RECENT BLOG NEWS

Hi!  We`ve scheduled ourselves to implement ChaCha20 and Poly1305 into wolfSSL this summer.  If you`re learning about what these are, see these links: http://cr.yp.to/mac.html https://www.imperialviolet.org/2013/10/07/chacha20.html We`re excited about this addition to our code.  If you have comments, questions, or need it in our code sooner than this summer, then let us know!  We can be […]

As a follow up to the recent Heartbleed bug in OpenSSL, Embedded Computing Design interviewed wolfSSL’s CTO, Todd Ouska for an article titled “Heartbleed: (Not) one in a million”. You can read the article at the following URL: http://embedded-computing.com/20937-heartbleed-not-one-in-a-million

Version 1.1.0 of wolfSSL JNI is now available for download. wolfSSL JNI provides Java applications with a convenient Java API to the widely-used CyaSSL lightweight SSL/TLS library, including support for TLS 1.2 and DTLS 1.2. This release contains bug fixes and features including: – Updated support for CyaSSL, tested against CyaSSL 2.9.4 – Updated example […]

The OpenBSD team is refactoring OpenSSL, which is admirable work.  You can see their progress at http://opensslrampage.org. If you read the OpenSSL Rampage blog, you can see that they have their work cut out for them.  The OpenSSL code base is very old, and has had literally hundreds of unknown hands making changes over its 20+ […]

If you are using or thinking about using the wolfSSL lightweight SSL/TLS library in your application or project, it’s oftentimes helpful to get a general overview of some of the terms and types which are used in a simple wolfSSL connection. Below we have included a general summary of these types. 1) socket: wolfSSL uses […]

Dark Reading has a nice overview article covering IoT security issues.  See:  http://www.darkreading.com/vulnerabilities—threats/thingularity-triggers-security-warnings/d/d-id/1141587

Issue #1 (Memory  Corruption)CVE-ID:  CVE-2014-2896Product: CyaSSLVendor: wolfSSL Inc.Affected Versions: CyaSSL 2.9.0 and previous versionsVulnerability Type:  Improper Input Validation (CWE-20) Description: The TLS and DTLS implementations in wolfSSL CyaSSL before 2.9.4 lack a buffer length check in DoAlert(), possibly allowing an attacker to set the read index by up to 2 bytes past the length of […]

Release 2.9.4 includes important Security Fixes for issues found by Ivan Fratric of the Google Security Team and Suman Jana with security researchers at UT Austin and UC Davis.  CVE details to be posted today for issues with memory corruption, null pointer deference, out of bound read, and unknown certificate extensions.  All users should upgrade […]

A recently-discovered bug in OpenSSL’s implementation of the TLS Heartbeat Extension makes it possible for malicious attackers to potentially recover the private keys and sensitive data that should normally be secured by SSL/TLS. The vulnerability has been recorded as CVE-2014-0160. The purpose of this note is not to gloat over a competing projects problems, as […]

If you missed our recent presentation at FOSDEM, we just put our slide deck up online at the following URL: https://speakerdeck.com/wolfssl/wolfssl-year-in-review wolfSSL made significant progress in 2013 towards bringing the community a more usable, feature-rich, and better supported library for use in an ever-growing range of platforms and environments. These slides (and talk) provides an […]