Embedded SSL/TLS Library
The wolfSSL embedded SSL library is a lightweight SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments - primarily because of its small size, speed, and feature set. It is commonly used in standard operating environments as well because of its royalty-free pricing and excellent cross-platform support. wolfSSL supports industry standards up to the current TLS 1.3 and DTLS 1.3 protocol levels, is up to 20 times smaller than OpenSSL and offers progressive ciphers such as ChaCha20, Curve25519, NTRU, and SHA-3. User benchmarking and feedback report dramatically better performance when using wolfSSL over OpenSSL.
wolfSSL is powered by the wolfCrypt library. A version of the wolfCrypt cryptography library has been FIPS 140-2 validated (Certificate #3389), with FIPS 140-3 validation currently in progress.
|
Highlights |
Lightweight |
Portable |
|
• Up to TLS 1.3 and DTLS 1.3 |
• Small size: 20-100kB |
• Abstraction Layers (OS, Custom I/O, Standard C library, etc.) |
|
• Full client and server support |
• Runtime memory: 1-36kB |
• Simple API |
|
• Progressive list of supported ciphers |
• 20x smaller than OpenSSL |
• OpenSSL Compatibility Layer |
|
• Key and Certificate generation |
• Long list of supported platforms |
|
|
• OCSP, CRL support |
||
|
• Commercially supported |
Protocol Versions
|
• SSL version 3.0 and TLS versions 1.0, 1.1, 1.2, and 1.3 (client and server) |
|
• DTLS versions 1.0, 1.2, and 1.3 (client and server) |
|
• QUIC support |
Memory & Size
|
• Minimum footprint size of 20-100 kB, depending on build options and operating environment |
|
• Runtime memory usage between 1-36 kB (depending on I/O buffer sizes, public key algorithm, and key size) |
Compatibility & Integration
|
• OpenSSL compatibility layer |
|
• Open Source Project Integrations: MySQL, OpenSSH, Apache httpd, and more |
|
• SSL Sniffer (SSL Inspection) Support |
Features & Extensions
|
• Simple API |
|
• OCSP, OCSP Stapling, and CRL support |
|
• Hybrid Public Key Encryption (HPKE) and Encrypted Client Hello (ECH) |
|
• Supported TLS Extensions: SNI, ALPN, etc. |
|
• Persistent session and certificate cache |
|
• zlib compression support |
|
• IPv4 and IPv6 support |
|
• Standalone Certificate Manager |
|
• SRP (Secure Remote Password) |
|
• Abstraction Layers / User Callbacks: C Standard Library, Custom I/O, etc. |
Cryptography
|
• Hash Functions: MD2, MD4, MD5, SHA series, and more |
|
• Block, Stream, and Authenticated Ciphers: AES, ChaCha20, DES, etc. |
|
• Public Key Algorithms: RSA, DSA, ECDH, ECC, etc. |
|
• Password-based Key Derivation: HMAC, PBKDF2 |
|
• ECC curves and key lengths |
|
• Post Quantum Cryptography support: Dilithium, SPHINCS+, Kyber KEM, etc. |
|
• X.509v3 RSA and ECC Signed Certificate Generation |
|
• PEM and DER certificate support |
|
• Hash-based PRNG (Hash_DRBG) |
|
• Mutual authentication support (client/server) |
|
• PSK (Pre-Shared Keys) |
|
• Interchangeable crypto and certificate libraries |
|
• Modular cryptography library (wolfCrypt) |
|
• Curve25519 and Ed25519 |
Hardware & Asynchronous Support
|
• Asynchronous crypto support: Intel QuickAssist, Cavium Nitrox |
|
• Hardware Cryptography Support: Intel AES-NI, Cavium NITROX, ARMv8, etc. |
PKCS Standards
|
• PKCS#1 (RSA Cryptography Standard) support |
|
• PKCS#3 (Diffie-Hellman Key Agreement Standard) support |
|
• PKCS#5 (Password-Based Encryption Standard) support |
|
• PKCS#7 (Cryptographic Message Syntax - CMS) support |
|
• PKCS#8 (Private-Key Information Syntax Standard) support |
|
• PKCS#9 (Selected Attribute Types) support |
|
• PKCS#10 (Certificate Signing Request - CSR) support |
|
• PKCS#11 (Cryptographic Token Interface) support |
|
• PKCS#12 (Certificate/Personal Information Exchange Syntax Standard) support |
Integration with Cs/NET
The following application note details the process for configuring Cs/NET, the Cesium RTOS network stack, to work with the wolfSSL TLS library. The document outlines various steps and considerations necessary for this integration, focusing on aspects such as wolfSSL port design choices, preparing Cs/NET for wolfSSL (including build requirements and system time setting), and specific configurations needed for TLS support within Cs/NET.
Key highlights include the importance of including a "user_settings.h" file, the necessity of setting adequate task priorities, and ensuring the system time is accurately set for certificate verification. The document also discusses configuring secure settings within the "net_cfg.h" file, such as enabling TLS support, hardware crypto engine support, and mutual authentication.
Moreover, it guides modifying the "user_settings.h" configuration file for wolfSSL, selecting supported cipher suites, and defining the wolfSSL PK callback function. The note mentions limitations, including compatibility with certain versions of wolfSSL and the exclusion of DTLS 1.3 support at launch, with a promise of future updates.
Overall, the application note serves as a comprehensive guide for developers looking to secure their embedded systems by leveraging the integration between Cs/NET and wolfSSL, emphasizing configuration details, design choices, and practical considerations to ensure a successful implementation.
Downloads
You must be a registered user and logged-in in order to access the available downloads.
