Welcome to the wolfSSL Forums!

2025-12-15 17:13:01

The wolfSSL team is pleased to announce the release of wolfBoot 2.7.0, the latest version of our portable secure bootloader for embedded systems. This release focuses on three main areas:

Expanding hardware coverage to radiation-hardened platforms

Unifying and hardening TrustZone-M and dual-bank update flows

Making update state tracking and integration easier with filesystem and MTD-backed helpers

As always, the full changelog is available in the wolfBoot repository and on the github v2.7.0 release page.
_________________________________________________________________________________________________________

New Platform Support

Vorago VA416x0: Secure Boot in Radiation-Hardened Systems
See also our recent blog post about it

wolfBoot 2.7.0 adds full support for Vorago’s VA416x0 series (VA41620 / VA41630), bringing our secure boot and firmware update flow to radiation-hardened Cortex-M4 microcontrollers.

The new port includes:

A dedicated HAL implementation (hal/va416x0.c) integrated with the Vorago SDK

Example configuration (config/examples/vorago_va416x0.config) with ECC384/SHA384 as the default signing and hashing combination

Test application and factory image helpers that build wolfBoot, the test firmware, sign it, and assemble a flashable image for VA416x0 boards

On these devices, wolfBoot leverages the external SPI FRAM configuration and the board’s radiation-tolerant design to provide a robust secure boot chain for space and high-reliability applications, where authenticated updates and rollback-safe behavior are essential.

Nordic nRF5340 with TrustZone-M

Support for the Nordic nRF5340 dual-core SoC was introduced in earlier wolfBoot releases; version 2.7.0 extends this further with a dedicated TrustZone build and configuration for the application core.

Highlights include:

TrustZone-aware build options for the nRF5340 application core (Cortex-M33 with TrustZone)

Improved configuration for pairing secure and non-secure firmware images in a wolfBoot managed update flow

Combined with wolfBoot’s existing support for ML-DSA, LMS/XMSS, and hybrid authentication, this makes the nRF5340 a strong platform for post-quantum aware secure boot in IoT and wireless devices.
_________________________________________________________________________________________________________

Unified TrustZone-M and Dual-Bank Behavior
In 2.7.0, we’ve taken another step in making TrustZone-M support consistent across all ARMv8-M targets:

Unified TrustZone-M handling across supported ARMv8-M platforms, so you get the same high-level behavior on devices like STM32H5, RP2350, nRF5340, and others.

A TrustZone-aware dual-bank configuration, where redundant-slot updates respect secure/non-secure boundaries and provide better isolation between the running image and the candidate update.

For STM32H5 specifically, wolfBoot 2.7.0 brings:

An improved SPI driver path

Integration of TPM-based secure storage with updated TrustZone Non-Secure Callable (NSC) APIs

Multiple fixes for dual-bank and TPM-enabled builds to make them more predictable and robust during updates

The simulator target has also been updated with dual-bank flow and a new bank-swap test script, so you can validate redundant-slot update scenarios and rollback logic without touching hardware. Adding features to the simulated platform allows us to test more scenarios in CI.

On the RP2350 (Raspberry Pi Pico 2), wolfBoot now uses a RAM cache for flash writes, increasing robustness against partial writes and power faults during updates.

For Infineon AURIX TC3xx, we’ve moved away from an IDE-centric example to a cleaner HAL module integration, fixing UART and boot-flag handling along the way. This brings the TriCore port in line with other wolfBoot HAL-based targets.
_________________________________________________________________________________________________________

Filesystem-Backed and MTD-Backed Update State Management

A key theme in 2.7.0 is better visibility and control over boot partition state, especially when integrating wolfBoot into larger systems and CI pipelines.

library_fs target and CLI tools

wolfBoot now exposes filesystem-backed partition state access via the new library_fs target and a companion CLI application often referred to as lib-fs.

With this setup, you can:

Build libwolfboot as a library with a backend that maps partitions onto regular files

Use the CLI to query boot partitions, inspect active/inactive slots, and track which image is pending or confirmed

Trigger update operations and simulate swaps without hardware, which is ideal for automated testing and offline integration flows

This is particularly useful when you want to exercise wolfBoot’s state machine and update logic in a host-driven environment, for example, in a CI job that signs images and verifies that rollback and confirmation flows behave as expected.

MTD-backed update status in libwolfboot

For systems that use libwolfboot inside an OS and rely on raw flash / MTD devices, 2.7.0 introduces MTD-backed tracking of update status.

At a high level, this allows libwolfboot to:

Store update state directly on MTD-backed partitions, so progress and status survive resets

Integrate with standard MTD layers often found in Linux and RTOS-based designs (e.g. raw NOR/NAND layouts)

This makes it easier to build robust OTA flows where the application or an update agent interacts with libwolfboot to coordinate staged images and confirmation logic on raw flash devices.
_________________________________________________________________________________________________________

Build System, Tools, and Configuration Improvements

CMake presets and out-of-tree builds
Continuing the build system work from previous releases, wolfBoot 2.7.0 adds CMake presets, improves list handling, and further stabilizes out-of-tree builds, particularly for multi-target configurations.

The goal here is straightforward: make it easier for teams to:

Maintain a single CMake-based project that targets multiple boards or SoCs

Keep a clean source tree by building in separate directories

Automate builds in CI with reproducible preset configurations

Key tools and post-quantum test coverage
The key generation and signing tools have also been refined:

keygen --no-overwrite lets you protect existing key material by refusing to overwrite files, a small but important safety feature in production build pipelines.

Stricter checks on image header and sector size help catch misconfigurations earlier in the build process instead of at boot time.

Expanded ML-DSA test configurations improve coverage for post-quantum signatures, building on the PQC support introduced in earlier wolfBoot releases (ML-DSA, LMS, XMSS, and hybrids).

WOLFBOOT_RESTORE_CLOCK configuration

A new configuration option, WOLFBOOT_RESTORE_CLOCK, gives integrators more fine-grained control over clock behavior around the boot process. When enabled, the HAL can explicitly restore or adjust system clocks as part of its wake-up/exit path, improving compatibility with platforms that expect a particular clock tree configuration before the application starts.

This is especially useful on STM32 and Nordic devices where the clock configuration during boot ROM execution might differ from what the application expects.
_________________________________________________________________________________________________________

Security and Reliability Fixes
As usual, 2.7.0 includes important hardening and bug fixes across the code base:

Encrypted and delta updates
- Additional protection against IV reuse in encrypted update flows
- Fallback and regression fixes
- Expanded unit test coverage around encrypted and delta path handling

Flash and STM32 improvements
- Fixed SPI flash protocol edge cases and strengthened write verification
- Corrected STM32 internal flash page erase masks
- Multiple fixes in STM32H5 update paths, including dual-bank and TPM-enabled builds

PowerPC / NXP P1021
- Resolved stage1 and MMU build issues to keep the PowerPC port aligned with modern toolchains

Warning cleanup and quality-of-life improvements
- Cleanup of compiler warnings across several targets, including STM32WB55 PKA and non-TrustZone nRF5340 builds

These changes improve reliability across a wide range of configurations and reduce friction when enabling more advanced features like dual-bank updates, encrypted delivery, and TPM-based boot flows.
_________________________________________________________________________________________________________

Updated Module Versions
wolfBoot 2.7.0 aligns with the latest wolfSSL ecosystem components, pulling in updated versions of the underlying crypto and HSM libraries:

wolfSSL: v5.8.4-stable (59f4fa568)

wolfTPM: v2.4.0-594-g6d5df60

wolfPKCS11: v2.0.0-stable-33-g81af264

wolfHSM: v1.3.0 (8ac56d7)

By being in sync with the latest version of the components, wolfBoot benefits from the latest performance optimizations, algorithm updates, and security fixes shipped in the wolfSSL family.
_________________________________________________________________________________________________________

Getting wolfBoot 2.7.0 and Next Steps
wolfBoot 2.7.0 is available today:

Download the release package from the wolfSSL download page (select wolfBoot 2.7.0).

Clone the latest tag from the wolfBoot GitHub repository for direct source access and integration.

Refer to the updated documentation and docs/lib.md for details on the library/library_fs targets, libwolfboot integration, and example flows.

If you’d like help integrating wolfBoot 2.7.0 with your platform—whether it’s a Vorago VA416x0 design, a TrustZone-enabled MCU like nRF5340 or STM32H5, or an architecture such as PowerPC or x86—reach out to the wolfSSL team at facts@wolfssl.com. We’re happy to assist with design reviews, custom ports, and compliance-driven secure boot deployments.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call +1 425 245 8247.

Download wolfSSL Now

2025-12-09 09:57:53

wolfTPM 3.10.0 delivers a critical security fix, expanded embedded platform support, and enterprise-grade TPM resource management—empowering developers to build secure, scalable IoT and edge computing solutions with hardware-backed cryptography.

Password Handling Fix
A bug in the wolfTPM2_SetKeyAuthPassword() function introduced in v3.9.2 has been resolved. This API, primarily used by the C# wrapper, was incorrectly truncating passwords to 2 bytes.

Impact: Users of the wolfTPM2_SetKeyAuthPassword API or C# wrapper on v3.9.2

Resolution: Password handling now correctly stores the full authentication credential, with regression tests added

PR: #439

Note: If you are using this API or the C# wrapper with v3.9.2, we recommend updating.

Espressif ESP32 HAL Support
wolfTPM now natively supports ESP32-S3, ESP32-C6, and other ESP32 variants via SPI and I2C interfaces—bringing TPM 2.0 security to millions of IoT devices.

Key Features

Native ESP-IDF integration with pre-configured pin mappings

SPI speeds up to 22 MHz for high-performance cryptographic operations

I2C support for Infineon SLB9673 TPM modules

Hardware-backed key storage, secure boot, and device attestation

PR: #386

Enhanced CMake Build System & TPM Module Selection
Streamlined build configuration with new TPM hardware targeting:

Interface Options: SPI, I2C, MMIO, Linux devtpm, Windows TBS, Software TPM

cmake .. -DWOLFTPM_MODULE=slb9672 -DWOLFTPM_INTERFACE=DEVTPM

PR: #438, #430

Linux TPM Resource Manager Support
New support for /dev/tpmrm0 enables automatic TPM session virtualization and multi-process coordination.

Enable with: WOLFTPM_USE_TPMRM

| Feature | Raw Device (/dev/tpm0) | Resource Manager (/dev/tpmrm0) |
------------------------------------------------------------------------------------------------------------------------
| Multi-process access | Manual coordination | Automatic isolation |
------------------------------------------------------------------------------------------------------------------------
| Session management | Application handles | Kernel manages |
------------------------------------------------------------------------------------------------------------------------
| Cleanup on exit | Must be explicit | Automatic |
------------------------------------------------------------------------------------------------------------------------

PR: #435, #434

Additional Improvements

| Feature | PR |
-----------------------------------------------------------------------------------------------
| Fixed crypto callback hash algorithm selection | #433 |
-----------------------------------------------------------------------------------------------
| Improved signature verification hash detection | #432 |
-----------------------------------------------------------------------------------------------
| Improved TLS bidirectional shutdown | #431 |
-----------------------------------------------------------------------------------------------
| Coverity static analysis fixes | #441 |
-----------------------------------------------------------------------------------------------
| Added make cppcheck option | Various |
-----------------------------------------------------------------------------------------------

Why wolfTPM?

Portable: Runs on bare-metal RTOS, Linux, Windows, and macOS

Lightweight: Small footprint for resource-constrained embedded systems

Standards-compliant: Full TPM 2.0 specification support

Production-ready: Trusted by automotive, aerospace, and industrial customers

Open source: GPLv3 with commercial licensing available

Supported TPM Hardware
Infineon OPTIGA™ SLB9670/9672/9673 • STMicro ST33 • Microchip ATTPM20 • Nuvoton NPCT75x • Nations Tech Z32H330/NS350 • Software TPM simulators

Get Started

git clone https://github.com/wolfSSL/wolfTPM.git
cd wolfTPM && ./autogen.sh && ./configure && make

Resources

GitHub Repository

Full Changes

Documentation

Support

wolfTPM is developed by wolfSSL Inc., the leading provider of lightweight, portable security solutions for embedded systems, IoT, automotive, and enterprise applications.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 424 245 8247.

Download wolfSSL Now

2025-12-04 11:00:02

We are excited to announce the release of wolfMQTT v1.21.0, which introduces support for NetX and ThreadX RTOS platforms as its headline feature. This release continues our commitment to providing a lightweight, secure, and feature-rich MQTT client implementation for embedded systems and IoT applications.

What's New in v1.21.0
The wolfMQTT v1.21.0 release includes several significant enhancements:

NetX and ThreadX RTOS Support
The most notable addition in this release is support for NetX networking stack and ThreadX RTOS. This enables wolfMQTT to be used on a wider range of embedded platforms, particularly those using Azure RTOS (formerly ThreadX) environments. These additions make wolfMQTT an excellent choice for industrial IoT applications and real-time embedded systems.

License Update to GPLv3
Starting with this release, wolfMQTT is now available under the GPLv3 license. This update aligns wolfMQTT with the broader wolfSSL product family licensing model, providing clearer terms for open source usage while commercial licensing remains available for proprietary applications.

Security Improvements
This release includes important security enhancements:

Fixed a heap buffer overflow vulnerability in MqttDecode_Num with improved bounds checking

Enhanced MQTT v5 property-packet protocol validation and decode safety

Corrected state transition checks in MqttClient_Auth for more robust authentication handling

Post-Quantum Cryptography Updates
The ML-KEM hybrid key exchange names have been updated to match the latest IETF Draft specifications. This ensures compatibility with evolving post-quantum cryptography standards and maintains interoperability with other implementations following the IETF naming conventions.

ESP-IDF v5.5 Support
The Espressif ESP-IDF examples have been updated and pinned to ESP-IDF v5.5, ensuring compatibility with the latest Espressif development framework. This update also includes workflow improvements and line ending fixes for better cross-platform development.

Additional Improvements

Updated test certificates to replace expired ones

Restored instructions for testing against OQS Mosquitto integration

Added fflush to mqtt-sub example for improved output handling

Various bug fixes for MQTT property decode error checks

About wolfMQTT
wolfMQTT is a lightweight, embedded MQTT client implementation written in C that supports SSL/TLS via the wolfSSL library. It was built from the ground up to be multi-platform, space conscious, and extensible. The library supports:

MQTT v3.1.1 and v5.0 protocols

MQTT-SN (MQTT for Sensor Networks)

Quality of Service (QoS) levels 0-2

TLS encryption via wolfSSL

Non-blocking communications

Multithreading for parallel operations

Integration with popular IoT platforms (AWS IoT, Azure IoT Hub, IBM Watson IoT)

Getting wolfMQTT v1.21.0
The wolfMQTT v1.21.0 release is available now on our download page and GitHub.

Release 1.21.0 has been developed according to wolfSSL's development and QA process and successfully passed the quality criteria.

Check out the ChangeLog for a full list of features and fixes, or contact us at facts@wolfSSL.com with any questions.

While you're there, show us some love and give the wolfMQTT project a Star!

You can download the latest wolfMQTT release from our website or clone directly from our GitHub repository.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

2025-11-21 15:26:16

wolfSSL 5.8.4 introduces several updates, including the addition of a GPLv3 exceptions list. This allows specific GPLv3-licensed codebases linking against wolfSSL to continue using wolfSSL under GPLv2.

Current GPLv3 Exception:

MariaDB Server

MariaDB Client Libraries

OpenVPN-NL

Fetchmail

OpenVPN

Security Fixes

This release includes multiple fixes across TLS 1.2, TLS 1.3, X25519, XChaCha20-Poly1305, and PSK processing. Highlights include:

A timing-side-channel issue in X25519 specifically affecting Xtensa-based ESP32 devices. Low-memory X25519 implementations are now the default for Xtensa.

A medium-severity TLS 1.3 server-side DoS risk from repeated KeyShareEntry values in malicious ClientHello messages.

Several TLS 1.3 downgrade-related issues (PFS downgrades, signature algorithm downgrades, and duplicate extension parsing).

A memory leak risk in TLS 1.2 certificate digest handling.

XChaCha20-Poly1305 decryption bounds-check fix and constant-time improvements in PSK binder verification.

Special thanks to Adrian Cinal, Jaehun Lee, and Kyungmin Bae (POSTECH), Luigino Camastra (Aisle Research), and all researchers who contributed.

New Features

This release includes focused improvements and additions:

ML-KEM / ML-DSA: new APIs, PKCS8 seed/import support, and improved key management.

FreeBSD kernel module: initial support for wolfCrypt in the FreeBSD kernel.

PKCS7/CMS: expanded decoding capabilities, additional callbacks, and more flexible builds.

Rust wrapper enhancements: broader algorithm coverage, optional heap/dev_id support, and conditional compilation based on C build options.

Hardware platform updates: STM32 and PSoC6 improvements, including STM32U5 SAES support.

New –enable-curl=tiny option for smaller cURL-linked builds.

Improvements & Optimizations

Key improvements include:

Broader and more consistent testing across TLS 1.3/1.2, libssh2, Arduino, ESP-IDF, and nightly workflows.

Documentation updates, expanded crypto-callback support, and improved AES/HW offload functionality.

ESP32, Renesas FSP/RA, and SGX build enhancements.

Build-system refinements across Autotools, CMake, Apple platforms, and Debian packaging.

RISC-V and PPC32 assembly introspection helpers and benchmarking updates.

Bug Fixes

Notable fixes:

C# wrapper correction for Ed25519 raw public-key import.

Sniffer stability fixes and X.509 path-length and certificate-chain improvements.

DTLS ordering, cookie handling, and replay protection updates.

Kernel-mode, FIPS, and PIE-related build fixes.

ML-KEM/ML-DSA correctness and safety fixes.

Various static-analysis, warning cleanup, memory-management, and undefined-behavior fixes.

For a more detailed list of changes, check out the ChangeLog.md bundled with wolfSSL. To download the latest release, go to the download page. For any questions, reach out to us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

2025-11-04 14:20:57

wolfSSL is proud to announce the release of wolfProvider 1.1.0. This major release represents a significant milestone in our commitment to providing robust OpenSSL 3.x compatibility with FIPS 140-3 validated cryptography. wolfProvider 1.1.0 has been developed according to wolfSSL’s rigorous development and QA process and has successfully passed our quality criteria.

wolfProvider is designed for customers who want FIPS-validated cryptography but are already invested in using OpenSSL. The provider delivers drop-in replacements for cryptographic algorithms used by OpenSSL, leveraging the wolfCrypt engine underneath, which is FIPS 140-3 certified.

New Cryptographic Features
This release introduces several important cryptographic capabilities:

KBKDF (Key-Based Key Derivation Function): Implementation of NIST SP 800-108 key derivation for secure key generation from existing key material.

KRB5KDF (Kerberos 5 Key Derivation Function): Support for Kerberos cryptographic operations, enabling enterprise authentication scenarios.

AES-CTS (Ciphertext Stealing): Additional AES cipher mode for applications requiring specific padding behavior.

RSA No-Padding Operations: Raw RSA encrypt/decrypt operations for applications with custom padding schemes.

Replace-Default Provider Mode
A groundbreaking feature in this release is the ability to replace OpenSSL’s default provider entirely with wolfProvider. This mode makes wolfProvider the primary cryptographic implementation system-wide, allowing existing OpenSSL applications to transparently use wolfSSL’s FIPS-validated cryptography without any code modifications. This feature includes comprehensive testing to ensure the default swap works as expected across various scenarios.

Enhanced Testing and Quality Assurance
wolfProvider 1.1.0 significantly expands our integration testing with real-world open-source applications. We’ve added automated CI/CD workflows for over 40 popular applications, ensuring wolfProvider works seamlessly with:

Network Infrastructure: gRPC, OpenSSH, libssh2, OpenSC/PKCS11, OpenLDAP, IPMItool, Stunnel, socat, SSSD, net-snmp, liboauth2, tnftp, systemd, X11VNC, sscep, TPM2 tools, libcryptsetup, libtss2, KRB5, bind9, hostap
Development Tools: Python3 NTP, libeac, xmlsec, Qt5 Network, rsync, libwebsockets, tcpdump, cjose, iperf, libfido2, ppp, pam-pkcs11, kmod, libnice

This extensive testing demonstrates wolfProvider’s production-readiness and compatibility with the broader OpenSSL ecosystem.

Command-Line Integration
New command-line integration tests validate wolfProvider’s compatibility with OpenSSL command-line tools for AES, RSA, RSA-PSS, Hash, and ECC operations. This ensures that scripts and automation tools using OpenSSL commands work correctly with wolfProvider.

Debian Package Support
This release includes comprehensive Debian packaging support, making deployment on Debian-based systems straightforward. The packaging includes proper dependency management and integration with the system OpenSSL configurations.

Bug Fixes and Stability Improvements
wolfProvider 1.1.0 includes over 100 bug fixes addressing issues across all cryptographic operations:
AES Improvements: Fixed AES-GCM streaming bugs, authentication tag handling, IV management, and CBC consecutive call handling.
RSA Enhancements: Resolved RSA PSS decoding issues, key import edge cases, keygen retry logic, certificate display formatting, and parameter handling.
ECC Fixes: Corrected public key validation, parameter handling, private key operations, signing restrictions, and encoding issues.
DH Corrections: Fixed FIPS build compatibility, parameter handling, private key operations, and decoder registrations.
General Stability: Improved locking around signature operations, NULL reinit handling, core libctx management, and OpenSSL patching detection.

Looking Forward
wolfProvider 1.1.0 represents a major step forward in providing FIPS-validated cryptography to the OpenSSL ecosystem. The extensive integration testing, new cryptographic features, and replace-default mode make this release suitable for production deployment in enterprise environments requiring FIPS compliance.

Refer to the README.md found in the release for usage instructions. We also maintain a ChangeLog.md for a complete list of changes in each release.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

2025-10-23 15:35:32

Version 1.4.21 of wolfSSH is now available! This update includes a critical security fix, improved interoperability, and enhancements for embedded and hardware-backed key use cases.

Security Updates
This release addresses two security issues:

CVE-2025-11625: Fixed a client-side host verification bypass that could expose credentials. (PR#840)

CVE-2025-11624: Fixed an SFTP server stack overflow triggered by malformed input. Thanks to Stanislav Fort of Aisle Research for the report

Feature Additions

TPM key authentication for hardware-based identity protection.

ED25519 key generation support added to the API.

Curve25519 alias compatibility with curve25519-sha256@libssh.org for improved interoperability.

Keyboard-interactive authentication can now be enabled at build time (--enable-keyboard-interactive).

AES-CBC is now disabled by default, shifting focus toward stronger default cipher suites.

Added Microchip ATSAMV71Q21B example with harmony filesystem integration.

This version refines FATFS support, enhances user authentication handling, and improves SFTP and rekeying operations. Post quantum hybrid support was also touched up along with numerous Coverity findings, warning cleanups, and minor API consistency fixes.

Users of the wolfSSH client code or SFTP server should upgrade, particularly those relying on host verification.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

2025-08-18 10:19:56

The wolfSSL team has released version 2.6.0 of wolfBoot, the lightweight and portable secure bootloader for embedded systems. This update expands platform coverage, improves support for external memory layouts, and adds key performance optimizations for a range of architectures. It also includes critical fixes and brings updated module integration across the wolfSSL ecosystem.

New Platform Support
PIC32CZ CA (Cortex-M7) and PIC32CK (Cortex-M33) devices from Microchip are now supported. The PIC32CZ family targets high-performance secure connected applications with integrated HSM and extended memory. The PIC32CK line brings TrustZone support for secure partitioning on Armv8-M systems. wolfBoot can now provide verified secure boot and firmware updates across both families.

External Flash Support with ELF Scattering
wolfBoot now supports external flash configurations when using ELF scattering mode. This enables firmware sections to be distributed between internal and external flash, useful in scenarios where internal flash is limited or where larger applications are split across multiple memory regions.

Encrypted Updates on Renesas RX
Encrypted firmware updates are now supported for the Renesas RX family. When paired with Renesas TSIP (Trusted Secure IP), wolfBoot can handle encrypted update packages, with decryption performed securely on-chip using hardware-managed keys. This provides strong protection for sensitive firmware in the field.

PowerPC 32-bit Optimizations
New assembly-level optimizations for SHA and AES are now available on 32-bit PowerPC platforms. These improvements reduce boot-time cryptographic processing overhead and improve performance during image verification and decryption operations.

STM32F4 Enhancements
wolfBoot v2.6.0 includes updated clock configuration logic for the STM32F4 series, ensuring compatibility across the full device family. In addition, support has been added for the STM32F411 variant, commonly used in development and prototyping platforms.

Fixes and Improvements
This release includes several important bug fixes:

Fixed unaligned memory access on Cortex-A5

Corrected compile flags to allow execution from RAM on ARM targets

Proper handling of VTOR_NS when staging non-secure images in TrustZone-M mode

Removed redundant flash write-after-erase cycle in wolfBoot_update_trigger

Multiple TrustZone-related fixes for STM32H5 devices

These changes improve stability, reduce flash wear, and ensure correct behavior on secure platforms.

Updated Module Versions
The following components have been updated in this release:

wolfSSL version 5.8.2 or later

wolfTPM version 3.9.1 or later

wolfPKCS11 latest revision

wolfHSM latest revision

More Information
To download the latest version of wolfBoot, visit our download page or clone it from the wolfBoot GitHub repository. For questions about commercial support, licensing, or integration assistance, please contact us at facts@wolfssl.com or +1 425 245 8247.

2025-07-29 14:22:41

wolfCLU version 0.1.9 is now available! This command-line utility, built on the wolfSSL embedded TLS library, helps with admin tasks and common use cases such as key generation and certificate parsing to human human-readable form.

Among the most notable changes to this release is the addition of support for PKCS8 and Base64 commands, introduced in PR #178. These features make it easier to handle common encoding formats and key conversions directly from the command line, streamlining workflows involving PEM or DER-encoded data.

The update also includes important fixes to macro definitions related to client and server Key Encapsulation Mechanisms (KEM), as noted in PR #177. These corrections ensure proper configuration and usage when working with post-quantum cryptographic modes and hybrid TLS key exchange scenarios.

To support users working in FIPS-approved environments, wolfCLU now better aligns with FIPS 140-3 expectations. In PR #183, tests were adjusted to reflect the removal of DES in FIPS mode, and new output was added to indicate when FIPS is enabled. These changes help clarify operational state and support auditability during validation efforts.

This release also updates the license from GPLv2 to GPLv3 (PR #184).

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now
wolfSSL is the best tested TLS library.

2025-07-18 13:11:22

wolfSSL 5.8.2 is now available! We are excited to announce the release of wolfSSL 5.8.2, packed with significant enhancements, introducing new functionalities, and refining existing features!

Important Notes for this Release

GPLv3 Licensing: wolfSSL has transitioned from GPLv2 to GPLv3.

Deprecated Feature: `–enable-heapmath` is now deprecated.

MD5 Disabled by Default: For enhanced security, MD5 is now disabled by default.

Key Highlights of wolfSSL 5.8.2

Vulnerability Mitigations:

ECC and Ed25519 Fault Injection Mitigation (Low): (Thanks to Kevin from Fraunhofer AISEC)

Apple Native Cert Validation Override (High – CVE-2025-7395): (Thanks to Thomas Leong from ExpressVPN)

Predictable `RAND_bytes()` after `fork()` (Medium – CVE-2025-7394): (Thanks to Per Allansson from Appgate)

Curve25519 Blinding Enabled by Default (Low – CVE-2025-7396): (Thanks to Arnaud Varillon, Laurent Sauvage, and Allan Delautre from Telecom Paris)

New Features:

Sniffer Enhancements: Support for multiple sessions and a new `ssl_RemoveSession()` API for cleanup.

New ASN.1 X509 API: `wc_GetSubjectPubKeyInfoDerFromCert` for retrieving public key information.

PKCS#12 Improvements: `wc_PKCS12_create()` now supports PBE_AES(256|128)_CBC key and certificate encryptions.

PKCS#7 Decoding: Added `wc_PKCS7_DecodeEncryptedKeyPackage()` for decoding encrypted key packages.

Linux Kernel Module Expansion: All AES, SHA, and HMAC functionality now implemented within the Linux Kernel Module.

OpenSSL Compatibility Layer Additions: New APIs for X.509 extensions and RSA PSS: `i2d_PrivateKey_bio`, `BN_ucmp`, and `X509v3_get_ext_by_NID`.

Platform Support: Added support for STM32N6.

Assembly Optimizations: Implemented SHA-256 for PPC 32 assembly.

Improvements & Optimizations

This release includes a wide range of improvements across various categories, including:

Extensive Linux Kernel Module (LinuxKM) Enhancements: Numerous minor fixes, registrations, and optimizations for cryptography operations within the Linux Kernel Module.

Post-Quantum Cryptography (PQC) & Asymmetric Algorithms: Updates to Kyber, backward compatibility for ML_KEM IDs, fixes for LMS building and parameters, and OpenSSL format support for ML-DSA/Dilithium.

Build System & Portability: General build configuration fixes, improvements for older GCC versions, new CMakePresets, and default MD5 disabling.

Testing & Debugging: Enhanced debugging output, additional unit tests for increased code coverage, and improved benchmark help options.

Certificates & ASN.1: Improved handling of X509 extensions, fixed printing of empty names, and better error handling.

TLS/DTLS & Handshake: Corrected group handling, improved DTLS record processing, and refined TLS 1.3 key derivation.

Memory Management & Optimizations: Stack refactors, improved stack size with MLKEM and Dilithium, and heap math improvements.

Cryptography & Hash Functions: Added options to disable assembly optimizations for SipHash and SHA3, and improved Aarch64 XFENCE.

Platform-Specific & Hardware Integration: Explicit support for ESP32P4, public `wc_tsip_*` APIs, and enhanced PlatformIO certificate bundle support.

General Improvements & Refactoring: Updated libspdm, fixed PEM key formatting, and improved API accessibility for certificate failure callbacks.

wolfSSL 5.8.2 also includes some nice bug fixes, addressing issues across various modules, ensuring greater stability and reliability. For a complete and detailed list of all changes, please refer to the full release notes.

We encourage all users to upgrade to wolfSSL 5.8.2 to take advantage of these important security updates, new features, and performance enhancements. Download the latest release.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now
wolfSSL is the best tested TLS

2025-05-08 15:13:35

We are pleased to announce the release of wolfBoot 2.5.0, the newest version of our universal secure bootloader. This release marks another milestone in the continued evolution of wolfBoot, reinforcing its relevance as a cutting-edge secure boot solution for embedded systems. wolfBoot 2.5.0 brings expanded hardware support, major new features, and a host of improvements to performance and security, all while maintaining the simplicity and robustness our users expect.

New hardware targets and platform enhancements
wolfBoot 2.5.0 expands its hardware compatibility, adding support for several new platforms and improving existing targets. Notable additions and enhancements include:

New target support: wolfBoot now supports the Raspberry Pi RP2350 microcontroller, NXP’s MCX family (including the MCXA153 and MCXW716 series), and the STMicroelectronics STM32F1 series. These additions extend wolfBoot’s reach from the latest Pi Pico 2 board to NXP’s advanced Cortex-M33 based MCUs and even legacy STM32F1 devices (like the popular “blue-pill” board), demonstrating once again our team’s commitment to maximize device coverage.

Enhanced support: Existing platform ports have been refined for better stability and performance, notably for the Xilinx UltraScale+ MPSoC (ZynqMP), Renesas RX family, and Infineon AURIX TriCore TC3xx microcontrollers. Developers using ZynqMP devices will benefit from smoother integration (e.g. improved standalone boot support and exception level handling), while updates to the Renesas RX and AURIX TC3xx ports include more efficient flash management and boot-time reliability improvements. These platform enhancements make it easier and more efficient to deploy wolfBoot on a wider range of hardware.

Major new features and enhancements
Version 2.5.0 introduces several important features aimed at both simplifying the developer experience and strengthening security:

Non-contiguous ELF section support: wolfBoot can now load and verify firmware images with non-contiguous (scattered) ELF sections. In practical terms, this means the bootloader handles images that are split across multiple memory regions, accommodating complex memory maps and multi-part firmware layouts. This feature adds flexibility for projects that utilize segmented flash or RAM areas for their application code and data.

Streamlined PQC integration: Post-Quantum Cryptography support in wolfBoot has been simplified and updated. wolfBoot 2.5.0 includes the latest PQC algorithm support from wolfCrypt (such as the recently standardized ML-DSA) and makes it easier to configure PQC-based signature verificationwolfssl.com. By refining the integration of PQC algorithms, we continue to help users prepare for a post-quantum future without sacrificing ease of use.

Static library build option: In addition to the traditional standalone bootloader binary, wolfBoot can now be built as a static library (libwolfboot.a). This gives developers the flexibility to integrate wolfBoot’s secure boot functionality directly into their applications or custom boot frameworks. The static-lib build simplifies certain use cases — for example, linking wolfBoot into a monolithic firmware image or using wolfBoot features in an RTOS environment — by allowing wolfBoot to be called like a library rather than a separate bootloader image.

Glitch attack mitigation (IAR toolchain): Security against hardware fault-injection attacks (glitches) has been further hardened in this release. We’ve extended our glitch mitigation techniques to better support the IAR Embedded Workbench toolchain, ensuring that builds compiled with IAR include additional countermeasures against timing and voltage glitch attacks. These low-level improvements make the secure boot process even more resilient to physical attack attempts, protecting the integrity of the firmware verification steps.

Build system and documentation improvements
wolfBoot 2.5.0 comes with numerous build system refinements and documentation updates to streamline development. We have refactored the CMake build system to improve cross-platform support and clarity, making it easier to compile wolfBoot for various targets and toolchains. This includes cleaner integration for IAR and other compilers, as well as a more organized project structure for out-of-the-box builds. Additionally, our documentation has been improved across the board – from updated user manuals and API references to new examples and guides – to help both new and experienced users get the most out of wolfBoot. Whether you’re configuring a multi-slot update scheme or integrating wolfBoot with a TPM, the clearer documentation will guide you through the process more smoothly. (As always, detailed change logs and usage instructions can be found in the README and docs accompanying the release.)

Bug fixes and updated modules
As with every release, wolfBoot 2.5.0 includes key bug fixes that enhance stability and reliability. Various minor issues identified in the previous version have been addressed, resulting in a more robust bootloader across all supported platforms. In particular, fixes were applied to edge cases in flash memory handling and update workflows to ensure consistent behavior in all update scenarios.
Moreover, the cryptographic and secure hardware modules underlying wolfBoot have been updated to their latest versions. wolfBoot 2.5.0 is powered by wolfSSL 5.8.0 – bringing in the newest optimizations and post-quantum enhancements from the wolfCrypt engine – and it can integrate with wolfTPM 3.9.0 for TPM-based secure boot use cases. By using the latest wolfSSL v5.8.0 and wolfTPM v3.9.0 releases, wolfBoot ensures compatibility with the most up-to-date security features and fixes from those libraries. This means developers get improved performance, up-to-date cryptographic algorithms, and continued FIPS 140-3 readiness through wolfCrypt.
wolfBoot’s security is, as always, built on wolfCrypt, which allows the boot process to leverage FIPS-certified crypto and even meet safety standards like DO-178C when required. Upgrading to wolfBoot 2.5.0 brings all these benefits into your secure boot process.

Getting wolfBoot 2.5.0 and support
wolfBoot 2.5.0 is available for download now, and we encourage everyone to try out the new features and improvements. You can find the source code and release package on our GitHub repository and the wolfSSL download page. Documentation for this release, including an updated user manual and examples, is available on our website to help you get started quickly.

If you have any questions about wolfBoot 2.5.0 or need help with integration, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247. The wolfSSL team offers commercial support and consulting services for those who require dedicated assistance or custom features. Whether you are upgrading an existing project or designing a new device with wolfBoot, our team is here to ensure your secure boot implementation is successful.

Download wolfSSL Now
wolfSSL is the best tested TLS

2025-05-05 12:03:09

We are excited to announce the release of wolfMQTT v1.20.0, which introduces WebSocket support as its headline feature. This release continues our commitment to providing a lightweight, secure, and feature-rich MQTT client implementation for embedded systems and IoT applications.

What’s New in v1.20.0
The wolfMQTT v1.20.0 release includes several significant enhancements:

WebSocket Support
The most notable addition in this release is comprehensive support for MQTT over WebSockets. This feature allows wolfMQTT clients to connect to MQTT brokers through WebSocket endpoints, which is particularly valuable in environments where traditional MQTT ports might be blocked or when integrating with web applications.

Both standard WebSockets and secure WebSockets (WSS) are now supported, providing flexibility for various security requirements:

Standard WebSockets: Connect to brokers using the WebSocket protocol without encryption

Secure WebSockets: Use TLS to encrypt the WebSocket connection for enhanced security

Secure WebSocket CI Testing
To ensure the reliability of the new WebSocket functionality, we’ve added continuous integration testing specifically for secure WebSockets. This testing helps maintain the high quality and stability that users expect from wolfMQTT.

Improved CMake Support
This release includes improvements to the CMake build system:

Enhanced duplicate component checking in CMake builds

Better compatibility with the latest Managed Components

Additional Improvements

Updated examples for the latest Managed Components

Fixed an issue with OQS’s Mosquitto being out of date

About wolfMQTT
wolfMQTT is a lightweight, embedded MQTT client implementation written in C that supports SSL/TLS via the wolfSSL library. It was built from the ground up to be multi-platform, space conscious, and extensible. The library supports:

MQTT v3.1.1 and v5.0 protocols

MQTT-SN (MQTT for Sensor Networks)

Quality of Service (QoS) levels 0-2

TLS encryption via wolfSSL

Non-blocking communications

Multithreading for parallel operations

Integration with popular IoT platforms (AWS IoT, Azure IoT Hub, IBM Watson IoT)

Getting wolfMQTT v1.20.0
The wolfMQTT v1.20.0 release is available now on our download page and GitHub.
Release 1.20.0 has been developed according to wolfSSL’s development and QA process and successfully passed the quality criteria.
Check out the ChangeLog for a full list of features and fixes, or contact us at facts@wolfSSL.com with any questions.
While you’re there, show us some love and give the wolfMQTT project a Star!
You can download the latest wolfMQTT release from our website or clone directly from our GitHub repository.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now
wolfSSL is the best tested TLS

2025-04-28 09:44:00

We are excited to announce that wolfSSL version 5.8.0 is now available. This release brings several important new features and improvements. Below are the key new additions:

New Features

Implemented various fixes to support building for Open Watcom, including OS/2 support and Open Watcom 1.9 compatibility (PR 8505, 8484).

Added support for STM32H7S (tested on NUCLEO-H7S3L8) (PR 8488).

Added support for STM32WBA (PR 8550).

Added Extended Master Secret Generation Callback to the –enable-pkcallbacks build (PR 8303).

Implemented AES-CTS (–enable-aescts) in wolfCrypt (PR 8594).

Added support for libimobiledevice commit 860ffb (PR 8373).

Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 IPD (PR 8307).

Added blinding option when using a Curve25519 private key by defining the macro WOLFSSL_CURVE25519_BLINDING (PR 8392).

ML-DSA and Post-Quantum Cryptography Enhancements
In line with NIST’s latest documentation, wolfSSL has updated its Kyber implementation to ML-DSA (Multi-Lattice Digital Signature Algorithm), which is fully supported in this release. Additionally, the release includes updates to further optimize ML-DSA and LMS (Lattice-based Signature) schemes, reducing memory usage and improving performance.

Linux Kernel Module (linuxkm) Updates
wolfSSL 5.8.0 expands support for the Linux Kernel Module (linuxkm), with several important enhancements to improve kernel-level cryptographic integration. This includes extended LKCAPI registration support for rfc4106(gcm(aes)), ctr(aes), ofb(aes), ecb(aes), and the legacy one-shot AES-GCM backend. Compatibility improvements have been added for newer kernels (?6.8), and calls to scatterwalk_map() and scatterwalk_unmap() have been updated for Linux 6.15. The release also registers ECDSA, ECDH, and RSA algorithms with the kernel crypto API and introduces safeguards for key handling, including forced zeroing of shared secrets. These changes make it possible to use more wolfSSL functionality in the kernel space.

For a full list of fixes and optimizations check out the ChangeLog.md bundled with wolfSSL. Download the latest release from the download page. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now
wolfSSL is the best tested TLS

2025-03-26 12:25:36

The wolfSSL team has released wolfProvider version 1.0.2, introducing several new features and important fixes!

New Features

RSA Verify Recover Support: Adds functionality for RSA verify recover operations, enhancing compatibility with applications requiring this capability.

DES3 Implementation: Provides legacy application support with DES3 CBC mode implementation.

Open Source Integration Testing: New workflows for automated testing with NGINX, cURL, and OpenVPN, ensuring compatibility across applications.

Enhancements and Fixes

RSA Improvements: Better key type handling during import operations and fixed parameter handling for proper functionality.

AES-GCM Stream Handling: Enhanced IV handling for compatibility with OpenSSH workflows.

ECC Parameter Encoding: Fixed encoding for OpenSSL genpkey compatibility, resolving interoperability issues.

Stability Improvements

FIPS Testing Capabilities: Enhanced testing for FIPS compliance scenarios.

Error Handling: Improved logging and error reporting throughout the codebase.

Documentation Updates: Enhanced examples and documentation for easier integration.

Check out the ChangeLog for a full list of features and fixes.

Stay updated with wolfProvider for ongoing enhancements! If you have questions about any of the above, please contact us at facts@wolfSSL.com or call ua at +1 425 245 8247.

Download wolfSSL Now

wolfSSL is the best tested TLS

2025-02-20 15:51:03

The wolfSSL team has released wolfSSH version 1.4.20, introducing some new features and nice fixes!

New Features:

DH Group 16 and HMAC-SHA2-512 Support: This addition gives more options for algorithms used when connecting and more interoperability with other implementations.

Keyboard-Interactive Authentication: Providing a more versatile authentication method implementing RFC 4256.

Enhancements and Fixes:

Memory Management Improvements: wolfSSH now handles memory more efficiently, particularly in RNG initialization and the SCP example, ensuring cleaner resource management.

Stability Enhancements: Updates to wolfSSHd include better handling of failures and connections, making the server more robust and reliable.

Resolved Issues: Fixes address SFTP compilation problems with WOLFSSH_FATFS and simplify the autogen script for easier integration.

Check out the ChangeLog for a full list of features and fixes.

Stay updated with wolfSSH for ongoing enhancements! If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now
wolfSSL is the best tested TLS

2025-02-14 15:27:22

In the realm of lightweight MQTT (Message Queuing Telemetry Transport) implementations, wolfMQTT maintains its commitment to reliability and performance. With the release of version 1.19.2, wolfMQTT strengthens its core functionality through targeted improvements and enhanced testing infrastructure.

Key Improvements:

Enhanced Connection Reliability
The implementation of improved error handling in the “mqttsimple” client ensures more robust connection management, particularly beneficial for embedded applications where connection stability is crucial.

Optimized Keep-Alive Mechanism
A significant enhancement to the ping response handling improves the reliability of MQTT keep-alive functionality, ensuring more stable long-term connections and better resource management.

Strengthened Testing Infrastructure
- Modernized continuous integration workflow with Ubuntu 22.04
- Enhanced artifact testing procedures for more comprehensive quality assurance
- Improved Zephyr platform compatibility through targeted build fixes

Release 1.19.2 has been developed according to wolfSSL's development and QA process and successfully passed the quality criteria.

Check out the ChangeLog for a full list of features and fixes, or contact us at facts@wolfssl.com with any questions.

While you're there, show us some love and give the wolfMQTT project a Star!

You can download the latest wolfMQTT release from our website or clone directly from our GitHub repository.

If you have questions about any of the above, please contact us at facts@wolfssl.com or callus at +1 425 245 8247.

Download wolfSSL Now
wolfSSL is the best tested TLS

2025-01-30 13:56:28

We are pleased to announce the release of wolfTPM 3.8.0, our latest version with several important enhancements.

What's New
This release includes a range of fixes and improvements that enhance the overall quality and reliability of wolfTPM. These changes are designed to support the delivery of high-quality production-grade products that meet the needs of our customers.

Key Change

Session Auth Improvements: We've fixed an issue with bound session authentication, ensuring that TPM 2.0 authenticated sessions with binding work correctly. Additionally, we've added comprehensive test cases to verify the functionality.

Bus Protection: Our implementation of the TCG "bus protection guidance" now includes a comprehensive example, making it easier for developers to ensure their applications meet these critical security standards. For more information on our bus protection guidance, please refer to the TCG's bus protection guidance document.

Build Support: We've improved support for building wolfTPM against older wolfCrypt versions, including updated CI tests.

HAL IO Improvements: We've added HAL IO support for Microchip I2C bit-bang driver

TPM 2.0 Use Cases
wolfTPM is designed to provide a robust and secure foundation for a wide range of applications, from IoT devices to high-end servers. Here are some examples of how wolfTPM 3.8.0 can help:

Secure Boot: wolfTPM provides a robust secure boot mechanism, ensuring that only authorized firmware can be loaded on the platform.

Platform Firmware Updates: Our implementation of bus protection guidance includes support for secure firmware updates, making it easier to keep platforms up-to-date and secure.

Key Management: wolfTPM can be used to manage cryptographic keys securely, providing a reliable and efficient way to handle sensitive data.

Hardware-Level Isolation: wolfTPM’s hardware-level isolation features provide a robust security foundation for applications that require high levels of isolation.

Trusted Execution Environments (TEEs): wolfTPM is designed to work seamlessly with TEEs, providing a secure environment for executing critical functions.

Getting Started
Download the latest version of wolfTPM 3.8.0 today! Check out the complete ChangeLog for full details.

As always, we appreciate your contribution and feedback. If you have any questions or suggestions, please email facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now
wolfSSL is the best tested TLS.

2025-01-28 14:00:33

We are excited to announce the release of wolfBoot 2.4.0, the latest version of our universal secure bootloader. This update brings enhanced platform support, new features, and performance improvements to keep offering the best secure boot solution for all embedded systems.

Integration with wolfHSM and Improved delta updates
A major highlight of this release is the integration with wolfHSM, enabling secure key management through an externally-managed HSM. This integration allows for the transparent management and revocation of the stored public key, as well as support for post-quantum algorithms (ML-DSA).

Delta update detection mechanism has been improved and is now more reliable, with the addition of extra procedures for identifying base image versions.

New hardware targets and platform enhancements
wolfBoot 2.4.0 adds support for the NXP Layerscape LS1028A platform, extending compatibility with high-performance devices.

Support for existing platforms, including ARMv7-M/ARMv8-M, x86-FSP and Xilinx UltraScale+, has been updated with enhanced ARMASM integration, and improved QSPI DMA for efficient memory interaction. Support for Intel TigerLake has improved, with the addition of GDT table support.

New assembly optimizations introduced in latest wolfCrypt have introduced a significant improvement in boot time performance across all ARM family, from Cortex-M devices such as STM32 microcontroller up to the most powerful microprocessors supported.

Bug fixes and updated modules

Key fixes address potential issues in flash write-once mode. Moreover, the core modules have been updated to the latest versions, including wolfSSL 5.7.6 and wolfTPM 3.8.0.

wolfBoot security is powered by wolfCrypt. This means that the secure boot process can be certified to meet FIPS 140-3 requirements and DO-178C safety regulations.

Looking Ahead: Exciting Roadmap for 2025

This year, we’re setting our sights on expanding wolfBoot’s capabilities even further. Planned features include support for running wolfBoot as a supervisor in TrustZone-A, platform support for i.MX-8, and integration with the STM32 MP1 series. Stay tuned for these and more as we continue to innovate and enhance secure boot for all embedded systems.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now
wolfSSL is the best tested TLS

2025-01-24 21:07:17

wolfSSL JNI/JSSE 1.15.0 is now available for download! This release contains a number of bug fixes and changes to the JNI and JSSE layers.

wolfSSL JNI/JSSE allows for easy use of the native wolfSSL SSL/TLS library from Java. The thin JNI wrapper can be used for direct JNI calls into native wolfSSL, or the JSSE provider (wolfJSSE) can be registered as a Java Security provider for seamless integration underneath the Java Security API. wolfSSL JNI/JSSE provides TLS 1.3 support and can also support running on top of the wolfCrypt FIPS 140-3 validated cryptography module.

Changes in this release are summarized below, but please see ChangeLog.md for a full list.

JSSE System/Security Property Support:

wolfssljni.debug – a new System property that enables JNI-level debug logging. This will add debug logs for the lower-level “com.wolfssl.*” classes that are part of the thin wolfSSL JNI wrapper. This is helpful for those users who are using the thin wolfSS JNI wrapper, or for JSSE-level users who need additional low-level debug logging support.

JSSE Changes:

Close the underlying Socket when SSLSocket startHandshake() fails before an exception is thrown and returned to the caller.

Fix a potential NullPointerException in SSLSocket Input/OutputStream that could happen in a threaded environment with some threads blocked in select()/poll().

Add support for SSLSession.getRequestedServerNames() to return the client’s SNI (Server Name Indication) request on the server side.

Add checks for legacy DHE keys for cipher suites using keys less than 1024 bits.

Optimize Java byte array creation in SSLEngine objects when receiving app data. This has a positive impact on performance by reducing garbage collector pressure.

Add the ability for SSLSocket.close() to interrupt read()/write() operations waiting in select()/poll(). This can speed up the return of threads blocked in read or write operations when the socket is closed, instead of waiting for the socket timeout to occur.

JNI Changes:

Always call wolfSSL_get1_session() inside WolfSSLSession.getSession() for more consistent native memory handling and cleanup.

Call wc_RunAllCast_fips() with wolfCrypt FIPS builds if available. This will run all FIPS Conditional Algorithm Self Tests (CAST) up front when the wolfJSSE provider is registered.

Add the ability to pass CFLAGS to java.sh (ie: CFLAGS=”-DTEST_DEFINE” ./java.sh)

Remove incorrect ATOMIC_USER preprocessor gate around native wolfSSL_GetSide() inside JNI glue code.

Example Changes:

Updates the example Android Studio project, defining WOLFSSL_CERT_REQ and WOLFSSL_CUSTOM_CONFIG. These defines are either not needed, or automatically set when building native wolfSSL on a Linux/Unix platform with “./configure –enable-jni”.

Testing Changes:

Add GitHub Actions PRB test for Maven (Linux, macOS) builds

Add JUnit tests for SSLSession state at various points throughout the handshake

Add GitHub Actions PRB test for native wolfSSL with NO_SESSION_CACHE_REF defined

Add GitHub Actions PRB test for WOLFJNI_USE_IO_SELECT

wolfSSL JNI/JSSE 1.15.0 can be downloaded from the wolfSSL download page, and an updated version of the wolfSSL JNI/JSSE User Manual can be found here. For any questions, or to get help using wolfSSL products in your projects, contact us at support@wolfSSL.com.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now
wolfSSL is the best tested TLS

2025-01-24 20:38:00

wolfCrypt JNI/JCE 1.8.0 is now available for download! This release contains a number of bug fixes, changes and new features to help better support usage from applications and 3rd party frameworks that consume wolfJCE internally.

wolfCrypt JNI/JCE allows for easy use of the native wolfCrypt cryptography library from Java. The thin JNI wrapper can be used for direct JNI calls into native wolfCrypt, or the JCE provider (wolfJCE) can be registered as a Java Security provider for seamless integration underneath the Java Cryptography API. wolfCrypt JNI/JCE can also support running on top of the wolfCrypt FIPS 140-3 validated cryptography module.

Changes in this release are summarized below, but please see ChangeLog.md for a full list.

New JCE Functionality:

Support for two new Java Security properties designed for use in edge cases where wolfJCE is being used with wolfCrypt FIPS 140-2/3 and the wolfJCE WKS KeyStore is replacing JKS and/or PKCS12 type KeyStore usage from applications for more complete FIPS compliance. Setting these properties to “true” will result in wolfJCE fake registering support for JKS and/or PKCS12 KeyStore support, but will automatically map it down to WKS KeyStore support internally. This can be helpful if using wolfJCE underneath Java code that hard-codes JKS/PKCS12 KeyStore types which cannot be changed, but the actual KeyStore files on disk can be updated to WKS type.
- wolfjce.mapJKStoWKS
- wolfjce.mapPKCS12toWKS

JNI and JCE Changes:

FIPS Conditional Algorithm Self Tests (CASTs) are now run once up front if wolfJCE is used with wolfCrypt FIPS 140-3, to prevent threaded app errors.

Example Changes:

Updated Android Studio example project CMakeLists.txt, defining WOLFSSL_CUSTOM_CONFIG

Addition of a JCE cryptography benchmark app (examples/provider/CryptoBenchmark.java). Basic AES-CBC/GCM benchmarks are in place now, but will be expanded to other algorithms in the near future.

Testing Changes:

Addition of GitHub Action testing for Maven (pom.xml) builds on macOS and Linux

wolfCrypt JNI/JCE 1.8.0 can be downloaded from the wolfSSL download page, and an updated version of the wolfCrypt JNI/JCE User Manual can be found here. For any questions, or to get help using wolfSSL products in your projects, contact us at support@wolfssl.com.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now
wolfSSL is the best tested TLS

2024-12-31 15:41:06

Welcome 2025 with boundless possibilities and stronger security! We are excited to introduce wolfSSL 5.7.6, the latest update in open-source cybersecurity! Designed with the cleanest code, this release is packed with exciting enhancements:

Expanded Hardware Support: wolfSSL hardware support now includes RP2350 and STM32MP135F, with enhanced capabilities for RP2040 and Renesas TSIP.

Enhanced APIs: APIs introduced for simplified Curve25519 key decoding, stateless DTLS CID on the server side, and CRL callbacks.

Post-Quantum Cryptography Advances: Updated Post-Quantum ML-DSA features include parsing security levels from the DER encoding and expanded build options.

Dive into the ChangeLog for complete details on what wolfSSL 5.7.6 has to offer and start your year with a solution that works seamlessly right out of the box!

If you have questions about any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247.

Download wolfSSL Now

2024-11-18 09:12:33

wolfCLU release 0.1.6 is available! wolfSSL’s command line utility (wolfCLU) is a drop in replacement for the OpenSSL command line utility. It’s a handy swiss army knife of common operations used, often great for system admins or test developers. Doing things such as creating and signing certificates, generating new keys, parsing X509 certificates into human readable form, and much more. This release has seen some fixes to wolfCLU along with exciting new features. One of the new features being the addition of support for post quantum Dilithium signature generation and verification. For a full list of changes check out the ChangeLog.md.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

2024-11-14 11:47:30

wolfCrypt JNI/JCE 1.7.0 is now available for download! This release contains a number of bug fixes, changes and new features to help better support usage from applications and 3rd party frameworks that consume wolfJCE internally.
wolfCrypt JNI/JCE allows for easy use of the native wolfCrypt cryptography library from Java. The thin JNI wrapper can be used for direct JNI calls into native wolfCrypt, or the JCE provider (wolfJCE) can be registered as a Java Security provider for seamless integration underneath the Java Cryptography API. wolfCrypt JNI/JCE can also support running on top of wolfCrypt FIPS 140-2 and 140-3 validated modules.
Changes in this release are summarized below, but please see ChangeLog.md for a full list. Watch for individual future blogs on some of these topics as well for a more in depth description.

New JCE Functionality:

Addition of a new WolfSSLKeyStore (WKS) KeyStore implementation to help conform to FIPS 140-2 / 140-3 compliant KeyStore use

JNI and JCE Changes:

Build compatibility has been fixed with older Java versions that do not support BigInteger.longValueExact()

Detection of native RSA minimum key size (RSA_MIN_SIZE), and exposure of this minimum to Java via Rsa.RSA_MIN_SIZE

Fixes to pointer use when calling the native X509CheckPrivateKey() API

Example Changes:

Addition of a new Android Studio example IDE project, located under the “IDE/Android” directory. This can be useful as an example to see how CMakeLists.txt should be structured to build native wolfSSL and wolfCrypt JNI/JCE.

Testing Changes:

Facebook Infer is now run on all GitHub pull requests using GitHub Actions

Android Gradle builds are now tested on all GitHub pull requests using GitHub Actions

wolfCrypt JNI/JCE 1.7.0 can be downloaded from the wolfSSL download page, and an updated version of the wolfCrypt JNI/JCE User Manual can be found here. For any questions, or to get help using wolfSSL products in your projects, contact us at support@wolfssl.com.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

2024-11-14 11:29:25

wolfSSL JNI/JSSE 1.14.0 is now available for download! This release contains a number of bug fixes, changes and new features to help better support usage from applications and 3rd party frameworks that consume wolfJSSE internally.
wolfSSL JNI/JSSE allows for easy use of the native wolfSSL SSL/TLS library from Java. The thin JNI wrapper can be used for direct JNI calls into native wolfSSL, or the JSSE provider (wolfJSSE) can be registered as a Java Security provider for seamless integration underneath the Java Security API. wolfSSL JNI/JSSE provides TLS 1.3 support and can also support running on top of wolfCrypt FIPS 140-2 and 140-3 validated modules.
Changes in this release are summarized below, but please see ChangeLog.md for a full list. Watch for individual future blogs on some of these topics as well for a more in depth description.

New JNI and JSSE Functionality:

Addition of a new WKS KeyStore type to better facilitate FIPS compliance where needed

Performance and scalability improvement with the use of native poll() set as default over select()

Support for using RSA-PSS based certificates in TLS connections

Addition of LDAPS endpoint identification verification to X509ExtendedTrustManager

Two new JNI wrapped methods for native “wolfSSL_SessionIsSetup()” and “wolfSSL_SESSION_dup()”

JSSE System/Security Property Support:

wolfjsse.debugFormat=JSON – a new System property to support outputting debug logs in JSON format, which can be more friendly for some log collection mechanisms

wolfjsse.clientSessionCache.disabled – a new Security property to disable the Java client-side session cache, which will prevent session resumption from occurring

JSSE Changes:

Native memory leak fixes, related to calls to wolfSSL_get_peer_certificate()

Optimizations to allow for easier and more efficient garbage collection

SSLEngine fixes for session storage, unwrap() FINISHED state transitions, HandshakeStatus when receiving TLS 1.3 session tickets after the handshake, correctly closing inbound on ALPN protocol name errors, and closure when fatal alerts are received

SSLSocket fixes for end of stream handling in InputStream read() calls

Fixes to throw expected or correct exceptions for several cases

SSLSession getPeerCertificates() returns correct X509Certificate array

Fixes around SSLSocket closure in a few different use cases

Client-side session resumption is now keyed on the cipher suite and protocol in addition to host and port

Build compatibility has been fixed with the older Android API 24, removing method calls not available in that SDK version

A potential deadlock on close() between SSLSocket and the associated InputStream read() or OutputStream write() calls has been fixed

Exchange Changes:

The Host String has been added into the HTTP GET request in the example ClientJSSE when used with the “-g” command line option

JNI-only threaded client/server example applications have been added which can be helpful for seeing or debugging session resumption at the JNI-only level

A basic RMI example client and server have been added, which can useful for reference and testing wolfJSSE over RMI

Testing Changes:

Facebook Infer is now run on all GitHub pull requests using GitHub Actions

TLS 1.0 and 1.1 JUnit tests are now run even if those protocols are disabled in the system “java.security” file, as long as native wolfSSL support has been compiled in

Android Gradle builds are now tested on all GitHub pull requests using GitHub Actions

wolfSSL JNI/JSSE 1.14.0 can be downloaded from the wolfSSL download page, and an updated version of the wolfSSL JNI/JSSE User Manual can be found here. For any questions, or to get help using wolfSSL products in your projects, contact us at support@wolfssl.com.

If you have questions about any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247.

Download wolfSSL Now

2024-11-06 15:44:58

wolfSSL is proud to announce the release of wolfMQTT v1.19.1!

This release fixes an issue in the Espressif example and corrects some documentation issues.

Release 1.19.1 has been developed according to wolfSSL’s development and QA process and successfully passed the quality criteria.

Check out the ChangeLog from the download for a full list of features and fixes, or contact us at facts@wolfSSL.com with any questions. While you’re there, show us some love and give the wolfMQTT project a Star!

Download the latest release or clone directly from our GitHub repository.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

2024-11-06 11:13:21

We are proud to announce the next release of wolfTPM that includes minor bug fixes and some exciting new features. The v3.6.0 release is incremental and part of our quarterly release schedule. Each release goes through additional testing including tests on actual TPM 2.0 hardware.

This release includes minor bug fixes and new features such as:

Provisioning the initial device (IDevID) and initial attestation (IAK)
- New key templates and examples
- New build option --enable-provisioning or WOLFTPM_PROVISIONING

Improved support for parsing for all TPM2_GetCapability capabilities

Improved the TPM TLS examples for use with WOLFTPM_MFG_IDENTITY

New TPM2_Certify example

New wolfTPM2_CreatePrimaryKey_ex API for creation ticket

Tested support with Nations NS350 TPM

The minor issues fixed are:

Issue with TPM2_GetRCString and RC_WARN error codes (broken in v3.4.0)

Issue with TPM2_SetupPCRSel on some PCR selection edge cases

Improved building without ECC or RSA or file system

The new v3.6.0 release can be downloaded on our website or on GitHub.com/wolfssl/woltpm

If you have questions about ay of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Welcome to the wolfSSL Forums!

Search options (Page 1 of 2)

Posts found: 1 to 25 of 31

1 Topic by shizuka 2025-12-15 17:13:01

Topic: wolfBoot v2.7.0 Available (0 replies, posted in Announcements)

2 Topic by shizuka 2025-12-09 09:57:53

Topic: wolfTPM 3.10.0 Release (0 replies, posted in Announcements)

3 Topic by shizuka 2025-12-04 11:00:02

Topic: Announcing wolfMQTT v1.21.0: NetX and ThreadX RTOS Support (0 replies, posted in Announcements)

4 Topic by shizuka 2025-11-21 15:26:16

Topic: wolfSSL 5.8.4 Now Available (0 replies, posted in Announcements)

5 Topic by shizuka 2025-11-04 14:20:57

Topic: wolfProvider 1.1.0: Major Release with Enhanced Features and Extensive (0 replies, posted in Announcements)

6 Topic by shizuka 2025-10-23 15:35:32

Topic: wolfSSH 1.4.21 Released (0 replies, posted in Announcements)

7 Topic by shizuka 2025-08-18 10:19:56

Topic: wolfBoot v2.6.0 Now Available (0 replies, posted in Announcements)

8 Topic by shizuka 2025-07-29 14:22:41

Topic: wolfCLU 0.1.9 Available Now (0 replies, posted in Announcements)

9 Topic by shizuka 2025-07-18 13:11:22

Topic: wolfSSL 5.8.2 Now Available (0 replies, posted in Announcements)

10 Topic by shizuka 2025-05-08 15:13:35

Topic: wolfBoot release: v.2.5.0 (1 replies, posted in Announcements)

11 Topic by shizuka 2025-05-05 12:03:09

Topic: Announcing wolfMQTT v1.20.0: Now with WebSocket Support (0 replies, posted in Announcements)

12 Topic by shizuka 2025-04-28 09:44:00

Topic: wolfSSL 5.8.0 (0 replies, posted in Announcements)

13 Topic by shizuka 2025-03-26 12:25:36

Topic: wolfProvider 1.0.2: Enhanced Compatibility (0 replies, posted in Announcements)

14 Topic by shizuka 2025-02-20 15:51:03

Topic: wolfSSH 1.4.20: Enhanced Features and Stability (0 replies, posted in Announcements)

15 Topic by shizuka 2025-02-14 15:27:22

Topic: wolfMQTT Releases v1.19.2 (0 replies, posted in Announcements)

16 Topic by shizuka 2025-01-30 13:56:28

Topic: wolfTPM Release v3.8.0 (0 replies, posted in Announcements)

17 Topic by shizuka 2025-01-28 14:00:33

Topic: wolfBoot release: v.2.4.0 (0 replies, posted in Announcements)

18 Topic by shizuka 2025-01-24 21:07:17

Topic: wolfSSL JNI/JSSE 1.15.0 Now Available (0 replies, posted in Announcements)

19 Topic by shizuka 2025-01-24 20:38:00

Topic: wolfCrypt JNI/JCE 1.8.0 Now Available (0 replies, posted in Announcements)

20 Topic by shizuka 2024-12-31 15:41:06

Topic: New Year New Release: Introducing wolfSSL 5.7.6 (0 replies, posted in Announcements)

21 Topic by shizuka 2024-11-18 09:12:33

Topic: wolfCLU Release 0.1.6 (0 replies, posted in Announcements)

22 Topic by shizuka 2024-11-14 11:47:30

Topic: wolfCrypt JNI/JCE 1.7.0 Now Available (0 replies, posted in Announcements)

23 Topic by shizuka 2024-11-14 11:29:25

Topic: wolfSSL JNI/JSSE 1.14.0 Now Available (0 replies, posted in Announcements)

24 Topic by shizuka 2024-11-06 15:44:58

Topic: wolfMQTT Releases v1.19.1 (0 replies, posted in Announcements)

25 Topic by shizuka 2024-11-06 11:13:21

Topic: wolfTPM release: v3.6.0 (0 replies, posted in Announcements)

Posts found: 1 to 25 of 31