wolfSSL JSSE Provider and JNI Wrapper 1.13.0 Now Available

wolfSSL JNI/JSSE 1.13.0 is now available for download!

wolfSSL JNI/JSSE provides Java-based applications with an easy way to use the native wolfSSL SSL/TLS library. The thin JNI wrapper can be used for direct JNI calls into native wolfSSL, or the JSSE provider (wolfJSSE) can be registered as a Java Security provider for seamless integration underneath the Java Security API. wolfSSL JNI/JSSE provides TLS 1.3 support and can also run on top of the wolfCrypt FIPS 140-2 module and the upcoming wolfCrypt FIPS 140-3 module.

Release 1.13.0 contains a significant number of bug fixes, changes, and new features to better support application usage of the Java Security APIs as well as third-party Java frameworks that consume JSSE providers internally. This release also improves behavior in multi-threaded applications and use cases, and improves automated testing with GitHub Actions across several Java JDK implementations and versions.

New functionality

New functionality added in this release is summarized below, but please see ChangeLog.md for a full list that includes all changes and fixes.

New JSSE Functionality:

  • Add SSLSocket.getApplicationProtocol(), which returns the negotiated ALPN protocol of a TLS connection (PR 150)
  • Add native WOLFSSL_TRUST_PEER_CERT support in WolfSSLTrustX509 (PR 154)
  • Add implementation of javax.net.ssl.X509ExtendedTrustManager, which adds hostname checking inside the TrustManager (PR 159)
  • Add getSSLParameters() to SSLEngine and SSLSocket, allowing applications to retrieve the SSLParameters objects set (PR 159)
  • Add getHandshakeSession() to SSLSocket, returning the SSLSession being constructed during the TLS handshake (PR 159)
  • Convert SSLSession to ExtendedSSLSession, adding getRequestedServerNames() to return a list of all SNIServerNames of the requested SNI extension (PR 159)
  • Add ALPN API support to SSLSocket and SSLEngine with tests (PR 163)
  • Add implementation of X509ExtendedKeyManager (PR 167)
  • New JSSE System/Security Property Support:
    • Add partial support for jdk.tls.disabledAlgorithms Security property, allowing algorithms and key sizes to be limited (PR 136)
    • Add support for wolfjsse.enabledCipherSuites Security property, enabling locking down of TLS cipher suites allowed (PR 136)
    • Add support for wolfjsse.enabledSignatureAlgorithms Security property, enabling locking down of the TLS signature algorithms allowed (PR 136)
    • Add support for wolfjsse.enabledSupportedCurves Security property, enabling locking down of the TLS supported ECC curves allowed (PR 143)

New JNI Wrapped APIs and Functionality:

  • wolfSSL_CTX_SetTmpDH() and wolfSSL_CTX_SetTmpDH_file() (PR 136)
  • wolfSSL_CTX_SetMinDh/Rsa/EccKey_Sz() (PR 136)
  • wolfSSL_set1_sigalgs_list() (PR 136)
  • wolfSSL_CTX_UseSupportedCurve() (PR 158)
  • wolfSSL_X509_check_host() and wolfSSL_SNI_GetRequest() (PR 159)
  • wolfSSL_CTX_set_groups() and wolfTLSv1_3_client/server_method() (PR 164)
  • SSL_CTX_set1_sigalgs_list() (PR 169)
  • wolfSSL_set_tls13_secret_cb(), add ability to set Java callback (PR 181)
  • Add X.509v3 certificate generation support in WolfSSLCertificate and examples (PR 141)
  • Add Certificate Signing Request (CSR) support and examples (PR 146)

New Platform Support:

Build System Changes:

  • Add JAVA_HOME support in java.sh for use with custom Java install (PR 121)
  • New argument to java.sh for custom wolfSSL library name to be used (PR 126)
  • Add lib64 directory to library search path in java.sh (PR 130)
  • Standardize JNI library name on OSX to .dylib (PR 152)
  • Add Maven build support (PR 153)
  • Update Android Studio example project (PR 185)

Debugging Changes:

  • Add WolfSSLDebug.logHex() for printing byte arrays as hex (PR 129)
  • Add synchronization and Thread ID to debug log messages (PR 129)
  • Add new debug System property wolfsslengine.io.debug for I/O debug logs (PR 137)
  • Add timestamp to debug logs (PR 148)
  • Fix for enabling JSSE debug logs after WolfSSLProvider has been registered (PR 166)
  • Make native wolfSSL debug log format consistent with wolfJSSE logs (PR 166)

Testing Changes:

  • Add Facebook Infer test script, make fixes (PR 127, 182)
  • Add extended threading test of SSLEngine (PR 124)
  • Testing with and fixes from SonarQube static analyzer (PR 131)
  • Add extended threading test of SSLSocket (PR 149)
  • Testing with and fixes for running SunJSSE tests on wolfJSSE (PR 170, 174)
  • Add GitHub Actions tests for Oracle/Zulu/Corretto/Temurin/Microsoft JDKs on Linux and OS X (PR 176)

wolfSSL JNI/JSSE 1.13.0 can be downloaded from the wolfSSL download page, and an updated version of the wolfSSL JNI/JSSE User Manual can be found here. For any questions, or to get help using wolfSSL in your product or projects, contact us at support@wolfSSL.com.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Vulnerability Disclosure: wolfSSH (CVE-2024-2873)

Affected Users:

Anyone using wolfSSH server versions prior to release v1.4.17.

Summary:

It is possible for a malicious client to bypass user authentication when logging into a wolfSSH server. The wolfSSH server was not rigorous about checking the current state of the key exchange when handling channel open messages.

wolfSSH’s example echoserver and the wolfSSHd server will not allow one to obtain a shell as root or any other user. By skipping the user authentication, the user’s login name won’t be set, and the server will error out because it cannot find the user’s home directory. At this point, the server has allocated some memory resources for a channel, but then releases them immediately.

Due to the way wolfSSH server handles incoming connections, forwarding requires an active shell connection to work. If user authentication is skipped, the server will terminate the connection with an error before allowing any forwarding.

This issue with message processing is in the library. The application using the library has the responsibility of checking that the username is set and checking the credentials. One could have an application that gives access to the system without checking the user authentication.

Recommendation:

Promptly update to wolfSSH v1.4.17. This version rejects out-of-sequence channel messages before user authentication has completed and rejects user authentication messages after user authentication is complete.
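The ordering rule that v1.4.17 enforces, shown as an added illustration that is not wolfSSH's code: a small server-side gate tracks the connection state and refuses channel messages until user authentication has completed, and refuses further user-authentication messages once it has. The message numbers are the standard SSH values from RFC 4253/4252/4254; the struct, state names and message sequences are constructed for this example.

```c
/* Added example, not wolfSSH's code. Enforces the message ordering described
 * above; message numbers are the standard SSH values, everything else is
 * this example's own. */
#include <stdint.h>
#include <stdio.h>

#define MSG_KEXINIT          20
#define MSG_NEWKEYS          21
#define MSG_USERAUTH_REQUEST 50
#define MSG_CHANNEL_OPEN     90
#define MSG_CHANNEL_REQUEST  98

enum conn_state { ST_KEX, ST_AUTH, ST_AUTHED }; /* connection lifecycle */
struct conn { enum conn_state state; };

/* Returns 1 if msg may be processed in the current state, 0 if it must be
 * rejected. Accepting NEWKEYS moves the connection into the auth phase. */
int gate_message(struct conn *c, uint8_t msg)
{
    switch (msg) {
    case MSG_KEXINIT:
        return 1;                      /* (re)keying is allowed at any time */
    case MSG_NEWKEYS:
        if (c->state == ST_KEX) c->state = ST_AUTH;
        return 1;
    case MSG_USERAUTH_REQUEST:
        return c->state == ST_AUTH;    /* not before NEWKEYS, not after success */
    case MSG_CHANNEL_OPEN:
    case MSG_CHANNEL_REQUEST:
        return c->state == ST_AUTHED;  /* the state check missing before v1.4.17 */
    default:
        return 0;                      /* anything unexpected is rejected */
    }
}

/* Called by the server once it has verified the client's credentials. */
void mark_authenticated(struct conn *c) { c->state = ST_AUTHED; }

/* Feeds a client message sequence through the gate. auth_ok_at is the index of
 * the USERAUTH_REQUEST the server accepts as valid (negative if none).
 * Returns the index of the first rejected message, or -1 if all pass. */
int first_rejected(const uint8_t *msgs, size_t n, int auth_ok_at)
{
    struct conn c = { ST_KEX };
    for (size_t i = 0; i < n; i++) {
        if (!gate_message(&c, msgs[i])) return (int)i;
        if ((int)i == auth_ok_at) mark_authenticated(&c);
    }
    return -1;
}

int main(void)
{
    /* Constructed: CHANNEL_OPEN right after NEWKEYS, no authentication at all. */
    const uint8_t skip_auth[] = { MSG_KEXINIT, MSG_NEWKEYS, MSG_CHANNEL_OPEN };
    printf("first rejected message index: %d\n", first_rejected(skip_auth, 3, -1));
    return 0;
}
```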

Additional Details:

The patch fixing this issue can be viewed at the links:

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


wolfSSH, SHA-1, and Configuration

wolfSSH is following the industry common practice of removing SHA-1 as a default configuration option. SHA-1 has been considered broken for a while now and shouldn’t be used for security purposes. [RFC 8332](https://datatracker.ietf.org/doc/html/rfc8332) recognizes this for the SSH protocol and offers new RSA-based algorithms for signing authentication messages.

In the wolfSSH v1.4.15 release, we were heavy-handed when it came to disabling SHA-1 and removed it from the compile using a preprocessor flag. There was an option to add it back in, but its use wasn’t clear. This was a mistake.

For wolfSSH v1.4.17, we restored SHA-1 to the library, but it is “soft-disabled.” This means it is not offered in the default list of algorithms available during key exchange. One may add the algorithm “ssh-rsa” back as an available algorithm, along with DHE using SHA-1, at runtime. To support this, there is now a set of functions to set the algorithm lists used during key exchange and to poll the library on which algorithms are enabled in the build. Please see the wolfSSH manual section 13 for more information on the [Key Exchange Algorithm Configuration].

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


wolfSSH v1.4.17 Improvements and Fixes

wolfSSH has several useful features that were introduced in this most recent release.

We have made wolfSSH builds for various systems better and easier. This includes changes to configuration scripts and modifying code to work with various compiler quirks. We've made building wolfSSH for Nucleus, QNX, Windows, and ESP32 better. And we've fixed an issue working with the Zephyr file system involving redundant file mode bits.

We’ve improved testing of wolfSSH. There are new scripts to test details of the wolfSSHd server. Also, the Zephyr SFTP test uses a different file for the transfer test. The new file used is available in all situations.

The terminal support with shells is improved. The terminal size bounds were not getting set correctly in all builds, and that is now fixed. The shell environment now sets up things like the `$SHELL` variable and the `$0` value as expected. We fixed a potential memory leak when receiving the terminal modes from the peer. For Windows builds, the shell environment has its own quirks and we are working with those better.

wolfSSH has been able to run commands and scripts over a connection for a while. We’ve recently improved this behavior with wolfSSHd and use the I/O pipes better. The return code from the script or command is captured and returned to the peer as expected.

A bug in verifying RSA signatures was missed when SHA-1 was disabled and re-enabled: with SHA-1 disabled, testing had used ECDSA authentication instead. This bug is now fixed.

Finally, we try to keep wolfSSH tunable for size. If you don’t want a feature, you can easily leave it out of a build. This is good for embedded targets with constraints on code and memory usage. A few of the guard checks were incorrect and have been fixed.

In all, we think this makes wolfSSH a better product. If you have any questions or are wondering about wolfSSH on other platforms, please email support@wolfSSL.com. Thank you!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


Join wolfSSL for Cybersecurity Innovations at AMD AC Summits in North America

We are thrilled to announce that wolfSSL will be participating in all the upcoming AMD AC Summits across North America, kicking off in Boston, MA on May 7th and concluding in Dallas, TX on May 21st. As a leading provider of lightweight, portable, embedded SSL/TLS software, we're excited to be a part of the AMD AC Summit to explore the latest advancements and opportunities in the industry.

Event Details

  • Boston, MA | May 7th
  • Washington D.C., MD | May 9th
  • Los Angeles, CA | May 14th
  • San Jose, CA | May 16th
  • Dallas, TX | May 21st

Why wolfSSL?

wolfSSL brings cutting-edge solutions to the table, including support for UltraScale+, MicroBlaze, AMD Zen and x86 processors, tested and benchmarked on boards such as Versal, ZCU102, and the Zynq series.

  • wolfSSL: Our lightweight and portable SSL/TLS library, written in C, is powered by the wolfCrypt library, currently on the CMVP Modules in Process List for FIPS 140-3. wolfSSL supports industry standards up to the current TLS 1.3 and DTLS 1.3 protocol levels.
  • wolfBoot: our secure bootloader is a portable, OS-agnostic solution for 32-bit microcontrollers and IoT devices. It prevents malicious or unauthorized firmware from being loaded on the target. Our implementation leverages wolfSSL's underlying wolfCrypt module for signature authentication of running firmware, with support for DO-178 and MISRA compliance.
  • Hardware Platform Support: Our solutions are tested and optimized for a wide range of hardware platforms, including UltraScale+ and Versal. Plus, our architecture is designed for easy portability to new hardware, ensuring seamless integration with your next-generation devices.
  • Post-Quantum Support: Our own implementation of NIST's ML-KEM algorithm, commonly referred to as Kyber, has been seamlessly integrated with wolfSSL. We are in the advanced stages of planning further integrations with wolfBoot and curl to enhance our cryptographic capabilities. Our goal is to support you in meeting the CASA 2.0 standards, ensuring robust cryptographic protection for your systems.

Let’s Connect:

Register today to secure your spot at the AMD AC Summit and connect with wolfSSL. Join us to explore solutions to enhance your cybersecurity systems.

If you have questions about any of the above, or would like to schedule a meeting with us, please reach out to facts@wolfSSL.com or call us at +1 425 245 8247.


Join Our Webinar: Everything You Need to Know about FIPS 140-3 in 2024

Join us on May 9th at 10am PT for an enlightening webinar hosted by Kaleb Himes, Senior Software Engineer at wolfSSL, as we explore the critical aspects of FIPS 140-3. This webinar will deep dive into the fundamentals, benefits of wolfCrypt FIPS, and the essentials of FIPS certification.

Watch the webinar here: Everything You Need to Know about FIPS 140-3

During this detailed session, you will gain insights into:

  • The benefits of FIPS 140-3 for securing cryptographic modules
  • Detailed FIPS certification and compliance procedures
  • Understanding the significance of an Operational Environment (OE)
  • Exploring how wolfCrypt FIPS can be integrated as kernel modules
  • Utilizing wolfEngine and wolfProvider to meet OpenSSL FIPS 140-3 requirements
  • Latest updates on the status of wolfCrypt FIPS 140-3

Watch now to ensure you don’t miss out on this valuable opportunity to deepen your understanding of FIPS 140-3 and its certification process. Learn how wolfCrypt FIPS can streamline your FIPS compliance needs.

As always, our webinar will include a live Q&A session. If you have any questions about wolfCrypt FIPS, FIPS 140-3 certification, or any related topics, please feel free to contact us at facts@wolfssl.com or call us at +1 425 245 8247.


PQC support for the Zephyr port

PQC support for the Zephyr port was introduced in the last wolfSSL release using liboqs. This involved adding necessary files to the CMakeLists.txt for the Zephyr module. Zephyr is an open-source real-time operating system (RTOS) designed for resource-constrained devices and embedded systems. It is maintained by the Linux Foundation and supported by a vibrant community of developers and contributors.

PR #7026 (https://github.com/wolfSSL/wolfssl/pull/7026) also addressed proper random number generation within liboqs by using the wolfSSL interface. Previously, liboqs random data acquisition relied on various sources, depending on the liboqs build configuration. With the changes, a custom RNG method is provided through the OQS_randombytes_custom_algorithm() interface, enabling liboqs to obtain RNG data from wolfSSL for all generic liboqs uses.

If you have questions about post quantum or any of the above, please contact facts@wolfSSL.com or call us at +1 425 245 8247.


Join Us in Stockholm for curl-up 2024

Exciting news from cURL! We’re thrilled to announce that in just 2 days, the much-anticipated curl-up 2024 event will kick off in Stockholm, Sweden from May 4th to the 5th. This event is a key gathering for software developers, open-source enthusiasts, and network professionals who use or contribute to cURL.

We’re inviting all cURL contributors, maintainers, and fans to join us. This is a perfect opportunity for you to engage directly with Daniel Stenberg, the founder and maintainer of cURL, as well as network with other speakers and industry experts in software development and open-source technology.

Date: May 4th to the 5th

Location: Best Western, Döbelnsgatan 17, 111 40 Stockholm, Sweden

Stay updated on event details, including the venue and agenda, on our dedicated web page, curl-up 2024.

We are excited to support our top-100 contributors with traveling and lodging expenses. Please consult the funding attendance section on our website to view the regulations and eligibility requirements.

Registration is mandatory. Register now to secure your space! Let’s make curl-up 2024 an unforgettable weekend. We can’t wait to see you there!

For any inquiries regarding the event, please don’t hesitate to contact us at facts@wolfSSL.com or call us at +1 425 245 9247.


wolfSSL on MicroBlaze

MicroBlaze, developed by Xilinx, is a soft processor core optimized for Xilinx FPGAs. It offers flexibility and scalability, making it suitable for a wide range of applications, including embedded systems and IoT devices. wolfSSL's AES-GCM has been integrated with and run on a MicroBlaze soft CPU, and the latest wolfSSL release adds further enhancements to this integration. On MicroBlaze, wolfSSL's AES-GCM extends the security capabilities of FPGA-based systems, enabling developers to implement secure communication protocols and data encryption. wolfSSL can also be configured to use Xilinx's xilsecure while running on the MicroBlaze, which increases AES-GCM performance significantly.

For more information about using wolfSSL on a MicroBlaze or if you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


RSA-PSS with CRLs

Did you know wolfSSL has integration of RSA-PSS signatures with Certificate Revocation List (CRL) support?

RSA-PSS: Enhancing Security Layers

RSA-PSS, or Probabilistic Signature Scheme, represents a modern approach to digital signatures. Unlike traditional RSA signatures, RSA-PSS offers improved security properties, making it more resilient against various cryptographic attacks. By adopting RSA-PSS, wolfSSL users benefit from heightened security, enhancing the integrity of cryptographic operations.

Certificate Revocation List (CRL): Managing Certificate Integrity

In the realm of certificate management, CRL plays a pivotal role. It serves as a mechanism for indicating the revocation status of digital certificates. With CRL, systems can promptly identify and reject compromised or revoked certificates, bolstering the overall security posture. Integrating CRL support into wolfSSL empowers users with efficient certificate management capabilities, ensuring the authenticity and integrity of cryptographic transactions.

Empowering wolfSSL with RSA-PSS and CRL Integration

The fusion of RSA-PSS with CRL support within wolfSSL is a logical step when providing cutting-edge security solutions. Now, wolfSSL users can leverage the combined strength of RSA-PSS signatures and CRL management to fortify their cryptographic environments.

To delve deeper into the RSA-PSS with CRL integration in wolfSSL, visit our GitHub repository (https://github.com/wolfSSL/wolfssl/pull/7119) or reach out to facts@wolfSSL.com for assistance.

Thank you for entrusting wolfSSL as your ally in cybersecurity.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

