wolfssl-openssl1: Drop-In wolfCrypt FIPS for OpenSSL 1.1.1

wolfSSL is releasing wolfssl-openssl1, a build of OpenSSL 1.1.1 where every cryptographic primitive is implemented by wolfCrypt. It produces drop-in libcrypto.so.1.1 and libssl.so.1.1. Applications get FIPS 140-3 validated crypto without recompiling.

OpenSSL 1.1.1 reached end-of-life in September 2023. Its FIPS module is also EOL. There is no upgrade path to FIPS 140-3. Customers stuck on OpenSSL 1.x need a way forward.

Why not wolfEngine?
wolfSSL ships wolfEngine for OpenSSL 1.x. It works. But it only intercepts calls through the EVP layer.

Legacy codebases can call OpenSSL’s low-level API directly. SHA256_Init(), AES_cbc_encrypt(), RSA_private_encrypt() bypass ENGINE dispatch entirely. The crypto runs through OpenSSL’s own primitives, not wolfCrypt.

wolfssl-openssl1 replaces the public crypto symbols. EVP and low-level. Each call reaches wolfCrypt.
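
To see whether a given application falls into this category, its dynamic imports can be inspected for low-level symbols. The script below is an added example, not wolfSSL's code: the function names, the pattern list (seeded from the three functions named above) and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a binary's OpenSSL imports as EVP-layer or direct
# low-level calls. Reads `nm -D --undefined-only` output on stdin, e.g.
#   nm -D --undefined-only ./app | classify_imports
# The low-level patterns are an assumption seeded from the three functions
# the post names; extend them for your own code base.

classify_imports() {
    awk '
    {
        sym = $NF                 # symbol name is the last field
        sub(/@.*/, "", sym)       # drop version suffix such as @OPENSSL_1_1_0
        if (sym ~ /^EVP_/)
            print "evp " sym
        else if (sym ~ /^SHA(1|224|256|384|512)_(Init|Update|Final)$/ ||
                 sym ~ /^AES_[a-z0-9_]+$/ ||
                 sym ~ /^RSA_(private|public)_(encrypt|decrypt)$/)
            print "lowlevel " sym
    }' | sort -u
}

# Number of distinct low-level imports. Non-zero means the binary makes
# calls that EVP-only interception would not see.
count_lowlevel() {
    classify_imports | grep -c '^lowlevel ' || true
}

# Constructed sample input (not taken from a real binary).
sample_nm_output() {
    cat <<'EOF'
                 U AES_cbc_encrypt@OPENSSL_1_1_0
                 U EVP_DigestInit_ex@OPENSSL_1_1_0
                 U EVP_sha256@OPENSSL_1_1_0
                 U RSA_private_encrypt@OPENSSL_1_1_0
                 U SHA256_Init@OPENSSL_1_1_0
                 U SSL_connect@OPENSSL_1_1_0
                 U memcpy@GLIBC_2.14
EOF
}

sample_nm_output | classify_imports
```

Statically linked or dlopen()-resolved OpenSSL usage will not show up in the dynamic symbol table, so a zero count from this check is not proof that no low-level calls exist.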

How it works
At build time, OpenSSL’s crypto object files are excluded from the link. wolfCrypt links in their place. OpenSSL’s TLS state machine, X.509, ASN.1, and BIO layers remain unchanged.

A shim library (libwolfshim.a) bridges the two APIs. It provides ~290 ELF symbol wrappers so the linker resolves every OpenSSL function name to a wolfCrypt implementation. A runtime ABI check validates struct sizes and field offsets at load time.

The result is libcrypto.so.1.1 and libssl.so.1.1. Same sonames. Same symbols. Different crypto engine.

Supported algorithms

Category: Algorithms
Hashes: SHA-1, SHA-2 family, SHA-3 family, SHAKE-128/256
Symmetric: AES-CBC/CTR/GCM/CCM/XTS/OFB/CFB, 3DES, ChaCha20-Poly1305
MAC: HMAC with any supported digest, AES-CMAC
Asymmetric: RSA (PKCS#1 v1.5, OAEP, PSS), ECDSA/ECDH (P-256, P-384, P-521)
Key exchange: DH, X25519, X448
Signatures: Ed25519, Ed448
RNG: DRBG via wolfCrypt

TLS 1.3 works. Full handshake with TLS_AES_256_GCM_SHA384 and X25519 is confirmed.

FIPS 140-3 without porting
Because the shim replaces all crypto symbols, every call resolves to wolfCrypt.

No call path bypasses the validated module.

Porting a legacy codebase to OpenSSL 3 takes months. wolfssl-openssl1 works today on the existing codebase, with the existing binary interface.

For new deployments, wolfProvider on OpenSSL 3.x is the recommended path. wolfssl-openssl1 is for codebases that cannot migrate yet.

Build

git clone https://github.com/wolfSSL/wolfssl-openssl1
cd wolfssl-openssl1
git submodule update --init --depth=1
./build.sh

The shim is MIT-licensed. wolfSSL is GPL-3.0 or commercially licensed.

If your OpenSSL 1.x deployment needs FIPS 140-3 and cannot migrate to OpenSSL 3 today, wolfssl-openssl1 fills the gap. See also: wolfProvider FIPS for 35+ open-source packages.

If you have questions, contact us at facts@wolfssl.com or call +1 425 245 8247.
