Expanded CRL Support: Generating a CRL

wolfSSL has long provided solid CRL decode and validation support. This update builds on that foundation by adding CRL generation and signing capabilities, along with certificate extension helpers that improve revocation-aware certificate creation workflows. What is a CRL? A Certificate Revocation List (CRL) is a signed list published by a certificate authority (CA) that identifies […]

New! wolfSSL Launches User-Space FIPS VPN Client in Rust

wolfSSL is excited to announce the release of its new user-space VPN client. This client is written entirely in Rust, leveraging the language’s safety and performance characteristics. The implementation is based on the popular open-source boringtun project. Crucially, this new client incorporates FIPS-validated cryptography through the use of the wolfGuard protocol. This solution ensures a […]

wolfSSL’s OCSP and OCSP-Stapling Support

Sometimes, X.509 certificates need to be revoked. One way that can happen is via CRL (Certificate Revocation List), but that’s a topic for another time. Today we’ll focus on OCSP (Online Certificate Status Protocol). The OCSP protocol is designed to allow a client to send a real-time query to a certificate authority’s OCSP responder, which […]

Keeping TLS 1.3 AES-GCM Session Keys Out of RAM

Secure Element Offload via Crypto Callbacks in wolfSSL

Modern embedded and security-critical systems increasingly rely on Secure Elements, TPMs, and hardware cryptographic accelerators to protect private keys. In wolfSSL, asymmetric keys such as ECC private keys can already reside entirely inside hardware using Crypto Callbacks. Until now, however, TLS 1.3 AES-GCM session keys were still […]

TLS vs. SSH: When To Use Which (2026 Edition)

TLS and SSH are both widely used protocols for creating secure connections between two systems over an untrusted network. Although they share some fundamental goals, they are designed for different use cases. In this updated guide, we will explore when you should use which, along with a look at the latest developments in both protocols. […]

RSA-PSS Support for PKCS#7 SignedData in wolfSSL

PKCS#7, standardized as Cryptographic Message Syntax (CMS) in RFC 5652, is a common format for signing structured data. Signed firmware updates, signed configuration packages, and certificate-based authentication workflows all rely on PKCS#7 SignedData to ensure integrity and authenticity. wolfSSL now supports RSA-PSS (RSASSA-PSS) signatures in PKCS#7 SignedData, for both generation and verification. This lets applications move […]

Expanded AIA Support in wolfSSL

We recently added new functionality that improves how wolfSSL handles Authority Information Access (AIA) certificate data. AIA is an X.509 certificate extension that tells clients where to find related validation resources, typically OCSP responder URLs (for revocation status checks) and CA Issuers URLs (for downloading issuer certificates), defined in RFC 4325. In practice, this helps […]
