wolfSSL Embedded SSL/TLS Library
The wolfSSL embedded SSL library is a lightweight SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments - primarily because of its small size, speed, and feature set. It is commonly used in standard operating environments as well because of its royalty-free pricing and excellent cross platform support. wolfSSL supports industry standards up to the current TLS 1.3 and DTLS 1.3 protocol levels, is up to 20 times smaller than OpenSSL, and offers progressive ciphers such as ChaCha20, Curve25519, NTRU, and SHA-3. User benchmarking and feedback reports dramatically better performance when using wolfSSL over OpenSSL.
wolfSSL is powered by the wolfCrypt library. A version of the wolfCrypt cryptography library has been FIPS 140-2 validated (Certificate #3389), with FIPS 140-3 validation currently in progress! For additional information, visit the wolfCrypt FIPS FAQ or contact firstname.lastname@example.org
wolfSSL now supports TLS 1.3 (learn more here) and DTLS 1.3!
- Up to TLS 1.3 and DTLS 1.3
- Full client and server support
- Progressive list of supported ciphers
- Key and Certificate generation
- OCSP, CRL support
- Commercially supported
- Small size: 20-100kB
- Runtime memory: 1-36kB
- 20x smaller than OpenSSL
Platform and Language Support
wolfSSL is built for maximum portability and is generally very easy to compile on new platforms. If your desired platform is not listed under the supported operating environments, please contact us.
wolfSSL supports the C programming language as a primary interface. It also supports several other host languages, including Java (wolfSSL JNI), C# (wolfSSL C#), and Python. If you have interest in using wolfSSL in another programming language that it does not currently supported, please contact us.
Hardware encryption and acceleration
wolfSSL supports hardware cryptography and acceleration on several platforms. To see a list of platforms and processors that are supported, please see our hardware cryptography support page.
Support packages for wolfSSL are available on an annual basis directly from wolfSSL. With four different package options, you can compare them side-by-side and choose the package that best fits your specific needs. Please see our Support Packages page for more details or contact us with any questions.
If you would like more detailed information about RAM usage, please contact us for the wolfSSL Resource Use document.
LeanPSK - wolfSSL recently implemented a set of build options for the wolfSSL library which enable the library to be built in as little as 20kB! This build configuration requires the use of pre-shared keys (PSK). Contact us for more details about this build.
wolfSSL Training Course
Interested in getting trained by security experts on subjects related to wolfSSL and SSL/TLS? Learn more.
- wolfSSL has support for chipsets including ARM, Intel, Motorola, mbed, NXP/Freescale, Microchip (PIC32)/Atmel, STMicroelectronics (STM32), Analog Devices, Texas Instruments, Xilinx SoCs/FPGAs, Renesas, Espressif, and more
- If you would like to use or test wolfSSL on another chipset, let us know and we’ll be happy to support you.
Supported Operating Environments
- Win32/64, Linux, Mac OS X, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Yocto Linux, OpenEmbedded, WinCE, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, NonStop, TRON/ITRON/µITRON, Micrium µC/OS-III, FreeRTOS, SafeRTOS, NXP/Freescale MQX, Nucleus, TinyOS, HP/UX, AIX, ARC MQX, TI-RTOS, uTasker, embOS, INtime, Mbed, uT-Kernel, RIOT, CMSIS-RTOS, FROSTED, Green Hills INTEGRITY, Keil RTX, TOPPERS, PetaLinux, Apache Mynewt, PikeOS, Deos, Azure Sphere OS, Zephyr
- If you would like to test wolfSSL on another environment, let us know and we’ll be happy to support you.
- SSL version 3.0 and TLS versions 1.0, 1.1, 1.2, and 1.3 (client and server)
- DTLS 1.0, 1.2, and 1.3 support (client and server)
- Minimum footprint size of 20-100 kB, depending on build options and operating environment
- Runtime memory usage between 1-36 kB (depending on I/O buffer sizes, public key algorithm, and key size)
- OpenSSL compatibility layer
- Simple API
- OCSP, OCSP Stapling, and CRL support
- Hash Functions:
- MD2, MD4, MD5, SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA-3, RIPEMD-160, Poly1305
- Block, Stream, and Authenticated Ciphers:
- AES (CBC, CTR, OFB, XTS, GCM, CCM, GMAC, CMAC), Camellia, DES, 3DES, ARC4, ChaCha20
- Public Key Algorithms:
- RSA, DSA, DH, EDH, ECDH-ECDSA, ECDHE-ECDSA, ECDH-RSA, ECDHE-RSA, NTRU
- Password-based Key Derivation: HMAC, PBKDF2
- Curve25519 and Ed25519
- ECC and RSA Key Generation
- ECC curve types:
- SECP, SECPR2, SECPR3, BRAINPOOL, KOBLITZ
- ECC key lengths:
- 112, 128, 160, 192, 224, 239, 256, 320, 384, 512, 521
- Post Quantum Cryptography support
- X.509v3 RSA and ECC Signed Certificate Generation
- PEM and DER certificate support
- Hash-based PRNG (Hash_DRBG)
- Mutual authentication support (client/server)
- PSK (Pre-Shared Keys)
- Persistent session and certificate cache
- zlib compression support
- Interchangeable crypto and certificate libraries
- Modular cryptography library (wolfCrypt)
- Supported TLS Extensions:
- SNI (Server Name Indication), Maximum Fragment Length, Truncated HMAC, Supported Elliptic Curves, ALPN (Application Layer Protocol Negotiation), Extended Master Secret
- Standalone Certificate Manager
- QSH (quantum-safe handshake) extension
- SRP (Secure Remote Password)
- Asynchronous crypto support: Intel QuickAssist, Cavium Nitrox
- Hardware Cryptography Support:
- Intel AES-NI, AVX1/2, RDRAND, RDSEED, SGX, Cavium NITROX, Intel QuickAssist, STM32F2/F4, Freescale/NXP (CAU, mmCAU, SEC, LTC), Microchip PIC32MZ, ARMv8, Renesas TSIP, ARM CryptoCell, PSA Crypto API, and more!
- SSL Sniffer (SSL Inspection) Support
- IPv4 and IPv6 support
- Abstraction Layers / User Callbacks:
- C Standard Library, Custom I/O, Memory hooks, Logging callbacks, User Atomic Record Layer Processing, Public Key
- Open Source Project Integrations:
- MySQL, OpenSSH, Apache httpd, nginx, wpa_supplicant, Open vSwitch, stunnel, Lighttpd, GoAhead, Mongoose, and more!
- PKCS#1 (RSA Cryptography Standard) support
- PKCS#3 (Diffie-Hellman Key Agreement Standard) support
- PKCS#5 (Password-Based Encryption Standard) support
- PKCS#7 (Cryptographic Message Syntax - CMS) support
- PKCS#8 (Private-Key Information Syntax Standard) support
- PKCS#9 (Selected Attribute Types) support
- PKCS#10 (Certificate Signing Request - CSR) support
- PKCS#11 (Cryptographic Token Interface) support
- PKCS#12 (Certificate/Personal Information Exchange Syntax Standard) support