wolfSSL is a small, portable, embedded SSL/TLS library targeted for use by embedded systems developers. It is an

open source Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use and view the source code, design documents, or content of the product. The open source model is a decentrali ...

implementation of TLS (SSL 3.0, TLS 1.0, 1.1, 1.2, 1.3, and DTLS 1.0, 1.2, and 1.3) written in the

C programming language C (''pronounced'' '' – like the letter c'') is a general-purpose programming language. It was created in the 1970s by Dennis Ritchie and remains very widely used and influential. By design, C's features cleanly reflect the capabilities of ...

. It includes SSL/TLS client libraries and an SSL/TLS server implementation as well as support for multiple APIs, including those defined by SSL and TLS. wolfSSL also includes an

OpenSSL OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping, and identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS web ...

compatibility interface with the most commonly used OpenSSL functions.wolfSSL – Embedded Communications Products
/ref>

Platforms

wolfSSL is currently available for

Microsoft Windows Windows is a Product lining, product line of Proprietary software, proprietary graphical user interface, graphical operating systems developed and marketed by Microsoft. It is grouped into families and subfamilies that cater to particular sec ...

Linux Linux ( ) is a family of open source Unix-like operating systems based on the Linux kernel, an kernel (operating system), operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically package manager, pac ...

macOS macOS, previously OS X and originally Mac OS X, is a Unix, Unix-based operating system developed and marketed by Apple Inc., Apple since 2001. It is the current operating system for Apple's Mac (computer), Mac computers. With ...

Solaris Solaris is the Latin word for sun. It may refer to: Arts and entertainment Literature, television and film * ''Solaris'' (novel), a 1961 science fiction novel by Stanisław Lem ** ''Solaris'' (1968 film), directed by Boris Nirenburg ** ''Sol ...

ESP32 ESP32 is a family of low-cost, energy-efficient microcontrollers that integrate both Wi-Fi and Bluetooth capabilities. These chips feature a variety of processing options, including the Tensilica Xtensa LX6 microprocessor available in both dual-c ...

ESP8266 The ESP8266 is a low-cost Wi-Fi microcontroller, with built-in TCP/IP stack, TCP/IP networking software, and microcontroller capability, produced by Espressif Systems in Shanghai, China. The chip was popularized in the English-speaking maker c ...

, ThreadX,

VxWorks VxWorks is a real-time operating system (or RTOS) developed as proprietary software by Wind River Systems, a subsidiary of Aptiv. First released in 1987, VxWorks is designed for use in embedded systems requiring real-time, Deterministic system, ...

FreeBSD FreeBSD is a free-software Unix-like operating system descended from the Berkeley Software Distribution (BSD). The first version was released in 1993 developed from 386BSD, one of the first fully functional and free Unix clones on affordable ...

NetBSD NetBSD is a free and open-source Unix-like operating system based on the Berkeley Software Distribution (BSD). It was the first open-source BSD descendant officially released after 386BSD was fork (software development), forked. It continues to ...

OpenBSD OpenBSD is a security-focused operating system, security-focused, free software, Unix-like operating system based on the Berkeley Software Distribution (BSD). Theo de Raadt created OpenBSD in 1995 by fork (software development), forking NetBSD ...

embedded Linux The Linux, Linux Operating system is prevalent in embedded systems. As of 2024, developer surveys and industry reports find that Embedded Linux is used in 44%-46% of embedded systems. Due to its Linux range of use, versatility, its large community ...

Yocto Project The Yocto Project is a Linux Foundation collaborative open source project whose goal is to produce tools and processes that enable the creation of Linux distributions for embedded and IoT software that are independent of the underlying architect ...

OpenEmbedded OpenEmbedded (OE) is a build automation framework and cross-compile environment used to create Linux distributions for embedded devices. The framework is developed by the OpenEmbedded community, which was formally established in 2003. OpenEmbed ...

, WinCE,

Haiku is a type of short form poetry that originated in Japan. Traditional Japanese haiku consist of three phrases composed of 17 Mora (linguistics), morae (called ''On (Japanese prosody), on'' in Japanese) in a 5, 7, 5 pattern; that include a ''kire ...

OpenWrt OpenWrt (from ''open wireless router'') is an open-source project for embedded operating systems based on Linux kernel, Linux, primarily used on Embedded system, embedded devices to Router (computing), route network traffic. The main components ...

iPhone The iPhone is a line of smartphones developed and marketed by Apple that run iOS, the company's own mobile operating system. The first-generation iPhone was announced by then–Apple CEO and co-founder Steve Jobs on January 9, 2007, at ...

, Android,

Wii The Wii ( ) is a home video game console developed and marketed by Nintendo. It was released on November 19, 2006, in North America, and in December 2006 for most other regions of the world. It is Nintendo's fifth major home game console, f ...

, and

GameCube The is a PowerPC-based home video game console developed and marketed by Nintendo. It was released in Japan on September 14, 2001, in North America on November 18, 2001, in Europe on May 3, 2002, and in Australia on May 17, 2002. It is the suc ...

through DevKitPro support, QNX,

MontaVista MontaVista Software is a company that develops embedded Linux system software, development tools, and related software. Its products are made for other corporations developing embedded systems such as automotive electronics, communications eq ...

Tron ''Tron'' (stylized as ''TRON'') is a 1982 American science fiction action adventure film written and directed by Steven Lisberger from a story by Lisberger and Bonnie MacBird. The film stars Jeff Bridges as Kevin Flynn, a computer programmer ...

variants,

NonStop OS NonStop is a series of server computers introduced to market in 1976 by Tandem Computers Inc., beginning with the NonStop product line. It was followed by the Tandem Integrity NonStop line of lock-step fault-tolerant computers, now defunct (n ...

OpenCL OpenCL (Open Computing Language) is a software framework, framework for writing programs that execute across heterogeneous computing, heterogeneous platforms consisting of central processing units (CPUs), graphics processing units (GPUs), di ...

, Micrium's MicroC/OS-II,

FreeRTOS FreeRTOS is a real-time operating system Kernel (operating system), kernel for embedded devices that has been ported to 40 microcontroller platforms. It is distributed under the MIT License. History The FreeRTOS kernel was originally developed ...

, SafeRTOS, Freescale MQX,

Nucleus Nucleus (: nuclei) is a Latin word for the seed inside a fruit. It most often refers to: *Atomic nucleus, the very dense central region of an atom *Cell nucleus, a central organelle of a eukaryotic cell, containing most of the cell's DNA Nucleu ...

TinyOS TinyOS is an embedded, component-based operating system and platform for low-power wireless devices, such as those used in wireless sensor networks (WSNs), smartdust, ubiquitous computing, personal area networks, building automation, and smart me ...

, TI-RTOS,

HP-UX HP-UX (from "Hewlett Packard Unix") is a proprietary software, proprietary implementation of the Unix operating system developed by Hewlett Packard Enterprise; current versions support HPE Integrity Servers, based on Intel's Itanium architect ...

, uTasker, uT-kernel, embOS, INtime, mbed,

RIOT A riot or mob violence is a form of civil disorder commonly characterized by a group lashing out in a violent public disturbance against authority, property, or people. Riots typically involve destruction of property, public or private. The p ...

, CMSIS-RTOS, FROSTED, Green Hills INTEGRITY, Keil RTX, TOPPERS, PetaLinux, Apache Mynewt, and PikeOS.

History

The genesis of wolfSSL dates to 2004.

was available at the time, and was dual licensed under the ''OpenSSL License'' and the ''SSLeay license''. yaSSL, alternatively, was developed and dual-licensed under both a commercial license and the GPL. yaSSL offered a more modern API, commercial style developer support and was complete with an OpenSSL compatibility layer. The first major user of wolfSSL/CyaSSL/yaSSL was

MySQL MySQL () is an Open-source software, open-source relational database management system (RDBMS). Its name is a combination of "My", the name of co-founder Michael Widenius's daughter My, and "SQL", the acronym for Structured Query Language. A rel ...

. Through bundling with MySQL, yaSSL has achieved extremely high distribution volumes in the millions. In February 2019,

Daniel Stenberg Magnus Daniel Stenberg is a Swedish developer and recipient of the 2017 Polhem Prize (for a high-level technological innovation or an ingenious solution to a technical problem) for his work on the cURL utility. Stenberg was born and raised in Hu ...

, the creator of

cURL cURL (pronounced like "curl", ) is a free and open source computer program for transferring data to and from Internet servers. It can download a URL from a web server over HTTP, and supports a variety of other network protocols, URI scheme ...

, was hired by the wolfSSL project to work on cURL.

Protocols

The wolfSSL lightweight SSL library implements the following protocols:wolfSSL – Docs , CyaSSL Manual – Chapter 4 (Features)
/ref> * SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3 * DTLS 1.0, DTLS 1.2, DTLS 1.3 * Extensions: Server Name Indication (SNI), Maximum Fragment Length, Truncated

HMAC In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a se ...

, Application Layer Protocol Negotiation (ALPN), Extended Master Secret * Ciphersuites: TLS Secure Remote Password, TLS Pre-Shared Key *

Post-quantum cryptography Post-quantum cryptography (PQC), sometimes referred to as quantum-proof, quantum-safe, or quantum-resistant, is the development of cryptographic algorithms (usually public-key algorithms) that are currently thought to be secure against a crypt ...

: ML-DSA added to sigAlgs, ML-KEM added to Supported Groups, QSH (deprecated and removed) * Public Key Cryptography Standards: ** PKCS #1 - RSA Cryptography ** PKCS #3 - Diffie-Hellman Key Agreement ** PKCS #5 - Password-Based Encryption ** PKCS #7 - Cryptographic Message Syntax (CMS) ** PKCS #8 - Private-Key Information Syntax ** PKCS #9 - Selected Attribute Types ** PKCS #10 -

Certificate signing request In public key infrastructure (PKI) systems, a certificate signing request (CSR or certification request) is a message sent from an applicant to a certificate authority of the public key infrastructure (PKI) in order to apply for a digital identity ...

(CSR) ** PKCS #11 - Cryptographic Token Interface ** PKCS #12 - Certificate/Personal Information Exchange Syntax Standard Protocol Notes: * SSL 2.0 – SSL 2.0 was deprecated (prohibited) in 2011 by RFC 6176. wolfSSL does not support it. * SSL 3.0 – SSL 3.0 was deprecated (prohibited) in 2015 by RFC 7568. In response to the POODLE attack, SSL 3.0 has been disabled by default since wolfSSL 3.6.6, but can be enabled with a compile-time option.

Algorithms

wolfSSL uses the following cryptography libraries:

wolfCrypt

By default, wolfSSL uses the cryptographic services provided by wolfCrypt. wolfCrypt Provides RSA, ECC, DSS, Diffie–Hellman, EDH,

NTRU NTRU is an open-source public-key cryptosystem that uses lattice-based cryptography to encrypt and decrypt data. It consists of two algorithms: NTRUEncrypt, which is used for encryption, and NTRUSign, which is used for digital signatures. Unlike ...

(deprecated and removed), DES,

Triple DES In cryptography, Triple DES (3DES or TDES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The 56-bit key of the Dat ...

, AES (CBC, CTR, CCM, GCM),

Camellia ''Camellia'' (pronounced or ) is a genus of flowering plants in the family Theaceae. They are found in tropical and subtropical areas in East Asia, eastern and South Asia, southern Asia, from the Himalayas east to Japan and Indonesia. There are ...

IDEA In philosophy and in common usage, an idea (from the Greek word: ἰδέα (idea), meaning 'a form, or a pattern') is the results of thought. Also in philosophy, ideas can also be mental representational images of some object. Many philosophe ...

, ARC4, HC-128, ChaCha20, MD2,

MD4 The MD4 Message-Digest Algorithm is a cryptographic hash function developed by Ronald Rivest in 1990. The digest length is 128 bits. The algorithm has influenced later designs, such as the MD5, SHA-1 and RIPEMD algorithms. The initialism "MD" st ...

MD5 The MD5 message-digest algorithm is a widely used hash function producing a 128-bit hash value. MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function MD4, and was specified in 1992 as Request for Comments, RFC 1321. MD5 ...

SHA-1 In cryptography, SHA-1 (Secure Hash Algorithm 1) is a hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as 40 hexadecimal digits. It was designed by the United States ...

SHA-2 SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compression ...

SHA-3 SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like stru ...

BLAKE2 BLAKE is a cryptographic hash function based on Daniel J. Bernstein's ChaCha (cipher), ChaCha stream cipher, but a permuted copy of the input block, XORed with round constants, is added before each ChaCha round. Like SHA-2, there are two variants ...

, RIPEMD-160,

Poly1305 Poly1305 is a universal hash family designed by Daniel J. Bernstein in 2002 for use in cryptography. As with any universal hash family, Poly1305 can be used as a one-time message authentication code to authenticate a single message using a sec ...

, Random Number Generation, Large Integer support, base 16/64 encoding/decoding, and post-quantum cryptographic algorithms: ML-KEM (certified under FIPS 203) and ML-DSA (certified under FIPS 204). wolfCrypt also includes support for the recent

X25519 X, or x, is the twenty-fourth letter of the Latin alphabet, used in the English alphabet, modern English alphabet, the alphabets of other western European languages and others worldwide. Its name in English is Wikt:ex#English, ''ex'' (pro ...

and Ed25519 algorithms. wolfCrypt acts as a back-end crypto implementation for several popular software packages and libraries, including MIT Kerberos (where it can be enabled using a build option).

NTRU

CyaSSL+ includes

NTRU CryptoLabs
public key encryption. The addition of NTRU in CyaSSL+ was a result of the partnership between yaSSL and Security Innovation. NTRU works well in mobile and embedded environments due to the reduced bit size needed to provide the same security as other public key systems. In addition, it's not known to be vulnerable to quantum attacks. Several cipher suites utilizing NTRU are available with CyaSSL+ including AES-256, RC4, and HC-128.

Hardware Integration

Secure Element Support

wolfSSL supports the following Secure Elements: *

STMicroelectronics STMicroelectronics Naamloze vennootschap, NV (commonly referred to as ST or STMicro) is a European multinational corporation, multinational semiconductor contract manufacturing and design company. It is the largest of such companies in Europe. ...

STSAFE *

Microchip An integrated circuit (IC), also known as a microchip or simply chip, is a set of electronic circuits, consisting of various electronic components (such as transistors, resistors, and capacitors) and their interconnections. These components a ...

CryptoAuthentication ATECC508A * NXP EdgeLock SE050 Secure Element

Technology Support

wolfSSL supports the following hardware technologies: *

Intel Intel Corporation is an American multinational corporation and technology company headquartered in Santa Clara, California, and Delaware General Corporation Law, incorporated in Delaware. Intel designs, manufactures, and sells computer compo ...

SGX (

Software Guard Extensions Intel Software Guard Extensions (SGX) is a set of instruction codes implementing trusted execution environment that are built into some Intel central processing units (CPUs). They allow user-level and operating system code to define protected priv ...

) - Intel SGX allows a smaller attack surface and has been shown to provide a higher level of security for executing code without a significant impact on performance.

Hardware Encryption Support

The following tables list wolfSSL's support for using various devices' hardware encryption with various algorithms. - "All" denotes 128, 192, and 256-bit supported block sizes

Certifications

wolfSSL supports the following certifications: *

Federal Information Processing Standards The Federal Information Processing Standards (FIPS) of the United States are a set of publicly announced standards that the National Institute of Standards and Technology (NIST) has developed for use in computer systems of non-military United State ...

(

FIPS 140 The 140 series of Federal Information Processing Standards ( FIPS) are U.S. government computer security standards that specify requirements for cryptographic modules. , FIPS 140-2 and FIPS 140-3 are both accepted as current and active. FIPS 1 ...

) ** FIPS 140-2 and FIPS 140-3 *** wolfCrypt FIPS Module: 3.6.0
NIST certificate #2425
- ''Historical'' *** wolfCrypt FIPS Module: 4.0
NIST certificate #3389
- ''Historical'' *** wolfCrypt FIPS Module: v5.2.1
NIST certificate #4718
- ''Active'' *

Radio Technical Commission for Aeronautics RTCA, Inc. (formerly known as Radio Technical Commission for Aeronautics) is a United States non-profit organization that develops technical guidance for use by government regulatory authorities and by industry. It was founded in 1935 and was re-in ...

(RTCA) **

DO-178C DO-178C, Software Considerations in Airborne Systems and Equipment Certification is the primary document by which the certification authorities such as Federal Aviation Administration, FAA, European Aviation Safety Agency, EASA and Transport Can ...

*** wolfCrypt COTS DO-178C certification kit (DAL A) wolfSSL Support for DO-178C DAL A
/ref>

Licensing

wolfSSL is dual licensed: * Licensed under the GPL-2.0-or-later license. This is good for GPL open source projects and evaluation. * Licensed under a commercial non-GPL license. This comes with additional support and maintenance packages and is priced at 7,500 USD per ''product'' or ''SKU'' as of 2025.

References

External links

wolfSSL/CyaSSL Homepage

wolfSSL Now With ChaCha20 and Poly1305
{{SSL/TLS C (programming language) libraries Cryptographic software Transport Layer Security implementation