Secure Sockets Layer

wolfSSL

Embedded SSL/TLS Library

The wolfSSL embedded SSL library is a lightweight SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments - primarily because of its small size, speed, and feature set.  It is commonly used in standard operating environments as well because of its royalty-free pricing and excellent cross-platform support.  wolfSSL supports industry standards up to the current TLS 1.3 and DTLS 1.3 protocol levels, is up to 20 times smaller than OpenSSL and offers progressive ciphers such as ChaCha20, Curve25519, NTRU, and SHA-3.  User benchmarking and feedback report dramatically better performance when using wolfSSL over OpenSSL.

wolfSSL is powered by the wolfCrypt library. A version of the wolfCrypt cryptography library has been FIPS 140-2 validated (Certificate #3389), with FIPS 140-3 validation currently in progress.

 

Highlights

Lightweight

Portable

Up to TLS 1.3 and DTLS 1.3

Small size: 20-100kB

Abstraction Layers (OS, Custom I/O, Standard C library, etc.)

 Full client and server support

Runtime memory: 1-36kB

Simple API

Progressive list of supported ciphers

20x smaller than OpenSSL

OpenSSL Compatibility Layer

Key and Certificate generation

 

Long list of supported platforms

OCSP, CRL support

   

Commercially supported

   

 

Protocol Versions

SSL version 3.0 and TLS versions 1.0, 1.1, 1.2, and 1.3 (client and server)

DTLS versions 1.0, 1.2, and 1.3 (client and server)

QUIC support

 

Memory & Size

Minimum footprint size of 20-100 kB, depending on build options and operating environment

Runtime memory usage between 1-36 kB (depending on I/O buffer sizes, public key algorithm, and key size)

 

Compatibility & Integration

OpenSSL compatibility layer

• Open Source Project Integrations: MySQL, OpenSSH, Apache httpd, and more

SSL Sniffer (SSL Inspection) Support

 

Features & Extensions

Simple API

• OCSP, OCSP Stapling, and CRL support

Hybrid Public Key Encryption (HPKE) and Encrypted Client Hello (ECH)

Supported TLS Extensions: SNI, ALPN, etc.

Persistent session and certificate cache

zlib compression support

• IPv4 and IPv6 support

Standalone Certificate Manager

SRP (Secure Remote Password)

Abstraction Layers / User Callbacks: C Standard Library, Custom I/O, etc.

 

Cryptography

Hash Functions: MD2, MD4, MD5, SHA series, and more

• Block, Stream, and Authenticated Ciphers: AES, ChaCha20, DES, etc.

 Public Key Algorithms: RSA, DSA, ECDH, ECC, etc.

Password-based Key Derivation: HMAC, PBKDF2

ECC curves and key lengths

Post Quantum Cryptography support: Dilithium, SPHINCS+, Kyber KEM, etc.

 X.509v3 RSA and ECC Signed Certificate Generation

 PEM and DER certificate support

 Hash-based PRNG (Hash_DRBG)

 Mutual authentication support (client/server)

 PSK (Pre-Shared Keys)

 Interchangeable crypto and certificate libraries

 Modular cryptography library (wolfCrypt)

 Curve25519 and Ed25519

 

Hardware & Asynchronous Support

 Asynchronous crypto support: Intel QuickAssist, Cavium Nitrox

Hardware Cryptography Support: Intel AES-NI, Cavium NITROX, ARMv8, etc.

 

PKCS Standards

 PKCS#1 (RSA Cryptography Standard) support

 PKCS#3 (Diffie-Hellman Key Agreement Standard) support

 PKCS#5 (Password-Based Encryption Standard) support

 PKCS#7 (Cryptographic Message Syntax - CMS) support

 PKCS#8 (Private-Key Information Syntax Standard) support

 PKCS#9 (Selected Attribute Types) support

 PKCS#10 (Certificate Signing Request - CSR) support

 PKCS#11 (Cryptographic Token Interface) support

 PKCS#12 (Certificate/Personal Information Exchange Syntax Standard) support

 

Integration with Cs/NET

The following application note details the process for configuring Cs/NET, the Cesium RTOS network stack, to work with the wolfSSL TLS library. The document outlines various steps and considerations necessary for this integration, focusing on aspects such as wolfSSL port design choices, preparing Cs/NET for wolfSSL (including build requirements and system time setting), and specific configurations needed for TLS support within Cs/NET.

Key highlights include the importance of including a "user_settings.h" file, the necessity of setting adequate task priorities, and ensuring the system time is accurately set for certificate verification. The document also discusses configuring secure settings within the "net_cfg.h" file, such as enabling TLS support, hardware crypto engine support, and mutual authentication.

Moreover, it guides modifying the "user_settings.h" configuration file for wolfSSL, selecting supported cipher suites, and defining the wolfSSL PK callback function. The note mentions limitations, including compatibility with certain versions of wolfSSL and the exclusion of DTLS 1.3 support at launch, with a promise of future updates.

Overall, the application note serves as a comprehensive guide for developers looking to secure their embedded systems by leveraging the integration between Cs/NET and wolfSSL, emphasizing configuration details, design choices, and practical considerations to ensure a successful implementation.

 

Downloads

You must be a registered user and logged-in in order to access the available downloads.