Introducing wolfSSL: Serious Updates to Our Security Suite


The Importance of Security

At NetBurner, we pride ourselves on providing the hardware, software, and tools that enable engineers worldwide to accelerate their product design and development process. As the IoT and embedded systems industries continue to explode, an increasingly important aspect of the support and service we provide revolves around providing security libraries that you can use to keep your precious products and systems safe and secure.

That is a responsibility that we take very seriously. In order to stay up to date with the latest ciphers and security protocols, we are proud to announce that we have incorporated wolfSSL as a standard offering in our NNDK tools. It is already available in our NNDK 3.3 tools, and we are presently migrating support to our NNDK 2.9.x tools.

As you can imagine, integrating a new SSL/TLS security library into an existing software suite is a significant undertaking. “Why,” you might be asking, “would you do such a thing if what you have already works?” That is an excellent question, and we’re glad you asked! Migrating from our previous security library to wolfSSL has allowed us to provide several significant benefits. These range from immediately improving our capabilities to laying the foundation for future updates.

Let’s take a moment to run through the list, shall we?

SSL/TLS and SSH Security Suite Now Free with Development Kits

We want to encourage good security practices when making design decisions, and a large part of that is making it as easy and accessible as possible for you to do so. To give you a boost in the right direction, we are now including the SSL/TLS and SSH Security Suite with all development kits at no extra cost.

Starting with NNDK 3.3 and our soon-to-be-released NNDK 2.9.3, it will be installed automatically with our tools. For previous versions, contact sales for a key that can be used during the installation process to get access. Please note that this doesn’t mean all platforms are able to support SSL/TLS and SSH. See our development kit comparison for details.

Session Resumption with Session Tickets

In our first homegrown implementation of SSL/TLS way back when, we implemented support for session tickets. Unfortunately, in moving to a third-party solution, we ended up losing that feature (though we retained support for session IDs). With our move to wolfSSL, we have thankfully regained it, and are excited to deliver it to your waiting arms.

It’s also worth mentioning that session tickets are supported for both client and server applications. Regardless of which side of the connection your device happens to be sitting on, you’ll be covered.

Support for Server-Side Peer Verification

We have long supported client-side peer verification in our SSL/TLS library. Up until this point, unfortunately, the server side of the connection had been left out of the loop. We’re happy to announce that with the migration to wolfSSL, that’s all changed. Server-side peer verification is officially supported in NNDK 3.3, and will be as well in 2.9.3. Now, regardless of their role in your design, your applications will know who they’re talking to.

Faster Key Generation for Onboard Certificate Generation

As if having the ability to generate a self-signed certificate on your device wasn’t enough, now it can happen even more quickly. The table below compares key generation times on both the MOD5441X and the MODM7AE70 for RSA and ECC. When it comes to ECC, the times are neck and neck, but when it comes to RSA keys, wolfSSL wins hands down.

Platform    Library            RSA 1024   RSA 2048   RSA 4096   ECC (256)
MOD5441X    Previous Library   0:00:46    0:17:11    1:20:45    0:00:04
MOD5441X    wolfSSL            0:00:29    0:05:02    1:18:11    0:00:06
MODM7AE70   Previous Library   0:00:21    0:00:21    0:39:25    0:00:03
MODM7AE70   wolfSSL            0:00:14    0:01:18    0:23:19    0:00:04

Key generation times in <hours>:<minutes>:<seconds>

Easier To Work With Certificate Authority (CA) Lists

Previously, due to the constraints of the library we were using, changes to the device’s certificate authority list required a restart of the module before they would take effect. Now, wolfSSL gives us the flexibility to change a certificate authority list dynamically at runtime (though it will only take effect for new connections). We have added several new function calls to facilitate this feature:

SSL_AddCertToClientCaList() // Adds a certificate to the client’s CA list
SSL_AddCertToServerCaList() // Adds a certificate to the server’s CA list
SSL_ClearClientCaList() // Clears all certificates for the client’s CA list
SSL_ClearServerCaList() // Clears all certificates for the server’s CA list

It is still possible to set them through calls to SSL_connect(). However, because they previously referenced objects that were tied to the underlying library directly, their signatures have been altered to use parameters that are library agnostic. Additionally, the following functions used to set the certificate authority lists were removed as they also relied on specific library objects that are no longer available.

These are:

SSL_SetClientCAList()
SSL_SetServerCAList()

Support for DER Encoded Certificates

Previous versions of our library required that you store certificates and keys in PEM format. Now you can also store them DER encoded, which is a binary format.
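To make the relationship between the two formats concrete: a PEM file is the same DER bytes, base64-encoded and wrapped in BEGIN/END armor lines. The following C code is an added example, not NetBurner or wolfSSL code; the function names pem_to_der and der_object_len and the sample input are constructed for illustration. It strips the armor, decodes the body, and checks that the result is a well-formed DER SEQUENCE whose length field matches the buffer, a useful sanity check on a stored blob before handing it to a TLS library.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: PEM armor around a toy 8-byte DER SEQUENCE, not a real certificate. */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\nMAYCAQECAQI=\n-----END CERTIFICATE-----\n";

/* Value of one base64 character, or -1 if outside the alphabet. */
static int b64val(int c) {
    static const char t[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *q = c ? strchr(t, c) : NULL;
    return q ? (int)(q - t) : -1;
}

/* Size (header + content) of the DER SEQUENCE at buf, or 0 if malformed or longer than len. */
size_t der_object_len(const unsigned char *buf, size_t len) {
    size_t n, i = 2, nlen;
    if (len < 2 || buf[0] != 0x30) return 0;     /* 0x30 = SEQUENCE tag */
    n = buf[1];                                  /* short form: length < 128 */
    if (n & 0x80) {                              /* long form: nlen length bytes follow */
        nlen = n & 0x7F;
        if (nlen == 0 || nlen > 3 || len < 2 + nlen) return 0;
        for (n = 0; i < 2 + nlen; i++) n = (n << 8) | buf[i];
    }
    return n <= len - i ? i + n : 0;
}

/* Strip PEM armor from a NUL-terminated string and base64-decode the body; 0 on error. */
size_t pem_to_der(const char *pem, unsigned char *out, size_t cap) {
    const char *p = strstr(pem, "-----BEGIN "), *end;
    size_t n = 0, acc = 0;
    int bits = 0, v;
    if (!p || !(p = strchr(p, '\n')) || !(end = strstr(p, "-----END "))) return 0;
    for (; p < end && *p != '='; p++) {
        if (*p == '\n' || *p == '\r' || *p == ' ') continue;   /* line breaks in body */
        if ((v = b64val((unsigned char)*p)) < 0) return 0;     /* reject stray bytes */
        acc = (acc << 6) | (size_t)v;
        if ((bits += 6) < 8) continue;                         /* need a full byte */
        if (n >= cap) return 0;                                /* output would overflow */
        out[n++] = (unsigned char)(acc >> (bits -= 8));
    }
    return n;
}

int main(void) {
    unsigned char der[64];
    size_t n = pem_to_der(SAMPLE_PEM, der, sizeof der);
    printf("PEM body -> %zu DER bytes, DER object length %zu\n", n, der_object_len(der, n));
    return 0;
}
```

A buffer is plausibly DER when der_object_len returns exactly its size; a buffer that begins with the BEGIN armor line is PEM and decodes to the DER form.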

Laying Groundwork for Future Improvements

wolfSSL has a strong commitment to continually developing and testing its products. As security practices and needs evolve, wolfSSL is consistently at the forefront of integrating the newest supported ciphers and protocols, as well as planning for the future by laying the groundwork for anticipated improvements.

Some of these are already available, and we plan to integrate them into our system soon. These include TLS v1.3 and DTLS, which provides encryption for the UDP protocol. Future changes we are exploring include the option for Federal Information Processing Standards (FIPS) validation, and a quantum-safe handshake (QSH) extension. You can find more information on these on the wolfSSL website.

Wrapping Up

We’re extremely excited about the new changes to our Embedded IoT Security Suite and where we’re going in the future. The importance of security will only increase in the IoT and embedded space as more and more of our work, life, and play are put online. NetBurner is here to ease that burden for you as you design and build your next network-enabled project. If you have any questions or thoughts about security or our updates, please feel free to leave a comment below, or email us directly at sales@netburner.com.

1 thought on “Introducing wolfSSL: Serious Updates to Our Security Suite”

  1. Really excited about this! I have started reading about IoT-based security suites, and it is very interesting to see the company’s effort to optimize an already advanced technology. Thank you again.
