RECENT BLOG NEWS

wolfSSL uses mutexes for most locking synchronization. In release 5.6.0 we have added support for pthread_rwlock_t (https://github.com/wolfSSL/wolfssl/pull/5952 and https://github.com/wolfSSL/wolfssl/pull/6086). It is currently implemented in the session caching logic. This will speed up multi-threaded servers by allowing multiple threads to read from the cache simultaneously. We also recommend multi-threaded servers to define ENABLE_SESSION_CACHE_ROW_LOCK when building wolfSSL. This will initialize and use a separate lock for each row in the cache.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL makes a great effort to support many different projects. We provide patches for projects to leverage our OpenSSL Compatibility Layer and work with maintainers to upstream support whenever possible. This blog is a list of currently supported open source projects. The support type denotes how wolfSSL is supported. “Patch” means that we provide a patch file that needs to be applied. “Upstream” means that wolfSSL is supported in the project’s mainline. “Fork” means that we provide a forked version of the library with changes made to support wolfSSL.

List of Supported Projects

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL release version 5.6.0 is available now! A couple things to note with this release is that the new and improved ASN parsing, and generation, code is enabled by default now. Additionally we have the upcoming deprecation of –enable-heapmath which is scheduled to be removed by 2024.

This release also saw the addition of DTLS 1.3 stateless ClientHello parsing support. Not only are we leading the pack with adaptation of DTLS 1.3 but we are also adding in features such as the stateless ClientHello support. Some other additions of note were; the port to RT1170 and use of CAAM, update to Stunnel version 5.67, RX64/RX71 hardware acceleration support, and expansion of the compatibility layer.

Improvements to continuous integration testing and some refactoring of our testing framework was done during the last release cycle. To stay the best tested crypto on the market we are constantly trying to improve the testing that we do. This release also had some nice fixes that were made.

A full list of the changes can be found in the ChangeLog.md file bundled with wolfSSL. If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

What is the difference in modes with wpa_supplicant using wolfSSL FIPS vs non FIPS? Some of the algorithms are restricted when using CONFIG_FIPS=y while building wpa_supplicant. This is not a limitation in wpa_supplicant or in wolfSSL, but is due to restrictions and guidelines put in place for FIPS. To help avoid using algorithms that have not been sanctioned for use with FIPS, the build removes MD5/MD4 along with DES. Removal of these algorithms limits the modes supported.

Another restriction that is seen with FIPS use is that the key passed into HMAC must be 14 bytes or longer, this can cause issues with hunting-and-peck mode unless password sizes can be known to always be large enough. To avoid the limitation on HMAC key size, hash-to-element (sae_pwe=1) can be used instead.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL and Intel have jointly published a white paper on the advantages of using the wolfBoot secure bootloader together with 11th Gen Intel Core processors.  The white paper has been published on wolfSSL’s White Paper page and can be downloaded today!

This white paper introduces the wolfBoot secure bootloader and 11th Gen Intel Core i7 Processors, talks about potential advantages of replacing the Intel Slim Bootloader with wolfBoot, and shows performance benchmarks of how the wolfCrypt cryptography library benefits from leveraging Intel AES-NI, AVX2, and AVX-512.

11th Gen Intel Core i7 processors include security features out of the box that make them an ideal processor choice for a number of project designs. Some of these include Intel Advanced Encryption Standard New Instructions (Intel AES-NI) , Intel Advanced Vector Extensions (Intel AVX2, Intel AVX-512), and UEFI Secure Boot. Given an excellent set of features offered by Intel processors, some users and Intel-based projects will benefit from extending the boot process using a second stage bootloader subsequent to Intel’s UEFI. This paper will introduce the wolfBoot secure bootloader, 11th Gen Intel® CoreTM i7 processors, and how wolfBoot can replace Intel® Slim Bootloader to provide certified and customized solutions such as securely unlocking a SATA drive using the trusted platform module version 2.0 (TPM 2.0) during boot.

wolfBoot is flexible and customizable in its use of hardware-based cryptography and secure key storage solutions.  It can leverage the wolfCrypt FIPS 140-2 (and upcoming 140-3) module for applications needing validated cryptography, or wolfCrypt DO-178C for secure boot requirements in avionics applications.  For more details, download our white paper today, If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

One of the primary distinctions between wolfSSL and other security libraries is the availability of commercial support packages (https://www.wolfssl.com/products/support-and-maintenance/).

The Premium Support package includes these benefits:

• Optimization Assistance
• Unlimited Support Incidents
• Contact via email, phone, and shared screen debug session
• Dedicated Support Engineer
• 4 Business Hour Response Time
• Build Config Added to Nightly CI Tests

Having your build configuration tested by our Nightly CI ensures that any changes made to the library will not cause regressions to your project! Having a highly configurable library means having a high level of complexity. We make every effort to test against the most common configurations, and having your project’s wolfSSL configuration added to that matrix removes any uncertainty that you’ll be able to painlessly update to future releases of the library.

Customers with our 24×7 Support package gain the additional advantage of having their target hardware added to our Nightly CI Tests.

wolfSSL wants to help you achieve your project’s security goals! If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

A little while ago, we wrote a blog post (https://www.wolfssl.com/nsa-announces-cnsa-suite-2-0/) and did a webinar (https://www.youtube.com/watch?v=IiykMe-pjqo) about the CNSA 2.0 announcement(https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF).  It discusses the need for preparing to use post-quantum algorithms.  For signature schemes, it specifies Dilithium Level 5 as a good general purpose algorithm and LMS and XMSS as being good for signing software and firmware updates.

Here at wolfSSL, plans are underway to make our wolfBoot product use post-quantum algorithms to sign the image updates.  Whether we start with Dilithium Level 5, LMS or XMSS  is up in the air. On the one hand, the time lines as prescribed in CNSA 2.0 for LMS and XMSS are accelerated. On the other hand, Dilithium is already supported through our integration with liboqs.

Want us to accelerate our plans and get them a higher priority? Have a preference for one of Dilithium, LMS or XMSS? If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

This past December, NIST announced that the venerable SHA-1 algorithm, introduced in 1995, is at end-of-life.  While wolfSSL does not use or recommend SHA-1 for new designs, we do implement and support it in our products.  With the NIST announcement, that will soon change for new FIPS 140 submissions, as we too will retire SHA-1.

The wolfSSL FIPS 140-3 cryptographic module currently in process at NIST includes SHA-1.  Thus, customers with an existing requirement for SHA-1 will be able to satisfy that requirement under that certificate once it has been issued.

However, and regardless of FIPS status, customers still using SHA-1 in security-critical roles — signatures, authentications, HMAC, KDFs, etc. — should refactor the implicated systems to use a modern hash algorithm such as SHA-2 or SHA-3.  wolfSSL stands ready to help our customers select and implement an appropriate migration path.

All FIPS 140 modules submitted on or after December 31 2025 will exclude SHA-1, to avoid early certificate sunset under the timeline announced by NIST.

In preparation for this transition, wolfSSL has already prepared its FIPS 140-3 codebase to build, run, and pass full ACVP testing, with SHA-1 gated out.  We are also routinely testing our mainline and FIPS codebases to assure correct function with SHA-1 disabled.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Celebrate 25 Years of curl with a Zoom Birthday Party on March 20, 2023 at 17:00 UTC. Join fellow curl developers and enthusiasts online for a presentation on the major changes done over the years. Come and contribute to the discussion by asking questions or sharing your own insights. Let’s make this a memorable birthday party for curl!

Read the blog to learn about the history of curl!

Follow this link to Daniel Stenberg’s blog providing more detail on the event: https://daniel.haxx.se/blog/2023/03/10/curl-25-years-online-celebration/

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Earlier this month, we issued the final beta release of wolfSentry, the wolfSSL
embedded IDPS/firewall. This set the stage for our first production release of
wolfSentry, with increasingly mature and comprehensive facilities for securing
embedded endpoints.

Version 1.0.0 of wolfSentry delivers high-performance thread safety — in
multithreaded builds, all internal structures are protected, with shared locks
allowing for high concurrency on multithreaded/multicore targets. Realtime/TSN
use cases are supported with hard deadlines for return of control to the caller.

We have also improved support for dynamic/stateful rules, including constant
time garbage collection. These capabilites are demonstrated in the updated and
refined examples/notification-demo, our sample implementation of dynamic
defenses and event notifications integrated with an embedded web server.

Configuration of user plugins can now be driven with deep user-defined JSON
trees embedded within the unified JSON configuration package. These trees are
parsed at configuration time, and the pre-parsed contents are then available to
plugins through high performance btree lookups. This highly expressive, high
performance configuration mechanism streamlines configuration of complex
application-specific plugins. Moreover, the pre-parsed JSON trees can be
updated and expanded by plugin logic, using lock upgrades and DOM accessors, as
a supplementary stateful mechanism.

wolfSentry is available now, and is an ideal endpoint security solution for
deeply embedded use cases, with close and easy integration with user
applications, embedded IP stacks, and common libraries like wolfSSL.

Take advantage of the opportunity to enhance your embedded security knowledge with wolfSSL’s free two-day training taking place March 15th and 16th. Be sure to register for both days as day 2 will build off the content from day 1.

Day 1 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_OZ3yQPubRBqrtxhHsOm3ug

Day 2 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_8eIUIe_yRtCiaS1yKGKwJQ

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.