxygen documentation, including PKCS#11 API and more
  • Enhancements to test cases for increased code coverage
  • Updates to VxWorks port for use with Mongoose, including updates to the OpenSSL compatibility layer
  • Updating --enable-armasm build for ease of use with autotools
  • Lots of improvements were made for ease of use with Yocto. The INSTALL file bundled with wolfSSL has been updated as part of this to help guide users through a Yocto build of wolfSSL.

Some updates and minor fixes were made to the TLS 1.3 code in wolfSSL. Keeping our industry leading TLS 1.3 implementation robust and up to date. These fixes included:

  • Updates to internal code checking TLS 1.3 version with a connection
  • Removing unnecessary extended master secret from ServerHello if using TLS 1.3
  • Fix for TLS v1.3 HelloRetryRequest to be sent immediately and not grouped

This release of wolfSSL also included a fix for 1 security vulnerability. It was a medium level fix for a potential cache attack with a variant of Bleichenbacher’s attack. Earlier versions of wolfSSL leaked PKCS #1 v1.5 padding information during private key decryption that could lead to a potential padding oracle attack. It is recommended that users update to the latest version of wolfSSL if they have RSA cipher suites enabled and have the potential for malicious software to be ran on the same system that is performing RSA operations. Users that have only ECC cipher suites enabled and are not performing RSA PKCS #1 v1.5 Decryption operations are not vulnerable. Users with TLS 1.3-only connections are not vulnerable to this attack. Thanks to Eyal Ronen (Weizmann Institute), Robert Gillham (University of Adelaide), Daniel Genkin (University of Michigan), Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom (University of Adelaide and Data61) for the report. The paper for further reading on the attack along with more details can be found at http://cat.eyalro.net/cat.pdf. To view or apply a patch of the changes this is the exact PR on github with the fix: https://github.com/wolfSSL/wolfssl/pull/1950.

 

wolfSSH SFTP Performance

wolfSSL provides many different products, one of which is the wolfSSH library. wolfSSH itself provides a lightweight embedded SFTP solution. SFTP can be used to securely transfer files, and to manage the filesystem of a peer. wolfSSH’s implementation of SFTP uses less than a third of the memory that OpenSSH does for a SFTP connection. The following figures outline the performance of wolfSSH's SFTP solution compared with OpenSSH's performance.

wolfSSH v1.3.0 configured with " ./configure --enable-static --disable-shared --enable-sftp CFLAGS="-DDEFAULT_WINDOW_SZ=4096" ":

In comparison the default OpenSSH SFTP on the system used 103 KiB of memory. “OpenSSH_7.2p2 Ubuntu-4ubuntu2.6, OpenSSL 1.0.2g”:

For more information about using wolfSSH and its features, please contact info@wolfssl.com.

Additionally, wolfSSL also provides support for using TLS 1.3! More information is available here: https://www.wolfssl.com/docs/tls13/.

Differences between TLS 1.2 and TLS 1.3 (#TLS13)

wolfSSL's embedded SSL/TLS library has included support for TLS 1.3 since early releases of the TLS 1.3 draft. Since then, wolfSSL has remained up-to-date with the TLS 1.3 specification. In this post, the major upgrades of TLS 1.3 from TLS 1.2 are outlined below:

TLS 1.3

This protocol is defined in RFC 8446. TLS 1.3 contains improved security and speed. The major differences include:

  • The list of supported symmetric algorithms has been pruned of all legacy algorithms. The remaining algorithms all use Authenticated Encryption with Associated Data (AEAD) algorithms.
  • A zero-RTT (0-RTT) mode was added, saving a round-trip at connection setup for some application data at the cost of certain security properties.
  • Static RSA and Diffie-Hellman cipher suites have been removed; all public-key based key exchange mechanisms now provide forward secrecy.
  • All handshake messages after the ServerHello are now encrypted.
  • Key derivation functions have been re-designed, with the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) being used as a primitive.
  • The handshake state machine has been restructured to be more consistent and remove superfluous messages.
  • ECC is now in the base spec  and includes new signature algorithms. Point format negotiation has been removed in favor of single point format for each curve.
  • Compression, custom DHE groups, and DSA have been removed, RSA padding now uses PSS.
  • TLS 1.2 version negotiation verification mechanism was deprecated in favor of a version list in an extension.
  • Session resumption with and without server-side state and the PSK-based ciphersuites of earlier versions of TLS have been replaced by a single new PSK exchange.

More information about the TLS 1.3 protocol can be found here: https://www.wolfssl.com/docs/tls13/. Additionally, please contact info@wolfssl.com for any questions.

wolfSSL 24×7 support

wolfSSL provides support on four levels, one of which is the 24x7 support level. This support level includes many key features not available on the others, such as an unlimited number of support incidents, around-the-clock support from dedicated members of the wolfSSL support team, and remains in effect for an entire year.

wolfSSL provides three other levels of paid support, which also include some of the same features provided by 24x7 support. More details on the wolfSSL support packages and levels can be viewed here: https://www.wolfssl.com/products/support-packages-options/

wolfSSL also provides support for the latest version of the TLS protocol, TLS 1.3! Read more about wolfSSL's implementation and the protocol itself here: https://www.wolfssl.com/docs/tls13/

For more information, please contact info@wolfssl.com.

TLS 1.3 combined with FIPS (#FIPS #TLS13)

wolfSSL is a lightweight TLS/SSL library that is targeted for embedded devices and systems. It has support for the TLS 1.3 protocol, which is a secure protocol for transporting data between devices and across the Internet. In addition, wolfSSL uses the wolfCrypt encryption library to handle its data encryption.

Because there is a FIPS 140-2 validated version of wolfCrypt, this means that wolfSSL not only has support for the most current version of TLS, but it also has the encryption backbone to support your FIPS 140-2 needs if required.

Some key benefits of combining TLS 1.3 with FIPS validated software include:

  1. Software becomes marketable to federal agencies - without FIPS, a federal agency is not able to use cryptographic-based software
  2. Single round trip
  3. 0-RTT (a mode that enable zero round trip time)
  4. After Server Hello, all handshake messages are encrypted.

And much more! For more information regarding the benefits of using TLS 1.3 or using the FIPS validated version of wolfCrypt, check out wolfSSL's TLS 1.3 Protocol Support and our wolfCrypt FIPS page.

FIPS 140-2 is a government validation that certifies that an encryption module has successfully passed rigorous testing and meets high encryption standards as specified by NIST. For more information or details on FIPS 140-2, it may be helpful to view this Wikipedia article: https://en.wikipedia.org/wiki/FIPS_140-2

For more details about wolfSSL, TLS 1.3, or if you have any other general inquiries please contact info@wolfssl.com

To find out more about FIPS, check out the NIST FIPS publications or contact fips@wolfssl.com

wolfSSL Integration with cURL

wolfSSL's embedded SSL/TLS library comes with support for many other tools and libraries, one of which is cURL. cURL is a computer software project that produces two products (libcurl and cURL) that are used for transferring data using various protocols. In addition to support for cURL, wolfSSL will also be integrating the cURL library in conjunction with Daniel Stenberg (an original author of cURL and one of the founders) joining the wolfSSL team.

With this integration and Daniel Stenberg joining wolfSSL, wolfSSL will now also be providing support and consulting for the cURL library.

wolfSSL also provides support for the latest versions of the TLS protocol, including TLS 1.3! As such, wolfSSL is considering adding TLS 1.3 support to cURL in the future. More information about wolfSSL and TLS 1.3 can be found here: https://www.wolfssl.com/docs/tls13/.

For more information regarding wolfSSL, TLS 1.3, cURL, or all of the above, please contact info@wolfssl.com.

wolfSSL FAQ page

The wolfSSL FAQ page can be useful for information or general questions that need need answers immediately. It covers some of the most common questions that the support team receives, along with the support team's responses. It's a great resource for questions about wolfSSL, embedded TLS, and for solutions to problems getting started with wolfSSL.

To view this page for yourself, please follow this link here.

Here is a sample list of 5 questions that the FAQ page covers:

  1. How do I build wolfSSL on ... (*NIX, Windows, Embedded device) ?
  2. How do I manage the build configuration of wolfSSL?
  3. How much Flash/RAM does wolfSSL use?
  4. How do I extract a public key from a X.509 certificate?
  5. Is it possible to use no dynamic memory with wolfSSL and/or wolfCrypt?

Have a  question that isn't on the FAQ? Feel free to email us at support@wolfssl.com.

wolfSSL Support for OCSP and NGINX

With each release of the wolfSSL embedded SSL/TLS library, new improvements and feature additions are always included. With recent releases, the wolfSSL team has improved existing Online Certificate Status Protocol (OCSP) support when using wolfSSL with NGINX. These improvements include items such as more detailed/stronger error reporting and updated certificate management.

NGINX is a high-performance, high-concurrency web server, that is increasing in popularity. Like wolfSSL, it is also compact, fast, and highly scalable. OCSP is an alternative to Certificate Revocation Lists (CRL), and is used to validate certificates for HTTPS connections. OCSP addresses problems involving Public Key Infrastructure (PKI) and typically has improved speed over CRL. Combining two high-performance aspects - NGINX and OCSP - yields another high-performance mark for wolfSSL. Additionally, wolfSSL also provides support for the latest and most secure TLS protocol, TLS 1.3. NGINX servers can use OCSP with wolfSSL while also providing TLS 1.3 support.

For more information on wolfSSL updates, the wolfSSL changelog can be viewed here: https://www.wolfssl.com/docs/wolfssl-changelog/. For any other questions, feel free to contact info@wolfssl.com.

wolfSSL Support Statistics

wolfSSL provides one of the most secure embedded SSL/TLS libraries, a high-powered and lightweight encryption engine, and other products. wolfSSL also provides various services, one of which is the exemplary support offered by the wolfSSL support team.

wolfSSLs' support is continuously improving in its quality and speed. This is shown by the average customer ratings that the wolfSSL support team receives, and through other additional feedback. When wolfSSL support closes a ticket, customers are given the option to either rate the support received as "Good, I'm satisfied," or "Bad, I'm unhappy,". For the year 2018, wolfSSL received a 98.6% overall satisfaction rating from hundreds of support cases. The average satisfaction rating for wolfSSL has been improving over the years, as a result of our continued efforts to provide not only the best tested cryptography in the world, but also the best customer support available from any crypto provider. We will continue to strive and deliver the best possible customer experience via our support department and look forward to assisting all of our users in any way we can.

To have your own questions answered by the wolfSSL support team, please contact support@wolfssl.com. We also provide some more general information about wolfSSL products which can be obtained by contacting info@wolfssl.com.

Did you know that wolfSSL supports TLS 1.3!? More information can be found here: https://www.wolfssl.com/docs/tls13/.

wolfSSH Supported Platforms

wolfSSL offers many different products, including the wolfSSH Lightweight SSH Library. The wolfSSH library is ideal for both IoT embedded devices and desktop use cases. It is an implementation of the SSHv2 protocol and features a small footprint size, an extensive feature set, and excellent cross platform support. A list of some of these supported platforms are listed below:

  • Cavium NITROX
  • STM32F2, STM32F4
    • With hardware cryptography support
  • FreeScale CAU, mmCAU, SEC
  • Microchip PIC32MZ
  • Linux
  • macOS
  • Microsoft Windows

Additionally, wolfSSH also provides support for many of its example applications on these platforms. For example, the wolfSSH SFTP client example can be run on Microsoft Windows and also on macOS.

To test the wolfSSH library and its applications on your platform, wolfSSH can be downloaded by cloning the wolfSSH repository (here: https://github.com/wolfSSL/wolfssh), or by visiting the wolfSSL download page (here: https://www.wolfssl.com/download/).

For more information on wolfSSH or its supported platforms, please contact info@wolfssl.com.

OpenSSL Compatibility Layer Expansion

As many of our readers know, the wolfSSL embedded SSL/TLS library includes an OpenSSL compatibility layer. This layer makes it easier to replace OpenSSL with wolfSSL in applications that have previously been using OpenSSL.

As wolfSSL is ported into more and more projects that have previously used OpenSSL, our compatibility layer expands.  As new versions of wolfSSL are released, the OpenSSL compatibility layer continues to expand. The following list some recent additions, along with other OpenSSL compatibility layer functions:

 

  • OpenSSL_add_all_algorithms_noconf()
  • RAND_poll()
  • d2i_X509_fp()
  • X509_check_ca()
  • X509_CRL_free()
  • X509_STORE_add_crl()
  • d2i_X509_CRL_fp()
  • PEM_read()
  • PEM_write()
  • PEM_read_X509_CRL()
  • ASN1_GENERALIZEDTIME_free()
  • ASN1_STRING_print_ex()
  • ASN1_TIME_to_generalizedtime()
  • d2i_PKCS12_fp()
  • i2d_RSAPublicKey()
  • d2i_RSAPublicKey()
  • i2c_ASN1_INTEGER()
  • d2i_ECDSA_SIG()
  • i2d_ECDSA_SIG()
  • EVP_DigestVerifyInit()
  • EVP_DigestVerifyUpdate()
  • EVP_DigestVerifyFinal()
  • EVP_PKEY_id()
  • PEM_read_bio_PUBKEY()

There are several reasons that users switch from OpenSSL to wolfSSL, including memory usage, portability, algorithm support, CAVP and FIPS 140-2 validations, and the availability of excellent commercial support.  To learn more about the advantages of using wolfSSL, visit our page on “wolfSSL vs. OpenSSL”.

If you have any questions about using wolfSSL in your application, or replacing OpenSSL with wolfSSL, please reach out to our support team at support@wolfssl.com!

Posts navigation

1 2 3 4 84 85 86

Weekly updates

Archives

Latest Tweets