The wolfSSL lightweight SSL/TLS library now supports TLS 1.3 (Draft 18) on both the client and server side!
A BETA release of wolfSSL (wolfSSL 3.11.1) is available for download from our download page. This release is strictly BETA, and designed for testing and user feedback. Users and customers wanting a stable and production-ready version of wolfSSL should remain on version 3.11.0.
To compile this release with TLS 1.3 support, use the “–enable-tls13” ./configure option:
$ unzip wolfssl-3.11.1-tls13-beta.zip
$ cd wolfssl-3.11.1-tls13-beta
$ ./configure –enable-tls13
$ make
wolfSSL has two new client/server methods, which can be used to specify TLS 1.3 during creation of a wolfSSL context (WOLFSSL_CTX):
WOLFSSL_METHOD *wolfTLSv1_3_server_method(void);
WOLFSSL_METHOD *wolfTLSv1_3_client_method(void);
The wolfSSL example client and server can be used to easily test TLS 1.3 functionality with wolfSSL. For example, to connect the wolfSSL example client and server to each other using TLS 1.3 and the TLS13-AES128-GCM-SHA256 cipher suite, use the “-v” option with “4” to specify TLS 1.3, and the “-l” option to specify the cipher suite:
$ ./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256
$ ./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256
Alternatively, the example client can be used to connect to an external server. For example, to connect to the wolfSSL websitewith TLS 1.3:
$ ./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -h www.wolfssl.com -p 443 -g -A ./certs/wolfssl-website-ca.pem
In this command, “-h” specifies the host, “-p” the port, “-g” causes the client to send an HTTP GET request, and “-A” specifies the CA certificate used to authenticate the server.
wolfSSL currently supports the following TLS 1.3 cipher suites:
TLS13-AES128-GCM-SHA256
TLS13-AES256-GCM-SHA384
TLS13-CHACHA20-POLY1305-SHA256
TLS13-AES128-CCM-SHA256
TLS13-AES128-CCM-8-SHA256
Please send any comments or feedback on wolfSSL’s TLS 1.3 support to support@wolfssl.com. Thanks!