RECENT BLOG NEWS
wolfSSL Assembly Optimizations for ARM Processors
If you are looking for an SSL/TLS library to provide security in connected ARM environments, wolfSSL is by far the best choice. wolfSSL is an ARM partner, and our code has been optimized for ARM environments. Public key operations in CyaSSL (wolfSSL) have optimized assembly code that gives wolfSSL faster RSA, Diffie-Hellman, and DSA times.
Optimized assembly code for public key operations can be found in asm.c and are easy to use, simply run ./configure –enable-fastmath and for stack usage reduction we also recommend using TFM_TIMIN_RESISTANT.
For any question regarding wolfSSL in ARM environments please contact us at facts@wolfssl.com.
wolfSSL SSL/TLS Tutorial Video
Below is a link to wolfSSL’s SSL/TLS tutorial video on setting up a basic client and server with the CyaSSL lightweight, embedded SSL/TLS library. This video provides a detailed step-by-step set of instructions, including code, for incorporating CyaSSL into an application. The tutorial walks through Chapter 11 of the CyaSSL manual.
SSL/TLS Tutorial with CyaSSL Lightweight SSL:
https://www.youtube.com/watch?v=-Smp3X1eWNQ
For more information please contact us at facts@wolfssl.com or go to www.wolfssl.com. Instructions for building CyaSSL may be found in Chapter 2 of the CyaSSL Manual.
wolfSSL and CyaSSL Users SAFE from POODLE bites again attacks
Some TLS implementations are vulnerable to the October POODLE attack that at the time was thought to be limited to SSLv3 only: https://www.imperialviolet.org/2014/12/08/poodleagain.html . These implementations are incorrectly using a SSLV3 decoding function while in TLS mode. wolfSSL is not susceptible, it correctly uses TLS decoding while in TLS mode. We would like to reiterate Adam Langley’s advice to use TLS 1.2 with an AEAD cipher suite whenever possible. wolfSSL supports TLS 1.2 and has 3 cipher suite types supporting AEAD; AES-GCM, AES-CCM, and CHACHA20-POLY1305. 29 different AEAD cipher suites are available with TLS 1.2 in wolfSSL. Please contact us at facts@wolfssl.com if you have any questions or comments.
We are happy to announce the release of wolfSSL version 3.3.0
CyaSSL version 3.3.0 offers:
• Secure countermeasures for Handshake message duplicates, CHANGE CIPHER without FINISHED, and fast forward attempts added to our source code. Thanks to Karthikeyan Bhargavan from the Prosecco team at INRIA Paris-Rocquencourt for the report. This is an important fix and all users should update!
• Complete testing for FIPS 140-2 version submitted to NIST. FIPS 140-2 source code now available.
• Removes SSLv2 Client Hello processing for enhanced security, can be enabled with OLD_HELLO_ALLOWED
• Protocol level control: User can now control TLS protocol down-cycling to a minimum downgrade version with CyaSSL_SetMinVersion(). For example, you could reject handshakes at a protocol level less than TLS 1.1.
• Small stack improvements at TLS/SSL layer, to benefit environments with limited available stack.
• TLS Master Secret generation and Key Expansion are now exposed at the API level
• Adds client side Secure Renegotiation, * not recommended, ever! *
• Client side session ticket support. This feature is not fully tested with Secure Renegotiation, so don’t use Secure Renegotiation.
• Allows up to 4096-bit DHE at TLS Key Exchange layer
• Handles non standard SessionID sizes in Hello Messages
• PicoTCP Support added
• TLS Sniffer now supports SNI Virtual Hosts
• TLS Sniffer now handles non HTTPS protocols using STARTTLS
• TLS Sniffer can now parse records with multiple messages
• TI-RTOS updates or enhances support
• Fix for ColdFire optimized fp_digit read only in explicit 32bit case
• Added ADH Cipher Suite ADH-AES128-SHA for EAP-FAST
Stay up to date with what is happening with wolfSSL, you can follow our blog at http://www.wolfssl.com/yaSSL/Blog/Blog.html
If you have any questions please feel free to contact us anytime at facts@wolfssl.com or (425)245-8247.
We look forward to hearing from you!
Thank You!
wolfSSL
Case Study: wolfSSL Secures INSTEON Hub for the Connected Home
INSTEON is leading the way in the field of home automation and control technology with a line of products that include a wide range of smart home devices such as lighting, motion detectors, and security systems. All INSTEON products can be centrally accessed through the Hub, a product that has the ability to connect the smart home even when the network is down.
While researching the best SSL/TLS library for securing the Hub, INSTEON found wolfSSL’s CyaSSL as the optimal solution. With its portable and lightweight design, CyaSSL was seamlessly integrated into INSTEON’s Hub, providing INSTEON users with a safe and secure network to manage all of their smart home devices.
To learn more about INSTEON and their wide range of devices, feel free to visit their website. The INSTEON/wolfSSL case study can be viewed on our Case Studies page.
For questions regarding the use of wolfSSL products in your embedded or IoT devices, contact us at facts@wolfssl.com.
wolfSSL and PicoTCP
The next release of CyaSSL will have official support for the PicoTCP TCP/IP stack. wolfSSL has been working closely with the developers at TASS to add out-of-the-box support for this new, lightweight, and dual-licensed TCP/IP stack – making it easier to secure Internet of Things devices running on top of PicoTCP.
For those not familiar with PicoTCP, it is “a TCP/IP stack developed from the ground up for embedded devices, by embedded software engineers. Resource usage, modularity and portability to different hardware platforms and embedded operating systems are key.” Like CyaSSL, PicoTCP is open source and dual licensed under both the GPLv2 and a commercial license.
TASS has put together a helpful demo application using both CyaSSL and PicoTCP, with a walkthrough documented here:
http://www.picotcp.com/picotcp-and-cyassl-integration
When compiling CyaSSL for use with PicoTCP, users will need to define CYASSL_PICOTCP, and optionally CYASSL_PICOTCP_DEMO when compiling for use with the example demo application listed above.
If you are interested in using CyaSSL with PicoTCP, or have any questions, please contact us at facts@wolfssl.com.
PicoTCP: http://www.picotcp.com/
TASS Belgium (acquired by Altran): https://www.altran.com/nl/en/
Deprecating SSL 3.0 from wolfSSL
Hi! We’ve been telegraphing our plans to drop support for SSL 3.0 for the last year. With the emergence of the POODLE breach, we’ve decided to accelerate our plan. Over the coming weeks and months, we’ll be doing the following:
1. Disabling SSL 3.0 by default at runtime.
2. Disabling our SSL 3.0 code by default at compile time.
3. Eliminating all SSL 3.0 code from our code base, and using TLS 1.0 as the base.
If you have comments or questions, then feel free to contact us at facts@wolfssl.com or call us up at +1 425 245 8247.
Team wolfSSL
POODLE (An SSL 3.0 Vulnerability)
SSL, the predecessor to TLS, reached version 3.0 before changing names to TLS. TLS versions currently defined include TLS 1.0, 1.1, and 1.2, with the 1.3 specification still being worked out.
“Padding Oracle On Downgraded Legacy Encryption” Bug (POODLE) was disclosed on October 14th, 2014 and allows an attacker to read information encrypted with SSL 3.0 in plain text using a man-in-the-middle attack. Here at wolfSSL we highly encourage our users to avoid using SSL 3.0 as an attacker can force a connection to use SSL 3.0 if it is available to both participants in the connection, thus allowing the attacker to exploit this bug.
POODLE effects any clients communicating with SSL 3.0. This is a flaw with the protocol design and not an implementation error. Therefore EVERY software application that uses SSL 3.0 is susceptible.
CyaSSL supports industry standards up to the current TLS 1.2 and as such is not vulnerable to the POODLE bug as long as our clients are using a version of TLS higher than SSL 3.0. It is highly recommended that TLS1.2 is used whenever possible.
Beta Testing curve25519
Implementation of curve25519 is to the point where it is going through a testing cycle. We are looking for interested beta testers and cryptography enthusiasts who wish to test out just how fast it can be.
If interested in getting the source code for the curve25519 implementation, contact us at facts@wolfssl.com.
Secure Renegotiation Support Coming Soon to wolfSSL
Secure Renegotiation will allow for a server to differentiate between an initial connection and a renegotiation, protecting against “man-in-the-middle” attacks during renegotiations.
“Secure Socket Layer (SSL) and Transport Layer Security (TLS)
renegotiation are vulnerable to an attack in which the attacker forms
a TLS connection with the target server, injects content of his
choice, and then splices in a new TLS connection from a client. The
server treats the client`s initial TLS handshake as a renegotiation
and thus believes that the initial data transmitted by the attacker
is from the same entity as the subsequent client data. This
specification defines a TLS extension to cryptographically tie
renegotiations to the TLS connections they are being performed over,
thus preventing this attack.” -Abstract RFC-5746
– We will have an alpha release available for testing in November or December. Interested parties should contact us at facts@wolfssl.com
– Although we`re adding Secure Renegotiation to wolfSSL, we discourage its use when not a strict requirement.
-Initially wolfSSL did not support Renegotiation as it was considered an insecure feature. As such there was no need to support Secure Renegotiation until there was a customer demand for it.
-We make it a priority to ensure our clients have all the necessary tools at their disposal. Therefore we are adding support for Secure Renegotiation for those users and customers where it is a strict requirement.
Weekly updates
Archives
- December 2024 (18)
- November 2024 (29)
- October 2024 (18)
- September 2024 (21)
- August 2024 (24)
- July 2024 (27)
- June 2024 (22)
- May 2024 (28)
- April 2024 (29)
- March 2024 (21)
- February 2024 (18)
- January 2024 (21)
- December 2023 (20)
- November 2023 (20)
- October 2023 (23)
- September 2023 (17)
- August 2023 (25)
- July 2023 (39)
- June 2023 (13)
- May 2023 (11)
- April 2023 (6)
- March 2023 (23)
- February 2023 (7)
- January 2023 (7)
- December 2022 (15)
- November 2022 (11)
- October 2022 (8)
- September 2022 (7)
- August 2022 (12)
- July 2022 (7)
- June 2022 (14)
- May 2022 (10)
- April 2022 (11)
- March 2022 (12)
- February 2022 (22)
- January 2022 (12)
- December 2021 (13)
- November 2021 (27)
- October 2021 (11)
- September 2021 (14)
- August 2021 (10)
- July 2021 (16)
- June 2021 (13)
- May 2021 (9)
- April 2021 (13)
- March 2021 (24)
- February 2021 (22)
- January 2021 (18)
- December 2020 (19)
- November 2020 (11)
- October 2020 (3)
- September 2020 (20)
- August 2020 (11)
- July 2020 (7)
- June 2020 (14)
- May 2020 (13)
- April 2020 (14)
- March 2020 (4)
- February 2020 (21)
- January 2020 (18)
- December 2019 (7)
- November 2019 (16)
- October 2019 (14)
- September 2019 (18)
- August 2019 (16)
- July 2019 (8)
- June 2019 (9)
- May 2019 (28)
- April 2019 (27)
- March 2019 (15)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (9)
- October 2018 (15)
- September 2018 (15)
- August 2018 (5)
- July 2018 (15)
- June 2018 (29)
- May 2018 (12)
- April 2018 (6)
- March 2018 (18)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (5)
- September 2017 (7)
- August 2017 (6)
- July 2017 (11)
- June 2017 (7)
- May 2017 (9)
- April 2017 (5)
- March 2017 (6)
- January 2017 (8)
- December 2016 (2)
- November 2016 (1)
- October 2016 (15)
- September 2016 (6)
- August 2016 (5)
- July 2016 (4)
- June 2016 (9)
- May 2016 (4)
- April 2016 (4)
- March 2016 (4)
- February 2016 (9)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (5)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (12)
- January 2015 (4)
- December 2014 (6)
- November 2014 (3)
- October 2014 (1)
- September 2014 (11)
- August 2014 (5)
- July 2014 (9)
- June 2014 (10)
- May 2014 (5)
- April 2014 (9)
- February 2014 (3)
- January 2014 (5)
- December 2013 (7)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (7)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (8)
- December 2012 (12)
- November 2012 (5)
- October 2012 (7)
- September 2012 (3)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (4)
- April 2012 (6)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (5)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (7)
- May 2011 (11)
- April 2011 (4)
- March 2011 (12)
- February 2011 (7)
- January 2011 (11)
- December 2010 (17)
- November 2010 (12)
- October 2010 (11)
- September 2010 (9)
- August 2010 (20)
- July 2010 (12)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)