Month: September 2018

cURL is an open-source project that provides the command line tool, curl, for transferring data between client and server with URLs, powered by cURL’s library, libcurl. curl and libcurl both provide support for building SSL/TLS libraries, including wolfSSL! The latest version of cURL can be downloaded from https://github.com/curl/curl.

To build curl with wolfSSL, simply configure and install curl with:

$ ./configure --with-wolfssl --without-ssl
$ make && make install

Starting with version 7.52.0, curl provides TLS 1.3 support when built with a TLS library. TLS 1.3 protocol support is also currently available in the wolfSSL library. Since both curl and wolfSSL support TLS 1.3, curl can be compiled with the addition of wolfSSL to select the TLS 1.3 protocol.

Configuring wolfSSL and curl to implement TLS 1.3 is simple. To build curl and libcurl with wolfSSL, wolfSSL must first be configured with TLS 1.3 support.

To enable TLS 1.3 support in wolfSSL, compile and install wolfSSL with the “–enable-tls13” option:

$ ./configure --enable-tls13
$ make && make install

Then, build curl with TLS 1.3-enabled wolfSSL:

$ ./configure --with-wolfssl --without-ssl
$ make && make install

To test a TLS 1.3 connection with curl + wolfSSL, invoke curl with the –tlsv1.3 option on a server that supports TLS 1.3. For example:

$ curl --tlsv1.3 https://enabled.tls13.com/

A successful connection will return the HTML page downloaded from https://enabled.tls13.com/:

<html>
    <head>
        <title>Test</title>
    </head>
    <body>
        <h1>Test</h1>
        <p>Testing</p>
    </body>
</html>

For more information on the cURL project, visit https://curl.haxx.se/

If you would like more information about wolfSSL’s support for TLS 1.3 or help on using it in your application, contact us at facts@wolfssl.com.

wolfSSL is pleased to announce the following addition to the wolfSSL FIPS certificate!

Debian 8.7.0	Intel ® Xeon® E3 Family with SGX support	Intel®x64 Server System R1304SP
Windows 10 Pro	Intel ® Core TM i5 with SGX support	Dell LatitudeTM 7480

The wolfCrypt FIPS validated cryptographic module has been validated while running inside an Intel SGX enclave and examples have been setup for both Linux and Windows environments.

Intel ® SGX (Software Guard Extensions) can be thought of as a black-box where no other application running on the same device can see inside regardless of privilege. From a security standpoint this means that even if a malicious actor were to gain complete control of a system including root privileges, that actor, no matter what they tried, would not be able to access data inside of this “black-box”.

An Intel enclave is a form of user-level Trusted Execution Environment (TEE) which can provide both storage and execution. Meaning one can store sensitive information inside and also move sensitive portions of a program or an entire application inside.

While testing, wolfSSL has placed both individual functions and entire applications inside the enclave. One of the wolfSSL examples shows a client inside the enclave with the only entry/exit points being “start_client”, “read”, and “write”. The client is pre-programmed with a peer to connect with and specific functionality. When “start_client” is invoked it connects to the peer using SSL/TLS and executes the pre-programmed tasks where the only data entering and leaving the enclave is the info being sent to and received from the peer. Other examples show placing a single cryptographic operation inside the enclave, passing in plain-text data and receiving back encrypted data masking execution of the cryptographic operations.

If you are working with SGX and need FIPS validated crypto running in an enclave contact us at fips@wolfssl.com or support@wolfssl.com with any questions. We would love the opportunity to field your questions and hear about your project!

Resources:
https://software.intel.com/en-us/blogs/2016/12/20/overview-of-an-intel-software-guard-extensions-enclave-life-cycle