Secure Sockets Layer

wolfSSL

Embedded SSL/TLS Library

The wolfSSL embedded SSL library is a lightweight SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments - primarily because of its small size, speed, and feature set.  It is commonly used in standard operating environments as well because of its royalty-free pricing and excellent cross-platform support.  wolfSSL supports industry standards up to the current TLS 1.3 and DTLS 1.3 protocol levels, is up to 20 times smaller than OpenSSL and offers progressive ciphers such as ChaCha20, Curve25519, NTRU, and SHA-3.  User benchmarking and feedback report dramatically better performance when using wolfSSL over OpenSSL.

wolfSSL is powered by the wolfCrypt library. A version of the wolfCrypt cryptography library has been FIPS 140-2 validated (Certificate #3389), with FIPS 140-3 validation currently in progress.

Highlights

Lightweight

Portable

Up to TLS 1.3 and DTLS 1.3

Small size: 20-100kB

Abstraction Layers (OS, Custom I/O, Standard C library, etc.)

Full client and server support

Runtime memory: 1-36kB

Simple API

Progressive list of supported ciphers

20x smaller than OpenSSL

OpenSSL Compatibility Layer

Key and Certificate generation

Long list of supported platforms

OCSP, CRL support

Commercially supported

Protocol Versions

SSL version 3.0 and TLS versions 1.0, 1.1, 1.2, and 1.3 (client and server)

DTLS versions 1.0, 1.2, and 1.3 (client and server)

QUIC support

Memory & Size

Minimum footprint size of 20-100 kB, depending on build options and operating environment

Runtime memory usage between 1-36 kB (depending on I/O buffer sizes, public key algorithm, and key size)

Compatibility & Integration

OpenSSL compatibility layer

Open Source Project Integrations: MySQL, OpenSSH, Apache httpd, and more

SSL Sniffer (SSL Inspection) Support

Features & Extensions

Simple API

OCSP, OCSP Stapling, and CRL support

Hybrid Public Key Encryption (HPKE) and Encrypted Client Hello (ECH)

Supported TLS Extensions: SNI, ALPN, etc.

Persistent session and certificate cache

zlib compression support

IPv4 and IPv6 support

Standalone Certificate Manager

SRP (Secure Remote Password)

Abstraction Layers / User Callbacks: C Standard Library, Custom I/O, etc.

Cryptography

Hash Functions: MD2, MD4, MD5, SHA series, and more

Block, Stream, and Authenticated Ciphers: AES, ChaCha20, DES, etc.

Public Key Algorithms: RSA, DSA, ECDH, ECC, etc.

Password-based Key Derivation: HMAC, PBKDF2

ECC curves and key lengths

Post Quantum Cryptography support: Dilithium, SPHINCS+, Kyber KEM, etc.

X.509v3 RSA and ECC Signed Certificate Generation

PEM and DER certificate support

Hash-based PRNG (Hash_DRBG)

Mutual authentication support (client/server)

PSK (Pre-Shared Keys)

Interchangeable crypto and certificate libraries

Modular cryptography library (wolfCrypt)

Curve25519 and Ed25519

Hardware & Asynchronous Support

Asynchronous crypto support: Intel QuickAssist, Cavium Nitrox

Hardware Cryptography Support: Intel AES-NI, Cavium NITROX, ARMv8, etc.

PKCS Standards

PKCS#1 (RSA Cryptography Standard) support

PKCS#3 (Diffie-Hellman Key Agreement Standard) support

PKCS#5 (Password-Based Encryption Standard) support

PKCS#7 (Cryptographic Message Syntax - CMS) support

PKCS#8 (Private-Key Information Syntax Standard) support

PKCS#9 (Selected Attribute Types) support

PKCS#10 (Certificate Signing Request - CSR) support

PKCS#11 (Cryptographic Token Interface) support

PKCS#12 (Certificate/Personal Information Exchange Syntax Standard) support