wolfMQTT Releases v1.11.0

The New Year release of wolfMQTT, v1.11.0, is now available! This release has several bug fixes and optimizations including:

  • Return correct error code in SN_Client_Connect (PR #268)
  • Removing unsupported TLS and SNI options in sn-client (PR #266)
  • Fixes for multithreading with non-blocking (PR #252)
  • Doxygen work removing depreciated command and fixing other warnings (PR #264)
  • Fix overwriting TLS error in connect (PR #259)
  • Add GitHub Actions (PR #256 #260 #263)
  • Fix wm_Sem on Windows (PR #255 #261)
  • Fix scripts for host without mosquitto (PR #257 #265)
  • Trim whitespace and convert tab to spaces (PR #251)
  • Refactor of write length (PR #250)
  • Fixes for publish edge cases (PR #248)
  • Remove unused sub_id element, add support for local test broker (PR #249)
  • Fix to make sure MqttClient_DecodePacket called in all cases (PR #246)
  • Known bug with multithread and without nonblocking enabled in this release.

Check out the changelog from the download for a full list of features and fixes, or contact us at facts@wolfssl.com with any questions:


While you’re there, show us some love and give the wolfMQTT project a Star!

You can download the latest release here: https://www.wolfssl.com/download/

Or clone directly from our GitHub repository: https://github.com/wolfSSL/wolfMQTT

wolfSSL Adds Support for the Arm® TrustZone® CryptoCell-310

Are you a user of the ARM CryptoCell acceleration hardware?  If so, you will be happy to know that wolfSSL has support for CryptoCell with wolfCrypt and benchmark examples to the wolfSSL embedded SSL/TLS library!

The wolfSSL port supports the following features:

  • SHA-256
  • Elliptic Curve Digital Signature Algorithm (ECDSA) – sign and verify
  • Elliptic Curve Diffie Hellman (ECDH) – shared secret
  • ECC key generation support
  • RSA sign and verify
  • RSA key generation support
  • RSA encrypt and decrypt

These features are tested on nRF52840 hardware platform with Nordic nRF5_SDK_15.2.0.

You can use the WOLFSSL_CRYPTOCELL macro to activate the CryptoCell support in wolfSSL. For instructions on how to build and run the examples on your projects, please see the “<wolfssl-root>/IDE/CRYPTOCELL/README” file.  This support is currently located in our GitHub master branch, and will roll into the next stable release of wolfSSL.

wolfSSL provides support for the latest and greatest version of the TLS protocol, TLS 1.3! Using the wolfSSL port will allow your device to connect to the internet in one of the most secure ways possible.

For more information, please contact facts@wolfssl.com.


The most recent version of wolfSSL can be downloaded from our download page, here: https://www.wolfssl.com/download/
wolfSSL GitHub repository: https://github.com/wolfssl/wolfssl.git
wolfSSL support for TLS 1.3: https://www.wolfssl.com/docs/tls13/

Upcoming Webinar: Getting Started with wolfMQTT

wolfSSL is holding an upcoming webinar on January 20th, 2022! Join wolfSSL engineer Eric Blankenhorn to learn more about our wolfMQTT library, built to be multi-platform, space conscious and extensible. The wolfMQTT library is a client implementation of the MQTT written in C for embedded use, and supports SSL/TLS via the wolfSSL library. Bring your questions for the Q&A session to follow!

When: Jan 20, 2022 10:00 AM Pacific Time (US and Canada)
Topic: Getting Started with wolfMQTT

Register in advance for this webinar:

After registering, you will receive a confirmation email containing information about joining the webinar. We look forward to seeing you there!

Questions? Please contact us at facts@wolfssl.com.

Deprecation of Rabbit, HC128, IDEA, Camellia

Here at wolfSSL, we like to be on the cutting edge of things. Sometimes that means supporting algorithms before they are widely adopted which can lead to supporting algorithms that do not get wide adoption. This has been the case for the following algorithms:

– Rabbit
– HC128
– Camellia

To reduce code complexity, we have decided to deprecate support for these algorithms. Sometime in a future release, these algorithms will no longer be present in wolfSSL. If this poses a problem for you or your customers, please get in contact with your sales representative or email us at facts@wolfssl.com as soon as possible.

cTLS: Compact TLS

Here at wolfSSL we are at the cutting edge of cryptography and protocols.  For example, even before TLS 1.3 was fully standardized, we were implementing it in line with the draft RFCs. Also, with the progress that is being made in the quantum computing space, we are keeping abreast of post-quantum cryptography and the standardization process for post-quantum algorithms.  If you want, you can even experiment with the new algorithms  by configuring wolfSSL using `–with-liboqs`.

We would like all our customers to know that we are also aware of and actively watching the standardization process of cTLS. It has the following features:

– Omitting unnecessary values that are a holdover from previous versions of TLS.
– Omitting handshake messages and field required for backwards-compatibility with earlier TLS versions.
– More compact encodings.
– A template-based specialization mechanism that allows pre-populating information at both endpoints without the need for negotiation.
– Alternative cryptographic techniques, such as semi-static Diffie-Hellman.

The protocol specification claims to ensure security by mapping the data from the wire protocol back to a full TLS 1.3 transcript with the same features used.

If you are interested in cTLS then please let us know by sending a message to facts@wolfssl.com so you can be the first to know when we have completed the implementation of this feature!

wolfSSL at CES 2022

wolfSSL will be attending CES 2022! This onsite conference takes place in Las Vegas on January 5–7 from 9:00AM – 5:00PM PST. Join us at the exhibition to connect with wolfSSL Business Directors Stephen Siderewicz and Paul Dennison, who are ready to answer all your embedded security questions!

For location details, guidelines, and more information, visit www.ces.tech.

Email us at facts@wolfssl.com to schedule a meeting!
Love it? Star wolfSSL on GitHub!

wolfSSL v5.1.1 Release

Happy Holidays!

The wolfSSL holiday release is available for download!

This release includes more compatibility layer expansions, updates to the version of open source projects supported, post quantum additions, and new hardware port additions to name some of what was included. As well as 2 vulnerabilities fixed in the release bundle. 

A major performance upgrade was added to wolfSSL SP C implementation for ECC. In some cases increasing the performance with the C implementation by over 20%. SP (single precision) performance is turned on by using the enable option –enable-sp.

New Feature Additions


  • Curve25519 support with NXP SE050 added
  • Renesas RA6M4 support with SCE Protected Mode and FSP 3.5.0
  • Renesas TSIP 1.14 support for RX65N/RX72N

Post Quantum

  • Post quantum resistant algorithms used with Apache port
  • NIST round 3 FALCON Signature Scheme support added to TLS 1.3 connections
  • FALCON added to the benchmarking application
  • Testing of cURL with wolfSSL post quantum resistant build

Compatibility Layer Additions

  • Updated NGINX port to NGINX version 1.21.4
  • Updated Apache port to Apache version 2.4.51
  • Add support for SSL_OP_NO_TLSv1_2 flag with wolfSSL_CTX_set_options function
  • Support added for the functions
    • SSL_CTX_get_max_early_data
    • SSL_CTX_set_max_early_data
    • SSL_set_max_early_data
    • SSL_get_max_early_data
    • SSL_CTX_clear_mode
    • SSL_CONF_cmd_value_type
    • SSL_read_early_data
    • SSL_write_early_data


PORT Fixes

  • Building with Android wpa_supplicant and KeyStore
  • Setting initial value of CA certificate with TSIP enabled
  • Cryptocell ECC build fix and fix with RSA disabled 
  • IoT-SAFE improvement for Key/File slot ID size, fix for C++ compile, and fixes for retrieving the public key after key generation

Math Library Fixes

  • Check return values on TFM library montgomery function in case the system runs out of memory. This resolves an edge case of invalid ECC signatures being created.
  • SP math library sanity check on size of values passed to sp_gcd.
  • SP math library sanity check on exponentiation by 0 with mod_exp
  • Update base ECC mp_sqrtmod_prime function to handle an edge case of zero
  • TFM math library with Intel MULX multiply fix for carry in assembly code


Build Options and Warnings

  • Bugfix: could not build with liboqs and without DH enabled
  • Build with macro NO_ECC_KEY_EXPORT fixed
  • Fix for building with the macro HAVE_ENCRYPT_THEN_MAC when session export is enabled
  • Building with wolfSentry and HAVE_EX_DATA macro set

Math Libraries

  • Improvement for performance with SP C implementation of montgomery reduction for ECC (P256 and P384) and SP ARM64 implementation for ECC (P384)
  • With SP math handle case of dividing by length of dividend
  • SP math improvement for lo/hi register names to be used with older GCC compilers


  • [Low]  Potential for DoS attack on a wolfSSL client due to processing hello packets of the incorrect side. This affects only connections using TLS v1.2 or less that have also been compromised by a man in the middle attack. Thanks to James Henderson, Mathy Vanhoef, Chris M. Stone, Sam L. Thomas, Nicolas Bailleut, and Tom Chothia (University of Birmingham, KU Leuven, ENS Rennes for the report.
  • [Low] Client side session resumption issue once the session resumption cache has been filled up. The hijacking of a session resumption has been demonstrated so far with only non verified peer connections. That is where the client is not verifying the server’s CA that it is connecting to. There is the potential though for other cases involving proxies that are verifying the server to be at risk, if using wolfSSL in a case involving proxies use wolfSSL_get1_session and then wolfSSL_SESSION_free when done where possible. If not adding in the session get/free function calls we recommend that users of wolfSSL that are resuming sessions update to the latest version (wolfSSL version 5.1.0 or later). Thanks to the UK’s National Cyber Security Centre (NCSC) for the report.

A full list of what was changed can be found in the wolfSSL ChangeLog (https://www.wolfssl.com/docs/wolfssl-changelog/).
For questions about wolfSSL or about the latest release contact us at facts@wolfssl.com

Upcoming Webinar: Getting started with wolfSSL

Join us for our upcoming webinar on January 5th, 2022! This webinar will provide attendees with the basics and best practices needed to get started using the wolfSSL TLS library in products and projects into 2022. Topics will include a brief overview of TLS 1.3, wolfSSL package structure, how to build wolfSSL, running the wolfCrypt cryptography test and benchmark applications, wolfSSL basic API usage, tips on debugging, and more. Bring your questions for the Q&A session to follow!

When: Jan 5, 2022 10:00 AM Pacific Time (US and Canada)
Topic: How to Get Started with wolfSSL in 2022

Register in advance for this webinar:

After registering, you will receive a confirmation email containing information about joining the webinar. We look forward to seeing you there!

Questions? Please contact us at facts@wolfssl.com.

wolfSSL Supports SNI and TLSx options for CMake builds

We’re pleased to announce that we’ve added support for SNI and TLSx options for CMake builds in wolfSSL v5.0.0! Server Name Indication (SNI) is useful when a server hosts multiple “virtual” servers at a single underlying network address. It may be desirable for clients to provide the name of the server which it is contacting. 

For more details, visit our blog post on using SNI with TLS here: https://www.wolfssl.com/ssl-termination-and-ssl-inspection-with-wolfssl-sni/

More information on building wolfSSL and configuring options can be found in the wolfSSL manual.

Access the wolfSSL GitHub page here: https://github.com/wolfSSL/wolfssl
Need more? Subscribe to our YouTube channel for access to wolfSSL webinars!

Configuring wolfSSL With Alternate Certificate Chain Feature Enabled

WolfSSL v5.0.0 includes an added build option to configure wolfSSL with the alternate certificate chain feature enabled! Default wolfSSL behavior is to require validation of all presented peer certificates. This also allows loading intermediate Certificate Authorities (CA’s) as trusted and ignoring no signer failures for CA’s up the chain to root. Enabling alternate certificate chain mode only requires that the peer certificate validate to a trusted CA. 

The newly added build improvement allows the option --enable-altcertchains to be appended to the ./configure script to build the wolfSSL library with alternate certificate chain mode enabled.

More information on building wolfSSL can be found in the wolfSSL manual.

Access the wolfSSL GitHub page here: https://github.com/wolfSSL/wolfssl
Need more? Subscribe to our YouTube channel for access to wolfSSL webinars!

Posts navigation

1 2 3 4 144 145 146