Outline
A. What is the wolfSSL compatibility layer
B. Building wolfSSL with compatibility layer
C. Simple example application demonstration
D. Examples of major projects
● Dual Licensed GPLv2 and Commercial TLS implementation
● Securing over 2 billion connections world wide
● Meeting high standards of security (FIPS certificate, DO-178,
extensive testing)
● Progressive cryptography leading TLS 1.3 adoption
● Resource conscious for use in embedded IoT scaled all the way up
to large server farms
● Maps a subset of the OpenSSL API down to native wolfSSL API
● Used for easily switching applications designed for OpenSSL to
wolfSSL
● Includes more than 500 of the most commonly used OpenSSL
functions
● Maps a subset of OpenSSL structures and enums to wolfSSL
implementations
● Main SSL/EVP/BIO type functions are mapped to native wolfSSL API
● EVP init, update, final mapped to wolfSSL
implementations
● Sign and verify support with EVP_SignInit,
EVP_SignUpdate, EVP_SignFinal
● Hashing and AES calls such as SHA(), SHA256()
● Support for PKEY structures
● Allows for easily migrating a project from OpenSSL
to wolfSSL
[Diagram labels: Application, wolfSSL, OpenSSL]
● #include <wolfssl/openssl/ssl.h> is main header:
typedef WOLFSSL_EVP_PKEY EVP_PKEY;
typedef WOLFSSL_BIO BIO;
typedef WOLFSSL_BIO_METHOD BIO_METHOD;
typedef WOLFSSL_CIPHER SSL_CIPHER;
typedef WOLFSSL_X509_LOOKUP X509_LOOKUP;
typedef WOLFSSL_X509_LOOKUP_METHOD X509_LOOKUP_METHOD;
typedef WOLFSSL_X509_CRL X509_CRL;
…
#define SSL_CTX_new wolfSSL_CTX_new
#define SSL_new wolfSSL_new
#define SSL_set_fd wolfSSL_set_fd
#define SSL_get_fd wolfSSL_get_fd
#define SSL_connect wolfSSL_connect
#define SSL_clear wolfSSL_clear
…
● Benefits:
○ Can make use of wolfSSL hardware acceleration
implementations
○ TLS 1.3 implementation
○ Reduced footprint size
○ Potential to use wolfSSL FIPS
○ Supported by wolfSSL engineers who work with and
developed the code
○ Clear licensing models
● OpenSSL FIPS expected to drop to historical list on January 1, 2020
● OpenSSL 3.0 FIPS not expected to be available until 2021 (leaving a
full year of no FIPS support)
● wolfSSL maintains current FIPS support and is used in numerous
FIPS commercial applications
● wolfSSL has FIPS ready build to help get projects ready for FIPS
validation
B. Building wolfSSL with compatibility layer
● Enable with (--enable-opensslextra) or by defining
the macro OPENSSL_EXTRA
i.e. ./configure --enable-opensslextra
● Include <wolfssl/options.h> as first wolfSSL header
● Header files for migration are located under:
○ ./wolfssl/openssl/*.h
○ Ex: <wolfssl/openssl/ssl.h>
● In some cases stub functions are used and can be seen with debug
log (--enable-debug)
● Macro NO_WOLFSSL_STUB compiles out all stub functions
● Additional features such as key generation and algorithms are
controlled with enable options such as --enable-keygen
C. Simple example application demonstration
● When migrating an application from OpenSSL to
wolfSSL:
■ Add ./wolfssl/* to include path, so app can
include header like:
● #include <openssl/ssl.h>
■ Or, switch application includes from 1) to 2)
1. #include <openssl/ssl.h>
2. #include <wolfssl/openssl/ssl.h>
● When porting an application from OpenSSL to
wolfSSL:
■ Link against wolfSSL instead of OpenSSL
● OpenSSL libraries typically (-lssl -lcrypto)
● wolfSSL libraries (-lwolfssl)
No code changes needed to application C files
● OpenSSL
$ gcc the_great_migration.c -o open.out -lssl -lcrypto
● wolfSSL
$ gcc -I /path-to/wolfssl/wolfssl -I /path-to/wolfssl -include wolfssl/options.h the_great_migration.c -o wolf.out -lwolfssl
/* establish TLS connection */
printf("TCP connection established now setting up TLS\n");
ssl = SSL_new(ctx);
if (ssl == NULL) {
    printf("unable to create SSL object\n");
    return -1;
}
SSL_set_fd(ssl, connd);
ret = SSL_accept(ssl);
if (ret != 1) {
    ret = ERR_get_error();
    ERR_error_string(ret, msg);
    printf("[%d] error %s in SSL accept\n", ret, msg);
    return -1;
}
/* Read and write message */
memset(msg, 0, SIZE);
/* read at most SIZE - 1 bytes so msg stays NUL-terminated for %s */
ret = SSL_read(ssl, msg, SIZE - 1);
if (ret > 0) {
    printf("Read : %s\n", msg);
    ret = SSL_write(ssl, "Hello world\n", sizeof("Hello world\n"));
}
Comparison of heap usage of server with cipher suite ECDHE-RSA-AES256-GCM-SHA384
● OpenSSL 1.1.1 compared with wolfSSL 4.1.0 (./configure --enable-opensslextra)
● Measured using Valgrind + massif + massif-visualizer on Ubuntu 18.04
● Same server-tls.c application, first linked to OpenSSL and then, without
code changes, linked to wolfSSL
D. Examples of major projects
● Examples of applications that have been compiled
using OpenSSL Compatibility Layer
○ Apache
○ QT
○ NGINX
○ MySQL
○ curl
○ Stunnel
○ and many more...
● Most migrations done for larger open source projects have a build
option associated with the port.
● An example of this would be “./configure --enable-nginx” or
“./configure --enable-haproxy”
● The full changes done to Nginx can be seen on our github
repository at wolfSSL/wolfssl-nginx.
● Because the layer is a subset of the OpenSSL API, there is a chance that
some API used by the application is not yet implemented
● The easiest way to tell is to enable all OpenSSL features and link against
wolfSSL
● For missing API we accept feature requests or offer consulting to
expand the compatibility layer as needed
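A pre-link check for the gap described above, as an added example that is not wolfSSL's or the presenter's code: it lists OpenSSL-style calls in an application's sources that no compatibility header maps with #define or declares. The call pattern, the function names (used_api, provided_api, missing_api, make_sample) and both sample files are assumptions constructed for the demonstration; a name found in the headers may still be a stub, which is what NO_WOLFSSL_STUB compiles out.

```sh
#!/bin/sh
# Added example (not wolfSSL code): list OpenSSL-style calls in application
# sources that no compatibility header maps or declares. Needs GNU grep.
LC_ALL=C; export LC_ALL   # sort and comm must agree on ordering

# Assumed pattern for "OpenSSL API call"; extend it for other API families.
API_RE='\b((SSL|EVP|BIO|X509|ERR)_[A-Za-z0-9_]+|SHA[0-9]*(_[A-Za-z0-9_]+)?)[[:space:]]*\('

# used_api SRC_DIR: unique OpenSSL-style identifiers called in *.c and *.h
used_api() {
    grep -rhoE --include='*.c' --include='*.h' "$API_RE" "$1" |
        sed -E 's/[[:space:]]*\($//' | sort -u
}

# provided_api HDR_DIR: names the headers map with #define or declare as
# functions. A stub implementation still counts as provided here.
provided_api() {
    {
        grep -rhE --include='*.h' \
            '^[[:space:]]*#[[:space:]]*define[[:space:]]+[A-Za-z_]' "$1" |
            sed -E 's/^[[:space:]]*#[[:space:]]*define[[:space:]]+([A-Za-z_][A-Za-z0-9_]*).*/\1/'
        grep -rhoE --include='*.h' '\b[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\(' "$1" |
            sed -E 's/[[:space:]]*\($//'
    } | sort -u
}

# missing_api SRC_DIR HDR_DIR: calls used by the app but absent from headers
missing_api() {
    audit_tmp=$(mktemp -d) || return 1
    used_api "$1" > "$audit_tmp/used"
    provided_api "$2" > "$audit_tmp/provided"
    comm -23 "$audit_tmp/used" "$audit_tmp/provided"
    rm -rf "$audit_tmp"
}

# make_sample DIR: write constructed sample input (not real project files)
make_sample() {
    mkdir -p "$1/app" "$1/compat"
    cat > "$1/app/server.c" <<'EOF'
/* constructed sample, modelled on the server snippet from the slides */
ssl = SSL_new(ctx);
SSL_set_fd(ssl, connd);
if (SSL_accept(ssl) != 1) {
    ERR_error_string(ERR_get_error(), msg);
}
ret = SSL_read(ssl, msg, SIZE - 1);
SHA256(msg, ret, digest);
SSL_hypothetical_feature(ssl);   /* made-up name, not a real API */
EOF
    cat > "$1/compat/ssl.h" <<'EOF'
/* constructed stand-in for the compatibility headers, not the real file */
#define SSL_new     wolfSSL_new
#define SSL_set_fd  wolfSSL_set_fd
#define SSL_accept  wolfSSL_accept
#define SSL_read    wolfSSL_read
#define ERR_error_string wolfSSL_ERR_error_string
unsigned long ERR_get_error(void);
unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md);
EOF
}

# Demonstration on the constructed sample
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "calls with no compatibility mapping:"
missing_api "$demo_dir/app" "$demo_dir/compat"
rm -rf "$demo_dir"
```

For a real migration, point the second argument at the directory holding ./wolfssl/openssl/*.h from the wolfSSL source tree.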
Email facts@wolfssl.com
Questions?

wolfSSL : Compatibility layer webinar
