RECENT BLOG NEWS

The threat of cyber security attacks exist in every industry simply because the need/want of intelligent devices has increased. From the data aspect – we need to address data at rest, data in transit and firmware updates. These three key factors have been wolfSSL’s wheel house for the last 10 years. In the last few years, industries that have safety-critical and/or functional-safety standards are also having to implement Cyber Security Standards; Commercial Aviation (DO-178B/DO-178C) and Automotive (ISO-26262). As we write this blog, these new Cyber Security Industry Standards are still being drafted.

Cyber Security industry standards such as ISO-21434 (Automotive) seems to be somewhat ahead of DO-326A (Airworthiness Security Process Specification) and have kept engineering cyber security teams guessing on how they need to address their architectures and processes. We believe that wolfSSL can help these teams move forward NOW in their planning, coding and implementation because we provide the products that help you meet whatever cyber security process or industry standard you’re trying to meet. Afterall, we do have a DO-178C DAL A certifiable crypto and support FIPS 140-3 today.

Whether you’re trying to address data at rest (SSL/TLS, SSH), data in transit (secure crypto) or firmware updates (SSL/TLS, crypto, MQTT), wolfSSL has a product portfolio that can meet your architecture needs. Our products are dual-licensed for those that need something “Open” or for Commercial use and we support virtually every Operating System and microprocessor on the market. If we don’t support your operating environment we have a world-class engineering team to do so. We even support bare metal!So, don’t wait for standards to be finalized. Don’t wait for a data security breach to be the reason to address cyber security.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Users and customers build the wolfSSL embedded SSL/TLS library in all kinds of build environments, one of those being Cygwin on Windows.

To build wolfSSL for Cygwin, here are the current steps to do so. These instructions can also be found in the wolfSSL Manual.

1. Go to https://www.cygwin.com/install.html and download setup-x86_64.exe
2. Run setup-x86_64.exe and install however you choose. Click through the installation menus until you reach the “Select Packages” stage.
3. Click on the “+” icon to expand “All”
4. Now go to the “Archive” section and select “unzip” drop down, change “Skip” to 6.0-15 (or some other version).
5. Under “Devel” click “autoconf” drop down and change “Skip” to “10-1” (or some other version)
6. Under “Devel” click “automake” drop down and change “Skip” to “10-1” (or some other version)
7. Under “Devel” click the “gcc-core” drop down and change “Skip” to 7.4.0-1 (NOTE: wolfSSL has not tested GCC 9 or 10 and as they are fairly new does not recommend using them until they have had a bit more time to be fine-tuned for development).
8. Under “Devel” click the “git” drop down and change “Skip” to 2.29.0-1 (or some other version)
9. Under “Devel” click “libtool” drop down and change “Skip” to “2.4.6-5” (or some other version)
10. Under “Devel” click the “make” drop down and change “Skip” to 4.2.1-1 (or some other version)
11. Click “Next” and proceed through the rest of the installation.

Post Install:

1. Open a Cygwin terminal and clone wolfSSL “git clone https://github.com/wolfssl/wolfssl.git”
2. “cd wolfssl”
3. “./autogen.sh”
4. “./configure”
5. “make”
6. “make check”

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

In addition to portable builds, wolfSSL includes TLS 1.3 and has variants available for FIPS 140-2/140-3, DO-178, and MISRA!

Even FPGA softcore microprocessors need security. wolfSSL supports Xilinx MicroBlaze and Altera Nios II as well as Zynq SoCs with acceleration using XilSecure. For new and legacy projects, efficient security is available with first-class support.

See the Xilinx Vitis and Vivado README. For Nios II, from the Quartus developer environment run ./configure --host=nios2-elf

wolfSSL provides leading TLS 1.3 capabilities in a small memory footprint, and also offers FIPS 140-2/140-3 and DO-178 certified versions.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

FIPS 140-2 requires the use of validated cryptography in the security systems implemented by federal agencies to protect sensitive information. The wolfCrypt Module is a comprehensive suite of FIPS Approved algorithms. All key sizes and modes have been implemented to allow flexibility and efficiency.

The National Institute of Standards and Technology (NIST) is sending FIPS cert #2425 into sunset June 2021. For customers who will be impacted, the wolfCrypt Cryptographic Module maintains its #3389 certificate and can be used in conjunction with the wolfSSL embedded SSL/TLS library for full TLS 1.3 client and server support. Upgrade your FIPS cert with wolfSSL to stay afloat and benefit from: 

• Algorithm support for TLS 1.3!
• New algorithms such as AES (CBC, GCM, CTR, ECB), CVL, Hash DRBG, DSA, DHE, ECDSA (key generation, sign, verify), HMAC, RSA (key generation, sign, verify), SHA-3, SHA-2, SHA-1, and Triple-DES
• Hardware encryption support for NXP’s Cryptographic Assistance and Assurance Module (CAAM), NXP Memory-Mapped Cryptographic Acceleration Unit (mmCAU), Intel’s AES-NI, and more
• Support for secure elements and TPM’s
• Interoperability with wolfBoot, wolfSSH, and wolfTPM
• Integration support for third party libraries such as strongswan, nginx, python and more

Contact us to upgrade to FIPS cert #3389 at fips@wolfssl.com. 

Additional Resources 

Learn more about wolfSSL support for FIPS cert #3389: https://www.wolfssl.com/wolfcrypt-fips-certificate-3389-3/ 

For a list of supported Operating Environments for wolfCrypt FIPS, check our FIPS page: https://www.wolfssl.com/license/fips/ 

Our FIPS Story

wolfSSL is currently the leader in embedded FIPS certificates. We have a long history in FIPS starting with wolfCrypt FIPS 140-2 Level 1 Certificate #2425 as well as wolfCrypt v4 FIPS 140-2 Level 1 Certificate #3389. wolfSSL partners with FIPS experts KeyPair to bring you FIPS consulting services, and high assurance along each step of your FIPS certification process. Additionally, wolfSSL will be the first implementation of FIPS 140-3.

wolfSSL also provides support for a wolfCrypt FIPS Ready version of the library! wolfCrypt FIPS Ready is our FIPS enabled cryptography layer code included in the wolfSSL source tree that you can enable and build. You do not get a FIPS certificate, you are not FIPS approved, but you will be FIPS Ready. FIPS Ready means that you have included the FIPS code into your build and that you are operating according to the FIPS enforced best practices of default entry point, and power on self test.

wolfCrypt FIPS Ready can be downloaded from the wolfSSL download page located here: https://www.wolfssl.com/download/. More information on getting set up with wolfCrypt FIPS Ready can be found in our FIPS Ready User guide here: https://www.wolfssl.com/docs/fips-ready-user-guide/

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Version 1.7.0 of wolfSSL JNI and JSSE is now available for download! wolfSSL JNI and JSSE provides Java applications with a convenient Java API to the widely-used wolfSSL embedded SSL/TLS library, including support for TLS 1.3!  This package provides both a Java JSSE Provider as well as a thin JNI wrapper around native wolfSSL.

Release 1.7.0 has bug fixes and new features including:

• Fixes for Infer analysis warnings
• Throw exception in DEFAULT_Context creation if engineInit() fails
• Defer creating DEFAULT WolfSSLContext until first use
• Check if Socket is open before doing TLS shutdown in WolfSSLSocket.close()
• Only load X509TrustStore issuers when needed by native wolfSSL verification
• Fix compiler warnings when used with older versions of native wolfSSL
• Verify and load intermediate CA certs in WolfSSLTrustX509.certManagerVerify()
• Add support for setSoTimeout() in WolfSSLSocket
• Fix suites length check in WolfSSLEngineHelper.setLocalCiphers()
• Check for connection closed before completing handshake in SSLSocket.read/write

wolfSSL JNI and JSSE 1.7.0 can be downloaded from the wolfSSL download page and the wolfSSL JNI Manual can be found here.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

The wolfSSL embedded SSL/TLS library includes three different math libraries which can be used to support wolfCrypt’s cryptographic operations – the Normal Math library, the fastmath library, and SP math.  To help our users decide which math library is right for them, we have put together a helpful comparison matrix!

The wolfSSL Math Library Comparison Matrix, included below, shows the strengths and weaknesses of the 3 math options offered by wolfSSL.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

A major release for wolfTPM came out at the end of 2020 and is now available for download from our website. This release brings many new features:

• Native support for using TPM2.0 hardware with wolfTPM under Microsoft Windows
• TPM simulator support for even easier development with wolfTPM and MacOS users
• Protection from MITM (man-in-the-middle) attacks using TPM2.0 Parameter Encryption. wolfTPM supports both TPM2.0 options for MITM protection, XOR encryption and AES CFB.
• HMAC Session support for verification of peer authenticity and integrity.

This release also adds multiple new examples: TPM key generation and key loading examples with options to store the key to disk and use parameter encryption to protect from MITM. Added is support for importing external private keys and easy re-loading. And for those who use the internal TPM clock for reference, there is now a TPM clock increment example.

Among the other enhancements of our portable TPM2.0 library are the use of HMAC sessions and new wolfTPM wrappers for easier work with TPM sessions and authorization of TPM objects.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Back in January of 2018 wolfSSL added support for use with the Open Whisper Systems Signal Protocol C Library! This means that you can now develop Signal applications using wolfCrypt as the underlying cryptography provider.

For those unfamiliar with the Signal Protocol, it is described on their GitHub page as “A ratcheting forward secrecy protocol that works in synchronous and asynchronous messaging environments.”

wolfSSL also has a JSSE provider that can be used with Android. This can seamlessly replace the default provider, giving all the benefits that come with using wolfSSL. Such as; extra performance boosts, access to our stellar support, and FIPS certifications to name a few items. Instructions on using the wolfSSL JSSE with Android can be found here https://www.wolfssl.com/docs/installing-a-jsse-provider-in-android-osp/.

wolfCrypt Signal Protocol Integration

By design, the Signal Protocol C Library does not depend on any SSL/TLS or cryptography library.  Instead, Signal allows the application to register a crypto provider at runtime.  We recently ported the wolfCrypt cryptography library into the “libsignal-protocol-c” test code and added a CMake configuration to build the libsignal-protocol-c test programs using cryptography from wolfSSL.

With this build option and wolfCrypt integration, Signal application developers can choose to use cryptography from wolfSSL instead of OpenSSL.  Thanks to wolfSSL’s small footprint size, low memory usage, and broad platform support, application developers can more easily use the Signal Protocol C Library on small resource-constrained platforms and embedded systems.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

The team here at wolfSSL is putting together a Sparkplug example that we’d like to share with you! The Sparkplug specification is useful for Industrial IoT system developers building on top of MQTT. Sparkplug defines a set of device states, adds topic naming structures, and defines payload formats. The wolfMQTT client library is perfectly suited to help secure your IIoT project since it is already integrated with wolfSSL!

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

You can download the latest release here: https://www.wolfssl.com/download/
Or clone directly from our GitHub repository: https://github.com/wolfSSL/wolfMQTT
While you’re there, show us some love and give the wolfMQTT project a Star!

Last year wolfSSL fixed 8 vulnerabilities and documented them in the wolfSSL embedded SSL/TLS library release notes. Thanks to all of the researcher reports, and to the dedicated wolfSSL team, the fixes were identified and resolved rapidly. How rapidly you may ask? The average time to get a fix submitted for review on the vulnerabilities listed in 2020 was just over 26 hours.

Thanks to the researchers that submitted reports!

• Gerald Doussot from NCC group
• Lenny Wang of Tencent Security Xuanwu LAB
• Ida Bruhns from Universität zu Lübeck and Samira Briongos from NEC Laboratories Europe
• Alejandro Cabrera Aldaya, Cesar Pereida García and Billy Bob Brumley from the Network and Information Security Group (NISEC) at Tampere University
• Paul Fiterau of Uppsala University and Robert Merget of Ruhr-University Bochum
• Pietro Borrello at Sapienza University of Rome

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.