wolfSSL (formerly CyaSSL) is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3!



The wolfSSL embedded SSL library (formerly CyaSSL) is a lightweight SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments - primarily because of its small size, speed, and feature set. It is commonly used in standard operating environments as well because of its royalty-free pricing and excellent cross platform support. wolfSSL supports industry standards up to the current TLS 1.3 and DTLS 1.3 levels, is up to 20 times smaller than OpenSSL, and offers progressive ciphers such as ChaCha20, Curve25519, NTRU, and Blake2b. User benchmarking and feedback reports dramatically better performance when using wolfSSL over OpenSSL.

wolfSSL is powered by the wolfCrypt library. A version of the wolfCrypt cryptography library has been FIPS 140-2 validated (Certificate #2425). For additional information, visit the wolfCrypt FIPS FAQ or contact fips@wolfssl.com

Why Choose wolfSSL?

There are many reasons to choose wolfSSL as your embedded SSL solution. Some of the top reasons include size (typical footprint sizes range from 20-100 kB), support for the newest standards (SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3, DTLS 1.0, and DTLS 1.2), current and progressive cipher support (including stream ciphers), multi-platform, royalty free, and an OpenSSL compatibility API to ease porting into existing applications which have previously used the OpenSSL package. For a complete feature list, see Section 4.1.

Notes - Please read

Note 1

wolfSSL as of 3.6.6 no longer enables SSLv3 by default.  wolfSSL also no
longer supports static key cipher suites with PSK, RSA, or ECDH.  This means
if you plan to use TLS cipher suites you must enable DH (DH is on by default),
or enable ECC (ECC is on by default), or you must enable static
key cipher suites with

though static key cipher suites are deprecated and will be removed from future
versions of TLS.  They also lower your security by removing PFS.  Since current
NTRU suites available do not use ephemeral keys, WOLFSSL_STATIC_RSA needs to be
used in order to build with NTRU suites.

When compiling ssl.c, wolfSSL will now issue a compiler error if no cipher suites
are available.  You can remove this error by defining WOLFSSL_ALLOW_NO_SUITES
if that is what you intend, i.e., you're not using TLS cipher suites.

Note 2

wolfSSL takes a different approach to certificate verification than OpenSSL
does.  The default policy for the client is to verify the server.  This means
that if you don't load CAs to verify the server, the connect fails with the
"no signer error to confirm failure" error (-188).  If you want to mimic the
OpenSSL behavior of having SSL_connect succeed even if verifying the server
fails, at the cost of reduced security, you can do this by calling:

wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);

before calling wolfSSL_new(), though this is not recommended.

Note 3

The enum values SHA, SHA256, SHA384, SHA512 are no longer available when
wolfSSL is built with --enable-opensslextra (OPENSSL_EXTRA) or with the macro
NO_OLD_SHA_NAMES. These names get mapped to the OpenSSL API for a single call
hash function. Instead, the names WC_SHA, WC_SHA256, WC_SHA384 and WC_SHA512
should be used for the enum names.

wolfSSL Release 3.15.7 (12/26/2018)

Release 3.15.7 of wolfSSL embedded TLS has bug fixes and new features including:

  • Support for Espressif ESP-IDF development framework
  • Fix for XCode build with iPhone simulator on i386
  • PKCS7 support for generating and verifying bundles using a detached signature
  • Fix for build disabling AES-CBC and enabling opensslextra compatibility layer
  • Updates to sniffer for showing session information and handling split messages across records
  • Port update for Micrium uC/OS-III
  • Feature to adjust max fragment size post handshake when compiled with the macro WOLFSSL_ALLOW_MAX_FRAGMENT_ADJUST
  • Adding the macro NO_MULTIBYTE_PRINT for compiling out special characters that embedded devices may have problems with
  • Updates for Doxygen documentation, including PKCS #11 API and more
  • Adding Intel QuickAssist v1.7 driver support for asynchronous crypto
  • Adding Intel QuickAssist RSA key generation and SHA-3 support
  • RSA verify only (--enable-rsavfy) and RSA public only (--enable-rsapub) builds added
  • Enhancements to test cases for increased code coverage
  • Updates to VxWorks port for use with Mongoose, including updates to the OpenSSL compatibility layer
  • Yocto Project ease of use improvements along with many updates and build instructions added to the INSTALL file
  • Maximum ticket nonce size was increased to 8
  • Updating --enable-armasm build for ease of use with autotools
  • Updates to internal code checking TLS 1.3 version with a connection
  • Removing unnecessary extended master secret from ServerHello if using TLS 1.3
  • Fix for TLS v1.3 HelloRetryRequest to be sent immediately and not grouped

This release of wolfSSL includes a fix for 1 security vulnerability.

Medium level fix for potential cache attack with a variant of Bleichenbacher’s attack. Earlier versions of wolfSSL leaked PKCS #1 v1.5 padding information during private key decryption that could lead to a potential padding oracle attack. It is recommended that users update to the latest version of wolfSSL if they have RSA cipher suites enabled and have the potential for malicious software to be run on the same system that is performing RSA operations. Users that have only ECC cipher suites enabled and are not performing RSA PKCS #1 v1.5 Decryption operations are not vulnerable. Also users with TLS 1.3 only connections are not vulnerable to this attack. Thanks to Eyal Ronen (Weizmann Institute), Robert Gillham (University of Adelaide), Daniel Genkin (University of Michigan), Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom (University of Adelaide and Data61) for the report.

The paper for further reading on the attack details can be found at http://cat.eyalro.net/cat.pdf.
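
To illustrate the class of leak described above, the following added example (not wolfSSL's code and not its actual patch) contrasts a PKCS #1 v1.5 unpadding routine whose control flow depends on the decrypted block with a branch-free version. The names unpad_leaky, unpad_ct and ct_is_zero are hypothetical, and the sample block is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Block layout: 00 || 02 || PS (>= 8 nonzero bytes) || 00 || M */
/* BEFORE: early returns and a scan that stops at the first 0x00 make the
 * branches taken and bytes touched depend on the decrypted (secret) block. */
int unpad_leaky(const uint8_t *em, size_t len, size_t *msg_off) {
    size_t i;
    if (len < 11) return -1;            /* len is the public modulus size */
    if (em[0] != 0x00) return -1;
    if (em[1] != 0x02) return -1;
    for (i = 2; i < len && em[i] != 0x00; i++) { }
    if (i == len || i < 10) return -1;  /* no separator, or PS too short */
    *msg_off = i + 1;
    return 0;
}

/* 0xFF when x == 0, 0x00 otherwise, computed without a branch. */
static uint8_t ct_is_zero(uint32_t x) {
    return (uint8_t)(((x | (0u - x)) >> 31) - 1u);
}

/* AFTER: every byte is read on every call; all checks fold into one mask. */
int unpad_ct(const uint8_t *em, size_t len, size_t *msg_off) {
    uint8_t bad, found = 0;
    uint32_t sep = 0;                   /* index of first 0x00 after header */
    if (len < 11) return -1;
    bad  = (uint8_t)~ct_is_zero(em[0]);
    bad |= (uint8_t)~ct_is_zero((uint32_t)em[1] ^ 0x02u);
    for (size_t i = 2; i < len; i++) {
        uint8_t zero  = ct_is_zero(em[i]);
        uint8_t first = (uint8_t)(zero & (uint8_t)~found);
        sep   |= (uint32_t)i & (0u - (uint32_t)(first & 1u));
        found |= zero;
    }
    bad |= (uint8_t)~found;                      /* no separator at all */
    bad |= (uint8_t)(0u - ((sep - 10u) >> 31));  /* sep < 10: PS too short */
    *msg_off = (size_t)sep + 1;
    return -(int)(bad & 1u);
}

int main(void) {
    /* Constructed sample block, not real key material. */
    uint8_t em[16] = {0, 2, 1, 2, 3, 4, 5, 6, 7, 8, 0, 'h', 'e', 'l', 'l', 'o'};
    size_t a = 0, b = 0;
    int ra = unpad_leaky(em, sizeof em, &a), rb = unpad_ct(em, sizeof em, &b);
    printf("leaky=%d off=%zu  ct=%d off=%zu\n", ra, a, rb, b);
    return 0;
}
```

A constant-time parser only helps if the caller also avoids a distinguishable failure path; TLS implementations conventionally continue the handshake with a random premaster secret when unpadding fails. Optimizing compilers can reintroduce branches, so check the generated assembly for the target.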

See INSTALL file for build instructions. More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html

