RECENT BLOG NEWS

wolfSSL is looking to hire a C# programmer to work on our TLS interface and wolfCrypt interface for C#.

If interest wolfSSL product and company details can be found online at www.wolfssl.com.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

All of the wolfSSL team prides themselves on offering the Best Tested SSL/TLS library on the market. wolfSSL is able to do so by conducting regular, diligent, and well-planned testing to maintain a robust and secure library. wolfSSL knows that it is impossible to test every single possible path through the software, but opts to practice an approach that is focused on lowering risk of failure. wolfSSL implements an extensive internal testing plan that not only uses automated testing but makes sure to test well-known use cases. A key process in wolfSSLs’ internal testing plan is Fuzz Testing.

What is Fuzz Testing?

Fuzz testing, also known as fuzzing, is an automated software testing technique that is conducted to reveal coding errors and security loopholes in softwares, networks, or operating systems. A fuzz test is a technique that is widely used to discover defects which otherwise would not be identified by merely using traditional functional testing methods. Fuzzing is a Black Box testing technique that bombards a library with invalid, unexpected, or random data (known as fuzz to the system) in an attempt to expose inputs that cause the system to crash, fail in unexpected ways, or leak memory. This allows wolfSSL to catch bugs that could turn into potential vulnerabilities before they are able to make it into a release!

Fuzzing at wolfSSL

wolfSSL firmly believes that if a TLS and cryptography provider does not do fuzz testing, they are extremely exposed. wolfSSL runs 7 fuzz testers internally, every night to insure the most secure library on the market. wolfSSL tests using several different software fuzzers, including an in-memory fuzzer, a network fuzzer, OSS-fuzz, libfuzzer, tlsfuzzer, and AFL.

As a testament to wolfSSLs’ commitment to security, highly respected external testers are utilized when possible, for example: Guido Vranken in Holland and Robert Horr of T-Systems in Germany (check out this post by Guido Vranken on Fuzzing for wolfSSL).

As stated in the wolfSSL 2019 Annual Report, wolfSSL is the best – tested cryptography on market, due to consistent implementation of additional fuzz testing resources from both internal and external sources.

For further details regarding the internal wolfSSL process of testing to ensure code quality and security, please reference this blog page.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

If there is a desire for wolfSSL to include other SSL/TLS or crypto implementations in wolfSSL interop testing, please let the wolfSSL team know! Likewise, if users would like to include wolfSSL in their own test framework, wolfSSL would be happy to discuss!

As a Cybersecurity company we have to make sure all of our products are state of the art. In accordance, wolfSSL is conducting Stages of Involvement (SOI) audit on our wolfCrypt product.

Last year wolfSSL added support for complete RTCA DO-178C level A certification. wolfSSL offers DO-178 wolfCrypt as a commercial off -the-shelf (COTS) solution for connected avionics applications. The primary goal of this was to provide the proper cryptographic underpinnings for secure boot and secure firmware update in commercial and military avionics. Avionics developers now have a flexible, compact, economical, high-performance COTS solution for quickly delivering FIPS 140-2 validated crypto algorithms can be used in DO-178 mode for combined FIPS 140-2/DO-178 consumption.

Any aviation system development requires Stages of Involvement (SOI) audits to review the overall software project and ensure that it complies with the objectives of DO-178. Originally, DO-178 based development did not require SOI’s, however a problem arose because of divergence between different development organizations and what the certification authorities wanted. As a result, SOI’s have become an informal de facto standard applied to most projects.

To assess compliance, there are four Stages of Involvement. The four stages are:

1. Planning Review
2. Design review
3. Validation and Verification review
4. Final Review

We have fully completed SOI #1 through #4.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Are you interested in having the best tested cryptography ported to libest? wolfSSL has many ports to various devices and projects. We are constantly working on and expanding our collection of ports and will soon be working on porting wolfSSL/wolfCrypt into libest.

The libest project is a library that implements RFC 7030 (Enrollment over Secure Transport). EST is used to provision certificates from a CA or RA. EST is a replacement for SCEP, providing several security enhancements and support for ECC certificates. Libest is written in C and currently is set up to use OpenSSL 1.0.1.  This port will allow libest to use wolfSSL in place of OpenSSL.

If you are interested in using wolfSSL with libest, or are looking to use wolfSSL with a different open source project, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

We hope everyone is enjoying this June weather. We understand due to current circumstances we have been under lockdown and cannot enjoy the weather as we have in the past. It is however a fantastic time to start a new project, or update and get proper support for your existing ones. That is why we are offering a 20% discount on support for NTLM + cURL users this June.

cURL is a computer software project providing a library for transferring data using various protocols. These protocols include (but are not limited to) FTP, FTPS, HTTP, HTTPS, and more. This version of the cURL library is nearly identical to the original library, except for a major difference: it is available for dual-licensing like many of the other wolfSSL products. Additionally, wolfSSL provides commercial curl support as well as support for wolfCrypt FIPS and FIPS ready.

NTLM authentication is a family of authentication protocols that are encompassed in the Windows Msv1_0.dll. The NTLM authentication protocols include LAN Manager version 1 and 2, and NTLM version 1 and 2. The NTLM authentication protocols authenticate users and computers based on a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL has added support for secure renegotiation in DTLS 1.2 as defined in RFC 5746. Secure renegotiation is an extension to (D)TLS 1.2 which fixes the vulnerability found in the original specification. Previously, a third party could use renegotiation to inject malicious data preceding valid data from the client. This could be accomplished by establishing a (D)TLS connection with the target server and sending data over this connection. The third party can then intercept a handshake initiation attempt from the client and send this over its already established connection to trigger a renegotiation. The client’s connection is then established over the third party’s connection. From the perspective of the server the client sent data and then initiated a renegotiation. This is dangerous as the application layer could interpret this as a single valid stream of data causing the malicious traffic to be used in the context of the client’s valid traffic.

RFC 5746 (D)TLS Renegotiation Indication Extension creates a cryptographic binding between the renegotiation and the underlying (D)TLS to disallow a man in the middle attack on the secure connection. In a secure renegotiation, the client and server dismiss an invalid renegotiation attempt.

(D)TLS secure renegotiation may be used for example to establish new cryptographic parameters to increase security. It may also be used to request a certificate from the other party to require authentication before completing some action in the application layer.

To use secure renegotiation in wolfSSL use the “–enable-secure-renegotiation” configure option. For more build options refer to the second chapter of the wolfSSL User Manual.

The wolfSSL DTLS 1.2 secure renegotiation implementation is also compatible with our asynchronous module! Use hardware acceleration and don’t wait on pending cryptographic operations! If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Recently the Treck (https://treck.com/) TCP stack has had some notable vulnerabilities reported. Though this TCP stack is not a part of the wolfSSL software, it is an embedded TCP stack, and we would like to help with notifying the embedded community that if you are using the Treck TCP stack then it should be updated. Attacks from these reports can range anywhere from a denial of service to leaking information. Further reading about the report can be found at the CERT coordinating center site here: https://kb.cert.org/vuls/id/257161.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL 4.4.0 introduces new high security elliptic curve algorithms: X448 and Ed448. These algorithms are specified for TLS – RFC 8446 and RFC 8442 – and in NIST drafts FIPS 186-5 and SP 800-186.

These high security algorithms are not only fast but also small – 10KB for the optimised X448 C code on Intel x64! And it’s faster than OpenSSL:

wolfSSL is nearly two and half times faster than OpenSSL when performing key agreement, three and a third times faster for signing and over two times faster when verifying!

Curve448 is great choice for applications where code size matters; especially compared to P-384:

Curve448 can be used in TLS 1.2 and 1.3 for key exchange and certificates.

Do you need higher security or is code size important? Then you must consider using X448 and Ed448 for your public key operations from wolfSSL!

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

With every release of the wolfSSL embedded SSL/TLS library, there are multiple feature additions, port additions, and updates. One of the ports that was added to the wolfSSL library recently was a port to ARM mbed-os! You can checkout the changes for mbed-os port in PR #12997 the ARMmbed/mbed-os github repository (https://github.com/ARMmbed/mbed-os/pull/12997) . While you’re there we would greatly appreciate it if you could “react” to the PR.

Arm Mbed OS is a free, open-source embedded operating system designed specifically for the “things” in the Internet of Things. Mbed OS provides the Mbed C/C++ software platform and tools for creating microcontroller firmware that runs on IoT devices. It consists of the core libraries that provide the microcontroller peripheral drivers, networking, RTOS and runtime environment, build tools and test and debug scripts. These connections can be secured by compatible SSL/TLS libraries such as wolfSSL, which supports mbed-rtos.

A very important note to make here is that we are the source of TLS 1.3 and FIPS Ready and a whole world of hardware encryption support for MBED OS! (not mbedTLS)

The list of reasons to use wolfSSL vs mbedTLS is very long, but here are a few:

• Reduced code size
• Commercial grade production TLS / Crypto library
• FIPS 140-2 certification
• Supported by original engineers (support@wolfssl.com)
• Designed for embedded use
• Performance is better and can be increased further (see ENABLE_WOLF_SPEEDUPS).
• Fastest vulnerability response time in the industry.
• TLS v1.3 (can be enabled in mbed-os/blob/wolf/features/wolf/user_settings.h using WOLFSSL_TLS13)
• Progressive algorithms (SHA3, Curve/ED448, Curve/ED25519, etc…)

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL 4.4.0 introduces new optimised implementations of the elliptic curve P-384. Our Single Precision (SP) math code has been enhanced to support the NIST P-384/secp384r1 curve. If you need higher security public key cryptography then P-384 from wolfSSL is your choice.

wolfSSL now has optimised C implementations that will enhance the performance on any platform while there are assembly optimisations for Intel and ARM chips. As an example of the improvements you will see, take a look at the comparison to OpenSSL when signing and verifying on Intel x64:

*with pre-computation table caching

That’s right, a 14 times improvement in speed for signing and 3.2 times (or 7.8 when using caching) improvement in verification!

Also take look at the performance of the key agreement operation in comparison with high security DH (also optimised in SP.)

The P-384 curve key agreement is even faster than 2048-bit DH! High security and high performance are now in reach with the new SP optimised code.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.