wolfSSL 5.8.4 Now Available

    • wolfSSL 5.8.4 introduces several updates, including the addition of a GPLv3 exceptions list. This allows specific GPLv3-licensed codebases linking against wolfSSL to continue using wolfSSL under GPLv2.

    Current GPLv3 Exceptions:

    • MariaDB Server
    • MariaDB Client Libraries
    • OpenVPN-NL
    • Fetchmail
    • OpenVPN

    Security Fixes

    This release includes multiple fixes across TLS 1.2, TLS 1.3, X25519, XChaCha20-Poly1305, and PSK processing. Highlights include:

    • A timing-side-channel issue in X25519 specifically affecting Xtensa-based ESP32 devices. Low-memory X25519 implementations are now the default for Xtensa.
    • A medium-severity TLS 1.3 server-side DoS risk from repeated KeyShareEntry values in malicious ClientHello messages.
    • Several TLS 1.3 downgrade-related issues (PFS downgrades, signature algorithm downgrades, and duplicate extension parsing).
    • A memory leak risk in TLS 1.2 certificate digest handling.
    • XChaCha20-Poly1305 decryption bounds-check fix and constant-time improvements in PSK binder verification.

    Special thanks to Adrian Cinal, Jaehun Lee and Kyungmin Bae (POSTECH), Luigino Camastra (Aisle Research), and all researchers who contributed.

    New Features

    This release includes focused improvements and additions:

    • ML-KEM / ML-DSA: new APIs, PKCS8 seed/import support, and improved key management.
    • FreeBSD kernel module: initial support for wolfCrypt in the FreeBSD kernel.
    • PKCS7/CMS: expanded decoding capabilities, additional callbacks, and more flexible builds.
    • Rust wrapper enhancements: broader algorithm coverage, optional heap/dev_id support, and conditional compilation based on C build options.
    • Hardware platform updates: STM32 and PSoC6 improvements, including STM32U5 SAES support.
    • New –enable-curl=tiny option for smaller cURL-linked builds.

    Improvements & Optimizations

    Key improvements include:

    • Broader and more consistent testing across TLS 1.3/1.2, libssh2, Arduino, ESP-IDF, and nightly workflows.
    • Documentation updates, expanded crypto-callback support, and improved AES/HW offload functionality.
    • ESP32, Renesas FSP/RA, and SGX build enhancements.
    • Build-system refinements across Autotools, CMake, Apple platforms, and Debian packaging.
    • RISC-V and PPC32 assembly introspection helpers and benchmarking updates.

    Bug Fixes

    Notable fixes:

    • C# wrapper correction for Ed25519 raw public-key import.
    • Sniffer stability fixes and X.509 path-length and certificate-chain improvements.
    • DTLS ordering, cookie handling, and replay protection updates.
    • Kernel-mode, FIPS, and PIE-related build fixes.
    • ML-KEM/ML-DSA correctness and safety fixes.
    • Various static-analysis, warning cleanup, memory-management, and undefined-behavior fixes.

    For a more detailed list of changes check out the ChangeLog.md bundled with wolfSSL. To download the latest release go to the download page. For any questions, reach out to us at facts@wolfssl.com or call us at +1 425 245 8247.

    Download wolfSSL Now