RECENT BLOG NEWS
Securing MySQL (#mysql) with wolfSSL
MySQL (#mysql) currently comes bundled with yaSSL to provide an option for SSL/TLS connections when using a database. A patch for securing MySQL with the wolfSSL embedded TLS/SSL library is available for MySQL version 8.0.0 here https://github.com/wolfSSL/mysql-patch.
Along with an increased level of security comes the potential to use progressive features offered by wolfSSL – such as TLS 1.3 and ChaCha20 / Poly1305 AEAD cipher suites (ex: ECDHE-RSA-CHACHA20-POLY1305). Another great feature is that wolfSSL cryptography is FIPS 140-2 validated! The change from yaSSL to wolfSSL will fit nicely into both Open Source and commercial applications, as it is dual licensed under both GPLv2 and standard commercial license terms.
For more information about the port contact us at facts@wolfssl.com
wolfSSH v1.2.0 SSH Server Now Available
wolfSSH v1.2.0 has dropped! We have just added support for Elliptic Curve algorithms and AES-GCM. The following key exchange and public key algorithms are now available:
- ecdh-sha2-nistp256
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
The wolfSSH SSH server provides the encryption algorithm “aes128-gcm@openssh.com”, which is an implementation of RFC 5647 using the MAC algorithm implied with using the AEAD algorithm AES-GCM. The wolfSSH library provides the messages for including in a client application. Also included is a build solution for MS Visual Studio.
wolfSSH v1.2.0 works best with wolfCrypt v3.12.2. The wolfCrypt/wolfSSL configure script has a wolfSSH enable option to simplify building. Download wolfSSH from the wolfSSL download page today!
Securing SMTP with wolfSSL using STARTTLS
STARTTLS is a way of protecting email communications from malicious users (insiders or otherwise) by upgrading a plaintext SMTP connection to one secured by SSL/TLS. SMTP using STARTTLS allows encryption of emails in transit between email clients and servers. Without encryption email messages can easily be intercepted and read at any point between the sender and the receiver.
wolfSSL has had multiple inquiries about STARTTLS and how to use wolfSSL for the TLS encryption in this protocol. Due to the volume of inquiries over the past few months, we have added an example of using STARTTLS with wolfSSL to the wolfSSL example client. To try it out download wolfSSL from the wolfSSL download page.
Instructions to build and run the examples included with the library can be found at:
Below is a quick example of connecting to GMail’s SMTP server with the wolfSSL example client. This will open a plaintext communication, use STARTTLS to convert to a SSL/TLS-encrypted channel, then close the connection.
Linux/Unix: ./examples/client/client -h smtp.gmail.com -p 587 -M smtp -d
Windows: client.exe -h smtp.gmail.com -p 587 -M smtp -d
-h specifies the host server to connect to (smtp.gmail.com)
-p specifies the port to connect on (587 for email submission)
-M tells the example client to use STARTTLS with protocol (smtp in this case)
-d tells the client not to authenticate the peer
( to do peer authentication you can download Google’s CA and replace -d option with: “-A /path/to/google-CA”)
If you have any questions or comments please contact wolfSSL at facts@wolfssl.com or visit the wolfSSL support forums.
– The wolfSSL Team
Fuzz Testing Research, Keeping up with the Times
A recent paper titled “Exploiting Dissent: Towards Fuzzing-based Differential Black-Box Testing of TLS Implementations” was published by Axel Sikora and Andreas Walz. wolfSSL found the paper both well composed and informative. We would like to congratulate Andreas and Axel on a well composed piece of literature and we would highly recommend reading it if you have the time!
This paper details a new differential testing method for fuzz testing and we will follow their research closely in the coming year. We hope to see more from Axel and Andreas soon. Until then, CHEERS and keep up the great work!
If you have any questions, comments, or feedback please contact us anytime at support@wolfssl.com or facts@wolfssl.com
TLS-Attacker, making the online world a safer place!
wolfSSL has a goal: “wolfSSL will provide the best security in the world for all to benefit”! We are very passionate about keeping our users safe and secure in an increasingly connected online world. To that end the wolfSSL product is the most thoroughly tested cryptography and TLS solution on the market today. wolfSSL appreciates and admires those who take the time and effort to implement tools that assist in making our goal a reality!
We recently were made aware of a tool being actively developed called “TLS-Attacker”. TLS-Attacker accomplishes “Systematic Fuzzing and Testing of TLS Libraries”. This tool was developed by the Ruhr University Bochum and the Hackmanit GmbH . wolfSSL is evaluating this tool for integration with our Jenkins/Hudson continuous integration server and we wanted to give a “SHOUT OUT” to all the developers who worked on this or other similar fuzzing tools! Tools like this help to ensure secure SSL/TLS implementations and we look forward to working with TLS-Attacker. We want to say, “THANK YOU” to the Ruhr University Bochum staff and Hackmanit staff for their efforts!
For any questions, concerns or comments please contact us anytime at support@wolfssl.com or facts@wolfssl.com!
wolfSSL 3.12.2 Now Available
wolfSSL 3.12.2 is now available for download! This release includes many performance improvements with Intel ASM (AVX/AVX2) and AES-NI. wolfSSL has implemented a new single precision math option to speed up RSA, DH and ECC in this release. Embedded hardware support has been expanded for STM32, PIC32MZ and ATECC508A, and AES-XTS mode support has been added for use with disk encryption.
There have been improvements to some of our certificate API’s that allow for setting the serial number, key usage and extended key usage. A refactor of the `SSL_` API’s and hash types has been performed to allow OpenSSL coexistence. There have been improvements made for TLS 1.3 support in this release. A fix was implemented for OCSP stapling to prevent sending the extension unexpectedly, WOLFSSL specific user contexts were added for callbacks, and there were fixes for some OpenSSL and MySQL compatibility functions. The wolfSSL Micrium port was updated for Micrium uC/OS-III, and there were fixes implemented for asynchronous modes as well.
Continue reading below for a summary of the features and fixes included in this release!
General Improvements:
- Speedups for SHA2, ChaCha20/Poly1035 using AVX/AVX2
- Speedups for AES GCM with AES-NI (–enable-aesni)
- New Single Precision math option for RSA, DH and ECC (See –enable-sp) (all off by default).
- Math updates and added TFM_MIPS speedup
- Fixes for HAVE_INTEL_MULX
- Added AES XTS mode (–enable-xts)
- Rename the file io.h/io.c to wolfio.h/wolfio.c
- Cleanup the wolfIO_Send function
- Improvements to Visual Studio DLL project/solution
- Added function to generate public ECC key from private key
- Added async blocking support for sniffer tool
- Updated Micrium uC/OS-III Port
TLS v1.3:
- Fixes for various TLS 1.3 disable options (RSA, ECC and ED/Curve 25519)
- Fix to disallow upgrading to TLS v1.3
- Fixes for wolfSSL_EVP_CipherFinal() when message size is a round multiple of a block size
- Add HMAC benchmark and expanded AES key size benchmarks
- Added simple GCC ARM Makefile example (see IDE/GCC-ARM)
- Add tests for 3072-bit RSA and DH
- Fixed DRAFT_18 define and fixed downgrading with TLS v1.3
Certificates:
- Alternate certificate chain support with WOLFSSL_ALT_CERT_CHAINS defined enables checking a cert against multiple CA’s
- Fixes to allow custom serial number during certificate generation
- Added method to get WOLFSSL_CTX certificate manager
- Improvement to wolfSSL_SetOCSP_Cb to allow a context per WOLFSSL object
- Updated root certs for OCSP scripts
- Added ASN Extended Key Usage Support. (See wc_SetExtKeyUsage)
- Fix for creation of the KeyUsage BitString
Extensions:
- Added TLS extension for Supported Point Formats (ec_point_formats)
- Fix to not send OCSP stapling extensions in client_hello when not enabled
OCSP Stapling:
- Added new API’s for disabling OCSP stapling
- Add check for SIZEOF_LONG with Sun and LP64
Settings Updates:
- Added new –disable-oldnames option to allow for using openssl alongside wolfssl headers (without OPENSSL_EXTRA)
- Refactor SSL_ and hashing types to use wolf specific prefix (WOLFSSL and WC_) to allow OpenSSL coexistence
- Added configure option for building library for wolfSSH (–enable-wolfssh)
- Added ability to use wolf implementation of strtok using USE_WOLF_STRTOK
MySQL Support:
- Cleanup include paths for MySQL cmake build
- Fix for 8k keys with MySQL compatibility
OpenSSL compatibility:
- OpenSSL compatibility layer improvements, additions, and fixes
Testing:
- Expanded API unit tests
- Update HASH_DRBG Reseed mechanism and add test case
- Added wolfCrypt hash tests for empty string and large data
Hardware Support:
- Fixes for STM32 crypto hardware acceleration
- Fixes for ATECC508A
- Fixes for PIC32MZ hashing
- Fixes and improvements to asynchronous modes for Intel QuickAssist and Cavium Nitrox V
Embedded SSL/TLS in the Holiday Spirit
Team wolfSSL is preparing for Halloween with a pumpkin carving! Our embedded security products are continually evolving. We encourage you to check our our wolfSSL embedded SSL/TLS library here, wolfMQTT, wolfSSH, or visit our product page for a complete list of lightweight Open Source security products.
As always if you have any questions, or would like more information about our products, please contact us at facts@wolfssl.com.
Thanks,
Team wolfSSL
ALT_ECC_SIZE, low visibility but highly useful!
It recently came to our attention that the preprocessor macro ALT_ECC_SIZE was missing in our documentation. As a result we decided to post a blog about this to help inform customers of the value for using this in space constrained devices using the fastmath math library with RSA/DH and ECC in wolfSSL.
ALT_ECC_SIZE:
The fastmath code uses an array of a fixed size to store the big integers. By default, the array is big enough for RSA 2048-keys. The FP_MAX_BITS option can be used to make the array smaller if just using ECC. If using both RSA/DH and ECC, the define ALT_ECC_SIZE provides an alternate smaller size for the ecc_point structure. The size can be manually adjusted using FP_MAX_BITS_ECC, otherwise it will be calculated automatically based on the enabled curves.
Without ALT_ECC_SIZE, the ecc_point has three single item arrays of mp_ints for the components of the point. With ALT_ECC_SIZE, the components of the point are pointers that are set to each of a three item array of alt_fp_ints. While an mp_int will have 4096 bits of digit inside the structure, the alt_fp_int will only have 528 bits. A size value was added in the ALT case, as well, and is set by mp_init() and alt_fp_init(). The functions fp_zero() and fp_copy() use the size parameter. An int needs to be initialized before using it instead of just fp_zeroing it, the init will call zero. FP_MAX_BITS_ECC defaults to 528, but can be set to change the number of bits used in the alternate FP_INT.
The ALT_ECC_SIZE option can only be enabled with USE_FAST_MATH.
More details can be found in the wolfssl/wolfcrypt/ecc.h file.
If you have any questions, concerns, comments or feedback please contact us anytime at facts@wolfssl.com or support@wolfssl.com.
wolfSSL at Docker Hub
We at wolfSSL are pleased to announce that now you can use wolfSSL directly from Docker!
In a few words, Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers are like virtual machines, but way more lighter as the container shares some resources with the hosting machine.
We created a collection of wolfSSL containers targeting the following OSs: Debian, Ubuntu, Alpine Linux, CentOS
There are 3 different flavors of containers we have created based on each OS, they are: lib, test and examples
wolfssl/wolfssl ubuntu-examples 9198e6d82596 127MB wolfssl/wolfssl ubuntu-test ba5ca8ca4359 351MB wolfssl/wolfssl ubuntu-lib 125125eea7ab 126MB ubuntu latest 2d696327ab2e 122MB wolfssl/wolfssl debian-examples cd066ee3b5db 106MB wolfssl/wolfssl debian-test 5a3edb3a2a20 356MB wolfssl/wolfssl debian-lib 3086ef0f07b6 105MB debian latest 72ef1cf971d1 100MB wolfssl/wolfssl centos-examples 37687e96d5b9 222MB wolfssl/wolfssl centos-test 359d4195ca53 392MB wolfssl/wolfssl centos-lib a8c6cafd6205 221MB centos latest 196e0ce0c9fb 197MB wolfssl/wolfssl alpine-examples 490120f86d61 8.74MB wolfssl/wolfssl alpine-test 52b698631bec 228MB wolfssl/wolfssl alpine-lib 692a0c26cda6 7.97MB alpine latest 76da55c8019d 3.97MB
The -lib images contains only the wolfSSL binaries, while -examples also contains the test examples and -test also contains wolfSSL’s source code.
You can find further information on how to run wolfSSL examples on a docker container in our docker hub page: https://hub.docker.com/u/wolfssl/
And here is a quick example, server in the left tab and the client in the right tab:
wolfSSL at XSWIG
wolfSSL recently presented at the XSWIG (Xilinx Security Working Group) in Longmont Colorado. Covering the topics of building wolfSSL for an Ultrazed EG starter kit and collecting benchmark values with hardware acceleration. If you would like more details of what we talked about, or are looking to add security to an FPGA embedded board contact us at facts@wolfssl.com!
Weekly updates
Archives
- April 2024 (23)
- March 2024 (21)
- February 2024 (18)
- January 2024 (21)
- December 2023 (20)
- November 2023 (20)
- October 2023 (23)
- September 2023 (17)
- August 2023 (25)
- July 2023 (39)
- June 2023 (13)
- May 2023 (11)
- April 2023 (6)
- March 2023 (23)
- February 2023 (7)
- January 2023 (7)
- December 2022 (15)
- November 2022 (11)
- October 2022 (9)
- September 2022 (7)
- August 2022 (12)
- July 2022 (11)
- June 2022 (15)
- May 2022 (11)
- April 2022 (14)
- March 2022 (12)
- February 2022 (22)
- January 2022 (13)
- December 2021 (13)
- November 2021 (29)
- October 2021 (15)
- September 2021 (15)
- August 2021 (13)
- July 2021 (21)
- June 2021 (19)
- May 2021 (12)
- April 2021 (13)
- March 2021 (27)
- February 2021 (29)
- January 2021 (22)
- December 2020 (21)
- November 2020 (14)
- October 2020 (7)
- September 2020 (22)
- August 2020 (11)
- July 2020 (8)
- June 2020 (14)
- May 2020 (15)
- April 2020 (14)
- March 2020 (4)
- February 2020 (24)
- January 2020 (18)
- December 2019 (7)
- November 2019 (16)
- October 2019 (14)
- September 2019 (24)
- August 2019 (21)
- July 2019 (8)
- June 2019 (13)
- May 2019 (35)
- April 2019 (31)
- March 2019 (20)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (10)
- October 2018 (18)
- September 2018 (18)
- August 2018 (8)
- July 2018 (15)
- June 2018 (29)
- May 2018 (15)
- April 2018 (11)
- March 2018 (19)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (7)
- September 2017 (8)
- August 2017 (6)
- July 2017 (11)
- June 2017 (8)
- May 2017 (10)
- April 2017 (5)
- March 2017 (7)
- February 2017 (1)
- January 2017 (8)
- December 2016 (3)
- November 2016 (2)
- October 2016 (18)
- September 2016 (8)
- August 2016 (5)
- July 2016 (4)
- June 2016 (10)
- May 2016 (4)
- April 2016 (5)
- March 2016 (4)
- February 2016 (12)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (6)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (13)
- January 2015 (6)
- December 2014 (7)
- November 2014 (3)
- October 2014 (2)
- September 2014 (11)
- August 2014 (6)
- July 2014 (9)
- June 2014 (11)
- May 2014 (11)
- April 2014 (9)
- March 2014 (3)
- February 2014 (3)
- January 2014 (5)
- December 2013 (9)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (8)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (9)
- December 2012 (13)
- November 2012 (5)
- October 2012 (7)
- September 2012 (4)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (5)
- April 2012 (7)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (6)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (8)
- May 2011 (12)
- April 2011 (4)
- March 2011 (12)
- February 2011 (8)
- January 2011 (13)
- December 2010 (17)
- November 2010 (12)
- October 2010 (14)
- September 2010 (11)
- August 2010 (20)
- July 2010 (14)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)