RECENT BLOG NEWS
Or sign up to receive weekly email notifications containing the latest news from wolfSSL.
In addition, wolfSSL now has a support-specific blog page dedicated to answering some of the more commonly received support questions.
wolfSSL version 4.8.1 is available for download!!
This version of wolfSSL includes many new features, ports, and some great fixes. Some of the new features added includes:
- A tie in for use with wolfSentry.
- wolfSentry is a universal, dynamic, embedded IDPS (intrusion detection and prevention system)
- The build option added to enable the code for use with wolfSentry can be compiled using the autotools flag –enable-wolfsentry. wolfSentry is our new product that can be used in a similar fashion as a firewall but unlike many firewall applications available today wolfSentry is designed for deeply embedded IoT devices with resource constraints.
- Learn more from our webinar: Introducing wolfSentry, an Embeddable IDPS
- A number of API for the compatibility layer
- Helps support replacing OpenSSL using wolfSSL along with updating your crypto for FIPS requirements,
- A QNX CAAM driver for use with NXP’ i.MX devices,
- CAAM stands for Cryptographic Accelerator and Assurance Module. When used, it speeds up the cryptographic algorithms such as ECC and AES, as well as increases security by using encrypted keys and secure memory partitions.
- Support for STM32G0,
- Zephyr project example,
- The Zephyr Project is a scalable real-time operating system (RTOS) supporting multiple hardware architectures, optimized for resource constrained devices, and built with safety and security in mind.
- An easy-to-use Dolphin emulator test for DEVKITPRO
- devkitPro is a set of tool chains for compiling to gaming platforms.
- Fixes for PKCS#7
- PKCS#7 is used to sign, encrypt, or decrypt messages under Public Key Infrastructure (PKI). It is also used for certificate dissemination, but is most commonly used for single sign-on.
- Better parsing and handling of edge cases along with fixes for existing ports.
- Fixes that came from testing with Coverity and fsanitizer tools.
- Coverity is very efficient in finding issues, and is often used as a metric for good code (based on how many issues are found and fixed)
- fsanitizer is a static analysis tool
- Two vulnerabilities announced,
- one dealing with OCSP
- OCSP or “Online Certificate Status Protocol” is an Internet protocol that is used to obtain the revocation status of an X.509 digital certificate.
- the other with a previously fixed base64 PEM decoding side channel vulnerability.
- PEM, or “Privacy Enhanced Mail” is the most common format that certificates are issued in by certificate authorities.
- one dealing with OCSP
For a full list of changes, check out the updated ChangeLog.md bundled with wolfSSL or view our page on GitHub here (https://github.com/wolfSSL/wolfssl). Any questions can be sent directly to firstname.lastname@example.org.
- Requires the Microchip CryptoAuthLib (https://github.com/MicrochipTech/cryptoauthlib.git)
- wolfSSL uses PK (Public Key) callbacks for the TLS crypto operations
- wolfCrypt uses the WOLFSSL_ATECC508A or WOLFSSL_ATECC608A macros to enable native `wc_ecc_*` API support
- The README.md and reference PK callbacks can be found here: https://github.com/wolfSSL/wolfssl/tree/master/wolfcrypt/src/port/atmel
- Additional demos for wolfSSL TLS Client/Server and wolfCrypt test/benchmarks can be found: https://github.com/wolfSSL/microchip-atecc-demos
wolfSSL’s TLS layer PK callbacks expose API’s to set ECC callbacks. These are enabled with:
#define HAVE_PK_CALLBACKS or ./configure --enable-pkcallbacks.
We plan on adding support for the new 608A PRF and HKDF for TLS 1.2 and TLS 1.3 speed improvements.
For more questions please email us at email@example.com.
FIPS validating a crypto library on a resource-constrained device can be more involved than doing a validation on a standard desktop-like platform. Variances in OS, Flash/RAM, filesystem (or lack of), entropy, communication, and more can make things interesting. Going through our past ARM-based validations, we have figured out how to make this process easier with wolfCrypt!
On October 13th & 14th wolfSSL will be hosting two live webinars, one will cover FIPS 140-3 Certification and the other will be on Migrating from OpenSSL to wolfSSL. Read below for more information as well as a links to register.
Oct 13, 9:00 AM PST: FIPS 140-3
Register Here: https://us02web.zoom.us/webinar/register/WN_WCO3LQ5dRiKifbbg5OCnYA
wolfSSL is thrilled to be the first in FIPS 140-3 certification and we want to share it with you! Join the wolfSSL team, Kaleb Himes, Senior Engineer & FIPS authority, as we cover all things FIPS 140-3. There will be a live Q&A so bring all your FIPS-related questions. We will cover the current transition to FIPS 140-3, its importance for cybersecurity, as well as how wolfSSL is implementing it in our products.
Oct 14, 9:00 AM PST: Migrating from OpenSSL to wolfSSL
Register Here: https://us02web.zoom.us/webinar/register/WN_7oyLVSq6Tba5828QvfFzcQ
There are many reasons why a user might want to switch from OpenSSL to wolfSSL. In order to facilitate this transition, wolfSSL has an accessible compatibility layer. Join us as wolfSSL Engineer, Jacob, talks about the top reasons why people migrate from OpenSSL to wolfSSL as well as how to get started. He will cover how to build with the compatibility layer as well as some examples of applications.
Both webinars will include a Q&A section, so please bring any questions you may have.
We’re actually going somewhere! Come see wolfSSL at it-sa ’21 in Nuremberg, Germany this week.
it-sa ‘21: October 12th – 14th, 2021
Get a pass: https://www.mwcbarcelona.com/attend/registration#tab-physical-passes
Exhibition hours: 09:00 – 18:00 (Tuesday and Wednesday) 09:00 – 17:00 (Thursday)
wolfSSL will be at booth 7-611, with Business Directors Wolfram Kusterer and wolfSSL Engineer Juliusz Sosinowicz on the ground to answer all your embedded security questions. Plus, our full sales team will be on standby in the virtual booth to talk to you! Email facts@wolfSSL.com if you’d like to book a meeting ahead of the event.
If you’re new to wolfSSL, here’s how we can help you win big in mobile industry and beyond:
– wolfSSL is up to 20x smaller than OpenSSL
– First commercial implementation of TLS 1.3, with TLS 1.3 Sniffer
– First in FIPS 140-3
– Best tested, most secure, fastest crypto on the market with incomparable certifications and highly customizable modularity
– Access to 24×7 support from a real team of Engineers
– Support for the newest standards (including TLS 1.2, TLS 1.3, DTLS 1.2, and DTLS 1.3 forthcoming)
– Multi-platform, dual-licensed, royalty free, with an OpenSSL compatibility API to ease porting into existing applications which have previously used the OpenSSL package
– Full product suite including MQTT with support up to v5.0, Secure Boot, wolfSentry IDPS, SSHv2 server, TPM 2.0 portable project, Java wrappers and JSSE support, plus commercial curl support at the enterprise level.
To learn more, come meet us at it-sa ’21 or email facts@wolfSSL.com.
Thanks to the portability of our wolfCrypt library, plus our team of expert engineers, wolfSSL is frequently adding new ports. Keep an eye out as we continue showcasing a few of the latest open source project ports over the next few weeks!
We have recently integrated wolfSSL with the socat tool for Linux. This port allows for the use of socat with our FIPS-validated crypto library, wolfCrypt. Socat is a command line based utility that allows for bidirectional data transfers between two independent channels. For more information on socat, please visit the project’s website at www.dest-unreach.org/socat.
As of wolfSSL version 4.8.0, we have enabled socat to be able to call into wolfSSL through the OpenSSL compatibility layer. You can access the GitHub page here: https://github.com/wolfSSL/osp/tree/master/socat
The wolfSSL library is now safe against the “Harvest Now, Decrypt Later” post-quantum threat model with the addition of our new TLS 1.3 post-quantum groups. But where does that leave wolfSSH? It is still only using RSA and elliptic curve key exchange algorithms which are vulnerable to the threat model mentioned above. If you are interested in knowing about our plans to protect wolfSSH using post-quantum key exchanges, please get in contact with us at firstname.lastname@example.org.
Join our live wolfEngine webinar, where we introduce one of our newest products wolfEngine, a separate standalone library which links against wolfSSL (libwolfssl) and OpenSSL. wolfEngine implements and exposes an OpenSSL engine implementation which wraps the wolfCrypt native API internally. Algorithm support matches that as listed on the wolfCrypt FIPS 140-2 certificate #3389.
Learn about about what wolfEngine is, why you should care, and why wolfEngine could be the solution to all of your problems. As always bring your questions for the Q&A following the presentation.
wolfEngine : wolfCrypt as an Engine for OpenSSL
Time: Oct 7, 2021 09:00 AM in Pacific Time
Register here: https://us02web.zoom.us/webinar/register/WN_1gPXMVUgReClAodxe7sTPg
wolfSSL Linux kernel module support has grown by leaps and bounds, with new support for public key (PK) cryptographic acceleration, FIPS 140-3, accelerated crypto in IRQ handlers, portability improvements, and overall feature completeness.
The module provides the entire libwolfssl API natively to other kernel modules, allowing fully kernel-resident TLS/DTLS endpoints with in-kernel handshaking. Configuration and building is turnkey via the
--enable-linuxkm option, and can optionally be configured for cryptographic self-test at load time (POST), including full FIPS 140-3 core hash integrity verification and self-test.
As with library builds, the kernel module can be configured in detail to meet application requirements, while staying within target capabilities and limitations. In particular, developers can opt to link in only the wolfCrypt suite of low level cryptographic algorithms, or can include the full TLS protocol stack with TLS 1.3 support.
For PK operations, the kernel module leverages our new function-complete SP bignum implementation, featuring state of the art performance and side channel attack immunity. AVX2 and AES-NI accelerations are available on x86, and are usable from both normal kernel threads and from interrupt handler contexts. When configured for AES-NI acceleration, the module delivers AES256-GCM encrypt/decrypt at better than 1 byte per cycle.
Kernel module builds of libwolfssl are supported in wolfSSL release 4.6 and newer, and are available in our mainline github repository, supporting the 3.x, 4.x, and 5.x Linux version lines on x86-64, with limited support for ARM and MIPS. Full FIPS 140-3 support on x86-64 will be available in the forthcoming wolfSSL Version 5.0 release.
It came to our attention that OpenSSL just published two new vulnerabilities.
- CVE-2021-3711 – “SM2 decryption buffer overflow” (nakedsecurity)
- CVE-202103712 – “Read buffer overruns processing ASN.1 strings.” (nakedsecurity)
These were specific OpenSSL issues and do not affect wolfSSL. For a list of CVEs that apply to wolfSSL please watch the security page on our website here: https://www.wolfssl.com/docs/security-vulnerabilities/
We wanted to take this opportunity to remind our customers and users that wolfSSL is in no way related to OpenSSL. wolfSSL was written from the ground up and is a unique SSL/TLS implementation.
That being said, wolfSSL does support an OpenSSL compatibility layer allowing OpenSSL users to drop in wolfSSL but continue to use the most commonly found OpenSSL API’s after re-compiling their applications to link against wolfSSL.
One individual also pointed out the time delta between report and fix on the above CVEs and wolfSSL would like to remind our customers and users of how proud we are of our less than 48 hour delta between report and fix. For more on our response time and process regarding vulnerabilities check out https://www.wolfssl.com/everything-wanted-know-wolfssl-support-handles-vulnerability-reports-afraid-ask/
A quick followup to the post “wolfSSLs’ Proprietary ACVP client”.
wolfSSL Inc. is proud to announce a recent addition to the wolfCrypt FIPS cert 3389!
- CMSIS-RTOS2 v2.1.3 running on a Silicon Labs EFM32G (Giant Gecko) chipset with wolfCrypt v4.6.1
Testing and standup for the EFM32 Giant Gecko was done collaboratively between wolfSSL Inc. and one of wolfSSLs’ customers. wolfCrypt had not previously been ported to or run on an EFM32 device so this was an exciting opportunity to both test on an EFM32 for the first time and to take wolfCrypt, running on the EFM32, through FIPS certification!
If you have any questions about getting wolfCrypt or wolfSSL up and running on your EFM32 target, not only is it possible, it is possible with FIPS 140-2 (and soon FIPS 140-3) certification as well!
Other OE’s added since the original ACVP client post are:
- Linux 4.14 running on ARMv8 Cortex A53 with and without PAA (module version 4.5.4)
- Windows CE 6.0 running on ARM Cortex-A8 (module version 4.6.2)
- Linux 4.19 running on ARMv8 Cortex A53 with and without PAA (module version 4.5.4)
At the time of this posting wolfSSL has:
- 10 OE additions (1SUB) in coordination phase with the CMVP to be added to cert 3389
- 4 OE additions (1SUB) that have completed all testing and are ready to be submitted to the CMVP
- 5 OE additions (1SUB) actively in the testing process
- 1 OE addition (1SUB) in the queue to start
While the CMVP is no longer accepting 3SUB and 5SUB submissions for FIPS 140-2 (Cutoff date was 22 Sep 2021) wolfSSL Inc. continues to work on 1SUB OE additions. wolfSSL Inc. will continue to work on 1SUB OE additions to cert 3389 until 7 months before the expiration date of cert 3389.
wolfSSL Inc. was one of the first to submit for FIPS 140-3 and we expect to be one of the first to receive a 140-3 certificate. If you are looking for a commercial FIPS 140-3 solution, then look no further!
If you need FIPS 140-2 or 140-3 please don’t hesitate to reach out to email@example.com anytime.
- October 2021 (9)
- September 2021 (15)
- August 2021 (13)
- July 2021 (21)
- June 2021 (19)
- May 2021 (12)
- April 2021 (12)
- March 2021 (27)
- February 2021 (29)
- January 2021 (22)
- December 2020 (21)
- November 2020 (14)
- October 2020 (7)
- September 2020 (22)
- August 2020 (11)
- July 2020 (8)
- June 2020 (14)
- May 2020 (15)
- April 2020 (14)
- March 2020 (4)
- February 2020 (24)
- January 2020 (18)
- December 2019 (7)
- November 2019 (16)
- October 2019 (14)
- September 2019 (24)
- August 2019 (21)
- July 2019 (8)
- June 2019 (13)
- May 2019 (35)
- April 2019 (31)
- March 2019 (20)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (10)
- October 2018 (18)
- September 2018 (18)
- August 2018 (8)
- July 2018 (15)
- June 2018 (29)
- May 2018 (15)
- April 2018 (11)
- March 2018 (19)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (7)
- September 2017 (8)
- August 2017 (6)
- July 2017 (11)
- June 2017 (8)
- May 2017 (10)
- April 2017 (5)
- March 2017 (7)
- February 2017 (1)
- January 2017 (8)
- December 2016 (3)
- November 2016 (2)
- October 2016 (18)
- September 2016 (8)
- August 2016 (5)
- July 2016 (4)
- June 2016 (10)
- May 2016 (4)
- April 2016 (5)
- March 2016 (4)
- February 2016 (12)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (6)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (13)
- January 2015 (6)
- December 2014 (7)
- November 2014 (3)
- October 2014 (2)
- September 2014 (11)
- August 2014 (6)
- July 2014 (9)
- June 2014 (11)
- May 2014 (11)
- April 2014 (9)
- March 2014 (3)
- February 2014 (3)
- January 2014 (5)
- December 2013 (9)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (8)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (9)
- December 2012 (13)
- November 2012 (5)
- October 2012 (7)
- September 2012 (4)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (5)
- April 2012 (7)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (6)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (8)
- May 2011 (12)
- April 2011 (4)
- March 2011 (12)
- February 2011 (8)
- January 2011 (13)
- December 2010 (17)
- November 2010 (12)
- October 2010 (14)
- September 2010 (11)
- August 2010 (20)
- July 2010 (14)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)