wolfCrypt as an Engine for OpenSSL

    • As many people know, the OpenSSL project is struggling with FIPS, as of October 2020, OpenSSL has no active FIPS 140 validation. OpenSSL had plans to restore it’s FIPS validation with OpenSSL 3.0, however they ran into significant delays, and since FIPS 140-2 testing ends September 2021, OpenSSL ultimately decided to focus their efforts on FIPS 140-3 standards.

    This means that OpenSSL users will not have a supported package for the indefinite future. This is a big issue for companies that rely on security. 

    To fill this breach, wolfSSL has integrated our FIPS-certified crypto module (wolfCrypt) with OpenSSL as an OpenSSL engine. This means that:

    1. OpenSSL users can get a supported FIPS solution, with packages available up to the 24×7 level,
    2. The new wolfCrypt FIPS solution supports algorithms used in TLS 1.3, meaning your OpenSSL-based project can support TLS 1.3,
    3. You can support hardware encryption with your project, as the new wolfCrypt solution has full hardware encryption support, as provided by native wolfCrypt!

    Additionally, should you be using one of the OpenSSL derivatives like BoringSSL, we can also support you.

    wolfEngine is structured as a separate standalone library which links against wolfSSL (libwolfssl) and OpenSSL.  wolfEngine implements and exposes an OpenSSL engine implementation which wraps the wolfCrypt native API internally.  Algorithm support matches that as listed on the wolfCrypt FIPS 140-2 certificate #3389.

    wolfEngine is compiled by default as a shared library called libwolfengine which can be dynamically registered at runtime by an application or OpenSSL through a config file.  wolfEngine also provides an entry point for applications to load the engine when compiled in a static build.

    The current wolfCrypt FIPS engine for OpenSSL has been tested on Linux with OpenSSL 1.0.2h and 1.1.1b inside OpenSSL apps (s_client, s_server, etc) and several popular Open Source packages – including cURL, stunnel, nginx, OpenLDAP, and OpenSSH!

     

    Contact us at facts@wolfssl.com if you would like to learn more, or would like to use wolfEngine with other OpenSSL versions or Open Source projects!

    Love it? Star wolfSSL on GitHub.