RECENT BLOG NEWS
Join Our Live Webinar: Benchmarks with wolfSSL
Get excited for the upcoming webinar on ‘Benchmarks with wolfSSL,’ scheduled for May 16th at 10am PT. Led by wolfSSL Senior Software Engineer Jacob Barthelmeh, this session is set to be a deep dive into SSL/TLS performance optimization techniques.
During the webinar, Jacob will demonstrate how the wolfSSL embedded SSL/TLS library excels in various hardware devices and environments, providing detailed insights into cryptographic performance analysis.
Watch the webinar here: Benchmarks with wolfSSL
Sneak peek into the webinar agenda:
- Analyzing Performance History in Cryptography
- Evaluating Cryptographic Performance with the Crypto Benchmark Application
- Leveraging Hardware Acceleration for Enhanced SSL/TLS Performance
- Exploring Asynchronous/Code Wrapper Benchmarks for Optimization
…and much more
*Agenda is subject to change
Don’t miss this exclusive opportunity to learn directly from Jacob about leveraging wolfSSL benchmarks to deepen your understanding of cryptographic performance. Watch now and embark on this enlightening journey with us!
As always, our webinar includes Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
wolfSSL JSSE Provider and JNI Wrapper 1.13.0 Now Available
wolfSSL JNI/JSSE 1.13.0 is now available for download!
wolfSSL JNI/JSSE provides Java-based applications with an easy way to use the native wolfSSL SSL/TLS library. The thin JNI wrapper can be used for direct JNI calls into native wolfSSL, or the JSSE provider (wolfJSSE) can be registered as a Java Security provider for seamless integration underneath the Java Security API. wolfSSL JNI/JSSE provides TLS 1.3 support and can also support running on top of wolfCrypt FIPS 140-2 and the upcoming wolfCrypt 140-3 modules.
Release 1.13.0 contains a significant number of bug fixes, changes, and new features to better support application usage of the Java Security APIs as well as third-party Java frameworks that consume JSSE providers internally. This release also improves behavior in multi-threaded applications and use cases, and improves automated testing with GitHub Actions across several Java JDK implementations and versions.
New functionality
New functionality added in this release is summarized below, but please see ChangeLog.md for a full list that includes all changes and fixes.
New JSSE Functionality:
- Add SSLSocket.getApplicationProtocol(), which returns the negotiated ALPN protocol of a TLS connection (PR 150)
- Add native WOLFSSL_TRUST_PEER_CERT support in WolfSSLTrustX509 (PR 154)
- Add implementation of javax.net.ssl.X509ExtendedTrustManager, which adds hostname checking inside the TrustManager (PR 159)
- Add getSSLParameters() to SSLEngine and SSLSocket, allowing applications to retrieve the SSLParameters objects set (PR 159)
- Add getHandshakeSession() to SSLSocket, returning the SSLSession being constructed during the TLS handshake (PR 159)
- Convert SSLSession to ExtendedSSLSession, adding getRequestedServerNames() to return a list of all SNIServerNames of the requested SNI extension (PR 159)
- Add ALPN API support to SSLSocket and SSLEngine with tests (PR 163)
- Add implementation of X509ExtendedKeyManager (PR 167)
- New JSSE System/Security Property Support:
  - Add partial support for jdk.tls.disabledAlgorithms Security property, allowing algorithms and key sizes to be limited (PR 136)
  - Add support for wolfjsse.enabledCipherSuites Security property, enabling locking down of TLS cipher suites allowed (PR 136)
  - Add support for wolfjsse.enabledSignatureAlgorithms Security property, enabling locking down of the TLS signature algorithms allowed (PR 136)
  - Add support for wolfjsse.enabledSupportedCurves Security property, enabling locking down of the TLS supported ECC curves allowed (PR 143)
New JNI Wrapped APIs and Functionality:
- wolfSSL_CTX_SetTmpDH() and wolfSSL_CTX_SetTmpDH_file() (PR 136)
- wolfSSL_CTX_SetMinDh/Rsa/EccKey_Sz() (PR 136)
- wolfSSL_set1_sigalgs_list() (PR 136)
- wolfSSL_CTX_UseSupportedCurve() (PR 158)
- wolfSSL_X509_check_host() and wolfSSL_SNI_GetRequest() (PR 159)
- wolfSSL_CTX_set_groups() and wolfTLSv1_3_client/server_method() (PR 164)
- SSL_CTX_set1_sigalgs_list() (PR 169)
- wolfSSL_set_tls13_secret_cb(), add ability to set Java callback (PR 181)
- Add X.509v3 certificate generation support in WolfSSLCertificate and examples (PR 141)
- Add Certificate Signing Request (CSR) support and examples (PR 146)
New Platform Support:
- Add Windows support with Visual Studio, see IDE/WIN/README.md (PR 125)
Build System Changes:
- Add JAVA_HOME support in java.sh for use with custom Java install (PR 121)
- New argument to java.sh for custom wolfSSL library name to be used (PR 126)
- Add lib64 directory to library search path in java.sh (PR 130)
- Standardize JNI library name on OSX to .dylib (PR 152)
- Add Maven build support (PR 153)
- Update Android Studio example project (PR 185)
Debugging Changes:
- Add WolfSSLDebug.logHex() for printing byte arrays as hex (PR 129)
- Add synchronization and Thread ID to debug log messages (PR 129)
- Add new debug System property wolfsslengine.io.debug for I/O debug logs (PR 137)
- Add timestamp to debug logs (PR 148)
- Fix for enabling JSSE debug logs after WolfSSLProvider has been registered (PR 166)
- Make native wolfSSL debug log format consistent with wolfJSSE logs (PR 166)
Testing Changes:
- Add Facebook Infer test script, make fixes (PR 127, 182)
- Add extended threading test of SSLEngine (PR 124)
- Testing with and fixes from SonarQube static analyzer (PR 131)
- Add extended threading test of SSLSocket (PR 149)
- Testing with and fixes for running SunJSSE tests on wolfJSSE (PR 170, 174)
- Add GitHub Actions tests for Oracle/Zulu/Corretto/Temurin/Microsoft JDKs on Linux and OS X (PR 176)
wolfSSL JNI/JSSE 1.13.0 can be downloaded from the wolfSSL download page, and an updated version of the wolfSSL JNI/JSSE User Manual can be found here. For any questions, or to get help using wolfSSL in your product or projects, contact us at support@wolfSSL.com.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Vulnerability Disclosure: wolfSSH (CVE-2024-2873)
Affected Users:
Anyone using wolfSSH server versions prior to release v1.4.17.
Summary:
It is possible for a malicious client to bypass user authentication when logging into a wolfSSH server. The wolfSSH server was not rigorous about checking the current state of the key exchange when handling channel open messages.
wolfSSH’s example echoserver and the wolfSSHd server will not allow one to obtain a shell as root or any other user. By skipping the user authentication, the user’s login name won’t be set, and the server will error out because it cannot find the user’s home directory. At this point, the server has allocated some memory resources for a channel, but then releases them immediately.
Due to the way wolfSSH server handles incoming connections, forwarding requires an active shell connection to work. If user authentication is skipped, the server will terminate the connection with an error before allowing any forwarding.
The message-processing issue itself is in the library. The application using the library is responsible for checking that the username is set and for checking the credentials, so an application that does not perform those checks could grant access to the system without user authentication.
Recommendation:
Prompt update to wolfSSH v1.4.17. This version rejects out-of-sequence channel messages before user authentication has completed and rejects user authentication messages after user authentication is complete.
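As an added illustration, not wolfSSH's code, the following C model shows the server-side state check the fix describes: the server tracks key exchange and authentication state itself, refuses a channel open before authentication has completed, and refuses authentication requests after it. The message numbers are the standard SSH values; the state names and functions are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Standard SSH message numbers (RFC 4253, RFC 4252, RFC 4254). */
#define SSH_MSG_NEWKEYS          21
#define SSH_MSG_USERAUTH_REQUEST 50
#define SSH_MSG_USERAUTH_SUCCESS 52
#define SSH_MSG_CHANNEL_OPEN     90

/* Server-side connection state, tracked by the server itself, never taken
 * from the peer's claims. (This model is the example's own, not wolfSSH's.) */
typedef enum {
    ST_KEX_IN_PROGRESS, /* key exchange not finished               */
    ST_AWAITING_AUTH,   /* NEWKEYS seen, user auth not complete    */
    ST_AUTHENTICATED    /* USERAUTH_SUCCESS sent, channels allowed */
} conn_state;

/* Decide whether `msg` is acceptable in state *st and advance the state on
 * accepted transitions. USERAUTH_SUCCESS stands for the server's own
 * "credentials verified" event rather than a client message. */
static bool gate_message(conn_state *st, uint8_t msg)
{
    switch (msg) {
    case SSH_MSG_NEWKEYS:
        if (*st != ST_KEX_IN_PROGRESS) return false;
        *st = ST_AWAITING_AUTH;
        return true;
    case SSH_MSG_USERAUTH_REQUEST:
        /* Valid only once keys exist and until auth succeeds; a request
         * after success is rejected, as the v1.4.17 fix does. */
        return *st == ST_AWAITING_AUTH;
    case SSH_MSG_USERAUTH_SUCCESS:
        if (*st != ST_AWAITING_AUTH) return false;
        *st = ST_AUTHENTICATED;
        return true;
    case SSH_MSG_CHANNEL_OPEN:
        /* The CVE-2024-2873 path: a channel open before auth completes is
         * out of sequence and must be refused, not processed. */
        return *st == ST_AUTHENTICATED;
    default:
        return false; /* anything unmodelled is refused */
    }
}

/* Feed a message sequence through the gate. Returns the index of the first
 * rejected message, or -1 if the whole sequence was accepted. */
int run_sequence(const uint8_t *msgs, int n)
{
    conn_state st = ST_KEX_IN_PROGRESS;
    for (int i = 0; i < n; i++)
        if (!gate_message(&st, msgs[i])) return i;
    return -1;
}

int main(void)
{
    /* Constructed sequences: a client that skips auth, and a normal login. */
    const uint8_t skip_auth[] = { SSH_MSG_NEWKEYS, SSH_MSG_CHANNEL_OPEN };
    const uint8_t normal[] = { SSH_MSG_NEWKEYS, SSH_MSG_USERAUTH_REQUEST,
                               SSH_MSG_USERAUTH_SUCCESS, SSH_MSG_CHANNEL_OPEN };
    printf("skip-auth: first rejected index %d\n", run_sequence(skip_auth, 2));
    printf("normal:    first rejected index %d\n", run_sequence(normal, 4));
    return 0;
}
```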
Additional Details:
The patch fixing this issue can be viewed at the links:
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
wolfSSH, SHA-1, and Configuration
wolfSSH is following the industry common practice of removing SHA-1 as a default configuration option. SHA-1 has been considered broken for a while now and shouldn’t be used for security purposes. [RFC 8332](https://datatracker.ietf.org/doc/html/rfc8332) recognizes this for the SSH protocol and offers new RSA-based algorithms for signing authentication messages.
In the wolfSSH v1.4.15 release, we were heavy-handed when it came to disabling SHA-1 and removed it from the compile using a preprocessor flag. There was an option to add it back in, but its use wasn’t clear. This was a mistake.
For wolfSSH v1.4.17, we restored SHA-1 to the library, but it is “soft-disabled.” This means it is not offered in the default list of algorithms available during key exchange. One may add the algorithm “ssh-rsa” back as an available algorithm, along with DHE using SHA-1, at runtime. To support this, there is now a set of functions to set the algorithm lists used during key exchange and to poll the library on which algorithms are enabled in the build. Please see section 13 of the wolfSSH manual, Key Exchange Algorithm Configuration, for more information.
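An added C example, not wolfSSH's implementation, of what soft-disabling means at the name-list level: the SHA-1 based names are stripped from the server's default offer unless explicitly re-enabled at runtime, and negotiation then follows the RFC 4253 rule (the first client preference the server also offers). The soft_disabled table and the build_offer and negotiate functions are this example's own names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* SHA-1 based names wolfSSH v1.4.17 leaves out of its default offer (IANA SSH
 * identifiers; this table and the functions below are the example's, not wolfSSH's). */
static const char *soft_disabled[] = {
    "ssh-rsa", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1", NULL
};

/* Next token of an RFC 4251 name-list: set *len for the token at p, return where the next starts (or the NUL). */
static const char *next_name(const char *p, size_t *len)
{
    const char *end = strchr(p, ',');
    *len = end ? (size_t)(end - p) : strlen(p);
    return end ? end + 1 : p + *len;
}

static bool list_has(const char *list, const char *name, size_t name_len)
{
    const char *nxt;
    size_t len;
    for (const char *p = list; *p; p = nxt) {
        nxt = next_name(p, &len);
        if (len == name_len && memcmp(p, name, len) == 0) return true;
    }
    return false;
}

/* Server offer = `base` minus each soft-disabled name, unless that name also appears in
 * `reenabled` (the explicit runtime opt-in). Returns the length written, or 0 if `out` is too small. */
size_t build_offer(const char *base, const char *reenabled, char *out, size_t out_sz)
{
    const char *nxt;
    size_t len, used = 0;
    out[0] = '\0';
    for (const char *p = base; *p; p = nxt) {
        nxt = next_name(p, &len);
        bool drop = false;
        for (const char **d = soft_disabled; *d; d++)
            if (strlen(*d) == len && memcmp(*d, p, len) == 0)
                drop = !(reenabled && list_has(reenabled, p, len));
        if (drop) continue;
        if (used + len + 2 > out_sz) return 0; /* room for ',' + token + NUL */
        if (used) out[used++] = ',';
        memcpy(out + used, p, len);
        used += len;
        out[used] = '\0';
    }
    return used;
}

/* RFC 4253 section 7.1: the first name on the client's list that the server also offers wins.
 * Sets *name to that token (inside `client`) and returns its length; 0 and NULL when none match. */
size_t negotiate(const char *client, const char *server, const char **name)
{
    const char *nxt;
    size_t len;
    for (const char *p = client; *p; p = nxt) {
        nxt = next_name(p, &len);
        if (list_has(server, p, len)) { *name = p; return len; }
    }
    *name = NULL;
    return 0;
}
```

With the default offer a client that prefers ssh-rsa still ends up on rsa-sha2-256; only an explicit runtime re-enable lets ssh-rsa be selected.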
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
wolfSSH v1.4.17 Improvements and Fixes
wolfSSH has several useful features that were introduced in this most recent release.
We have made wolfSSH builds for various systems better and easier. This includes changes to the configuration scripts and code changes to work around various compiler quirks. Building wolfSSH for Nucleus, QNX, Windows, and ESP32 has been improved, and we’ve fixed an issue with the Zephyr file system involving redundant file mode bits.
We’ve improved testing of wolfSSH. There are new scripts to test details of the wolfSSHd server. Also, the Zephyr SFTP test uses a different file for the transfer test. The new file used is available in all situations.
The terminal support with shells is improved. The terminal size bounds were not getting set correctly in all builds, and that is now fixed. The shell environment now sets up things like the `$SHELL` variable and the `$0` value as expected. We fixed a potential memory leak when receiving the terminal modes from the peer. For Windows builds, the shell environment has its own quirks and we are working with those better.
wolfSSH has been able to run commands and scripts over a connection for a while. We’ve recently improved this behavior with wolfSSHd and use the I/O pipes better. The return code from the script or command is captured and returned to the peer as expected.
The SHA-1 disable and re-enable also masked a bug in verifying RSA signatures: with SHA-1 disabled, testing used ECDSA authentication instead, so the bug went unnoticed. It is now fixed.
Finally, we try to keep wolfSSH tunable for size. If you don’t want a feature, you can easily leave it out of a build. This is good for embedded targets with constraints on code and memory usage. A few of the guard checks were incorrect and have been fixed.
In all, we think this makes wolfSSH a better product. If you have any questions or are wondering about wolfSSH on other platforms, please email support@wolfSSL.com. Thank you!
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Join wolfSSL for Cybersecurity Innovations at AMD AC Summits in North America
We are thrilled to announce that wolfSSL will be participating in all the upcoming AMD AC Summits across North America, kicking off in Boston, MA on May 7th and concluding in Dallas, TX on May 21st. As a leading provider of lightweight, portable, embedded SSL/TLS software, we’re excited to be a part of the AMD AC Summit to explore the latest advancements and opportunities in the industry.
Event Details
- Boston, MA | May 7th
- Washington D.C., MD | May 9th
- Los Angeles, CA | May 14th
- San Jose, CA | May 16th
- Dallas, TX | May 21st
Why wolfSSL?
wolfSSL brings cutting-edge solutions to the table, including support for UltraScale+, MicroBlaze, AMD Zen and x86 processors, tested and benchmarked on boards such as Versal, ZCU102, and the Zynq series.
- wolfSSL: Our lightweight and portable SSL/TLS library, written in C, is powered by the wolfCrypt library, currently on the CMVP Modules in Process List for FIPS 140-3. wolfSSL supports industry standards up to the current TLS 1.3 and DTLS 1.3 protocol levels.
- wolfBoot: our secure bootloader is portable, OS-agnostic, and designed for 32-bit microcontrollers and IoT devices. It prevents malicious or unauthorized firmware from being loaded on the target. Our implementation leverages wolfSSL’s underlying wolfCrypt module for signature authentication of running firmware, with support for DO-178 and MISRA compliance.
- Hardware Platform Support: Our solutions are tested and optimized for a wide range of hardware platforms, including Ultrascale+ and Versal. Plus, our architecture is designed for easy portability to new hardware, ensuring seamless integration with your next-generation devices.
- Post-Quantum Support: Our own implementation of NIST’s ML-KEM algorithm, commonly referred to as Kyber, has been seamlessly integrated with wolfSSL. We are in the advanced stages of planning further integrations with wolfBoot and curl to enhance our cryptographic capabilities. Our goal is to support you in meeting the CASA 2.0 standards, ensuring robust cryptographic protection for your systems.
Let’s Connect:
Register today to secure your spot at the AMD AC Summit and connect with wolfSSL. Join us to explore solutions to enhance your cybersecurity systems.
If you have questions about any of the above, or would like to schedule a meeting with us, please reach out to facts@wolfSSL.com or call us at +1 425 245 8247.
Join Our Webinar: Everything You Need to Know about FIPS 140-3 in 2024
Join us on May 9th at 10am PT for an enlightening webinar hosted by Kaleb Himes, Senior Software Engineer at wolfSSL, as we explore the critical aspects of FIPS 140-3. This webinar will deep dive into the fundamentals, benefits of wolfCrypt FIPS, and the essentials of FIPS certification.
Watch the webinar here: Everything You Need to Know about FIPS 140-3
During this detailed session, you will gain insights into:
- The benefits of FIPS 140-3 for securing cryptographic modules
- Detailed FIPS certification and compliance procedures
- Understanding the significance of an Operational Environment (OE)
- Exploring how wolfCrypt FIPS can be integrated as kernel modules
- Utilizing wolfEngine and wolfProvider to meet OpenSSL FIPS 140-3 requirements
- Latest updates on the status of wolfCrypt FIPS 140-3
Watch now to ensure you don’t miss out on this valuable opportunity to deepen your understanding of FIPS 140-3 and its certification process. Learn how wolfCrypt FIPS can streamline your FIPS compliance needs.
As always, our webinar will include a live Q&A session. If you have any questions about wolfCrypt FIPS, FIPS 140-3 certification, or any related topics, please feel free to contact us at facts@wolfssl.com or call us at +1 425 245 8247.
PQC support for the Zephyr port
PQC support for the Zephyr port was introduced in the last wolfSSL release using liboqs. This involved adding necessary files to the CMakeLists.txt for the Zephyr module. Zephyr is an open-source real-time operating system (RTOS) designed for resource-constrained devices and embedded systems. It is maintained by the Linux Foundation and supported by a vibrant community of developers and contributors.
PR #7026 (https://github.com/wolfSSL/wolfssl/pull/7026) also addressed proper random number generation within liboqs by using the wolfSSL interface. Previously, liboqs random data acquisition relied on various sources, depending on the liboqs build configuration. With the changes, a custom RNG method is provided through the OQS_randombytes_custom_algorithm() interface, enabling liboqs to obtain RNG data from wolfSSL for all generic liboqs uses.
If you have questions about post quantum or any of the above, please contact facts@wolfSSL.com or call us at +1 425 245 8247.
Join Us in Stockholm for curl-up 2024
Exciting news from cURL! We’re thrilled to announce that in just 2 days, the much-anticipated curl-up 2024 event will kick off in Stockholm, Sweden from May 4th to the 5th. This event is a key gathering for software developers, open-source enthusiasts, and network professionals who use or contribute to cURL.
We’re inviting all cURL contributors, maintainers, and fans to join us. This is a perfect opportunity for you to engage directly with Daniel Stenberg, the founder and maintainer of cURL, as well as network with other speakers and industry experts in software development and open-source technology.
Date: May 4th to the 5th
Location: Best Western, Döbelnsgatan 17, 111 40 Stockholm, Sweden
Stay updated on event details, including the venue and agenda, on our dedicated web page, curl-up 2024.
We are excited to support our top-100 contributors with traveling and lodging expenses. Please consult the funding attendance section on our website to view the regulations and eligibility requirements.
Registration is mandatory. Register now to secure your space! Let’s make curl-up 2024 an unforgettable weekend. We can’t wait to see you there!
For any inquiries regarding the event, please don’t hesitate to contact us at facts@wolfSSL.com or call us at +1 425 245 9247.
wolfSSL on Microblaze
MicroBlaze, developed by Xilinx, is a soft processor core optimized for Xilinx FPGAs. It offers flexibility and scalability, making it suitable for a wide range of applications, including embedded systems and IoT devices. wolfSSL’s AES-GCM has been integrated with MicroBlaze and runs on the soft CPU, and the latest wolfSSL release brought additional enhancements to this integration. On a MicroBlaze, wolfSSL’s AES-GCM extends the security capabilities of FPGA-based systems, enabling developers to implement secure communication protocols and data encryption mechanisms. There is also the option of configuring wolfSSL to use Xilinx’s xilsecure while running on the MicroBlaze, which increases AES-GCM performance significantly.
For more information about using wolfSSL on a MicroBlaze or if you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.