RECENT BLOG NEWS

So, what’s new at wolfSSL? Take a look below to check out the most recent news.
Or sign up to receive weekly email notifications containing the latest news from wolfSSL.
In addition, wolfSSL now has a support-specific blog page dedicated to answering some of the more commonly received support questions.

wolfSSL 3.15.3 Now Available

wolfSSL is proud to announce release version 3.15.3 of the wolfSSL embedded TLS library.  This release contains bug fixes and new features, which include:

  • ECDSA blinding added for hardening against side channel attacks
  • Fix for OpenSSL compatibility layer build with no server (NO_WOLFSSL_SERVER) and no client (NO_WOLFSSL_CLIENT) defined
  • Intel assembly instructions support for compatible AMD processors
  • wolfCrypt port for Mentor Graphics Nucleus RTOS
  • Fix added for MatchDomainName() with additional tests added
  • Fixes for building with ‘WOLFSSL_ATECC508A’ defined
  • Fix for verifying a PKCS7 files in BER format with indefinite size

This release of wolfSSL fixes 2 security vulnerability fixes:

Medium level fix for PRIME + PROBE attack combined with a variant of Lucky 13.  Constant time hardening was done to avoid potential cache-based side channel attacks when verifying the MAC on a TLS packet. CBC cipher suites are susceptible on systems where an attacker could gain access and run a parallel program for inspecting caching. Only wolfSSL users that are using TLS/DTLS CBC cipher suites need to update. Users that have only AEAD and stream cipher suites set, or have built with WOLFSSL_MAX_STRENGTH (--enable-maxstrength), are not vulnerable. Thanks to Eyal Ronen, Kenny Paterson, and Adi Shamir for the report.

Medium level fix for a ECDSA side channel attack. wolfSSL is one of over a dozen vendors mentioned in the recent Technical Advisory “ROHNP” by author Ryan Keegan. Only wolfSSL users with long term ECDSA private keys using our fastmath or normal math libraries on systems where attackers can get access to the machine using the ECDSA key need to update. An attacker gaining access to the system could mount a memory cache side channel attack that could recover the key within a few thousand signatures. wolfSSL users that are not using ECDSA private keys, that are using the single precision math library, or that are using ECDSA offloading do not need to update. (blog with more information: https://www.wolfssl.com/wolfssl-and-rohnp/)

For more information, please contact info@wolfssl.com. You can see the full change log in the source archive from our website at www.wolfssl.com or at our GitHub repository.

wolfSSL Renesas CS+ Support

Are you a user of Renesas CS+?  If so, you will be happy to know that wolfSSL recently added support and example project files to the wolfSSL embedded SSL/TLS library for CS+!

Renesas CS+ (formerly CubeSuite+) integrated development environment provides simplicity, security, and ease of use in developing software through iterative cycles of editing, building, and debugging.

CS+ IDE project files for building the wolfSSL library, as well as a project file to build and run the wolfCrypt test app have been included in the wolfSSL package, specifically in the “IDE/Renesas/cs+/Projects” directory.

For instructions on how to build the projects, please see the README, located at “IDE/Renesas/cs+/Projects/README”.  This support is currently located in our GitHub master branch, and will roll into the next stable release of wolfSSL as well.  For any questions or help getting wolfSSL up and running on your Renesas environment, please contact us at support@wolfssl.com.  wolfSSL also now supports the most current version of TLS, TLS 1.3!  Learn more here!

OpenSSL Compatibility Layer Expands with 15 New Functions

As many of our readers know, the wolfSSL embedded SSL/TLS library includes an OpenSSL compatibility layer.  This layer makes it easier to replace OpenSSL with wolfSSL in applications that have previously been using OpenSSL.

As wolfSSL is ported into more and more projects that have previously used OpenSSL, our compatibility layer expands.  As part of a recent project, we have added 15 new functions to the OpenSSL compatibility layer, including:

OpenSSL_add_all_algorithms_noconf()
RAND_poll()
d2i_X509_fp()
X509_check_ca()
X509_CRL_free()
X509_STORE_add_crl()
d2i_X509_CRL_fp()
PEM_read_X509_CRL()
ASN1_GENERALIZEDTIME_free()
ASN1_STRING_print_ex()
ASN1_TIME_to_generalizedtime()
d2i_PKCS12_fp()
i2d_RSAPublicKey()
d2i_RSAPublicKey()
i2c_ASN1_INTEGER()

We also added 4 helper functions related to these new compatibility layer functions:

int wolfSSL_ASN1_TIME_get_length(WOLFSSL_ASN1_TIME *t)
  Get length member data of WOLFSSL_ASN1_TIME structure.

unsigned char* wolfSSL_ASN1_TIME_get_data(WOLFSSL_ASN1_TIME *t)
  Get data member data of WOLFLSSL_ASN1_TIME structure and return pointer of ASN1_TIME data.

int wolfSSL_X509_CA_num(WOLFSSL_X509_STORE* store)
  Return number of signer in cert manager of WOLFSSL_X509_STORE.

long wolfSSL_X509_get_version(const WOLFSSL_X509 *x509)
  Return version number of X509.

There are several reasons that users switch from OpenSSL to wolfSSL, including memory usage, portability, algorithm support, CAVP and FIPS 140-2 validations, and the availability of excellent commercial support.  To learn more about the advantages of using wolfSSL, visit our page on “wolfSSL vs. OpenSSL”.  If you have any questions about using wolfSSL in your application, or replacing OpenSSL with wolfSSL, please reach out to our support team at support@wolfssl.com!

Renesas e2studio Support

Are you a user of Renesas e² studio?  If so, you will be happy to know that wolfSSL recently added support and example project files to the wolfSSL embedded SSL/TLS library for e² studio!

Renesas e² studio is a development environment based on the popular Eclipse CDT (C/C++ Development Tooling), covers build (editor, compiler and linker control), as well as debug interface.

e² studio project files for building the wolfSSL library, as well as a project file to build and run the wolfCrypt test app have been included in the wolfSSL package, specifically in the “IDE/Renesas/e2studio” directory.  When working with Renesas e² studio, wolfSSL worked with e² studio version 6.3.0 and the Renesas C compiler.

For instructions on how to build the projects, please see the README, located at “IDE/Renesas/e2studio/Projects/README”.  This support is currently located in our GitHub master branch, and will roll into the next stable release of wolfSSL as well.  For any questions or help getting wolfSSL up and running on your Renesas environment, please contact us at support@wolfssl.com.

Live webinar – Testing and Security Vulnerability

Please join wolfSSL Engineer, Kaleb Himes, for the live webinar, "Testing and Security Vulnerability". We'll explore vulnerabilities, why testing is a mission, the testing life cycle and why wolfSSL is the best! This webinar may be a useful resource for learning more about how wolfSSL is tested and how security vulnerabilities are determined.

Please register for one of the following times:

When: Oct 24, 2018 10:00AM Singapore, 11:00AM Japan
Register in advance for this webinar:
https://zoom.us/webinar/register/WN_qQU3OC6IRLeOopfyIYMOAg

When: Oct 25, 2018 3:00 PM Central European Time
Register in advance for this webinar:
https://zoom.us/webinar/register/WN_lNxPdI8FTP6bksk-tiVx4w

When: Oct 25, 2018 10:00 AM Pacific Time (US and Canada)
Register in advance for this webinar:
https://zoom.us/webinar/register/WN_xrQu_mx0TXGzQyL1858c1A

After registering, you will receive a confirmation email containing information about joining the webinar.

We look forward to seeing you there!

For more information, please feel free to contact support@wolfssl.com or view our FAQ page. Additionally, information about previous wolfSSL webinars is available here: https://www.wolfssl.com/?s=webinar

wolfSSL at Sensors Midwest

wolfSSL will be attending Sensors Midwest 2018 next week in Rosemont, IL. Stop by to talk with engineering manager Chris Conlon and sales & marketing director Christin Casperson.

Sensors Midwest will be held on October 16th and 17th, at the Donald E. Stephens Convention Center, and wolfSSL will be attending on both of these days.

Additionally, Chris Conlon will be giving a speech titled "An Overview of TLS 1.3" on Tuesday, October 16th, from 10:10am to 11:00am.

Stop by booth #212 to have questions about wolfSSL/licensing answered in person, to learn more about the benefits of a TLS 1.3 implementation written in C combined with FIPS, to hear Chris's speech, or to pick up some nifty stickers. We look forward to seeing you there!

wolfSSL at ARM TechCon

wolfSSL will be attending at ARM TechCon 2018 next week, in San Jose, CA. Stop by to talk with business director Rich Kelm, software engineer Tesfa Mael, and intern Rylie DeGarmo.

ARM TechCon 2018 will be held from October 16th to October 18th, at the San Jose Convention Center (directions), and wolfSSL will be attending on October 17th and 18th.

Stop by booth #1026 to have questions about wolfSSL/licensing answered in person, to learn more about the benefits of an all C TLS 1.3 implementation with FIPS, or to pick up some nifty stickers. We look forward to seeing you there!

TLS 1.3 combined with FIPS (#FIPS #TLS13)

wolfSSL is a lightweight TLS/SSL library that is targeted for embedded devices and systems. It has support for the TLS 1.3 protocol, which is a secure protocol for transporting data between devices and across the Internet. In addition, wolfSSL uses the wolfCrypt encryption library to handle its data encryption.

Because there is a FIPS 140-2 validated version of wolfCrypt, this means that wolfSSL not only has support for the most current version of TLS, but it also has the encryption backbone to support your FIPS 140-2 needs if required.

Some key benefits of combining TLS 1.3 with FIPS validated software include:

  1. Software becomes marketable to federal agencies - without FIPS, a federal agency is not able to use cryptographic-based software
  2. Single round trip
  3. 0-RTT (a mode that enable zero round trip time)
  4. After Server Hello, all handshake messages are encrypted.

And much more! For more information regarding the benefits of using TLS 1.3 or using the FIPS validated version of wolfCrypt, check out wolfSSL's TLS 1.3 Protocol Support and our wolfCrypt FIPS page.

FIPS 140-2 is a government validation that certifies that an encryption module has successfully passed rigorous testing and meets high encryption standards as specified by NIST. For more information or details on FIPS 140-2, it may be helpful to view this Wikipedia article: https://en.wikipedia.org/wiki/FIPS_140-2

For more details about wolfSSL, TLS 1.3, or if you have any other general inquiries please contact info@wolfssl.com

To find out more about FIPS, check out the NIST FIPS publications or contact fips@wolfssl.com

Lighttpd support for wolfSSL

Lighttpd master now supports wolfSSL with autoconf, meson, CMake, and SCons.

Build wolfSSL using:

./configure --enable-lighty
make
sudo make install

Build Lighttpd using:

./configure --with-wolfssl=yes

or

cmake -DWITH_WOLFSSL=ON ..

This work was submitted via: https://github.com/lighttpd/lighttpd1.4/pull/92

Current documentation can be found here:
https://github.com/dgarske/lighttpd1.4/tree/lighttpd_wolfssl/doc/wolfssl

For more questions please email us at info@wolfssl.com.

Securing MySQL (#mysql) with wolfSSL SSL/TLS

MySQL logo             wolfSSL logo

MySQL (#mysql) currently comes bundled with yaSSL to provide an option for SSL/TLS connections when using a database. A patch for securing MySQL with the wolfSSL embedded SSL/TLS library is available for MySQL version 8.0.0 here https://github.com/wolfSSL/mysql-patch.

Along with an increased level of security comes the potential to use progressive features offered by wolfSSL – such as TLS 1.3 and ChaCha20 / Poly1305 AEAD cipher suites (ex: ECDHE-RSA-CHACHA20-POLY1305). Another great feature is that wolfSSL cryptography is FIPS 140-2 validated! Additionally, these features of wolfSSL are not mutually exclusive. For example, the FIPS 140-2 validation can be combined with wolfSSL’s support for TLS 1.3 for a lethal combination of security. The change from yaSSL to wolfSSL will fit nicely into both Open Source and commercial applications, as it is dual licensed under both GPLv2 and standard commercial license terms.

For more information about the port, or to provide us feedback, contact us at info@wolfssl.com!

wolfSSL Intel SGX (#SGX) + FIPS 140-2 (#FIPS140)!

wolfSSL is pleased to announce the following addition to the wolfSSL FIPS certificate!

Debian 8.7.0 Intel ® Xeon® E3 Family with SGX support Intel®x64 Server System R1304SP
Windows 10 Pro Intel ® Core TM i5 with SGX support Dell LatitudeTM 7480

The wolfCrypt FIPS validated cryptographic module has been validated while running inside an Intel SGX enclave and examples have been setup for both Linux and Windows environments.

Intel ® SGX (Software Guard Extensions) can be thought of as a black-box where no other application running on the same device can see inside regardless of privilege. From a security standpoint this means that even if a malicious actor were to gain complete control of a system including root privileges, that actor, no matter what they tried, would not be able to access data inside of this “black-box”.

An Intel enclave is a form of user-level Trusted Execution Environment (TEE) which can provide both storage and execution. Meaning one can store sensitive information inside and also move sensitive portions of a program or an entire application inside.

While testing, wolfSSL has placed both individual functions and entire applications inside the enclave. One of the wolfSSL examples shows a client inside the enclave with the only entry/exit points being “start_client”, “read”, and “write”. The client is pre-programmed with a peer to connect with and specific functionality. When “start_client” is invoked it connects to the peer using SSL/TLS and executes the pre-programmed tasks where the only data entering and leaving the enclave is the info being sent to and received from the peer. Other examples show placing a single cryptographic operation inside the enclave, passing in plain-text data and receiving back encrypted data masking execution of the cryptographic operations.

If you are working with SGX and need FIPS validated crypto running in an enclave contact us at fips@wolfssl.com or support@wolfssl.com with any questions. We would love the opportunity to field your questions and hear about your project!

Resources:
https://software.intel.com/en-us/blogs/2016/12/20/overview-of-an-intel-software-guard-extensions-enclave-life-cycle

Posts navigation

1 2 3 4 78 79 80

Weekly updates

Archives

Latest Tweets