RECENT BLOG NEWS

Elliptic curve cryptography (ECC) is increasingly popular in secure communications, and secp256k1—famous for its use in Bitcoin and Blockchains—is a widely used curve. This blog post will walk you through building wolfSSL with support for secp256k1, generating an ECC certificate using that curve, and using it in a TLS connection with wolfSSL’s example client and server.

Step 1: Build wolfSSL with secp256k1 Support

Start by cloning the wolfSSL repository and building it with custom curve and certificate generation support:

# Download wolfssl from https://www.wolfssl.com/download/
cd wolfssl
./configure --enable-ecccustcurves=all --enable-keygen --enable-certgen --enable-certreq --enable-certext
make
sudo make install

Step 2: Generate a secp256k1 Certificate

Next, use the certgen example from wolfSSL’s examples repository.

git clone https://github.com/wolfssl/wolfssl-examples
cd wolfssl-examples/certgen

Modify the example for secp256k1

In certgen_example.c, modify the key generation line to explicitly use secp256k1:

- ret = wc_ecc_make_key(&rng, 32, &newKey);
+ ret = wc_ecc_make_key_ex(&rng, 32, &newKey, ECC_SECP256K1);

Add Key Output in PEM Format

To write the private key to a file, add the following block after certificate generation (be sure to add in proper error checks):

derBufSz = wc_EccKeyToDer(&newKey, derBuf, LARGE_TEMP_SZ);
pemBufSz = wc_DerToPem(derBuf, derBufSz, pemBuf, LARGE_TEMP_SZ, ECC_PRIVATEKEY_TYPE);
if (pemBufSz < 0) goto exit;

file = fopen("newCert.key", "wb");
if (!file) goto exit;
ret = (int)fwrite(pemBuf, 1, pemBufSz, file);
fclose(file);

Build and Run

make
./certgen_example

You should now have newCert.pem and newCert.key files using a secp256k1 key.

Step 3: Configure Client/Server for secp256k1

Go back to the wolfssl directory and modify the client example to explicitly support the secp256k1 curve:

+++ b/examples/client/client.c
@@ -3707,6 +3707,9 @@
     #endif
+
+    wolfSSL_CTX_UseSupportedCurve(ctx, WOLFSSL_ECC_SECP256K1);
+
 #if defined(HAVE_SUPPORTED_CURVES)

Run the Server and Client

Use the generated cert/key with the server, and run the client with a trusted CA cert:

./examples/server/server -d -c newCert.pem -k newCert.key

./examples/client/client -A ./certs/ca-ecc-cert.pem

If everything is set up correctly, you'll see output like:

SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL curve name is SECP256K1
I hear you fa shizzle!

You’ve just built wolfSSL with support for custom ECC curves, generated a certificate using secp256k1, and successfully used it in a TLS session. This setup is great for anyone integrating Bitcoin-style cryptography into embedded or resource-constrained systems using wolfSSL.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

We are excited to announce the creation of mcwolf, a new project that brings a Classic McEliece post-quantum cryptographic algorithm implementation and integration to wolfSSL. We would like to thank Daniel J. Bernstein for the integration work that went into mcwolf.

The mcwolf project is a series of scripts and patches against wolfSSL that adds support for Classic McEliece, a code-based post-quantum cryptographic algorithm that is deployed in various applications (see https://mceliece.org) and is under consideration for standardization by ISO. The project uses the official vec implementation of Classic McEliece, providing a portable solution that can be optimized for various platforms. This implementation vectorizes across 64-bit integers.

The project’s page can be found here.

Why Classic McEliece?

Post-quantum cryptographic algorithms like Classic McEliece are designed to resist attacks from both classical and quantum computers, ensuring long-term security for sensitive data.

Classic McEliece is particularly known for its:

• Strong security foundations based on the well-studied McEliece cryptosystem with a long pedigree dating back to 1978
• Relatively small ciphertext sizes compared to other post-quantum KEMs

Technical Details

The mcwolf project has several notable characteristics:

• Uses the official vec implementation of Classic McEliece, which is portable across platforms
• Includes comprehensive testing, with the same code being extensively tested in SUPERCOP and libmceliece

The implementation supports various parameter sets for Classic McEliece, including:

• mceliece348864
• mceliece348864pc
• mceliece460896
• mceliece460896pc
• mceliece6688128
• mceliece6688128pc
• mceliece6960119
• mceliece6960119pc
• mceliece8192128
• mceliece8192128pc

How to Build mcwolf

Building mcwolf is straightforward. Go to https://cr.yp.to/2025/20250426-mcwolf/notes.html and download the build script. Mark it as executable and run the script on your linux machine. You need curl, python3, git, autoconf, libtool and generic gcc build tools already installed.

The mcwolf implementation includes tests that are integrated into the existing testing framework. Here is some expected output:

 ...
 MCELIECE348864 test passed!
 MCELIECE460896 test passed!
 MCELIECE6688128 test passed!
 MCELIECE6960119 test passed!
 MCELIECE8192128 test passed!
 ...
------------------------------------------------------------------------------
  wolfSSL version 5.8.0
 ------------------------------------------------------------------------------
 Math: ??????Multi-Precision: Wolf(SP) word-size=64 bits=4096 sp_int.c
 wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each)
 mceliece 348864  key gen   	100 ops took 4.492 sec, avg 44.922 ms, 22.261 ops/sec
 mceliece 348864	encap 	18100 ops took 1.005 sec, avg 0.056 ms, 18007.073 ops/sec
 mceliece 348864	decap  	6500 ops took 1.005 sec, avg 0.155 ms, 6466.727 ops/sec
 mceliece 460896  key gen   	100 ops took 14.307 sec, avg 143.068 ms, 6.990 ops/sec
 mceliece 460896	encap  	9800 ops took 1.005 sec, avg 0.103 ms, 9751.777 ops/sec
 mceliece 460896	decap  	2200 ops took 1.009 sec, avg 0.459 ms, 2180.508 ops/sec
 mceliece 6688128  key gen   	100 ops took 30.491 sec, avg 304.906 ms, 3.280 ops/sec
 mceliece 6688128	encap  	5900 ops took 1.007 sec, avg 0.171 ms, 5856.450 ops/sec
 mceliece 6688128	decap  	2000 ops took 1.001 sec, avg 0.500 ms, 1998.431 ops/sec
 mceliece 6960119  key gen   	100 ops took 27.325 sec, avg 273.249 ms, 3.660 ops/sec
 mceliece 6960119	encap  	6300 ops took 1.008 sec, avg 0.160 ms, 6248.913 ops/sec
 mceliece 6960119	decap  	2100 ops took 1.022 sec, avg 0.487 ms, 2055.315 ops/sec
 mceliece 8192128  key gen   	100 ops took 35.826 sec, avg 358.255 ms, 2.791 ops/sec
 mceliece 8192128	encap  	5500 ops took 1.001 sec, avg 0.182 ms, 5495.955 ops/sec
 mceliece 8192128	decap  	2100 ops took 1.044 sec, avg 0.497 ms, 2010.617 ops/sec

Conclusion

The mcwolf implementation brings another post-quantum cryptographic KEM to wolfSSL, helping to future-proof security-critical applications against the threat of quantum computing. We encourage the wider community to try out the mcwolf project!

From the wolfSSL team, we give our heart-felt thanks to Daniel J. Bernstein! Thank you Daniel!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

We’re excited to announce that wolfSSL now officially supports the STM32WBA series of microcontrollers from STMicroelectronics! This addition broadens our commitment to providing lightweight, robust, and high-performance SSL/TLS solutions across a wide range of embedded platforms.

What is the STM32WBA Series?

The STM32WBA series is a family of ultra-low-power wireless microcontrollers designed to bring advanced Bluetooth® Low Energy (LE) connectivity to IoT and embedded devices. Built around the Arm Cortex-M33 core with TrustZone security and integrated radio, STM32WBA microcontrollers are optimized for secure, connected applications in healthcare, industrial, and smart home environments.

Why This Matters

By integrating wolfSSL with STM32WBA, developers now have:

• Seamless TLS/SSL support for Bluetooth LE and IP-based connectivity.
• Optimized performance with wolfSSL’s small footprint and STM32’s hardware acceleration features.
• Ease of integration with STM32Cube ecosystem tools and examples to get started quickly.

Key Highlights:

• Full TLS 1.3 and DTLS 1.3 support.
• Hardware crypto acceleration using STM32WBA’s on-chip crypto engine.
• Support for wolfCrypt’s entire crypto-suite (including Post-Quantum Cryptography).
• Example projects for STM32CubeIDE and STM32CubeMX to simplify setup.

To explore wolfSSL on STM32WBA, check out our STM32 Cube Pack instructions and examples here.

For more information on wolfSSL and how it integrates with the STM32WBA, visit our documentation or reach out to our team at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Release 5.8.0 of our wolfSSL library implements hybrid key exchange algorithms that combine conventional elliptic curve cryptography with post-quantum key encapsulation mechanisms (KEMs).

New Hybrid Groups: Combining elliptic curves (SECP256/384/521, X25519, X448) with ML-KEM. This provides compatibility with Chromium and other organizations that are together with wolfSSL leading the way in post-quantum migration. Some of the new hybrid groups were already done in previous releases. Here is the complete list of hybrid key exchange groups in TLS 1.3:

• WOLFSSL_P256_ML_KEM_512
• WOLFSSL_P384_ML_KEM_768
• WOLFSSL_P256_ML_KEM_768
• WOLFSSL_P521_ML_KEM_1024
• WOLFSSL_P384_ML_KEM_1024
• WOLFSSL_X25519_ML_KEM_512
• WOLFSSL_X25519_ML_KEM_768
• WOLFSSL_X448_ML_KEM_768

The new release includes comprehensive test configurations demonstrating how to use these new hybrid groups in TLS 1.3 connections. Go ahead and start thwarting the “Harvest Now, Decrypt Later” threat model that is currently in play.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now