Topic: wolfSSL 5.9.0 Released
We are excited to announce that wolfSSL version 5.9.0 is now available! wolfSSL 5.9.0 brings a strong focus on advancing post-quantum cryptography support, an expanded Rust wrapper, new hardware platform integrations, and a number of security vulnerability fixes.
Security Fixes
wolfSSL 5.9.0 includes fixes for 15 security vulnerabilities spanning a range of severity levels, covering areas including CRL parsing, TLS 1.3 ECH extension handling, ALPN parsing, PKCS7 encoding, the packet sniffer, and side-channel hardening of the post-quantum implementations on ARM Cortex-M. If your build enables any of those components, treat this release as a priority upgrade rather than a routine one. We would like to thank all external researchers who responsibly disclosed issues to us. For full details on each vulnerability, please visit the wolfSSL Security Vulnerabilities page.
Post-Quantum Cryptography: SLH-DSA and More
Post-quantum cryptography continues to be a major area of focus in the security industry. This release adds SLH-DSA (FIPS 205), the Stateless Hash-Based Digital Signature Standard, rounding out wolfSSL's coverage of the three NIST post-quantum signature selections alongside ML-DSA (FIPS 204) and FALCON (the basis of the draft FN-DSA, FIPS 206).
SLH-DSA is a stateless, hash-based signature scheme whose security rests on properties of the underlying hash function rather than on the hardness of lattice problems. It offers an alternative signature foundation for deployments that want to diversify their post-quantum strategy beyond lattice-based approaches. The trade-off is size and speed: SLH-DSA signatures run from roughly 7.8 KB (SHA2-128s) to roughly 49 KB (SHA2-256f), and signing is considerably slower than ML-DSA, so it fits best where verification dominates, such as firmware and code signing, rather than in high-volume TLS handshakes. With this addition wolfSSL now supports ML-DSA (FIPS 204), FALCON, and SLH-DSA (FIPS 205), as well as the stateful hash-based schemes LMS/HSS and XMSS/XMSS^MT for specialized use cases.
Beyond SLH-DSA, this release also brings a range of improvements across the existing PQC stack:
ML-DSA improvements — Several bug fixes including a fix for ML-DSA verification when using WOLFSSL_DILITHIUM_SMALL, improved no-malloc build support, and PKCS#11 integration for ML-DSA key operations.
ML-KEM improvements — Bug fixes and hardening across no-malloc builds, static memory handling, DTLS 1.3 cookie and ClientHello fragment handling, and expanded hybrid/individual ML-KEM level test coverage.
Fault injection hardening for PQC on Cortex-M — New protection for ML-KEM and ML-DSA implementations on ARM Cortex-M, specifically guarding against fault injection attacks targeting Keccak-based seed expansion.
General WOLFSSL_NO_MALLOC PQC support — Broader no-malloc improvements make PQC algorithms more accessible in deeply embedded environments.
SLH-DSA and FALCON key-type detection fixes — Corrected the key variant identification logic in both the SLH-DSA (SPHINCS+) and FALCON signature algorithm implementations.
New Features
OCSP Responder API — wolfSSL can now act as an OCSP responder. A new API and supporting infrastructure have been added to serve certificate status responses, enabling wolfSSL to be used in PKI infrastructure roles beyond the TLS client and server. (PR 9761)
AES CryptoCB Key Import — Added AES key import support via the crypto callback interface, making it easier to use externally managed AES keys through wolfSSL’s callback framework. (PR 9658)
RNG Bank Facility — New wc_rng_new_bankref() API allows multiple wolfCrypt contexts to share a seeded RNG pool, reducing the overhead of repeated seeding at runtime — particularly useful in resource-constrained embedded systems. (PR 9616)
Rust Wrapper Expansion
The wolfSSL Rust wrapper received significant expansion in this release, gaining FIPS support and coverage for a large number of new cryptographic primitives. New modules were added for Dilithium/ML-DSA, ChaCha20-Poly1305, Curve25519, BLAKE2, LMS, and ML-KEM. Improvements were also made for RSA, ECC, HASH-DRBG, HMAC-BLAKE2, and XChaCha20-Poly1305, along with support for optional heap and device ID parameters and conditional compilation based on underlying C build options.
TLS/DTLS Improvements
TLS 1.3 now supports Brainpool curves for key exchange (PR 9701). DTLS retransmission handling has been improved and TLS message order checking has been hardened on both client and server sides. The MAC and hash comparisons in the TLS 1.3 and TLS 1.2 Finished messages were also strengthened. Additional improvements include an extended AIA (Authority Information Access) interface, better ECH (Encrypted Client Hello) handling, and a range of smaller robustness fixes across fragmentation, session ticket lifetime validation, and QUIC transport parameter handling.
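The announcement says the Finished-message MAC and hash comparisons were strengthened but not how. The comparison a Finished check must get right is shown below as an added example, written for this post and not taken from wolfSSL's source: the receiver recomputes verify_data from the handshake secret and transcript, then compares it to what the peer sent. Branching on the public length is fine, but the byte comparison has to run in constant time, because an early-exit compare such as memcmp lets a forger learn how many leading bytes were correct. The sample verify_data values are constructed for the example, not real handshake output.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not wolfSSL code). verify_data is 12 bytes in TLS 1.2 and
 * the HMAC output length in TLS 1.3 (32 bytes for SHA-256); the sample here
 * uses the TLS 1.2 size. */

/* Pattern to avoid: memcmp may return at the first differing byte, so the
 * time taken can leak how many leading bytes of a forged value were right. */
static int naive_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    return memcmp(a, b, len) == 0;
}

/* Constant-time equality: the loop always visits every byte and no branch
 * depends on the contents. Returns 1 if equal, 0 otherwise. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint32_t diff = 0;
    size_t i;
    for (i = 0; i < len; i++)
        diff |= (uint32_t)(a[i] ^ b[i]);
    /* (diff | -diff) has its top bit set exactly when diff != 0 */
    return 1 - (int)((diff | ((uint32_t)0 - diff)) >> 31);
}

/* Accept the peer's Finished only if the length is what this version and
 * cipher suite require (a public value, so branching on it is fine) and the
 * bytes match in constant time. Returns 1 to accept, 0 to reject. */
static int verify_finished(const uint8_t *expected, size_t expected_len,
                           const uint8_t *received, size_t received_len)
{
    if (expected_len == 0 || received_len != expected_len)
        return 0;
    return ct_equal(expected, received, expected_len);
}

/* Constructed sample verify_data (TLS 1.2 size); not real handshake output. */
static const uint8_t k_expected[12] = {
    0x3a, 0x1f, 0xc2, 0x99, 0x07, 0xd4, 0x5b, 0xe8, 0x71, 0x2c, 0xaa, 0x10
};
/* A forgery matching the first 11 bytes: the case a timing oracle helps. */
static const uint8_t k_forged[12] = {
    0x3a, 0x1f, 0xc2, 0x99, 0x07, 0xd4, 0x5b, 0xe8, 0x71, 0x2c, 0xaa, 0x11
};

static int demo_accepts_genuine(void)
{
    return verify_finished(k_expected, sizeof k_expected,
                           k_expected, sizeof k_expected);
}

static int demo_rejects_forged(void)
{
    return verify_finished(k_expected, sizeof k_expected,
                           k_forged, sizeof k_forged);
}

/* A truncated Finished (wrong length) must be rejected before comparing. */
static int demo_rejects_truncated(void)
{
    return verify_finished(k_expected, sizeof k_expected, k_forged, 11);
}

int main(void)
{
    printf("genuine:   %s\n", demo_accepts_genuine()   ? "accept" : "reject");
    printf("forged:    %s\n", demo_rejects_forged()    ? "accept" : "reject");
    printf("truncated: %s\n", demo_rejects_truncated() ? "accept" : "reject");
    /* both comparisons give the same answer; only their timing differs */
    printf("naive agrees: %d\n", naive_equal(k_expected, k_forged, 12) ==
                                 ct_equal(k_expected, k_forged, 12));
    return 0;
}
```

The same ct_equal shape applies to any MAC tag or hash check, not only Finished: compare the full length, accumulate the difference, and decide once at the end. Compilers can still optimize a loop like this in surprising ways, so production code should use the library's own constant-time compare where one is provided and inspect the generated code on the target.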
Kernel Module Updates
The Linux kernel module received various fixes and enhancements for Tegra kernels, including support for offline FIPS hash calculation. The FreeBSD kernel module gained both FIPS support and x86 hardware crypto acceleration in this release, broadening wolfCrypt’s kernel-mode footprint across operating environments.
Ports and Hardware Integration
New platform support in 5.9.0 includes the Renesas SK-S7G2 board, STM32 HMAC hardware acceleration, and STM32G0 hardware crypto. Various Thumb2 AES and SP assembly optimizations were added or fixed, and Zephyr 4.1+ compatibility was added for the wolfssl_tls_sock sample application.
PKCS Improvements
This release adds PKCS7 ECC raw sign callback support, RSA-PSS support for SignedData, and RSA-PSS certificate support for PKCS7 EnvelopedData KTRI. Several PKCS7 parsing fixes were also included, along with expanded ML-DSA support via PKCS#11.
Testing and CI Improvements
Test coverage was expanded with a particular focus on PQC and CMake builds. The CI test matrix grew to include rng-tools 6.17, openldap 2.6.9, and bind 9.20.11. A new TLS-Anvil interoperability test workflow was added, and a stateful port-tracking mechanism was implemented to eliminate test port collisions during high-concurrency CI runs.
For a full list of fixes and optimizations, check out the ChangeLog.md bundled with wolfSSL. Download the latest release from the download page. If you have any questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.