RECENT BLOG NEWS
Or sign up to receive weekly email notifications containing the latest news from wolfSSL.
In addition, wolfSSL now has a support-specific blog page dedicated to answering some of the more commonly received support questions.
Happy Holidays! wolfSSL release 3.15.7 is now available!
The holiday release of the wolfSSL embedded SSL/TLS library contains many feature additions, bug fixes, and improvements. Some of these changes include improved API documentation, RSA-verify-only and RSA-public-key-operations-only builds, and several new port additions. More details about what is included with the new version of wolfSSL are listed below.
- New Feature Additions And Ports:
- Support for Espressif ESP-IDF development framework
- PKCS#7 support for generating and verify bundles using a detached signature.
- Port update for Micrium uC/OS-III
- Feature to adjust max fragment size post handshake when compiled with the macro WOLFSSL_ALLOW_MAX_FRAGMENT_ADJUST
- The addition of multiple languages in wolfSSL’s bundled examples can cause problems for embedded devices that can not handle the special characters. Having NO_MULTIBYTE_PRINT defined compiles out code used for printing the special characters.
- RSA verify only (--enable-rsavfy) and RSA public only (--enable-rsapub) builds added. These are builds that can be used with --enable-cryptonly that compile out portions of RSA code. Giving the option for an even smaller build of wolfSSL in the case that only RSA public key operations or only RSA verify operations are needed.
One of the many new exciting updates to existing wolfSSL features was the support for the Intel QuickAssist v1.7 driver being added! This enables wolfSSL to be used in asynchronous mode with newer Intel hardware for a massive performance gain over the previous driver. In addition to the driver update, support for RSA key generation and SHA-3 support was added to the wolfSSL QuickAssist port. The following is a list of some of the other notable additional updates and fixes in the release:
- Fix for Xcode build with iPhone simulator on i386
- Fix for building the wolfSSL library with AES-CBC disabled and the opensslextra compatibility layer enabled
- Updates to sniffer for showing session information and handling split messages across records
- Updates for Doxygen documentation, including PKCS#11 API and more
- Enhancements to test cases for increased code coverage
- Updates to VxWorks port for use with Mongoose, including updates to the OpenSSL compatibility layer
- Updating --enable-armasm build for ease of use with autotools
- Lots of improvements were made for ease of use with Yocto. The INSTALL file bundled with wolfSSL has been updated as part of this to help guide users through a Yocto build of wolfSSL.
Some updates and minor fixes were made to the TLS 1.3 code in wolfSSL. Keeping our industry leading TLS 1.3 implementation robust and up to date. These fixes included:
- Updates to internal code checking TLS 1.3 version with a connection
- Removing unnecessary extended master secret from ServerHello if using TLS 1.3
- Fix for TLS v1.3 HelloRetryRequest to be sent immediately and not grouped
This release of wolfSSL also included a fix for 1 security vulnerability. It was a medium level fix for a potential cache attack with a variant of Bleichenbacher’s attack. Earlier versions of wolfSSL leaked PKCS #1 v1.5 padding information during private key decryption that could lead to a potential padding oracle attack. It is recommended that users update to the latest version of wolfSSL if they have RSA cipher suites enabled and have the potential for malicious software to be ran on the same system that is performing RSA operations. Users that have only ECC cipher suites enabled and are not performing RSA PKCS #1 v1.5 Decryption operations are not vulnerable. Users with TLS 1.3-only connections are not vulnerable to this attack. Thanks to Eyal Ronen (Weizmann Institute), Robert Gillham (University of Adelaide), Daniel Genkin (University of Michigan), Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom (University of Adelaide and Data61) for the report. The paper for further reading on the attack along with more details can be found at http://cat.eyalro.net/cat.pdf. To view or apply a patch of the changes this is the exact PR on github with the fix: https://github.com/wolfSSL/wolfssl/pull/1950.
The wolfSSL embedded SSL/TLS library is highly portable, and easy to build on many different platforms. One of these platforms includes the Yocto Project, a project that assists developers with creating Linux-based systems on any architecture.
wolfSSL also includes many recipes and projects that make it easy to build on various platforms, and is maintained in the meta-wolfssl GitHub repository. This repository contains both Yocto and OpenEmbedded recipes for wolfSSL products (wolfSSL, wolfSSH, wolfMQTT, wolfTPM) and wolfSSL example applications. It also includes .bbappend files, which can be used to configure the cURL open-source project with support with the wolfSSL library.
More information about Yocto Linux and wolfSSL can be found in the meta-wolfssl readme, located in the GitHub repository here: https://github.com/wolfSSL/meta-wolfssl/blob/master/README.md
For more information on using wolfSSL, please contact firstname.lastname@example.org.
wolfSSL provides support on four levels, one of which is the 24x7 support level. This support level includes many key features not available on the others, such as an unlimited number of support incidents, around-the-clock support from dedicated members of the wolfSSL support team, and remains in effect for an entire year.
wolfSSL provides three other levels of paid support, which also include some of the same features provided by 24x7 support. More details on the wolfSSL support packages and levels can be viewed here: https://www.wolfssl.com/products/support-packages-options/
wolfSSL also provides support for the latest version of the TLS protocol, TLS 1.3! Read more about wolfSSL's implementation and the protocol itself here: https://www.wolfssl.com/docs/tls13/
For more information, please contact email@example.com.
wolfSSL is a lightweight TLS/SSL library that is targeted for embedded devices and systems. It has support for the TLS 1.3 protocol, which is a secure protocol for transporting data between devices and across the Internet. In addition, wolfSSL uses the wolfCrypt encryption library to handle its data encryption.
Because there is a FIPS 140-2 validated version of wolfCrypt, this means that wolfSSL not only has support for the most current version of TLS, but it also has the encryption backbone to support your FIPS 140-2 needs if required.
Some key benefits of combining TLS 1.3 with FIPS validated software include:
- Software becomes marketable to federal agencies - without FIPS, a federal agency is not able to use cryptographic-based software
- Single round trip
- 0-RTT (a mode that enable zero round trip time)
- After Server Hello, all handshake messages are encrypted.
FIPS 140-2 is a government validation that certifies that an encryption module has successfully passed rigorous testing and meets high encryption standards as specified by NIST. For more information or details on FIPS 140-2, it may be helpful to view this Wikipedia article: https://en.wikipedia.org/wiki/FIPS_140-2
For more details about wolfSSL, TLS 1.3, or if you have any other general inquiries please contact firstname.lastname@example.org
Release 3.15.7 of wolfSSL Async has bug fixes and new features including:
- All wolfSSL v3.15.7 fixes and features.
- Fixes for additional static analysis warnings and async edge cases (https://github.com/wolfSSL/wolfssl/pull/2003).
- Added QAT v1.7 driver support including support for QAT 8970 hardware.
- Added QAT SHA-3 support.
- Added QAT RSA Key Generation support.
- Added support for new usdm memory driver.
- Added support for detecting QAT version and features.
- Added `QAT_ENABLE_RNG` option to disable QAT TRNG/DRBG.
- Added alternate hashing method to cache all updates (avoids using partial updates).
Here are the latest benchmarks with various build configurations:
|Asymmetric ops/sec||SW (CPU)||SW (SP)||HW QAT||HW Nitrox V||Symmetric MB/sec||SW (CPU)||SW (AESNI)||HW QAT||HW Nitrox V|
|RSA 2048 key gen||12||12||147||AES-128-CBC Enc||939||5,028||3,454||238|
|RSA 2048 public||10,679||118,922||271,142||140,699||AES-128-CBC Dec||926||5,585||3,464||238|
|RSA 2048 private||866||3,767||42,460||8,266||AES-128-GCM||22||5,517||3,341||133|
|DH 2048 key gen||2,915||7,559||48,931||MD5||608||3,257||2,095|
|DH 2048 key agree||3,026||7,477||68,351||SHA||394||1,533||2,225|
|ECDHE 256 agree||4,376||54,119||56,805||10,503||SHA-224||157||1,003||2,400|
|ECDSA 256 sign||4,153||140,668||60,038||22,165||SHA-256||152||1,003||2,401|
|ECDSA 256 verify||5,404||43,689||32,853||7,361||SHA-384||256||1,458||2,343|
Performed on an Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz, 16GB RAM, 8 threads, wolfSSL v3.15.7, QuickAssist v1.7 8970 PCIe 16x OR Cavium Nitrox V CNN5560-900-C45
CPU: ./configure --enable-keygen --enable-sha3
SP/AESNI: ./configure --enable-sp --enable-sp-asm --enable-aesni --enable-intelasm --enable-intelrand --enable-keygen --enable-sha3
QAT: ./configure --with-intelqa=../QAT1.7 --enable-asynccrypt --enable-keygen --enable-sha3
Nitrox V: ./configure --with-cavium-v=../CNN55XX-SDK --enable-asynccrypt
If you are interested in evaluating the wolfSSL Asynchronous support for Intel QuickAssist or Cavium Nitrox, please email us at email@example.com.
Are you looking for an SSL/TLS library which will seamlessly integrate into your bare metal or No-OS environment? If so, continue reading to learn why the wolfSSL lightweight SSL library is a perfect fit for such environments.
wolfSSL has been designed with portability and ease of use in mind, allowing developers to easily integrate it into a bare metal or operating systemless environment. As a large percentage of wolfSSL users are running the library on small, embedded devices, we have added several abstraction layers which make tying wolfSSL into these types of environments an easy task.
Available abstraction layers include:
- Custom Input/Output
- Standard C library / Memory
- File system (Able to use cert/key buffers instead)
- Operating System
In addition to abstraction layers, we have tried to keep wolfSSL’s memory usage as low as possible. Build sizes for a complete SSL/TLS stack range from 20-100kB depending on build options, with RAM usage between 1-36kB per connection.
The wolfSSL FAQ page can be useful for information or general questions that need need answers immediately. It covers some of the most common questions that the support team receives, along with the support team's responses. It's a great resource for questions about wolfSSL, embedded TLS, and for solutions to problems getting started with wolfSSL.
To view this page for yourself, please follow this link here.
Here is a sample list of 5 questions that the FAQ page covers:
- How do I build wolfSSL on ... (*NIX, Windows, Embedded device) ?
- How do I manage the build configuration of wolfSSL?
- How much Flash/RAM does wolfSSL use?
- How do I extract a public key from a X.509 certificate?
- Is it possible to use no dynamic memory with wolfSSL and/or wolfCrypt?
Have a question that isn't on the FAQ? Feel free to email us at firstname.lastname@example.org.
wolfSSH is a portable embedded SSH solution developed by wolfSSL. Recently we have made an exciting new feature enhancement to allow for client side support of pseudo terminal connections. This feature can be turned on by using the configure flag --enable-term and running the example client with “-t” ( i.e. ./examples/client/client -t -h <ip> -u <username> -p <port #> ). In addition to the added enhancement of using pseudo terminals, a function was added to support console code translations from Linux to Windows terminals. This allows usage of client side wolfSSH pseudo terminals on a Windows machine when connecting to a Linux server.
Another feature that was added is the ability for sending execution commands from the client to a server. An SSH connection to execute a command can be done by using the “-c” flag with the example SSH client. (i.e. ./examples/client/client -h <ip> -u <username> -p <port #> -c <command> ) There are many use cases for this, one being the case where an embedded system wants to startup a program on another device or server and pipe input / output through the secure wolfSSH connection.
These new features can be found at the wolfSSH github repository https://github.com/wolfSSL/wolfssh and in the next release version of wolfSSH on the wolfSSL website here https://www.wolfssl.com/download/.
For more information contact us at email@example.com.
Recently, wolfSSL released version 3.15.5 of the wolfSSL embedded SSL/TLS library. This new release features many feature additions and updates, one of which is the added support for using public key callbacks with TLS on an STSAFE-A100.
The STSAFE-A100 is a highly secure solution that acts as a secure element providing authentication and data management services to a local or remote host. When paired with wolfSSL, this results in a robust and secure device that is able to effectively prevent external malicious attacks and provide high-strength, fast encryption.
For more information about the release or about wolfSSL, please contact firstname.lastname@example.org.
wolfSSL version 3.15.5 release notes: https://www.wolfssl.com/wolfssl-3-15-5-now-available/
Recently, wolfSSL released version 3.15.5 of the wolfSSL embedded SSL/TLS library. This new release contains various updates and feature additions to the wolfSSL library, including the addition of Renesas RX e2 studio project files.
Renesas e2 studio is a development environment based on the Eclipse IDE. It covers various building tasks (editing, compiling, linking, etc.) and also provides a debug interface. It can use a wide range of compilers, including all Renesas compilers. This tool allows developers to more easily create and manage their project on their Renesas embedded controllers.
The addition of the wolfSSL studio project files for this tool is a great game changer, as it allows developers to use the portable, low-resource use wolfSSL library. wolfSSL uses the most secure and up-to-date encryption schemes that are offered by the wolfCrypt encryption engine, and also provides support for TLS 1.3! This way, Renesas embedded controllers can use high-end encryption with the latest version of the TLS protocol.
To find out more information, please contact email@example.com.
wolfSSL v3.15.5 release notes: https://www.wolfssl.com/wolfssl-3-15-5-now-available/
Recently, wolfSSL released version 3.15.5 of the wolfSSL embedded SSL/TLS library. This new release features many new additions and updates, including the addition of a port for the STM32L4 MCU.
The STM32L4 is an ultra-low-power device with high flexibility, and as a member of the STM32 family, is easily integratable with the wolfSSL library. As wolfSSL is highly portable and the STM32L4 is highly flexible, if your device has any special features that interfere with the wolfSSL port, they are easily remedied.
The new wolfSSL STM32 port functionality was added into the existing STM32 port, and the STM32L4 functionality can be enabled by either defining the "WOLFSSL_STM32L4" option in the user_settings.h file, or by including the option CPPFLAGS="-DWOLFSSL_STM32L4" to the configure script if building the wolfSSL library with autotools.
Additionally, wolfSSL also provides support for the latest version of the TLS protocol, TLS 1.3! Find more information about TLS 1.3 here: https://www.wolfssl.com/docs/tls13/
For more information, please contact firstname.lastname@example.org.
- January 2019 (6)
- December 2018 (24)
- November 2018 (11)
- October 2018 (18)
- September 2018 (18)
- August 2018 (8)
- July 2018 (15)
- June 2018 (29)
- May 2018 (15)
- April 2018 (11)
- March 2018 (19)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (7)
- September 2017 (8)
- August 2017 (6)
- July 2017 (11)
- June 2017 (8)
- May 2017 (10)
- April 2017 (5)
- March 2017 (7)
- February 2017 (1)
- January 2017 (8)
- December 2016 (3)
- November 2016 (2)
- October 2016 (18)
- September 2016 (8)
- August 2016 (5)
- July 2016 (4)
- June 2016 (11)
- May 2016 (4)
- April 2016 (5)
- March 2016 (4)
- February 2016 (12)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (6)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (13)
- January 2015 (6)
- December 2014 (7)
- November 2014 (3)
- October 2014 (2)
- September 2014 (11)
- August 2014 (6)
- July 2014 (9)
- June 2014 (11)
- May 2014 (11)
- April 2014 (9)
- March 2014 (3)
- February 2014 (3)
- January 2014 (6)
- December 2013 (9)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (8)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (9)
- December 2012 (13)
- November 2012 (5)
- October 2012 (7)
- September 2012 (4)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (6)
- April 2012 (7)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (6)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (8)
- May 2011 (12)
- April 2011 (4)
- March 2011 (12)
- February 2011 (9)
- January 2011 (13)
- December 2010 (17)
- November 2010 (12)
- October 2010 (14)
- September 2010 (11)
- August 2010 (20)
- July 2010 (14)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)