RECENT BLOG NEWS
wolfSSL 5.8.2 Now Available
wolfSSL 5.8.2 is now available! We are excited to announce the release of wolfSSL 5.8.2, packed with significant enhancements, introducing new functionalities, and refining existing features!
Important Notes for this Release
- GPLv3 Licensing: wolfSSL has transitioned from GPLv2 to GPLv3.
- Deprecated Feature: `–enable-heapmath` is now deprecated.
- MD5 Disabled by Default: For enhanced security, MD5 is now disabled by default.
Key Highlights of wolfSSL 5.8.2
Vulnerability Mitigations:
- ECC and Ed25519 Fault Injection Mitigation (Low): (Thanks to Kevin from Fraunhofer AISEC)
- Apple Native Cert Validation Override (High – CVE-2025-7395): (Thanks to Thomas Leong from ExpressVPN)
- Predictable `RAND_bytes()` after `fork()` (Medium – CVE-2025-7394): (Thanks to Per Allansson from Appgate)
- Curve25519 Blinding Enabled by Default (Low – CVE-2025-7396): (Thanks to Arnaud Varillon, Laurent Sauvage, and Allan Delautre from Telecom Paris)
New Features:
- Sniffer Enhancements: Support for multiple sessions and a new `ssl_RemoveSession()` API for cleanup.
- New ASN.1 X509 API: `wc_GetSubjectPubKeyInfoDerFromCert` for retrieving public key information.
- PKCS#12 Improvements: `wc_PKCS12_create()` now supports PBE_AES(256|128)_CBC key and certificate encryptions.
- PKCS#7 Decoding: Added `wc_PKCS7_DecodeEncryptedKeyPackage()` for decoding encrypted key packages.
- Linux Kernel Module Expansion: All AES, SHA, and HMAC functionality now implemented within the Linux Kernel Module.
- OpenSSL Compatibility Layer Additions: New APIs for X.509 extensions and RSA PSS: `i2d_PrivateKey_bio`, `BN_ucmp`, and `X509v3_get_ext_by_NID`.
- Platform Support: Added support for STM32N6.
- Assembly Optimizations: Implemented SHA-256 for PPC 32 assembly.
Improvements & Optimizations:
This release includes a wide range of improvements across various categories, including:
- Extensive Linux Kernel Module (LinuxKM) Enhancements: Numerous minor fixes, registrations, and optimizations for cryptography operations within the Linux Kernel Module.
- Post-Quantum Cryptography (PQC) & Asymmetric Algorithms: Updates to Kyber, backward compatibility for ML_KEM IDs, fixes for LMS building and parameters, and OpenSSL format support for ML-DSA/Dilithium.
- Build System & Portability: General build configuration fixes, improvements for older GCC versions, new CMakePresets, and default MD5 disabling.
- Testing & Debugging: Enhanced debugging output, additional unit tests for increased code coverage, and improved benchmark help options.
- Certificates & ASN.1: Improved handling of X509 extensions, fixed printing of empty names, and better error handling.
- TLS/DTLS & Handshake: Corrected group handling, improved DTLS record processing, and refined TLS 1.3 key derivation.
- Memory Management & Optimizations: Stack refactors, improved stack size with MLKEM and Dilithium, and heap math improvements.
- Cryptography & Hash Functions: Added options to disable assembly optimizations for SipHash and SHA3, and improved Aarch64 XFENCE.
- Platform-Specific & Hardware Integration: Explicit support for ESP32P4, public `wc_tsip_*` APIs, and enhanced PlatformIO certificate bundle support.
- General Improvements & Refactoring: Updated libspdm, fixed PEM key formatting, and improved API accessibility for certificate failure callbacks.
wolfSSL 5.8.2 also includes some nice bug fixes, addressing issues across various modules, ensuring greater stability and reliability. For a complete and detailed list of all changes, please refer to the full release notes.
We encourage all users to upgrade to wolfSSL 5.8.2 to take advantage of these important security updates, new features, and performance enhancements. Download the latest release.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
Utilizing PSRAM for wolfSSL Heap Operations for the Espressif ESP32
The latest updates to the Espressif-specific integration of wolfSSL bring a significant enhancement for developers working on memory-constrained embedded systems: support for using PSRAM (pseudo-static RAM) during wolfSSL heap operations.
This improvement not only unlocks larger memory capacity for cryptographic operations, but also lays the foundation for more stable and scalable TLS communication on ESP32 and other Espressif-based platforms.
Why more stable?
Some of the ESP32 chip types have relatively little RAM. Once a large and complex application is written, there may be little leftover room for TLS exchanges. Heap corruption and / or stack overflows will typically ensue, causing undesired stability problems.
What Changed?
The recent GitHub Pull Request #8987 introduces a set of enhancements that allow dynamic memory allocation routines in wolfSSL to take advantage of the extended PSRAM region (when available). This is especially valuable on platforms such as the ESP32-WROVER, ESP32-C3, and ESP32-S3 which support external PSRAM.
Here’s a breakdown of the key updates:
Custom Allocator Integration
wolfSSL can now check for application-defined memory allocators using wolfSSL_GetAllocators() before falling back to the default FreeRTOS pvPortMalloc() or realloc() calls. This opens up new flexibility.
For instance, add these #define statements to the wolfssl user_settings.h file.
#define XMALLOC_USER #define XFREE MY_FREE #define XMALLOC MY_MALLOC
Then implement custom FREE and MALLOC in the application.
void MY_FREE(void *p, void* heap, int type) { free(p); } void* MY_MALLOC(size_t sz, void* heap, int type) { return malloc(sz); }
With this mechanism, if your app defines a heap allocator that maps to PSRAM (e.g., via heap_caps_malloc(…, MALLOC_CAP_SPIRAM)), wolfSSL will use it.
XREALLOC / XMALLOC / XFREE Wrappers Updated
Custom memory macros (XMALLOC, XFREE, XREALLOC) were updated to redirect to the new PSRAM-aware versions in esp_sdk_mem_lib.c. Debug versions were added as well:
#define XMALLOC(s, h, type) \ wc_pvPortMalloc((s)) // Uses PSRAM-aware allocator
Debug-Friendly Memory Tracing
For developers debugging memory usage, verbose allocation logging was added when either DEBUG_WOLFSSL or DEBUG_WOLFSSL_MALLOC are defined. This makes it easier to catch leaks, misallocations, or fragmentation in systems where memory is limited.
ESP_LOGE("malloc", "Failed Allocating memory of size: %d bytes", size);
Benefits of PSRAM Integration
Embedded systems often face memory limitations, especially when running TLS sessions, parsing certificates, or handling large buffers. By enabling PSRAM usage in wolfSSL:
- Larger TLS Buffers: Allows larger I/O buffers and longer certificate chains without heap exhaustion.
- Stronger Security: Enables features like TLS 1.3 with minimal compromise on memory availability.
- Scalability: Supports more simultaneous connections or sessions on memory-constrained MCUs.
- Debugging Support: Optional debug builds can now track allocations and reallocation failures with file/line/function info.
How to Enable It
This integration is automatic if you’re using wolfSSL on ESP-IDF and PSRAM is configured in your project.
For full benefit:
Ensure your build enables PSRAM via menuconfig:
Component config – ESP32-specific – Support for external – SPI-connected RAM
Optionally implement custom allocators using heap_caps_malloc() targeting PSRAM:
void* my_malloc(size_t sz) { return heap_caps_malloc(sz, MALLOC_CAP_SPIRAM | MALLOC_CAP_8BIT); }
Register your allocators:
wolfSSL_SetAllocators(my_malloc, my_free, my_realloc);
As a reminder: No more than CONFIG_LWIP_MAX_SOCKETS sockets should be opened.
Example:
#ifndef NO_WOLFSSL_MEMORY static void *custom_malloc(size_t size) { void* this_custom_malloc; this_custom_malloc = heap_caps_malloc(size, MALLOC_CAP_SPIRAM | MALLOC_CAP_8BIT); return this_custom_malloc; } static void* custom_realloc(void* ptr, size_t size) { void* this_custom_realloc; this_custom_realloc = heap_caps_realloc(ptr, size, MALLOC_CAP_SPIRAM | MALLOC_CAP_8BIT); return this_custom_realloc; } static void custom_free(void *ptr) { heap_caps_free(ptr); } #endif
Then in the main app, use wolfSSL_SetAllocators:
#if defined(NO_WOLFSSL_MEMORY) ESP_LOGE(TAG, "Cannot use wolfSSL_SetAllocators with NO_WOLFSSL_MEMORY"); #else wolfSSL_SetAllocators((wolfSSL_Malloc_cb)custom_malloc, (wolfSSL_Free_cb)custom_free, (wolfSSL_Realloc_cb)custom_realloc); #endif esp_err_t error = heap_caps_register_failed_alloc_callback(heap_caps_alloc_failed_hook); if (error == ESP_OK) { ESP_LOGE(TAG, "Success: heap_caps_register_failed_alloc_callback"); } else { ESP_LOGE(TAG, "FAILED: heap_caps_register_failed_alloc_callback"); }
Tested Platforms
This change is specifically tailored for the Espressif ESP-IDF platform, including:
- ESP32-WROVER
- ESP32-S3
- ESP32-C3 (with PSRAM)
- Any module with external SPI RAM
Acknowledgements
We extend our thanks to Fidel for suggesting, contributing sample code, and helping to test this feature. Congratulations on getting 50 concurrent FreeRTOS tasks running on the ESP32, each communicating with wolfSSL Post Quantum algorithms!
Ing. Fidel Alejandro Rodríguez Corbo, Phd
Smart Electronics Research Group
School of Engineering and Science
Tecnologico de Monterrey,
Av. Eugenio Garza Sada 2501 Sur
Col. Tecnológico, C.P. 64849
Monterrey, Nuevo León, México
Final Thoughts
This patch brings wolfSSL one step closer to optimal memory use in constrained environments. By supporting PSRAM, developers can offload cryptographic operations away from limited internal RAM – enhancing both stability and performance.
wolfSSL continues to push forward in embedded TLS innovation, and these improvements make it an even better fit for secure IoT applications on ESP32.
For more information or to contribute, visit wolfSSL GitHub and explore the Espressif-specific README.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now
Updated wolfSSL 5.8.2 for Espressif ESP-IDF Registry
We’re excited to announce that wolfSSL v5.8.2 is now officially released and available through The ESP Component Registry!
wolfSSL is a lightweight, high-performance TLS/SSL library optimized for embedded systems. It is widely used in IoT, automotive, aerospace, and other resource-constrained environments.
What’s New in v5.8.2:
- Security Enhancements: Multiple updates for improved cryptographic robustness and protocol handling.
- Expanded Hardware Acceleration Support: Optimizations for ESP32 and ESP32-C3/C6/S3 targets, making the most of Espressif’s hardware crypto engines.
- Improved Certificate Handling: More flexible certificate loading and verification, including enhancements for embedded CA chains.
- Bug Fixes and Stability Improvements: Various fixes across TLS 1.2 and TLS 1.3 implementations to ensure smoother and more reliable secure connections.
- ESP-IDF Compatibility: Verified support for ESP-IDF v5.x, ensuring seamless integration with the latest Espressif SDKs.
Check out the wolfSSL release notes!
Why Use wolfSSL on ESP32?
- Minimal footprint with aggressive size optimizations.
- Full support for TLS 1.3 and TLS 1.2.
- Hardware crypto acceleration using Espressif APIs.
- FIPS-ready and MISRA-compliant options available for safety-critical applications.
Integration Highlights
- Register and include the component in your
idf_component.yml: dependencies: wolfssl/wolfssl: version: "5.8.2"
- Or install via the command line:
idf.py add-dependency "wolfssl/wolfssl@5.8.2"
Get Started With Examples
To help you get started quickly, the wolfSSL v5.8.2 component includes a rich set of fully integrated ESP-IDF examples, covering a variety of use cases and configurations.
- setup the ESP-IDF environment.
- fetch the wolfSSL benchmark example.
- change directory to the downloaded project.
- compile, upload, and view output.
Like this:
. ~/esp/esp-idf/export.sh idf.py create-project-from-example "wolfssl/wolfssl^5.8.2:wolfssl_test" cd wolfssl_test idf.py -b 115200 flash monitor
These examples are ideal for developers new to wolfSSL, as well as those looking to evaluate specific TLS features or test hardware acceleration support on Espressif chips.
- template A minimally viable wolfSSL setup, perfect as a starting point for your own project. This clean and simple example helps you integrate wolfSSL with minimal configuration.
- wolfssl_benchmark – Runs the wolfcrypt benchmark application on your ESP32 target. Ideal for measuring the performance of cryptographic operations across different chips and configurations.
- wolfssl_client – A TLS client demo that connects to a secure server (e.g., CLI server or Espressif TLS server). Demonstrates how to initialize, configure, and run a secure client using wolfSSL.
- wolfssl_server – A TLS server counterpart to the client example. This demo creates a secure endpoint on the ESP32 and shows how to handle TLS handshakes and encrypted communications.
- wolfssl_test – A port of the wolfcrypt test application for ESP32. Use this to verify the build and runtime functionality of various wolfSSL cryptographic components in your environment.
New to wolfSSL on the Espressif family of devices?
If you are new to wolfSSL on the Espressif ESP32, this video can help to get started:
Additional Details
To check which version of the Component Manager is currently available, use the command:
python -m idf_component_manager -h
The Component Manager should have been installed during the installation of the ESP-IDF. If your version of ESP-IDF doesn’t come with the IDF Component Manager, you can install it:
python -m pip install --upgrade idf-component-manager
For further details on the Espressif Component Manager, see the GitHub idf-component-manager repo.
Have a specific request or questions? We’d love to hear from you. Please contact us at support@wolfssl.com or open an issue on GitHub.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
Live Webinar: Post-Quantum Secure TLS 1.3 on Application MPUs
Discover how wolfSSL, Crypto4A Technologies Inc., and NXP Semiconductors are driving innovation in secure, post-quantum embedded systems.
Join this 60-minute expert-led session as leaders in cryptography and hardware explore the latest advancements in embedded security. Learn how post-quantum algorithms, hardware security modules (HSMs) and trusted platforms are converging to protect next-generation devices.
Register Now: Post-Quantum Secure TLS 1.3 on Application MPUs
Date: September 17th | 9 AM PT
What you’ll learn:
- Introduction to wolfSSL, Crypto4A and NXP
- How wolfSSL supports NXP platforms
- Fundamentals of post-quantum cryptography and HSMs for embedded security
- NXP’s support for PQC in hardware and firmware via the EdgeLock® Secure Enclave (ELE)
- Live demo: Establishing a secure post-quantum TLS 1.3 connection
Register today to gain valuable insights into the future of secure, post-quantum embedded systems.
As always, our webinar will include Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
Community Spotlight: Jon Durrant
We are thrilled to recognize Dr. Jon Durrant (@DrJonEA) for his exceptional work highlighting wolfSSL across multiple platforms. His dedication to showcasing wolfSSL’s capabilities in real-world IoT and embedded systems projects has been truly outstanding.
Jon has 25+ years as an IT professional. With a PhD in Object Oriented Development and Distributed System Design from the University of Brighton. Jon began his career in Embedded C Development and advanced to Senior Director at PlayStation. He now teaches Raspberry Pi Pico development courses on Udemy and creates IoT content on YouTube.
He has done YouTube video tutorials and web blog articles showcasing projects featuring wolfSSL’s products:
- Raspberry PI Pico-W: TLS Sockets in C/C++ – Technical tutorial showing secure TLS communications using WolfSSL on Raspberry Pi Pico. Over 3,800 viewers have benefited from this practical guidance.
- WolfSSL: A Library That Keeps Me Coming Back – Detailed technical explanations of WolfSSL’s benefits for IoT development, sharing genuine experience across multiple projects and demonstrating real-world use cases.
- NEW! Pico and RP2350: Unleashing A Simple Flash Security Attack and How to Shield Your App! – Uncover the hidden secrets of Pico and RP2350 flash memory and tools! We look into how to avoid easy security attacks. Spoiler: The best way to avoid these attacks is to use WolfCrypt!!
We love the work that Jon is doing to advance secure IoT development via wolfSSL. His combination of technical expertise, educational content creation, and genuine advocacy makes him an invaluable member of the wolfSSL ecosystem.
To explore Jon’s content:
Thank you, Jon, for being such a great advocate for secure IoT development!!
If you have questions about any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247
Download wolfSSL Now
Securing BoringTun with wolfSSL’s FIPS 140-3 Cryptography
We’re excited to announce that wolfSSL is taking the next step in its journey to bring FIPS 140-3 compliance to the WireGuard ecosystem. Following our successful ports of our FIPS crypto into both WireGuard-linux and Wireguard-GO, we are setting our sights on a new target: BoringTun.
BoringTun is a popular, high-performance implementation of the WireGuard protocol written in Rust. It’s used by major players in the tech industry and as the demand for robust, certified cryptographic solutions grows — especially within government and highly regulated sectors — it is a logical next step to provide the same level of cryptographic assurance for this key WireGuard implementation.
wolfSSL has begun the process of integrating our FIPS 140-3 validated library wolfCrypt directly into BoringTun. This project will replace BoringTun’s existing cryptographic backend with a FIPS-compliant alternative, providing the same high-speed, modern protocol that WireGuard is known for, but with the added assurance of a government-certified cryptography module.
This will make BoringTun a viable option for organizations that have a CMMC 2.0, FEDRAMP, or FIPS 140-3 requirement. Are you interested in a FIPS certified BoringTun?
If you have questions about any of the above or need assistance, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
CRL vs OCSP: Secure Certificate Revocation with wolfSSL
Ensuring your TLS certificates are still valid and haven’t been revoked is critical for secure communications. Two methods exist for this:
Certificate Revocation Lists (CRLs) are signed lists published by Certificate Authorities that clients download and check offline. They contain serial numbers of revoked certificates and must be regularly updated and cached by clients to remain effective. CRLs are simple and privacy-friendly but can become large over time and may not reflect revocations in real-time, leaving a window of vulnerability between updates.
Online Certificate Status Protocol (OCSP) lets clients query a CA’s responder in real-time to check if a certificate is revoked. It provides up-to-date, on-demand validation with lower bandwidth than downloading full CRLs. However, it requires an active network connection and can introduce latency or privacy concerns if the client queries the CA directly. OCSP Stapling addresses these issues by allowing the server to “staple” a recent OCSP response to the TLS handshake, improving performance and protecting client privacy.
wolfSSL supports both CRL and OCSP checking, plus OCSP stapling, giving you flexible, layered certificate validation that fits any use case. Enable CRL support to verify certificates against cached revocation lists, and OCSP for live, up-to-the-minute status checks. Use both together for maximum security—CRLs handle offline or initial checks, and OCSP keeps your system aware of recent revocations.
In wolfSSL, enabling these features is straightforward:
// Enable and load CRL wolfSSL_CTX_EnableCRL(ctx, WOLFSSL_CRL_CHECKALL); wolfSSL_CTX_LoadCRL(ctx, "crl.pem", WOLFSSL_FILETYPE_PEM, 0); // Enable OCSP checking and stapling wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_CHECKALL); wolfSSL_CTX_EnableOCSPStapling(ctx);
Check out our manual for more information on these APIs:
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
Protect TLS Secrets After the Handshake — Only with wolfSSL
Most TLS libraries leave your certificates and private keys sitting in RAM long after they’re used — a jackpot for attackers with memory access. wolfSSL is the only TLS library that gives you the power to erase them completely with the wolfSSL_UnloadCertsKeys API. This function doesn’t just free memory — it securely zeroes out every byte of your sensitive data, ensuring nothing remains to be stolen.
From IoT devices and payment terminals to aerospace, automotive, and defense systems, wolfSSL_UnloadCertsKeys helps you meet the toughest security and compliance requirements. Combined with wolfSSL’s FIPS 140-3 validated cryptography, you get end-to-end protection: strong encryption for data in transit, and proactive memory sanitization for keys at rest in RAM. This synergy reduces your attack surface, thwarts memory dump attacks, and helps satisfy stringent standards like GDPR, HIPAA, and PCI DSS.
With wolfSSL, you’re not just encrypting traffic — you’re safeguarding the secrets behind it.
You can find more information on the wolfSSL_UnloadCertsKeys API in our manual.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now
Live Webinar: An introduction to Stateful Hash-Based Signature Schemes
Unlock the Next Era of Cybersecurity with Stateful Hash-Based Signatures!
Join “An Introduction to Stateful Hash-Based Signature Schemes” on September 11 at 9:00 AM PT, presented by Senior Software Developer Anthony Hu. Learn the fundamentals of these quantum-resistant signatures and their role in securing long-lived systems.
Stateful hash-based signature schemes use one-time signatures and Merkle trees to ensure strong security, but require careful state management. Anthony will guide you through the core concepts and share practical considerations for implementation.
Register Now: An introduction to Stateful Hash-Based Signature Schemes
Date: September 11 | 9 AM PT
Duration: 60 Minutes
This webinar will cover:
- CNSA 2.0 and the move to post-quantum cryptography
- One-Time Signatures (OTS)
- Merkle trees for scalability and security
- State management and common pitfalls
- Advanced topics and implementation tips
Register now to stay ahead in the post-quantum cybersecurity landscape.
As always, our webinar will include Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfssl.com or call +1 425 245 8247.
Download wolfSSL Now
Keystores and Secure Elements supported by wolfSSL
When looking to store your cryptographic secrets, it is important to have a good platform to store them on. Even more important is the ease of accessing and using those secrets.
With wolfTPM, we have support for all TPM 2.0 APIs. Additionally we provide the following wrappers:
- Key Generation/Loading
- RSA encrypt/decrypt
- ECC sign/verify
- ECDH
- NV storage
- Hashing/HMAC
- AES
- Sealing/Unsealing
- Attestation
- PCR Extend/Quote
- Secure Root of Trust
Supported Platforms
In wolfTPM we already added support for the following platforms:
- Raspberry Pi (Linux)
- MMIO (Memory mapped IO)
- MMIO (Memory mapped IO)
- Atmel ASF
- Xilinx (Ultrascale+ / Microblaze)
- QNX
- Infineon TriCore (TC2xx/TC3xx)
- Barebox
- Zephyr Project RTOS
- U-Boot Bootloader
- Microchip Harmony (MPLABX)
TPM 2.0 Modules
These TPM (Trusted Platform Module) 2.0 modules are tested and running in the field:
- STM ST33TP* SPI/I2C
- Infineon OPTIGA SLB9670/SLB9672/SLB9673
- Microchip ATTPM20
- Nations Tech Z32H330TC
- Nuvoton NPCT650/NPCT750
- Nations NS350
PKCS#11 Support
We have our own wolfPKCS11 with support for TPM 2.0 using wolfTPM. We also offer support for PKCS11 to interface to various HSMs like:
- Infineon TriCore Aurix
- Renesas RH850
- ST SPC58
Direct Secure Element Access
For direct Secure Element access, we have ports in wolfSSL for:
- ST-SAFE
- Microchip ATECC508/608
- Microchip TA100
- NXP SE050
- TROPIC01 Secure Element
Hardware Cryptographic Acceleration
Wolfcrypt has support for the following:
NXP Platforms
- NXP CAAM (Cryptographic Acceleration and Assurance Module) on i.MX6 (QNX), i.MX8 (QNX/Linux), RT1170 FreeRTOS
Intel & ARM Security
Maxim Integrated
- MAXQ1065/1080 RNG
- MAX32665 and MAX32666 TPU (Trust Protection Unit)
STM32 Platform Support
- STM32MP135F – Complete hardware acceleration suite with STM32CubeIDE support, HAL support for SHA-2/SHA-3/AES/RNG/ECC optimizations
- STM32H5 – Advanced performance microcontroller support
- STM32WBA – Wireless connectivity focused platform
- STM32G4 – General purpose microcontroller series
- STM32U575xx – Ultra-low-power microcontroller boards
- STM32 Cube Expansion Pack – Enhanced development support
Renesas Hardware Acceleration
- Renesas TSIP – RSA Public Encrypt/Private Decrypt operations, AES-CTR mode support
- Renesas SCE – RSA crypto-only support
Infineon Security Solutions
- Infineon TriCore (TC2XX/TC3XX) – Hardware security module with TPM support
- Infineon SLB9672/SLB9673 – Advanced TPM modules with firmware update capabilities
- Infineon Modus Toolbox – Development environment integration
- Infineon CyHal I2C/SPI – Hardware abstraction layer support
Development Board Support
- Raspberry Pi RP2350 – Latest generation with enhanced RNG optimizations
- Raspberry Pi RP2040 – Improved support with RNG optimizations
- SiFive HiFive Unleashed Board – RISC-V development board support
Bootloader and OS Integration
- U-Boot Bootloader – Secure boot integration with TPM support
- Zephyr Project RTOS – Real-time operating system with TPM integration
- Microchip Harmony (MPLABX) – Complete development ecosystem support
Advanced Features
- Memory Mapped I/O (MMIO) TPMs – Direct memory access to TPM modules
- Pre-provisioned Device Identity Keys – Support for manufacturer-provisioned security credentials
- Firmware Update Support – Secure firmware update capabilities for supported TPM modules
For more detailed information on our supported hardware take a look at our Hardware Support list.
PSA (Platform Security Architecture)
Wolfcrypt also can make use of PSA (Platform Security Architecture). This includes the following algorithms:
- Hashes: SHA-1, SHA-224, SHA-256
- AES: AES-ECB, AES-CBC, AES-CTR, AES-GCM, AES-CCM
- ECDH PK callbacks (P-256)
- ECDSA PK callbacks (P-256)
- RNG
wolfBoot Integration
Another product of interest could be wolfBoot, which – as the name suggests – is a bootloader that can use an HSM (Hardware Security Module) for validation and verification. It also provides secure vaults accessible via PKCS#11 API and secured through the ARM TrustZone technology. WolfBoot also supports all of the TPMs and secure elements listed above, as it inherits all of wolfCrypt’s capabilities. WolfBoot can also be combined with wolfTPM to implement measured boot.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now
Deprecation Notice: TLS 1.3 Draft 18
The wolfSSL team is deprecating the following:
- WOLFSSL_TLS13_DRAFT preprocessor macro
- –enable-tls13-draft18 configure option
These components were originally introduced during the TLS 1.3 standardization process to support interoperability with implementations based on Draft 18 of the TLS 1.3 specification. During the multi-year standardization process (2014-2018), multiple draft versions were published before the final RFC 8446 was released in August 2018.
The –enable-tls13-draft18 configure option currently has no functional effect in the codebase and serves no purpose.
The WOLFSSL_TLS13_DRAFT macro, when defined, modifies version number handling in TLS handshakes to use draft-specific version numbers (TLS_DRAFT_MAJOR = 0x7f) instead of the final TLS 1.3 version numbers. This was designed to maintain compatibility with implementations during the transition period which ended long ago.
Maintaining compatibility with obsolete specifications introduces unnecessary complexity. The TLS ecosystem has fully migrated to the TLS 1.3 standard. For these reasons, we are eliminating draft compatibility.
This decision is not yet final. If you think you need these configuration flags to be available, please reach out to us at support@wolfssl.com and let us know.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now
Weekly updates
Archives
- September 2025 (13)
- August 2025 (23)
- July 2025 (27)
- June 2025 (22)
- May 2025 (25)
- April 2025 (24)
- March 2025 (22)
- February 2025 (21)
- January 2025 (23)
- December 2024 (22)
- November 2024 (29)
- October 2024 (18)
- September 2024 (21)
- August 2024 (24)
- July 2024 (27)
- June 2024 (22)
- May 2024 (28)
- April 2024 (29)
- March 2024 (21)
- February 2024 (18)
- January 2024 (21)
- December 2023 (20)
- November 2023 (20)
- October 2023 (23)
- September 2023 (17)
- August 2023 (25)
- July 2023 (39)
- June 2023 (13)
- May 2023 (11)
- April 2023 (6)
- March 2023 (23)
- February 2023 (7)
- January 2023 (7)
- December 2022 (15)
- November 2022 (11)
- October 2022 (8)
- September 2022 (7)
- August 2022 (12)
- July 2022 (7)
- June 2022 (14)
- May 2022 (10)
- April 2022 (11)
- March 2022 (12)
- February 2022 (22)
- January 2022 (12)
- December 2021 (13)
- November 2021 (27)
- October 2021 (11)
- September 2021 (14)
- August 2021 (10)
- July 2021 (16)
- June 2021 (13)
- May 2021 (9)
- April 2021 (13)
- March 2021 (24)
- February 2021 (22)
- January 2021 (18)
- December 2020 (19)
- November 2020 (11)
- October 2020 (3)
- September 2020 (20)
- August 2020 (11)
- July 2020 (7)
- June 2020 (14)
- May 2020 (13)
- April 2020 (14)
- March 2020 (4)
- February 2020 (21)
- January 2020 (18)
- December 2019 (7)
- November 2019 (16)
- October 2019 (14)
- September 2019 (18)
- August 2019 (16)
- July 2019 (8)
- June 2019 (9)
- May 2019 (28)
- April 2019 (27)
- March 2019 (15)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (9)
- October 2018 (15)
- September 2018 (15)
- August 2018 (5)
- July 2018 (15)
- June 2018 (29)
- May 2018 (12)
- April 2018 (6)
- March 2018 (18)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (5)
- September 2017 (7)
- August 2017 (6)
- July 2017 (11)
- June 2017 (7)
- May 2017 (9)
- April 2017 (5)
- March 2017 (6)
- January 2017 (8)
- December 2016 (2)
- November 2016 (1)
- October 2016 (15)
- September 2016 (6)
- August 2016 (5)
- July 2016 (4)
- June 2016 (9)
- May 2016 (4)
- April 2016 (4)
- March 2016 (4)
- February 2016 (9)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (5)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (12)
- January 2015 (4)
- December 2014 (6)
- November 2014 (3)
- October 2014 (1)
- September 2014 (11)
- August 2014 (5)
- July 2014 (9)
- June 2014 (10)
- May 2014 (5)
- April 2014 (9)
- February 2014 (3)
- January 2014 (5)
- December 2013 (7)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (7)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (8)
- December 2012 (12)
- November 2012 (5)
- October 2012 (7)
- September 2012 (3)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (4)
- April 2012 (6)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (5)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (7)
- May 2011 (11)
- April 2011 (4)
- March 2011 (12)
- February 2011 (7)
- January 2011 (11)
- December 2010 (17)
- November 2010 (12)
- October 2010 (11)
- September 2010 (9)
- August 2010 (20)
- July 2010 (12)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)