wolfProvider Expansion: 35+ New FIPS Open Source Integrations
Introduction
Since the release of wolfProvider 1.0.2, the wolfSSL team has been hard at work expanding the ecosystem of open source projects that integrate seamlessly with wolfProvider. As an OpenSSL 3.x provider that brings wolfSSL’s FIPS cryptographic capabilities to OpenSSL-based applications, wolfProvider enables organizations to leverage wolfSSL’s FIPS-certified implementations, optimized performance, and reduced memory footprint—all without modifying existing application code.
Today, we’re excited to announce that wolfProvider now includes comprehensive integration testing for over 35 additional open source projects spanning web infrastructure, networking tools, authentication systems, cryptographic libraries, and system utilities. This massive expansion demonstrates wolfProvider’s production readiness and broad compatibility across the open source ecosystem, providing drop-in replacements to allow FIPS compliance with no changes to the target application.
This post provides a high-level overview of these new integrations. In the coming weeks, we’ll be publishing detailed technical guides for larger projects, covering specific configuration steps, performance considerations, and best practices.
Web and Application Infrastructure
gRPC
gRPC is Google’s high-performance, open source RPC framework used by organizations worldwide for microservices communication. With wolfProvider integration, gRPC applications can now leverage wolfSSL’s cryptographic implementations for TLS connections, enabling FIPS compliance for service-to-service authentication and data encryption.
BIND9
BIND9 is the most widely used DNS server software on the Internet. Our integration enables DNS operators to use wolfProvider for DNSSEC operations, bringing wolfSSL’s cryptographic capabilities to critical Internet infrastructure for secure domain name resolution.
Network and Communication Tools
libwebsockets
libwebsockets is a lightweight C library for implementing WebSocket servers and clients. The wolfProvider integration allows WebSocket applications to use wolfSSL for TLS handshakes and encrypted communications, ideal for real-time applications requiring FIPS-certified cryptography.
socat
socat is a multipurpose relay tool for bidirectional data transfer between two data streams. With wolfProvider, socat can establish TLS-secured connections using wolfSSL, making it valuable for secure tunneling and network debugging scenarios.
iperf
iperf is the industry-standard tool for network performance measurement and tuning. The wolfProvider integration enables network engineers to test TLS performance using wolfSSL’s optimized implementations, providing accurate benchmarks for encrypted network throughput.
rsync
rsync is the ubiquitous file synchronization and transfer tool. Our integration allows rsync to use wolfProvider for securing file transfers over SSH, bringing wolfSSL’s cryptographic capabilities to backup and replication workflows.
tnftp
tnftp (the enhanced FTP client from NetBSD) can now leverage wolfProvider for TLS-enabled FTP connections, allowing secure file transfers with wolfSSL’s FIPS-certified cryptography.
ppp
The Point-to-Point Protocol daemon is fundamental for dial-up and VPN connections. wolfProvider integration enables PPP to use wolfSSL for authentication protocols, supporting secure remote access scenarios.
Authentication and Security
Kerberos (krb5)
MIT Kerberos is the gold standard for network authentication. Our integration allows Kerberos to use wolfProvider for cryptographic operations, enabling enterprises to leverage wolfSSL’s FIPS implementations for their single sign-on infrastructure.
pam-pkcs11
pam-pkcs11 provides smart card authentication for Linux systems. With wolfProvider, organizations can use wolfSSL for certificate validation and cryptographic operations in their smart card-based access control systems.
OpenSC
OpenSC provides a set of libraries and utilities for smart card access. The wolfProvider integration brings wolfSSL’s cryptographic capabilities to smart card operations, supporting various cryptographic tokens and hardware security modules.
libfido2
libfido2 implements the FIDO2/WebAuthn standards for passwordless authentication. Our integration enables FIDO2 implementations to use wolfProvider for cryptographic operations, supporting modern passwordless login flows with wolfSSL.
libtss2
libtss2 is the Trusted Platform Module 2.0 software stack. With wolfProvider, TPM-based applications can leverage wolfSSL for cryptographic operations, ideal for hardware-backed secure boot and attestation scenarios.
OpenLDAP
OpenLDAP is the leading open source LDAP directory server. The wolfProvider integration allows OpenLDAP to use wolfSSL for TLS connections and cryptographic operations, bringing FIPS compliance to enterprise directory services.
SSSD
The System Security Services Daemon provides access to identity and authentication providers. With wolfProvider, SSSD can leverage wolfSSL for secure communications with Active Directory, LDAP, and other authentication backends.
OpenSSH
OpenSSH is the premier connectivity tool for secure remote login. Our integration enables OpenSSH to use wolfProvider for all cryptographic operations, supporting FIPS-compliant SSH connections for system administration and file transfers.
stunnel
stunnel is a proxy designed to add TLS encryption to existing clients and servers. With wolfProvider, stunnel can use wolfSSL’s optimized TLS implementations, ideal for securing legacy applications without code modifications.
Cryptographic Libraries and Tools
cjose
cjose is a C implementation of the JOSE (JSON Object Signing and Encryption) standard. The wolfProvider integration enables JOSE operations using wolfSSL, supporting modern token-based authentication and API security patterns.
xmlsec
xmlsec provides XML Digital Signature and Encryption capabilities. With wolfProvider, applications can use wolfSSL for XML security operations, supporting SAML, WS-Security, and other XML-based security protocols.
libcryptsetup
libcryptsetup manages encrypted block devices in Linux. Our integration allows disk encryption tools to use wolfProvider for cryptographic operations, enabling FIPS-compliant full-disk encryption with wolfSSL.
libeac3
libeac3 implements the Extended Access Control protocol for electronic passports. The wolfProvider integration brings wolfSSL to e-passport applications, supporting secure identity verification scenarios.
liboauth2
liboauth2 is a library for OAuth 2.0 flows. With wolfProvider, OAuth implementations can leverage wolfSSL for cryptographic operations, supporting secure API authentication and authorization.
libssh2
libssh2 is a client-side C library implementing the SSH2 protocol. Our integration enables libssh2 applications to use wolfProvider for SSH connections, bringing wolfSSL’s performance and FIPS capabilities to SSH-based automation and file transfer tools.
System and Utility Tools
systemd
systemd is the init system used by most modern Linux distributions. The wolfProvider integration enables systemd’s cryptographic operations to use wolfSSL, supporting secure boot, TPM integration, and encrypted credentials.
tcpdump
tcpdump is the premier packet analyzer for network troubleshooting. With wolfProvider, tcpdump can decrypt TLS traffic for analysis using wolfSSL’s cryptographic implementations.
x11vnc
x11vnc allows remote desktop access to X11 displays. Our integration enables x11vnc to use wolfProvider for TLS-encrypted remote desktop sessions, supporting secure remote administration with wolfSSL.
sscep
sscep is a Simple Certificate Enrollment Protocol client. With wolfProvider, SCEP operations can use wolfSSL for certificate enrollment and management, supporting automated certificate provisioning workflows.
ipmitool
ipmitool provides command-line access to IPMI-enabled devices for server management. The wolfProvider integration enables secure IPMI communications using wolfSSL, supporting out-of-band management scenarios.
tpm2-tools
tpm2-tools provides utilities for TPM 2.0 management and testing. With wolfProvider, TPM operations can leverage wolfSSL’s cryptographic implementations, supporting hardware-backed security operations.
net-snmp
net-snmp is a suite of applications for SNMP network monitoring. Our integration allows SNMP to use wolfProvider for cryptographic operations, enabling secure network management with SNMPv3.
python3-ntp
The Python NTP implementation can now use wolfProvider for cryptographic operations in Network Time Protocol security extensions, supporting authenticated time synchronization.
Application Frameworks
Qt5 Network
Qt5’s networking module is used by thousands of applications worldwide. The wolfProvider integration enables Qt applications to use wolfSSL for TLS connections, supporting FIPS compliance for cross-platform desktop and mobile applications.
libnice
libnice implements ICE (Interactive Connectivity Establishment) for NAT traversal. With wolfProvider, WebRTC and other real-time communication applications can use wolfSSL for DTLS operations.
libhashkit2
libhashkit2 provides consistent hashing algorithms used in distributed systems. Our integration enables applications to use wolfProvider for cryptographic hashing operations with wolfSSL.
What This Means for the wolfSSL Ecosystem
This extensive integration testing demonstrates wolfProvider’s production readiness and compatibility across diverse open source projects. All integrations use the standard OpenSSL provider framework with minimal modifications, and each includes automated CI testing to ensure reliability. Integration patches are maintained in the wolfSSL OSP repository for community access.
Looking Ahead
We’ll be publishing detailed integration guides for major projects like gRPC, OpenSSH, systemd, and others where deployment considerations are more complex. These guides will cover configuration, performance tuning, and FIPS-specific requirements.
Get Started Today
All integration testing configurations and patches are available in the wolfProvider repository and the OSP repository. The automated workflows in .github/workflows/ provide reference implementations showing exactly how to build and test each integration.
Whether you’re looking to achieve FIPS compliance, optimize cryptographic performance, or reduce memory footprint, wolfProvider’s broad ecosystem support makes it easier than ever to bring wolfSSL’s benefits to your existing OpenSSL-based applications.
For questions or assistance with wolfProvider integration, please contact us at support@wolfssl.com or visit www.wolfssl.com.
Stay tuned for our upcoming integration guides!
wolfProvider is available under the GPLv3 license with commercial licensing options available. For more information, visit the wolfProvider GitHub repository.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call +1 425 245 8247.
Download wolfSSL Now
wolfProvider 1.1.0: Major Release with Enhanced Features and Extensive Integration Testing
wolfSSL is proud to announce the release of wolfProvider 1.1.0. This major release represents a significant milestone in our commitment to providing robust OpenSSL 3.x compatibility with FIPS 140-3 validated cryptography. wolfProvider 1.1.0 has been developed according to wolfSSL’s rigorous development and QA process and has successfully passed our quality criteria.
wolfProvider is designed for customers who want FIPS-validated cryptography but are already invested in using OpenSSL. The provider delivers drop-in replacements for cryptographic algorithms used by OpenSSL, leveraging the wolfCrypt engine underneath, which is FIPS 140-3 certified.
New Cryptographic Features
This release introduces several important cryptographic capabilities:
- KBKDF (Key-Based Key Derivation Function): Implementation of NIST SP 800-108 key derivation for secure key generation from existing key material.
- KRB5KDF (Kerberos 5 Key Derivation Function): Support for Kerberos cryptographic operations, enabling enterprise authentication scenarios.
- AES-CTS (Ciphertext Stealing): Additional AES cipher mode for applications requiring specific padding behavior.
- RSA No-Padding Operations: Raw RSA encrypt/decrypt operations for applications with custom padding schemes.
Replace-Default Provider Mode
A groundbreaking feature in this release is the ability to replace OpenSSL’s default provider entirely with wolfProvider. This mode makes wolfProvider the primary cryptographic implementation system-wide, allowing existing OpenSSL applications to transparently use wolfSSL’s FIPS-validated cryptography without any code modifications. This feature includes comprehensive testing to ensure the default swap works as expected across various scenarios.
Enhanced Testing and Quality Assurance
wolfProvider 1.1.0 significantly expands our integration testing with real-world open-source applications. We’ve added automated CI/CD workflows for over 40 popular applications, ensuring wolfProvider works seamlessly with:
Network Infrastructure: gRPC, OpenSSH, libssh2, OpenSC/PKCS11, OpenLDAP, IPMItool, Stunnel, socat, SSSD, net-snmp, liboauth2, tnftp, systemd, X11VNC, sscep, TPM2 tools, libcryptsetup, libtss2, KRB5, bind9, hostap
Development Tools: Python3 NTP, libeac, xmlsec, Qt5 Network, rsync, libwebsockets, tcpdump, cjose, iperf, libfido2, ppp, pam-pkcs11, kmod, libnice
This extensive testing demonstrates wolfProvider’s production-readiness and compatibility with the broader OpenSSL ecosystem.
Command-Line Integration
New command-line integration tests validate wolfProvider’s compatibility with OpenSSL command-line tools for AES, RSA, RSA-PSS, Hash, and ECC operations. This ensures that scripts and automation tools using OpenSSL commands work correctly with wolfProvider.
Debian Package Support
This release includes comprehensive Debian packaging support, making deployment on Debian-based systems straightforward. The packaging includes proper dependency management and integration with system OpenSSL configurations.
Bug Fixes and Stability Improvements
wolfProvider 1.1.0 includes over 100 bug fixes addressing issues across all cryptographic operations:
AES Improvements: Fixed AES-GCM streaming bugs, authentication tag handling, IV management, and CBC consecutive call handling.
RSA Enhancements: Resolved RSA PSS decoding issues, key import edge cases, keygen retry logic, certificate display formatting, and parameter handling.
ECC Fixes: Corrected public key validation, parameter handling, private key operations, signing restrictions, and encoding issues.
DH Corrections: Fixed FIPS build compatibility, parameter handling, private key operations, and decoder registrations.
General Stability: Improved locking around signature operations, NULL reinit handling, core libctx management, and OpenSSL patching detection.
Looking Forward
wolfProvider 1.1.0 represents a major step forward in providing FIPS-validated cryptography to the OpenSSL ecosystem. The extensive integration testing, new cryptographic features, and replace-default mode make this release suitable for production deployment in enterprise environments requiring FIPS compliance.
Refer to the README.md found in the release for usage instructions. We also maintain a ChangeLog.md for a complete list of changes in each release.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now
Live Webinar: DTLS 1.3 Training
Upgrade Your UDP Security with DTLS 1.3!
Join our upcoming DTLS 1.3 Training on November 5th at 9 AM PT to explore the latest advancements in DTLS security. Learn how to move from DTLS 1.2 to DTLS 1.3 to reduce handshake round-trips, strengthen downgrade resistance, enable post-quantum authentication and key exchange, and meet modern compliance needs, essential improvements for embedded, aerospace, and high-assurance systems.
Register today: DTLS 1.3 Training
Date: November 5th | 9 AM PT
wolfSSL DTLS 1.3 delivers these performance and security enhancements in a small, embedded-friendly package. Deploy DTLS 1.3 in constrained environments without sacrificing speed or reliability, backed by a mature open-source library proven in real-world deployments.
This webinar will cover:
- Introduction to wolfSSL: products and open-source ecosystem
- DTLS basics: concepts, handshake, and use cases
- DTLS v1.3 vs v1.2: key differences and benefits
- Hands-on: implement DTLS in UDP applications
Register Now to see DTLS 1.3 in action and learn how to secure your systems efficiently with wolfSSL
As always, our webinar will include Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfssl.com or call +1 425 452 8247.
Download wolfSSL Now
wolfDemo: A Passion Project Showcasing wolfSSL Technology
About Me
For this blog post, I’m going to do something a little different. This is a personal project, and as such, you should probably know a little about the person behind it. My name is Andrew Hutchings, I have an extensive engineering background, and in my spare time, I design new circuit boards for vintage computers.
I was part of the wolfSSL team at Embedded World 2025. This is a photo of the team there, I’m the one in the light-blue jeans.
I’m also wearing a badge here, which I designed, which is an entirely custom board using an RP2040 microcontroller and power management/battery management hardware. It uses a highly optimised OLED driver and graphics library firmware I wrote for it.
At Embedded World, we were showcasing various wolfSSL products running on stock development boards. It was here I had the thought “what if we had our own development board?”. In my hotel room, I got to work on planning and designing. There are some basic requirements I wanted to target:
- It had to have wolfSSL branding and draw attention.
- It had to have mikroBus sockets. Pretty much every expansion possible is available in the open mikroBus standard.
- It should be easy to use for people who are not as experienced in embedded development.
- It should have a Tag-Connect connector for the JTAG. This is just a personal thing, I use Tag-Connect everywhere.
I quickly settled on the STM32U585 for this board. It has a lot of flash and RAM, hardware crypto acceleration for AES and SHA-256, it is quite fast (Cortex-M33 at 160MHz) and relatively inexpensive. I’ve also developed ST based boards before. So, whilst I figured that I would end up doing boards with other manufacturer’s MCUs, this would be a lower barrier to a first version.
The wolfDemo Board
The final version of the board I think met all my requirements. I used various aspects of the PCB to make the wolfSSL logo and put four addressable cyan LED sections underneath the board to glow for the wolf’s bark, one section for each of the curved bars for the bark. You can see the third from the right bar glowing in the photo above. There are two mikroBus sockets, two input buttons, and a USB to UART for getting log data or flashing the board. It even has Tag-Connect for JTAG, as well as an option for a 10-pin ARM Cortex JTAG header.
In addition, I created a mikroBus click board for the ST33 TPM.
Better Demos
Now that we have a board, we need demos to run on it. We have the wolfCrypt benchmark, it is a great way to show how fast wolfCrypt runs on various platforms. But, at a casual glance in an expo environment, it isn’t the easiest to understand. So, I made some improvements…
Behind the scenes, there is the regular wolfCrypt benchmark running underneath. Although there is a new feature I wrote to show the heap / stack usage for each algo. The front end you are seeing here is a Python script that listens on the USB serial port and processes the results in real-time, rendering it into the table. Also, for an added visual touch, as each log line is sent from the board, the wolf bark LED changes.
What’s Next!
This is not something we will be selling. I’m going to be making more boards in my spare time and sending them to the rest of the team. In fact, I’ve sent some already and have a batch ready to go. This way we can show demos on the board at more events. We have also made the design files and examples publicly available.
There will definitely be more demos. I showed the board for the first time at it-sa in Nuremberg, and partners have already approached us saying that they would like demos of their technology on it. With the mikroBus sockets, we can show wolfSSL’s products running whilst connected to hundreds of different hardware boards.
I will also be designing variants using MCUs from other companies, so that we can show that wolfSSL’s products are extremely versatile.
If you are coming to an event, and wolfSSL is there. Lookout for demos using the wolfDemo board!
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now
GNOME Crypto Ring FIPS 104-3 with wolfSSL
GNOME Crypto Ring (GCR) is a core library in the GNOME desktop environment. Built on libgcrypt, GCR can achieve FIPS 140-3 compliance using wolfSSL’s libgcrypt port.
wolfSSL’s libgcrypt port ensures compliance for FIPS 140-3 in applications consuming GCR, such as:
- Certificate and Key Viewing: The gcr-viewer tool allows inspection of cryptographic files like X.509 certificates and private keys, displaying details such as issuer, expiration, and signatures in a user-friendly interface.
- Cryptographic UI Components: GCR provides widgets and dialogs for GNOME applications, enabling secure prompts for PINs, passwords, or certificate verification in tools like email clients and browsers.
- Key Store Integration: GCR supports accessing key stores via PKCS#11 standards, facilitating interaction with hardware security modules or smart cards for secure key management.
- Parsing and Import/Export: GCR handles parsing of various cryptographic formats and importing/exporting certificates and keys, simplifying credential management.
Questions?
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
wolfCrypt Rust Wrappers: Secure and Efficient Cryptography in Rust
We are thrilled to announce a significant enhancement to the wolfSSL repository: the addition of Rust wrappers for wolfCrypt! This integration, available now in our official wolfSSL GitHub repository, allows developers to leverage the robust cryptographic primitives of wolfCrypt directly within their Rust applications, benefiting from Rust’s safety, performance, and modern language features.
Why Rust
Rust has rapidly gained popularity for its focus on safety, particularly memory safety, without sacrificing performance. Its strong type system and ownership model prevent common programming errors like null pointer dereferences and data races, making it an ideal choice for building secure and reliable software. Cryptographic implementations, in particular, demand the highest levels of correctness and security, which align perfectly with Rust’s design principles.
Introducing wolfCrypt Rust Wrappers
The new Rust wrappers provide a safe and idiomatic interface to wolfCrypt’s comprehensive suite of cryptographic algorithms. Rust wrapper development is an ongoing effort and more functionality is planned. Initially Rust wrappers are targeting the wolfCrypt FIPS API. Currently, developers can now easily integrate features such as:
- Asymmetric Cryptography: RSA and ECC
- Symmetric Ciphers: AES
- Hashing: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256
- Key Exchange: Diffie-Hellman, ECDH
- Random Number Generation: FIPS 140-2 certified random number generator (RNG)
More Rust wrappers for functionality such as HMAC, CMAC, KDF, Ed25591, and Ed448, and more are planned.
Key Benefits
- Memory Safety,/strong>: Rust’s ownership and borrowing system eliminates common memory-related vulnerabilities that plague C/C++ implementations, such as buffer overflows and use-after-free errors.
- Thread Safety: The Rust type system prevents data races, ensuring that cryptographic operations are safe in multi-threaded environments.
- Performance: wolfCrypt is renowned for its small footprint and high performance, and these characteristics are preserved when used through the Rust wrappers.
- Ease of Use,/strong>: The wrappers are designed to be intuitive and follow Rust’s best practices, making it straightforward for Rust developers to incorporate powerful cryptography into their projects.
- FIPS 140-2 Compliance: Leverage wolfCrypt’s FIPS 140-2 validated cryptographic modules directly from Rust.
Getting Started
Integrating the wolfCrypt Rust wrappers into your project is simple. You can find the necessary files and detailed instructions within the wolfSSL GitHub repository in the wrapper/rust directory.
Example Usage
Here’s a sneak peek at how easy it is to use the new wrappers (specific API details can be found in the repository).
RNG
use wolfssl::wolfcrypt::random::RNG;
fn main() {
// Create a RNG instance.
let mut rng = RNG::new().expect("Failed to create RNG");
// Generate a single random byte value.
let byte = rng.generate_byte().expect("Failed to generate a single byte");
// Generate a random block.
let mut buffer = [0u32; 8];
rng.generate_block(&mut buffer).expect("Failed to generate a block");
}
SHA-256
use wolfssl::wolfcrypt::sha::SHA256;
fn main() {
// Create a SHA256 instance.
let mut sha = SHA256::new().expect("Error with new()");
// Feed input data (can be called multiple times).
sha.update(b"input").expect("Error with update()");
// Retrieve the final SHA-256 hash.
let mut hash = [0u8; SHA256::DIGEST_SIZE];
sha.finalize(&mut hash).expect("Error with finalize()");
}
ECC
use wolfssl::wolfcrypt::random::RNG;
use wolfssl::wolfcrypt::ecc::ECC;
fn main () {
let mut rng = RNG::new().expect("Failed to create RNG");
// Generate a new ECC key.
let mut ecc = ECC::generate(32, &mut rng).expect("Error with generate()");
let hash = [0x42u8; 32];
let mut signature = [0u8; 128];
// Sign a hash with the ECC key.
let signature_length = ecc.sign_hash(&hash, &mut signature, &mut rng).expect("Error with sign_hash()");
let signature = &signature[0..signature_length];
}
Community and Support
We encourage the Rust community to explore these new wrappers and provide feedback. Your contributions and insights are invaluable as we continue to improve and expand our offerings. If you encounter any issues or have suggestions, please open an issue or submit a pull request on our GitHub repository.
What’s Next?
wolfSSL is committed to enhancing the security and usability of our products across various platforms and languages. The introduction of Rust wrappers is a testament to this commitment. We plan to continue expanding the functionality and improving the developer experience for our Rust users.
Stay tuned for more updates and exciting developments from wolfSSL!
Useful Links
If you have any questions, please contact us at facts@wolfssl.com, or call us at +1 425 245 8247. We look forward to seeing what you build with wolfCrypt and Rust!
Download wolfSSL Now
Live Webinar: How to Secure AMD Xilinx Platforms with wolfSSL
Build faster, boot safer, and secure your Xilinx designs against tomorrow’s threats.
Join wolfSSL senior software engineer Jacob Barthelmeh for a live walkthrough of how wolfSSL brings high-assurance cryptography and post-quantum protection to AMD Xilinx platforms. Learn how wolfBoot establishes a secure boot chain, how wolfHSM provides hardware-rooted key management, and how wolfCrypt delivers FIPS 140-3 validated and CNSA 2.0-aligned post-quantum algorithms for long-term security. Whether you’re developing for aerospace, defense, or industrial systems, discover how wolfSSL combines performance, portability, and certification-ready protection for AMD Xilinx devices.
Register Now: How to Secure AMD Xilinx Platforms with wolfSSL
Date: October 29 | 9 AM PT
What this webinar will cover:
- Building wolfSSL for Xilinx Devices — Optimize builds and enable hardware acceleration
- Integration with PetaLinux — Configure, package, and deploy wolfSSL efficiently
- wolfBoot for Secure Boot — Authenticate firmware and enforce a trusted boot chain
- wolfHSM Overview — Implement hardware-backed key storage and crypto offload
- PQC & CNSA 2.0 Readiness — Integrate ML-KEM, ML-DSA, LMS, and XMSS for quantum-safe protection
- FIPS 140-3 Validated wolfCrypt — Meet compliance requirements for regulated environments
Register now to learn how wolfSSL delivers quantum-ready, certifiable security for AMD Xilinx platforms.
As always, our webinar will include Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now
wolfSSH 1.4.21 Released
Version 1.4.21 of wolfSSH is now available! This update includes a critical security fix, improved interoperability, and enhancements for embedded and hardware-backed key use cases.
Security Updates
This release addresses two security issues:
- CVE-2025-11625: Fixed a client-side host verification bypass that could expose credentials (PR#840).
- CVE-2025-11624: Fixed an SFTP server stack overflow triggered by malformed input. Thanks to Stanislav Fort of Aisle Research for the report
Feature Additions
- TPM key authentication for hardware-based identity protection.
- ED25519 key generation support added to the API.
- Curve25519 alias compatibility with curve25519-sha256@libssh.org for improved interoperability.
- Keyboard-interactive authentication can now be enabled at build time (–enable-keyboard-interactive).
- AES-CBC is now disabled by default, shifting focus toward stronger default cipher suites.
- Added Microchip ATSAMV71Q21B example with harmony filesystem integration.
This version refines FATFS support, enhances user authentication handling, and improves SFTP and rekeying operations. Post quantum hybrid support was also touched up along with numerous Coverity findings, warning cleanups, and minor API consistency fixes.
Users of the wolfSSH client code or SFTP server should upgrade, particularly those relying on host verification.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now
Xilinx Accelerated Crypto with FIPS
It’s already possible to use ARMv8 crypto extensions with FIPS 140-3 using PAA (Processor Algorithm Acceleration) but did you know that we have researched using Xilinx/AMD’s hardened crypto with wolfSSL while being FIPS certified? Many benefits can come from using Xilinx/AMD’s hardened crypto accelerators, for example it free’s up the CPU to be used for other operations and it also comes with additional side channel hardening. Leveraging these benefits in projects where FIPS 140-3 certification is required would be useful. If curious about a hybrid FIPS certification that can make use of the CSU, or newer ASU, while having a FIPS 140-3 certification contact us at facts@wolfssl.com.
Join our upcoming webinar “How to Secure AMD Xilinx Platforms with wolfSSL” on October 29 at 9 AM PT to learn how to leverage AMD/Xilinx’s hardened crypto with FIPS 140-3 certification for enhanced performance and security.
Register now!
If you have questions about any of the above, please contact us at facts@wolfssl.com or call +1 425 245 8247.
Download wolfSSL Now
Updated Xilinx/AMD Versal Benchmarks
There are three build options for crypto operations when using wolfSSL on Xilinx/AMD Ultrascale+ devices. The lightweight wolfSSL library can use a software only implementation, make use of the ARMv8 crypto extensions along with custom ARM assembly, or offload the operation to the CSU. Each has its trade offs. Recently wolfSSL has made improvements to the ARMv8 optimizations for use with AES-GCM operations.
- Offloading to the CSU (labeled here as the hardened option) free’s up the CPU for other operations and it leverages the hardening available which provides enhancements like additional protections against DPA (differential power analysis)
- ARMv8 crypto extensions is very performant for smaller block sizes and can be taken through a FIPS OE with use of PAA (Processor Algorithm Acceleration)
The following tables are raw numbers of the throughput collected. Collecting the performance on even larger block sizes would show that Xilinx/AMD hardened crypto accelerators continue on linearly until reaching their maximum. The hardened numbers were collected previously using FreeRTOS, the software and ARMv8 were collected while running on Petalinux with the latest wolfSSL version 5.8.2. A VMK180 Versal board was used.
| Algorithm | Hardened – MB/s | Block Size |
| AES-256-GCM-enc-no_AAD | 0.19188 | 16 |
| AES-256-GCM-enc-no_AAD | 6.324667 | 528 |
| AES-256-GCM-enc-no_AAD | 12.254902 | 1024 |
| AES-256-GCM-enc-no_AAD | 49.01886 | 4112 |
| AES-256-GCM-enc-no_AAD | 89.60888 | 7696 |
| AES-256-GCM-enc-no_AAD | 181.00591 | 15888 |
| AES-256-GCM-enc-no_AAD | 350.444225 | 32768 |
| AES-256-GCM-enc-no_AAD | 633.100698 | 65535 |
| Algorithm | Software – MB/s | Block Size |
| AES-256-GCM-enc-no_AAD | 15.0984 | 16 |
| AES-256-GCM-enc-no_AAD | 31.0764 | 528 |
| AES-256-GCM-enc-no_AAD | 31.5839 | 1024 |
| AES-256-GCM-enc-no_AAD | 32.0214 | 4112 |
| AES-256-GCM-enc-no_AAD | 32.0883 | 7696 |
| AES-256-GCM-enc-no_AAD | 32.1052 | 15888 |
| AES-256-GCM-enc-no_AAD | 32.1038 | 32768 |
| AES-256-GCM-enc-no_AAD | 32.1293 | 65535 |
| Algorithm | ARMv8 – MB/s | Block Size |
| AES-256-GCM-enc-no_AAD | 120.862503 | 16 |
| AES-256-GCM-enc-no_AAD | 633.607939 | 528 |
| AES-256-GCM-enc-no_AAD | 715.517677 | 1024 |
| AES-256-GCM-enc-no_AAD | 776.28316 | 4112 |
| AES-256-GCM-enc-no_AAD | 783.198307 | 7696 |
| AES-256-GCM-enc-no_AAD | 793.405041 | 15888 |
| AES-256-GCM-enc-no_AAD | 793.122663 | 32768 |
| AES-256-GCM-enc-no_AAD | 797.332681 | 65535 |
For RSA operations the following chart shows performance differences using a 4096 bit key for private key operations. SP stands for Single Precision.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call +1 425 245 8247.
Download wolfSSL Now