Fuzz testing is an important part of maintaining a secure code base here at wolfSSL. While we already have fuzzers in use ensuring that our library is as secure as possible, we recently decided to integrate 4 more fuzzers with our library to ensure that no potential bugs go undetected. This is one of many reasons that wolfSSL remains the best choice for an SSL/TLS library.
One of the new fuzzers being implemented into our system is the tlsfuzzer. This fuzzer was developed by Hubert Kario at Red Hat and was written purely in Python. Kario has developed over 60 unique scripts within the tlsfuzzer that run against the server of a given SSL/TLS library. These scripts attempt to find bugs and flaws in the system being tested against. After making a few slight modifications to our server, the tlsfuzzer scripts are now able to run against our server and provide us with detailed performance reports. The tlsfuzzer is an open source project available on Github.
Once the tlsfuzzer was successfully implemented with our system, we tested our server against each script and compared these results to other SSL/TLS libraries. Using these results, we know exactly where to make improvements and how to proceed with their implementations. We are excited to be taking further steps in improving the security of our library.
For further details regarding our process of testing the wolfSSL library to ensure code quality and security, please reference this blog page.