wolfProvider Expansion: 35+ New FIPS Open Source Integrations

Introduction

Since the release of wolfProvider 1.0.2, the wolfSSL team has been hard at work expanding the ecosystem of open source projects that integrate seamlessly with wolfProvider. As an OpenSSL 3.x provider that brings wolfSSL’s FIPS cryptographic capabilities to OpenSSL-based applications, wolfProvider enables organizations to leverage wolfSSL’s FIPS-certified implementations, optimized performance, and reduced memory footprint—all without modifying existing application code.

Today, we’re excited to announce that wolfProvider now includes comprehensive integration testing for over 35 additional open source projects spanning web infrastructure, networking tools, authentication systems, cryptographic libraries, and system utilities. This massive expansion demonstrates wolfProvider’s production readiness and broad compatibility across the open source ecosystem, providing drop-in replacements to allow FIPS compliance with no changes to the target application.

This post provides a high-level overview of these new integrations. In the coming weeks, we’ll be publishing detailed technical guides for larger projects, covering specific configuration steps, performance considerations, and best practices.

Web and Application Infrastructure

gRPC
gRPC is Google’s high-performance, open source RPC framework used by organizations worldwide for microservices communication. With wolfProvider integration, gRPC applications can now leverage wolfSSL’s cryptographic implementations for TLS connections, enabling FIPS compliance for service-to-service authentication and data encryption.

BIND9
BIND9 is the most widely used DNS server software on the Internet. Our integration enables DNS operators to use wolfProvider for DNSSEC operations, bringing wolfSSL’s cryptographic capabilities to critical Internet infrastructure for secure domain name resolution.

Network and Communication Tools

libwebsockets
libwebsockets is a lightweight C library for implementing WebSocket servers and clients. The wolfProvider integration allows WebSocket applications to use wolfSSL for TLS handshakes and encrypted communications, ideal for real-time applications requiring FIPS-certified cryptography.

socat
socat is a multipurpose relay tool for bidirectional data transfer between two data streams. With wolfProvider, socat can establish TLS-secured connections using wolfSSL, making it valuable for secure tunneling and network debugging scenarios.

iperf
iperf is the industry-standard tool for network performance measurement and tuning. The wolfProvider integration enables network engineers to test TLS performance using wolfSSL’s optimized implementations, providing accurate benchmarks for encrypted network throughput.

rsync
rsync is the ubiquitous file synchronization and transfer tool. Our integration allows rsync to use wolfProvider for securing file transfers over SSH, bringing wolfSSL’s cryptographic capabilities to backup and replication workflows.

tnftp
tnftp (the enhanced FTP client from NetBSD) can now leverage wolfProvider for TLS-enabled FTP connections, allowing secure file transfers with wolfSSL’s FIPS-certified cryptography.

ppp
The Point-to-Point Protocol daemon is fundamental for dial-up and VPN connections. wolfProvider integration enables PPP to use wolfSSL for authentication protocols, supporting secure remote access scenarios.

Authentication and Security

Kerberos (krb5)
MIT Kerberos is the gold standard for network authentication. Our integration allows Kerberos to use wolfProvider for cryptographic operations, enabling enterprises to leverage wolfSSL’s FIPS implementations for their single sign-on infrastructure.

pam-pkcs11
pam-pkcs11 provides smart card authentication for Linux systems. With wolfProvider, organizations can use wolfSSL for certificate validation and cryptographic operations in their smart card-based access control systems.

OpenSC
OpenSC provides a set of libraries and utilities for smart card access. The wolfProvider integration brings wolfSSL’s cryptographic capabilities to smart card operations, supporting various cryptographic tokens and hardware security modules.

libfido2
libfido2 implements the FIDO2/WebAuthn standards for passwordless authentication. Our integration enables FIDO2 implementations to use wolfProvider for cryptographic operations, supporting modern passwordless login flows with wolfSSL.

libtss2
libtss2 is the Trusted Platform Module 2.0 software stack. With wolfProvider, TPM-based applications can leverage wolfSSL for cryptographic operations, ideal for hardware-backed secure boot and attestation scenarios.

OpenLDAP
OpenLDAP is the leading open source LDAP directory server. The wolfProvider integration allows OpenLDAP to use wolfSSL for TLS connections and cryptographic operations, bringing FIPS compliance to enterprise directory services.

SSSD
The System Security Services Daemon provides access to identity and authentication providers. With wolfProvider, SSSD can leverage wolfSSL for secure communications with Active Directory, LDAP, and other authentication backends.

OpenSSH
OpenSSH is the premier connectivity tool for secure remote login. Our integration enables OpenSSH to use wolfProvider for all cryptographic operations, supporting FIPS-compliant SSH connections for system administration and file transfers.

stunnel
stunnel is a proxy designed to add TLS encryption to existing clients and servers. With wolfProvider, stunnel can use wolfSSL’s optimized TLS implementations, ideal for securing legacy applications without code modifications.

Cryptographic Libraries and Tools

cjose
cjose is a C implementation of the JOSE (JSON Object Signing and Encryption) standard. The wolfProvider integration enables JOSE operations using wolfSSL, supporting modern token-based authentication and API security patterns.

xmlsec
xmlsec provides XML Digital Signature and Encryption capabilities. With wolfProvider, applications can use wolfSSL for XML security operations, supporting SAML, WS-Security, and other XML-based security protocols.

libcryptsetup
libcryptsetup manages encrypted block devices in Linux. Our integration allows disk encryption tools to use wolfProvider for cryptographic operations, enabling FIPS-compliant full-disk encryption with wolfSSL.

libeac3
libeac3 implements the Extended Access Control protocol for electronic passports. The wolfProvider integration brings wolfSSL to e-passport applications, supporting secure identity verification scenarios.

liboauth2
liboauth2 is a library for OAuth 2.0 flows. With wolfProvider, OAuth implementations can leverage wolfSSL for cryptographic operations, supporting secure API authentication and authorization.

libssh2
libssh2 is a client-side C library implementing the SSH2 protocol. Our integration enables libssh2 applications to use wolfProvider for SSH connections, bringing wolfSSL’s performance and FIPS capabilities to SSH-based automation and file transfer tools.

System and Utility Tools

systemd
systemd is the init system used by most modern Linux distributions. The wolfProvider integration enables systemd’s cryptographic operations to use wolfSSL, supporting secure boot, TPM integration, and encrypted credentials.

tcpdump
tcpdump is the premier packet analyzer for network troubleshooting. With wolfProvider, tcpdump can decrypt TLS traffic for analysis using wolfSSL’s cryptographic implementations.

x11vnc
x11vnc allows remote desktop access to X11 displays. Our integration enables x11vnc to use wolfProvider for TLS-encrypted remote desktop sessions, supporting secure remote administration with wolfSSL.

sscep
sscep is a Simple Certificate Enrollment Protocol client. With wolfProvider, SCEP operations can use wolfSSL for certificate enrollment and management, supporting automated certificate provisioning workflows.

ipmitool
ipmitool provides command-line access to IPMI-enabled devices for server management. The wolfProvider integration enables secure IPMI communications using wolfSSL, supporting out-of-band management scenarios.

tpm2-tools
tpm2-tools provides utilities for TPM 2.0 management and testing. With wolfProvider, TPM operations can leverage wolfSSL’s cryptographic implementations, supporting hardware-backed security operations.

net-snmp
net-snmp is a suite of applications for SNMP network monitoring. Our integration allows SNMP to use wolfProvider for cryptographic operations, enabling secure network management with SNMPv3.

python3-ntp
The Python NTP implementation can now use wolfProvider for cryptographic operations in Network Time Protocol security extensions, supporting authenticated time synchronization.

Application Frameworks

Qt5 Network
Qt5’s networking module is used by thousands of applications worldwide. The wolfProvider integration enables Qt applications to use wolfSSL for TLS connections, supporting FIPS compliance for cross-platform desktop and mobile applications.

libnice
libnice implements ICE (Interactive Connectivity Establishment) for NAT traversal. With wolfProvider, WebRTC and other real-time communication applications can use wolfSSL for DTLS operations.

libhashkit2
libhashkit2 provides consistent hashing algorithms used in distributed systems. Our integration enables applications to use wolfProvider for cryptographic hashing operations with wolfSSL.

What This Means for the wolfSSL Ecosystem

This extensive integration testing demonstrates wolfProvider’s production readiness and compatibility across diverse open source projects. All integrations use the standard OpenSSL provider framework with minimal modifications, and each includes automated CI testing to ensure reliability. Integration patches are maintained in the wolfSSL OSP repository for community access.

Looking Ahead

We’ll be publishing detailed integration guides for major projects like gRPC, OpenSSH, systemd, and others where deployment considerations are more complex. These guides will cover configuration, performance tuning, and FIPS-specific requirements.

Get Started Today

All integration testing configurations and patches are available in the wolfProvider repository and the OSP repository. The automated workflows in .github/workflows/ provide reference implementations showing exactly how to build and test each integration.
Whether you’re looking to achieve FIPS compliance, optimize cryptographic performance, or reduce memory footprint, wolfProvider’s broad ecosystem support makes it easier than ever to bring wolfSSL’s benefits to your existing OpenSSL-based applications.
For questions or assistance with wolfProvider integration, please contact us at support@wolfssl.com or visit www.wolfssl.com.

Stay tuned for our upcoming integration guides!

wolfProvider is available under the GPLv3 license with commercial licensing options available. For more information, visit the wolfProvider GitHub repository.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call +1 425 245 8247.
Download wolfSSL Now

wolfProvider 1.1.0: Major Release with Enhanced Features and Extensive Integration Testing

wolfSSL is proud to announce the release of wolfProvider 1.1.0. This major release represents a significant milestone in our commitment to providing robust OpenSSL 3.x compatibility with FIPS 140-3 validated cryptography. wolfProvider 1.1.0 has been developed according to wolfSSL’s rigorous development and QA process and has successfully passed our quality criteria.

wolfProvider is designed for customers who want FIPS-validated cryptography but are already invested in using OpenSSL. The provider delivers drop-in replacements for cryptographic algorithms used by OpenSSL, leveraging the wolfCrypt engine underneath, which is FIPS 140-3 certified.

New Cryptographic Features

This release introduces several important cryptographic capabilities:

  • KBKDF (Key-Based Key Derivation Function): Implementation of NIST SP 800-108 key derivation for secure key generation from existing key material.
  • KRB5KDF (Kerberos 5 Key Derivation Function): Support for Kerberos cryptographic operations, enabling enterprise authentication scenarios.
  • AES-CTS (Ciphertext Stealing): Additional AES cipher mode for applications requiring specific padding behavior.
  • RSA No-Padding Operations: Raw RSA encrypt/decrypt operations for applications with custom padding schemes.

Replace-Default Provider Mode

A groundbreaking feature in this release is the ability to replace OpenSSL’s default provider entirely with wolfProvider. This mode makes wolfProvider the primary cryptographic implementation system-wide, allowing existing OpenSSL applications to transparently use wolfSSL’s FIPS-validated cryptography without any code modifications. This feature includes comprehensive testing to ensure the default swap works as expected across various scenarios.

Enhanced Testing and Quality Assurance

wolfProvider 1.1.0 significantly expands our integration testing with real-world open-source applications. We’ve added automated CI/CD workflows for over 40 popular applications, ensuring wolfProvider works seamlessly with:

  • Network Infrastructure: gRPC, OpenSSH, libssh2, OpenSC/PKCS11, OpenLDAP, IPMItool, Stunnel, socat, SSSD, net-snmp, liboauth2, tnftp, systemd, X11VNC, sscep, TPM2 tools, libcryptsetup, libtss2, KRB5, bind9, hostap
  • Development Tools: Python3 NTP, libeac, xmlsec, Qt5 Network, rsync, libwebsockets, tcpdump, cjose, iperf, libfido2, ppp, pam-pkcs11, kmod, libnice

This extensive testing demonstrates wolfProvider’s production-readiness and compatibility with the broader OpenSSL ecosystem.

Command-Line Integration

New command-line integration tests validate wolfProvider’s compatibility with OpenSSL command-line tools for AES, RSA, RSA-PSS, Hash, and ECC operations. This ensures that scripts and automation tools using OpenSSL commands work correctly with wolfProvider.

Debian Package Support

This release includes comprehensive Debian packaging support, making deployment on Debian-based systems straightforward. The packaging includes proper dependency management and integration with system OpenSSL configurations.

Bug Fixes and Stability Improvements

wolfProvider 1.1.0 includes over 100 bug fixes addressing issues across all cryptographic operations:

  • AES Improvements: Fixed AES-GCM streaming bugs, authentication tag handling, IV management, and CBC consecutive call handling.
  • RSA Enhancements: Resolved RSA PSS decoding issues, key import edge cases, keygen retry logic, certificate display formatting, and parameter handling.
  • ECC Fixes: Corrected public key validation, parameter handling, private key operations, signing restrictions, and encoding issues.
  • DH Corrections: Fixed FIPS build compatibility, parameter handling, private key operations, and decoder registrations.
  • General Stability: Improved locking around signature operations, NULL reinit handling, core libctx management, and OpenSSL patching detection.

Looking Forward

wolfProvider 1.1.0 represents a major step forward in providing FIPS-validated cryptography to the OpenSSL ecosystem. The extensive integration testing, new cryptographic features, and replace-default mode make this release suitable for production deployment in enterprise environments requiring FIPS compliance.

Refer to the README.md found in the release for usage instructions. We also maintain a ChangeLog.md for a complete list of changes in each release.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

wolfProvider Integration with nginx: Secure Your Web Server with wolfSSL FIPS Cryptography

Securing web servers with robust cryptography is essential in today’s threat landscape. wolfProvider offers a seamless way to enhance nginx security by integrating wolfSSL’s high-performance cryptographic implementations through OpenSSL’s provider framework. This integration allows nginx to leverage wolfSSL’s FIPS cryptography without modifying code.

What is wolfProvider?

wolfProvider is an OpenSSL provider that integrates the wolfCrypt FIPS cryptographic library with OpenSSL’s provider framework. It allows applications using the OpenSSL API, such as nginx, to seamlessly leverage wolfSSL’s FIPS approved cryptographic implementations without modifying application code.

Supported nginx Versions

Our continuous integration testing confirms compatibility with the following nginx versions:

  • nginx master branch
  • nginx release-1.27.4

Key Benefits for nginx users

  • Enhanced Security: Access to wolfSSL’s FIPS 140-2/3 validated cryptographic modules for compliance requirements
  • Optimized Performance: Benefit from wolfSSL’s highly optimized cryptographic implementations
  • Seamless Integration: No modifications to nginx or OpenSSL; a single OpenSSL configuration file change enables the wolfProvider integration
  • Comprehensive Algorithm Support: Full suite of modern cryptographic algorithms including:
    • AES (128/192/256-bit with ECB, CBC, CTR, GCM, CCM modes)
    • RSA, RSA-PSS for signing, verification, and key operations
    • ECC with ECDSA and ECDH support
    • SHA-1, SHA-2, and SHA-3 family hash functions
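The "simple config file change" above, and the replace-default provider mode described in the wolfProvider 1.1.0 release notes earlier on this page, both come down to OpenSSL 3.x's provider configuration. The fragment below is an added example written for this page, not a file shipped by the wolfProvider project; it assumes the provider module is named libwolfprov.so, that it registers under the provider name libwolfprov, and that /opt/wolfprov/lib is a placeholder install path. The release notes do not say how wolfProvider 1.1.0 implements its replace-default mode, so mode 2 here is the standard-configuration equivalent of that idea, not a description of the project's feature.

```ini
# openssl.cnf (added example for this page; not from the wolfProvider project).
# Assumptions: module libwolfprov.so, provider name "libwolfprov",
# placeholder install path /opt/wolfprov/lib.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

# Mode 1 (as written here): wolfProvider is loaded alongside OpenSSL's default
# provider. default_properties makes every algorithm fetch prefer wolfProvider;
# the leading "?" marks the query as a preference, so an algorithm that
# wolfProvider does not implement still resolves from the default provider.
[provider_sect]
libwolfprov = libwolfprov_sect
default = default_sect

[libwolfprov_sect]
module = /opt/wolfprov/lib/libwolfprov.so
activate = 1

[default_sect]
activate = 1

[algorithm_sect]
default_properties = ?provider=libwolfprov

# Mode 2 (replace-default at the configuration level): delete the
# "default = default_sect" line so only wolfProvider is activated, and drop the
# "?" so the query reads "provider=libwolfprov". Fetches then succeed only when
# wolfProvider implements the algorithm; nothing falls back to the non-FIPS
# default provider, which is exactly the failure you want to see during testing
# rather than in production.
```

To check which configuration an application will actually see, run `openssl list -providers` and `openssl list -signature-algorithms` with `OPENSSL_CONF` pointing at this file; the second command names the provider behind each algorithm. nginx picks the file up the same way, for example through `Environment=OPENSSL_CONF=/etc/ssl/wolfprov.cnf` in a systemd drop-in for the nginx service (the path is a placeholder). In mode 2, exercise every TLS feature the server uses (HTTP/2, stream and mail modules, client certificates if enabled) before deployment, since an algorithm wolfProvider lacks now produces a hard failure instead of a silent fallback.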

Testing and Verification

Our GitHub Actions workflows automatically test the integration to validate the following functionality:

  • TLS handshakes complete successfully
  • HTTP/2 connections work properly
  • Stream and mail modules function correctly
  • All cryptographic operations perform as expected

Stay updated with wolfProvider for ongoing enhancements! If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


Command-Line Integration Testing for wolfProvider

With PR #95, wolfProvider now supports command-line integration tests for RSA, RSA-PSS, ECC, AES, and hash functions, which verify interoperability with the OpenSSL default provider. These tests exercise the core cryptographic operations, checking that wolfProvider can generate keys, sign and verify messages, encrypt and decrypt data, and compute hashes with full cross-provider compatibility. The result is continuous interoperability testing between wolfProvider and OpenSSL across a diverse range of environments.

The test suite includes independent test scripts for RSA, RSA-PSS, ECC, AES, and hash operations, making sure that cryptographic operations are identical across providers. For example, an RSA signature created with OpenSSL’s provider can be successfully verified with wolfProvider and vice versa. Similarly, AES encryption tests make sure that ciphertexts from one provider can be decrypted by the other. With these new automated tests now part of CI workflows, users can rest assured that wolfProvider remains robust and fully interoperable with OpenSSL’s crypto ecosystem.
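The cross-provider checks described above can be reproduced with nothing but openssl(1), since every OpenSSL 3.x subcommand accepts `-provider` and `-provider-path`. The script below is an added example written for this post, not wolfProvider's own test-suite scripts: it signs, encrypts and hashes under one named provider and verifies, decrypts and re-hashes under another, then runs each check in the opposite direction. It assumes provider names are given as arguments (for instance `default` and `libwolfprov`), and that `WOLFPROV_PATH`, if set, is the directory holding the provider module; the key, IV and messages are constructed test inputs, not secrets.

```shell
#!/bin/sh
# Cross-provider interoperability checks for OpenSSL 3.x providers.
# Added example for this post; not wolfProvider's own test scripts.
# Assumptions: provider names are passed as arguments (e.g. "default",
# "libwolfprov"); WOLFPROV_PATH, if set, is the directory containing the
# provider module and is passed to openssl via -provider-path.

# Runs one openssl(1) subcommand with the chosen provider explicitly loaded.
# Provider options go directly after the subcommand so that commands like
# dgst do not mistake them for file arguments.
# Usage: with_provider <provider> <subcommand> [args...]
with_provider() {
    prov=$1; cmd=$2; shift 2
    if [ "$prov" != default ] && [ -n "${WOLFPROV_PATH:-}" ]; then
        openssl "$cmd" -provider-path "$WOLFPROV_PATH" -provider "$prov" "$@"
    else
        openssl "$cmd" -provider "$prov" "$@"
    fi
}

# RSA: key generated and message signed under $1, verified under $2. A tampered
# message must then FAIL to verify, proving the verifier really checks the
# signature instead of accepting anything.
rsa_cross_check() {
    signer=$1; verifier=$2
    dir=$(mktemp -d) || return 1
    printf 'constructed sample message\n' > "$dir/msg"
    with_provider "$signer" genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null &&
    with_provider "$signer" pkey -in "$dir/key.pem" -pubout -out "$dir/pub.pem" 2>/dev/null &&
    with_provider "$signer" dgst -sha256 -sign "$dir/key.pem" -out "$dir/msg.sig" "$dir/msg" 2>/dev/null &&
    with_provider "$verifier" dgst -sha256 -verify "$dir/pub.pem" -signature "$dir/msg.sig" \
        "$dir/msg" >/dev/null 2>&1
    rc=$?
    if [ "$rc" -eq 0 ]; then
        printf 'tampered' >> "$dir/msg"
        if with_provider "$verifier" dgst -sha256 -verify "$dir/pub.pem" -signature "$dir/msg.sig" \
            "$dir/msg" >/dev/null 2>&1; then
            rc=1   # a modified message verified: the check fails
        fi
    fi
    rm -rf "$dir"
    return "$rc"
}

# Constructed, non-secret test inputs: a fixed 256-bit key and 128-bit IV.
AES_KEY_HEX='000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f'
AES_IV_HEX='0f0e0d0c0b0a09080706050403020100'

# AES-256-CBC: ciphertext produced under $1 must decrypt to the original under $2.
aes_cross_check() {
    enc=$1; dec=$2
    dir=$(mktemp -d) || return 1
    printf 'constructed plaintext for the AES round trip\n' > "$dir/pt"
    with_provider "$enc" enc -aes-256-cbc -K "$AES_KEY_HEX" -iv "$AES_IV_HEX" \
        -in "$dir/pt" -out "$dir/ct" 2>/dev/null &&
    with_provider "$dec" enc -d -aes-256-cbc -K "$AES_KEY_HEX" -iv "$AES_IV_HEX" \
        -in "$dir/ct" -out "$dir/pt2" 2>/dev/null &&
    cmp -s "$dir/pt" "$dir/pt2"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# SHA-256: both providers must produce the identical digest for the same input.
hash_cross_check() {
    dir=$(mktemp -d) || return 1
    printf 'constructed input for the digest comparison\n' > "$dir/in"
    ha=$(with_provider "$1" dgst -sha256 -r "$dir/in" 2>/dev/null)
    hb=$(with_provider "$2" dgst -sha256 -r "$dir/in" 2>/dev/null)
    rm -rf "$dir"
    [ -n "$ha" ] && [ "$ha" = "$hb" ]
}

# Run every check in both directions, e.g.: sh interop.sh default libwolfprov
if [ "$#" -eq 2 ]; then
    for check in rsa_cross_check aes_cross_check hash_cross_check; do
        if "$check" "$1" "$2" && "$check" "$2" "$1"; then
            echo "$check $1<->$2: ok"
        else
            echo "$check $1<->$2: FAIL"; exit 1
        fi
    done
fi
```

Running both directions matters: a provider that verifies its own signatures but not the other provider's (or the reverse) is exactly the encoding or parameter mismatch this kind of test exists to catch. If a provider under test does not supply its own PEM encoders and decoders, add `-provider default` alongside it in `with_provider` so key files can still be read and written.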

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


wolfProvider 1.0.2: Enhanced Compatibility

The wolfSSL team has released wolfProvider version 1.0.2, introducing several new features and important fixes!

New Features

  • RSA Verify Recover Support: Adds functionality for RSA verify recover operations, enhancing compatibility with applications requiring this capability.
  • DES3 Implementation: Provides legacy application support with DES3 CBC mode implementation.
  • Open Source Integration Testing: New workflows for automated testing with NGINX, cURL, and OpenVPN, ensuring compatibility across applications.

Enhancements and Fixes

  • RSA Improvements: Better key type handling during import operations and fixed parameter handling for proper functionality.
  • AES-GCM Stream Handling: Enhanced IV handling for compatibility with OpenSSH workflows.
  • ECC Parameter Encoding: Fixed encoding for OpenSSL genpkey compatibility, resolving interoperability issues.

Stability Improvements

  • FIPS Testing Capabilities: Enhanced testing for FIPS compliance scenarios.
  • Error Handling: Improved logging and error reporting throughout the codebase.
  • Documentation Updates: Enhanced examples and documentation for easier integration.

Check out the ChangeLog for a full list of features and fixes.

Stay updated with wolfProvider for ongoing enhancements! If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


wolfProvider v1.0.1 Release

wolfSSL is proud to announce the release of wolfProvider 1.0.1. This release contains several fixes and improvements. Most notably, we have added AES CFB support. Better logging of code execution has been added to make debugging easier, and scripted compilation of dependencies (such as wolfSSL and OpenSSL) has been added to make getting started easier.

wolfProvider is intended for use by customers who want a FIPS validated module but are already invested in using OpenSSL. The provider gives drop-in replacements for the cryptographic algorithms used by OpenSSL. wolfProvider uses the wolfCrypt engine underneath, which is FIPS 140-3 certified.

Refer to the README.md found in the release for usage instructions. We also maintain a ChangeLog.md for a list of changes in each release.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.


wolfProvider Release 1.0.0

wolfSSL is proud to announce the release of wolfProvider 1.0.0. This is the first official release of wolfProvider as a provider for OpenSSL 3.x. It is intended for use by customers who want a FIPS validated module but are already invested in using OpenSSL. The provider gives drop-in replacements for the cryptographic algorithms used by OpenSSL. wolfProvider uses the wolfCrypt engine underneath, which is FIPS 140-3 certified.

Refer to the README.md found in the release for usage instructions. We also maintain a ChangeLog.md for a list of changes in each release.

If you have questions about any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247.


Elevate OpenSSL in Yocto with wolfProvider

What Is wolfProvider?

New to meta-wolfssl, wolfProvider marries OpenSSL 3.x with wolfCrypt’s cutting-edge cryptography, empowering Yocto projects to utilize wolfCrypt’s FIPS 140-3 algorithms seamlessly.

Why Choose wolfProvider?

  • Effortless Integration: Fuse OpenSSL 3.x with wolfSSL’s algorithms swiftly.
  • Superior Security: Access wolfSSL’s lightweight, high-performance cryptography and wide range of supported operating environments.
  • FIPS-Ready: Smooth path to FIPS 140-3 compliance, making your project future-proof.

Leveraging wolfProvider

wolfProvider unlocks the potential to incorporate wolfCrypt’s FIPS 140-3 cryptography within your OpenSSL 3.x applications. Kickstart your project now with wolfProvider and our FIPS-Ready bundle, setting the foundation for FIPS 140-3 compliance in your project.

Questions?

If you have questions about any of the above or wish to explore more about FIPS and commercial bundles, contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
