Outline
A. What is the wolfSSL compatibility layer
B. Building wolfSSL with compatibility layer
C. Simple example application demonstration
D. Examples of major projects
● Dual Licensed GPLv2 and Commercial TLS implementation
● Securing over 2 billion connections worldwide
● Meeting high standards of security (FIPS certificate, DO-178, extensive testing)
● Progressive cryptography leading TLS 1.3 adoption
● Resource conscious for use in embedded IoT scaled all the way up to large server farms
● Maps a subset of the OpenSSL API down to native wolfSSL API
● Used for easily switching applications designed for OpenSSL to wolfSSL
● Includes more than 500 of the most commonly used OpenSSL functions
● Maps a subset of OpenSSL structures and enums to wolfSSL implementations
● Main SSL/EVP/BIO type functions are mapped to native wolfSSL API
● EVP init, update, final mapped to wolfSSL implementations
● Sign and verify support with EVP_SignInit, EVP_SignUpdate, EVP_SignFinal
● Hashing and AES calls such as SHA(), SHA256()
● Support for PKEY structures
● Allows for easily migrating a project from OpenSSL to wolfSSL
[Diagram: Application, wolfSSL, OpenSSL]
● #include <wolfssl/openssl/ssl.h> is main header:
typedef WOLFSSL_EVP_PKEY EVP_PKEY;
typedef WOLFSSL_BIO BIO;
typedef WOLFSSL_BIO_METHOD BIO_METHOD;
typedef WOLFSSL_CIPHER SSL_CIPHER;
typedef WOLFSSL_X509_LOOKUP X509_LOOKUP;
typedef WOLFSSL_X509_LOOKUP_METHOD X509_LOOKUP_METHOD;
typedef WOLFSSL_X509_CRL X509_CRL;
…
#define SSL_CTX_new wolfSSL_CTX_new
#define SSL_new wolfSSL_new
#define SSL_set_fd wolfSSL_set_fd
#define SSL_get_fd wolfSSL_get_fd
#define SSL_connect wolfSSL_connect
#define SSL_clear wolfSSL_clear
…
● Benefits:
  ○ Can make use of wolfSSL hardware acceleration implementations
  ○ TLS 1.3 implementation
  ○ Reduced footprint size
  ○ Potential to use wolfSSL FIPS
  ○ Supported by wolfSSL engineers who work with and developed the code
  ○ Clear licensing models
● OpenSSL FIPS expected to drop to historical list on January 1, 2020
● OpenSSL 3.0 FIPS not expected to be available until 2021 (leaving a full year of no FIPS support)
● wolfSSL maintains current FIPS support and is used in numerous FIPS commercial applications
● wolfSSL has FIPS ready build to help get projects ready for FIPS validation
B. Building wolfSSL with compatibility layer
● Enable with --enable-opensslextra or by defining the macro OPENSSL_EXTRA, i.e. ./configure --enable-opensslextra
● Include <wolfssl/options.h> as the first wolfSSL header
● Header files for migration are located under:
  ○ ./wolfssl/openssl/*.h
  ○ Ex: <wolfssl/openssl/ssl.h>
● In some cases stub functions are used; they can be seen with the debug log (--enable-debug)
● Macro NO_WOLFSSL_STUB compiles out all stub functions
● Additional features such as key generation and algorithms need to be controlled with enable options such as --enable-keygen
C. Simple example application demonstration
● When migrating an application from OpenSSL to wolfSSL:
  ■ Add ./wolfssl/* to include path, so app can include header like:
    ● #include <openssl/ssl.h>
  ■ Or, switch application includes from 1) to 2)
    1. #include <openssl/ssl.h>
    2. #include <wolfssl/openssl/ssl.h>
● When porting an application from OpenSSL to wolfSSL:
  ■ Link against wolfSSL instead of OpenSSL
    ● OpenSSL libraries typically (-lssl -lcrypto)
    ● wolfSSL libraries (-lwolfssl)
No code changes needed to application C files
● OpenSSL
$ gcc the_great_migration.c -o open.out -lssl -lcrypto
● wolfSSL
$ gcc -I /path-to/wolfssl/wolfssl -I /path-to/wolfssl -include wolfssl/options.h the_great_migration.c -o wolf.out -lwolfssl
/* establish TLS connection */
printf("TCP connection established now setting up TLS\n");
ssl = SSL_new(ctx);
if (ssl == NULL) {
    printf("unable to create SSL object\n");
    return -1;
}
SSL_set_fd(ssl, connd);
ret = SSL_accept(ssl);
if (ret != 1) {
    /* fetch the queued library error and convert it to text;
     * ERR_error_string needs msg to hold at least 256 bytes */
    ret = ERR_get_error();
    ERR_error_string(ret, msg);
    printf("[%d] error %s in SSL accept\n", ret, msg);
    return -1;
}

/* Read and write message */
memset(msg, 0, SIZE);
/* read at most SIZE - 1 bytes so msg stays NUL-terminated for %s */
ret = SSL_read(ssl, msg, SIZE - 1);
if (ret > 0) {
    printf("Read : %s\n", msg);
    ret = SSL_write(ssl, "Hello world\n", sizeof("Hello world\n"));
}
Comparison of heap usage of server with cipher suite ECDHE-RSA-AES256-GCM-SHA384
● OpenSSL 1.1.1 compared with wolfSSL 4.1.0 (./configure --enable-opensslextra)
● Using Valgrind + massif + massif-visualizer on Ubuntu 18.04
● Same server-tls.c application, first linked to OpenSSL and then, without code change, linked to wolfSSL
D. Examples of major projects
● Examples of applications that have been compiled using the OpenSSL Compatibility Layer
  ○ Apache
  ○ QT
  ○ NGINX
  ○ MySQL
  ○ curl
  ○ Stunnel
  ○ and many more...
● Most migrations done for larger open source projects have a build option associated with the port.
● An example of this would be “./configure --enable-nginx” or “./configure --enable-haproxy”
● The full changes done to Nginx can be seen on our GitHub repository at wolfSSL/wolfssl-nginx.
● Because the compatibility layer is a subset of the OpenSSL API, there is a chance that some API used by the application is not yet implemented
● Easiest way to tell is to enable all OpenSSL features and link against wolfSSL
● For missing API we accept feature requests or offer consulting to expand the compatibility layer as needed
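A quick source-level check that complements the link test above, as an added example that is not from the webinar or from wolfSSL: a heuristic shell audit listing which OpenSSL-style names in an application appear as `#define` or `typedef` mappings in the compatibility headers. The header excerpt and `app.c` are constructed samples (the header lines follow the header slide), and `SSL_hypothetical_feature` is a made-up name.

```shell
#!/bin/sh
# Added example: heuristic pre-migration audit, not part of wolfSSL.
export LC_ALL=C   # sort and comm must agree on collation

# Names a compatibility header provides: "#define NAME ..." macros and
# "typedef WOLFSSL_X NAME;" aliases, the two forms shown on the header slide.
compat_names() {
    sed -n \
        -e 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p' \
        -e 's/^[[:space:]]*typedef[[:space:]]\{1,\}WOLFSSL_[A-Za-z0-9_]*[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\);.*/\1/p' \
        "$@" | sort -u
}

# OpenSSL-style identifiers used by the application: split the source into
# identifier tokens and keep those with a common OpenSSL prefix.
app_names() {
    cat "$@" | tr -c 'A-Za-z0-9_' '\n' |
        grep -E '^(SSL|EVP|BIO|ERR|X509)_[A-Za-z0-9_]+$' | sort -u
}

# Usage: compat_audit SOURCE HEADER...
# Prints MAPPED / NOT-FOUND per name; returns 1 if any name has no mapping.
compat_audit() {
    src=$1; shift
    hdr_list=$(mktemp) && app_list=$(mktemp) || return 2
    compat_names "$@" > "$hdr_list"
    app_names "$src" > "$app_list"
    comm -12 "$app_list" "$hdr_list" | sed 's/^/MAPPED /'
    not_found=$(comm -23 "$app_list" "$hdr_list")
    rm -f "$hdr_list" "$app_list"
    [ -z "$not_found" ] && return 0
    printf '%s\n' "$not_found" | sed 's/^/NOT-FOUND /'
    return 1
}

# Constructed samples: a short header excerpt and a small application file.
write_samples() {
    cat > "$1/ssl_excerpt.h" <<'EOF'
typedef WOLFSSL_EVP_PKEY EVP_PKEY;
typedef WOLFSSL_BIO BIO;
typedef WOLFSSL_X509_CRL X509_CRL;
#define SSL_CTX_new wolfSSL_CTX_new
#define SSL_new wolfSSL_new
#define SSL_set_fd wolfSSL_set_fd
#define SSL_get_fd wolfSSL_get_fd
#define SSL_connect wolfSSL_connect
#define SSL_clear wolfSSL_clear
EOF
    cat > "$1/app.c" <<'EOF'
X509_CRL *crl = NULL;
ssl = SSL_new(ctx);
SSL_set_fd(ssl, fd);
ret = SSL_connect(ssl);
SSL_hypothetical_feature(ssl); /* made-up name, not a real API */
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
compat_audit "$demo_dir/app.c" "$demo_dir/ssl_excerpt.h" ||
    echo "some names have no mapping in the headers given"
rm -rf "$demo_dir"
```

Against a real tree, pass ./wolfssl/openssl/*.h as the headers. A header match does not show whether the function behind it is a stub; the debug log and the NO_WOLFSSL_STUB build described earlier cover that.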
Email facts@wolfssl.com
Questions?

wolfSSL : Compatibility layer webinar
