Product of the Week: wolfSSL Embedded SSL/TLS Library

January 27, 2021


Product of the Week: wolfSSL Embedded SSL/TLS Library

Secure connections are more imperative forever, even for the simplest Internet-enabled devices.

This week’s product, the wolfSSL embedded SSL/TLS library, is a 20 kB to 100 kB cryptographic library with a runtime memory footprint of just 1 kB to 36 kB. That makes it up to 20x smaller than OpenSSL.

With support for the current TLS 1.3 and DTLS 1.2 protocol standards, the wolfSSL embedded SSL/TLS library can be deployed in both client and server implementations. It is based on the FIPS 140-2/3-validaed wolfCrypt library of hashes, ciphers, and encryption algorithms, which includes:

  • Hashes: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, BLAKE2b, etc.
  • Authentication Ciphers: AES,  DES, ARC4, ChaCha20, etc.
  • Public Key Algorithms: RSA, DSS, ECDH-ECDSA, NTRU, etc.

Additional features of the wolfSSL library include IPv4 and IPv6 support, mutual authentication, pre-shared keys, hash-based pseudo-random number generator (PRNG), interchangeable crypto and certificate libraries, persistent session and certificate cache, standalone certificate manager, quantum-safe handshake (QSH) extensions, a variety of additional security protocols, and so on.

The library is also compatible with hardware cryptography and acceleration capabilities of select Intel, Arm, Cavium, Analog Devices, Texas Instruments, NXP, STMicroelectronics, Renesas, Microchip, Xilinx, Espressif, and other devices.

The embedded crypto stack is royalty-free and available under a GPLv2 license. The recent 4.6.0 release includes enhancements such as Linux kernel module support, TLS and AES CCM sniffer support, adds provisions for hardware acceleration on Silicon Labs and NXP crypto-coprocessors, and expands math implementations, among other additions.

The wolfSSL Embedded SSL/TLS Library in Action

The wolfSSL embedded SSL/TLS Library is written in the C programming language, which makes it ideally suited for resource-constrained, RTOS-based embedded systems. This, along with support for other languages such as Java, Python, PHP, Perl, and C#, also improves the solution’s portability and cross-platform support.

An OpenSSL compatibility layer and the use of simple APIs ease integration with existing crypto implementations and offer an easy path to establishing secure communications between clients and servers. The library also integrates with open source projects such as MySQL, OpenSSH, Apache httpd, Open vSwitch, stunnel, Lighttpd, GoAhead, Mongoose, and more.

As mentioned, the entire stack can be reduced to footprints of roughly 20 kB to 100 kB depending on the user’s selected build options and operating environment. Similarly, the I/O buffer sizes, public key algorithms, and key sizes selected will determine where the runtime memory sits on a scale of 1 kB to 36 kB.

Benchmarking information and feedback reports sourced from testing on various development boards and platforms demonstrates the performance advantages of wolfSSL over alternative crypto libraries. The figure below shows how a prior version of wolfSSL performed compared to  OpenSSL running a 128-bit AES algorithm on Intel Advanced Vector Extensions 2 (Intel AVX 2) hardware.

The X axis depicts relative speed and the Y axis shows block size.

Getting Started with the wolfSSL embedded SSL/TLS Library

In addition to the hardware integration mentioned earlier, the wolfSSL embedded SSL/TLS library can be used in a range of operating environments, spanning real-time operating systems like FreeRTOS, Green Hills INITEGRITY, Mentor Nucleus, Micrium µC/OS, and Wind River VxWorks to general-purpose operating systems such as Windows, Linux, Mac OS X, and Android to enterprise-grade offerings including Apache Mynewt, Solaris, and others.  It’s even supported on the Nintendo Wii and Gamecube via DevKitPro.

The latest version of the wolfSSL embedded SSL/TLS library can be downloaded directly from the wolfSSL website, allowing experienced users to begin incorporating the library into their designs right away. For those who require additional engineering services or ongoing commercial-grade maintenance and optimizations, wolfSSL offers a variety support packages that are available on an annual basis.

And for those interested in learning about how SSL/TLS work in general and how to develop the most effective implementation of the wolfSSL embedded SSL/TLS library, training courses are available.

For more information, check out the “Getting Started” chapter in the wolfSSL manual, visit the company’s website, or follow the links below.