wolfSSL Supported Open Source Projects

wolfSSL makes a great effort to support many different projects. We provide patches for projects to leverage our OpenSSL Compatibility Layer and work with maintainers to upstream support whenever possible. This blog is a list of currently supported open source projects. The support type denotes how wolfSSL is supported. “Patch” means that we provide a patch file that needs to be applied. “Upstream” means that wolfSSL is supported in the project’s mainline. “Fork” means that we provide a forked version of the library with changes made to support wolfSSL.

List of Supported Projects

Project NameDescriptionSupport TypeLink
apache-httpdApache HTTP ServerPatchhttps://github.com/wolfSSL/osp/tree/master/apache-httpd
asioAsio C++ LibraryPatchhttps://github.com/wolfSSL/osp/tree/master/asio
bind9DNS software systemPatchhttps://github.com/wolfSSL/osp/tree/master/bind9
chronyNetwork Time Protocol ImplementationPatchhttps://github.com/wolfSSL/osp/tree/master/chrony/4.1
cjoseJOSE for C/C++Patchhttps://github.com/wolfSSL/osp/tree/master/cjose
curlcommand-line tool for transferring dataUpstreamhttps://github.com/curl/curl
ffmpegVideo Manipulation UtilityPatchhttps://github.com/wolfSSL/osp/tree/master/ffmpeg
freeradius-server-2.1.12FreeRADIUS Server ProjectPatchhttps://github.com/wolfSSL/osp/tree/master/freeradius-server-2.1.12
gitVersion ControlPatchhttps://github.com/wolfSSL/osp/tree/master/git
haproxyLoad BalancerPatchhttps://github.com/wolfSSL/osp/tree/master/haproxy
hostapdAccess Point and Authentication ServerUpstreamhttps://w1.fi/hostapd/
Kerberos 5Network AuthenticationPatchhttps://github.com/wolfSSL/osp/tree/master/krb5
libestCisco EST stack written in CPatchhttps://github.com/wolfSSL/osp/tree/master/libest
libimobiledeviceLibrary to communicate with services on iOS devicesPatchhttps://github.com/wolfSSL/osp/tree/master/libimobiledevice
libsignal-protocol-cSignal Protocol C LibraryPatchhttps://github.com/wolfSSL/osp/tree/master/libsignal-protocol-c
libspdmSecurity Protocol and Data Model ImplementationPatchhttps://github.com/wolfSSL/osp/tree/master/libspdm/1.0.0
libssh2client-side C library for SSH2Patchhttps://github.com/wolfSSL/osp/tree/master/libssh2/1.9.0
lighttpdlighttpd web serverUpstreamhttps://github.com/lighttpd/lighttpd1.4
mariadbMariaDB relational databasePatchhttps://github.com/wolfSSL/osp/tree/master/mariadb/10.5.11
msmtpSMTP clientPatchhttps://github.com/wolfSSL/osp/tree/master/msmtp/1.8.7
net-snmpSimple Network Management ProtocolPatchhttps://github.com/wolfSSL/osp/tree/master/net-snmp
nginxWeb ServerPatchhttps://github.com/wolfSSL/wolfssl-nginx
ntpNetwork Time ProtocolPatchhttps://github.com/wolfSSL/osp/tree/master/ntp/4.2.8p15
NXP SE05X MiddlewarewolfSSL HostCrypto support patchPatchhttps://github.com/wolfSSL/osp/tree/master/nxp-se05x-middleware
openldapOpen source lightweight directory access protocolPatchhttps://github.com/wolfSSL/osp/tree/master/openldap
openpegasusOpen source DMTF CIM and WBEMPatchhttps://github.com/wolfSSL/osp/tree/master/openpegasus/2.14.1
openrestyNingx and LuaJIT-based web platformPatchhttps://github.com/wolfSSL/osp/tree/master/openresty
OpenSSHSSHPatchhttps://github.com/wolfSSL/osp/tree/master/openssh
OpenVPNVirtual Private NetworkUpstreamhttps://github.com/OpenVPN/openvpn
pppPaul’s PPP PackageForkhttps://github.com/wolfSSL/osp/tree/master/ppp
PythonPython language and interpreterPatchhttps://github.com/wolfSSL/osp/tree/master/Python
qtQt GUI LibraryPatchhttps://github.com/wolfSSL/osp/tree/master/qt
rsyslogrocket-fast Syslog ServerPatchhttps://github.com/wolfSSL/osp/tree/master/rsyslog/8.2106.0
sblim-sfcbSBLIM Small-footprint CIM BrokerPatchhttps://github.com/wolfSSL/osp/tree/master/sblim-sfcb/1.4.9
socatsocat Multipurpose relayPatchhttps://github.com/wolfSSL/osp/tree/master/socat
strongSwanIPsec-based VPNUpstreamhttps://github.com/strongswan/strongswan
stunnelstunnel ProxyPatchhttps://github.com/wolfSSL/osp/tree/master/stunnel
sudoCommand-line UtilityPatchhttps://github.com/wolfSSL/osp/tree/master/sudo/1.9.5p2
tcpdumpCommand-line packet analyzerPatchhttps://github.com/wolfSSL/osp/tree/master/tcpdump/4.9.3
urllib3urllib3 HTTP client for PythonPatchhttps://github.com/wolfSSL/osp/tree/master/urllib3
websocket-clientWebSocket client for PythonForkhttps://github.com/wolfSSL/osp/tree/master/websocket-client
websocketppWebSocket++Forkhttps://github.com/wolfSSL/osp/tree/master/websocketpp
wpa-supplicantWiFi Authentication with WPA, WPA2, and WPA3Upstreamhttps://w1.fi/wpa_supplicant/

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL Release Version 5.6.0

wolfSSL release version 5.6.0 is available now! A couple things to note with this release is that the new and improved ASN parsing, and generation, code is enabled by default now. Additionally we have the upcoming deprecation of –enable-heapmath which is scheduled to be removed by 2024.

This release also saw the addition of DTLS 1.3 stateless ClientHello parsing support. Not only are we leading the pack with adaptation of DTLS 1.3 but we are also adding in features such as the stateless ClientHello support. Some other additions of note were; the port to RT1170 and use of CAAM, update to Stunnel version 5.67, RX64/RX71 hardware acceleration support, and expansion of the compatibility layer.

Improvements to continuous integration testing and some refactoring of our testing framework was done during the last release cycle. To stay the best tested crypto on the market we are constantly trying to improve the testing that we do. This release also had some nice fixes that were made.

A full list of the changes can be found in the ChangeLog.md file bundled with wolfSSL. If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL and wpa_supplicant FIPS

What is the difference in modes with wpa_supplicant using wolfSSL FIPS vs non FIPS? Some of the algorithms are restricted when using CONFIG_FIPS=y while building wpa_supplicant. This is not a limitation in wpa_supplicant or in wolfSSL, but is due to restrictions and guidelines put in place for FIPS. To help avoid using algorithms that have not been sanctioned for use with FIPS, the build removes MD5/MD4 along with DES. Removal of these algorithms limits the modes supported.

Another restriction that is seen with FIPS use is that the key passed into HMAC must be 14 bytes or longer, this can cause issues with hunting-and-peck mode unless password sizes can be known to always be large enough. To avoid the limitation on HMAC key size, hash-to-element (sae_pwe=1) can be used instead.

Supported By wolfSSL
wpa_supplicant modes Not FIPS FIPS Test Ran
EAP-TLS Yes Yes eap_proto_tls
EAP-PEAP/MSCHAPv2 Yes No ap_wpa_eap_peap_eap_mschapv2

ap_wpa2_eap_peap_eap_mschapv2

EAP-PEAP/TLS Yes Yes ap_wpa2_eap_peap_eap_tls
EAP-PEAP/GTC Yes Yes ap_wpa2_eap_peap_eap_gtc
EAP-PEAP/OTP Yes Yes eap_proto_otp
EAP-TTLS/EAP-MD5-Challenge Yes No ap_wpa2_eap_ttls_eap_md5
EAP-TTLS/EAP-GTC Yes Yes ap_wpa2_eap_ttls_eap_gtc
EAP-TTLS/EAP-MSCHAPv2 Yes No ap_wpa2_eap_ttls_mschapv2
EAP-TTLS/MSCHAP Yes No ap_wpa2_eap_ttls_mschap
EAP-TTLS/PAP Yes Yes ap_wpa2_eap_ttls_pap
EAP-TTLS/CHAP Yes No ap_wpa2_eap_ttls_chap
EAP-SIM Yes Yes eap_proto_sim
EAP-AKA Yes Yes eap_proto_aka
EAP-PSK Yes Yes eap_proto_psk
EAP-PAX Yes Yes eap_proto_pax
LEAP Yes No eap_proto_leap

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

White Paper: Applying wolfBoot to 11th Gen Intel Core Processors for Secure Boot

wolfSSL and Intel have jointly published a white paper on the advantages of using the wolfBoot secure bootloader together with 11th Gen Intel Core processors.  The white paper has been published on wolfSSL’s White Paper page and can be downloaded today!

This white paper introduces the wolfBoot secure bootloader and 11th Gen Intel Core i7 Processors, talks about potential advantages of replacing the Intel Slim Bootloader with wolfBoot, and shows performance benchmarks of how the wolfCrypt cryptography library benefits from leveraging Intel AES-NI, AVX2, and AVX-512.

11th Gen Intel Core i7 processors include security features out of the box that make them an ideal processor choice for a number of project designs. Some of these include Intel Advanced Encryption Standard New Instructions (Intel AES-NI) , Intel Advanced Vector Extensions (Intel AVX2, Intel AVX-512), and UEFI Secure Boot. Given an excellent set of features offered by Intel processors, some users and Intel-based projects will benefit from extending the boot process using a second stage bootloader subsequent to Intel’s UEFI. This paper will introduce the wolfBoot secure bootloader, 11th Gen Intel® CoreTM i7 processors, and how wolfBoot can replace Intel® Slim Bootloader to provide certified and customized solutions such as securely unlocking a SATA drive using the trusted platform module version 2.0 (TPM 2.0) during boot.

wolfBoot is flexible and customizable in its use of hardware-based cryptography and secure key storage solutions.  It can leverage the wolfCrypt FIPS 140-2 (and upcoming 140-3) module for applications needing validated cryptography, or wolfCrypt DO-178C for secure boot requirements in avionics applications.  For more details, download our white paper today, If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL Premium Support

One of the primary distinctions between wolfSSL and other security libraries is the availability of commercial support packages (https://www.wolfssl.com/products/support-and-maintenance/).

The Premium Support package includes these benefits:

  • Optimization Assistance
  • Unlimited Support Incidents
  • Contact via email, phone, and shared screen debug session
  • Dedicated Support Engineer
  • 4 Business Hour Response Time
  • Build Config Added to Nightly CI Tests

Having your build configuration tested by our Nightly CI ensures that any changes made to the library will not cause regressions to your project! Having a highly configurable library means having a high level of complexity. We make every effort to test against the most common configurations, and having your project’s wolfSSL configuration added to that matrix removes any uncertainty that you’ll be able to painlessly update to future releases of the library.

Customers with our 24×7 Support package gain the additional advantage of having their target hardware added to our Nightly CI Tests.

wolfSSL wants to help you achieve your project’s security goals! If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Post-Quantum Verification in wolfBoot

A little while ago, we wrote a blog post (https://www.wolfssl.com/nsa-announces-cnsa-suite-2-0/) and did a webinar (https://www.youtube.com/watch?v=IiykMe-pjqo) about the CNSA 2.0 announcement(https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF).  It discusses the need for preparing to use post-quantum algorithms.  For signature schemes, it specifies Dilithium Level 5 as a good general purpose algorithm and LMS and XMSS as being good for signing software and firmware updates.

Here at wolfSSL, plans are underway to make our wolfBoot product use post-quantum algorithms to sign the image updates.  Whether we start with Dilithium Level 5, LMS or XMSS  is up in the air. On the one hand, the time lines as prescribed in CNSA 2.0 for LMS and XMSS are accelerated. On the other hand, Dilithium is already supported through our integration with liboqs.

Want us to accelerate our plans and get them a higher priority? Have a preference for one of Dilithium, LMS or XMSS? If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

FIPS 140-3 and SHA-1 Retirement

This past December, NIST announced that the venerable SHA-1 algorithm, introduced in 1995, is at end-of-life.  While wolfSSL does not use or recommend SHA-1 for new designs, we do implement and support it in our products.  With the NIST announcement, that will soon change for new FIPS 140 submissions, as we too will retire SHA-1.

The wolfSSL FIPS 140-3 cryptographic module currently in process at NIST includes SHA-1.  Thus, customers with an existing requirement for SHA-1 will be able to satisfy that requirement under that certificate once it has been issued.

However, and regardless of FIPS status, customers still using SHA-1 in security-critical roles — signatures, authentications, HMAC, KDFs, etc. — should refactor the implicated systems to use a modern hash algorithm such as SHA-2 or SHA-3.  wolfSSL stands ready to help our customers select and implement an appropriate migration path.

All FIPS 140 modules submitted on or after December 31 2025 will exclude SHA-1, to avoid early certificate sunset under the timeline announced by NIST.

In preparation for this transition, wolfSSL has already prepared its FIPS 140-3 codebase to build, run, and pass full ACVP testing, with SHA-1 gated out.  We are also routinely testing our mainline and FIPS codebases to assure correct function with SHA-1 disabled.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

CURL 25th Anniversary Online Celebration

Celebrate 25 Years of curl with a Zoom Birthday Party on March 20, 2023 at 17:00 UTC. Join fellow curl developers and enthusiasts online for a presentation on the major changes done over the years. Come and contribute to the discussion by asking questions or sharing your own insights. Let’s make this a memorable birthday party for curl!

Read the blog to learn about the history of curl!

Follow this link to Daniel Stenberg’s blog providing more detail on the event: https://daniel.haxx.se/blog/2023/03/10/curl-25-years-online-celebration/

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSentry Goes Gold

Earlier this month, we issued the final beta release of wolfSentry, the wolfSSL
embedded IDPS/firewall. This set the stage for our first production release of
wolfSentry, with increasingly mature and comprehensive facilities for securing
embedded endpoints.

Version 1.0.0 of wolfSentry delivers high-performance thread safety — in
multithreaded builds, all internal structures are protected, with shared locks
allowing for high concurrency on multithreaded/multicore targets. Realtime/TSN
use cases are supported with hard deadlines for return of control to the caller.

We have also improved support for dynamic/stateful rules, including constant
time garbage collection. These capabilites are demonstrated in the updated and
refined examples/notification-demo, our sample implementation of dynamic
defenses and event notifications integrated with an embedded web server.

Configuration of user plugins can now be driven with deep user-defined JSON
trees embedded within the unified JSON configuration package. These trees are
parsed at configuration time, and the pre-parsed contents are then available to
plugins through high performance btree lookups. This highly expressive, high
performance configuration mechanism streamlines configuration of complex
application-specific plugins. Moreover, the pre-parsed JSON trees can be
updated and expanded by plugin logic, using lock upgrades and DOM accessors, as
a supplementary stateful mechanism.

wolfSentry is available now, and is an ideal endpoint security solution for
deeply embedded use cases, with close and easy integration with user
applications, embedded IP stacks, and common libraries like wolfSSL.

Take advantage of the opportunity to enhance your embedded security knowledge with wolfSSL’s free two-day training taking place March 15th and 16th. Be sure to register for both days as day 2 will build off the content from day 1.

Day 1 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_OZ3yQPubRBqrtxhHsOm3ug

Day 2 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_8eIUIe_yRtCiaS1yKGKwJQ

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

How wolfSSL’s Python and Golang Wrappers Simplify SSL/TLS Security in Embedded and IoT Systems

The wolfSSL Python wrapper provides a Python interface to the wolfSSL library, a lightweight and portable SSL/TLS library optimized for performance in embedded and IoT devices.

The wolfSSL Python wrapper allows Python developers to use the wolfSSL library, simplifying the development process and reducing time-to-market. Furthermore, The wolfSSL port allows you to use Python with our FIPS 140-2/3 certified wolfCrypt library, ensuring that it meets strict security standards for developers working with sensitive data.

To use the wolfSSL Python wrapper, developers can follow the instructions provided in the wolfSSL open source projects repository on GitHub. Once installed, developers can easily integrate wolfSSL into their Python applications, from IoT devices to embedded systems.

wolfSSL also has a very simple Golang wrapper. While GO has its own tls/crypto library, wolfSSL is a proven and optimized solution that is a viable option for GO projects. For some insight on how it would work, follow the instructions in this README to view/build a simple server/client example secured by wolfSSL TLS.

Are you interested in extensions to our Golang wrapper?  Let us know at facts@wolfssl.com.

Take advantage of the opportunity to enhance your embedded security knowledge with wolfSSL’s free two-day training taking place March 15th and 16th. Be sure to register for both days as day 2 will build off the content from day 1.

Day 1 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_OZ3yQPubRBqrtxhHsOm3ug

Day 2 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_8eIUIe_yRtCiaS1yKGKwJQ

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Posts navigation

1 2 3