The document discusses the wolfSSL compatibility layer which maps a subset of the OpenSSL API to the native wolfSSL API. This allows applications designed for OpenSSL to be easily switched to use wolfSSL instead without code changes. The compatibility layer includes over 500 commonly used OpenSSL functions and structures. An example is provided of building and running a simple TLS server application with wolfSSL using the compatibility layer without any code changes from the OpenSSL version. Major projects that have been ported using the layer include Apache, Nginx, MySQL and more.
wolfSSL : Compatibility layer webinar
1.
2. A. What is the wolfSSL compatibility layer
B. Building wolfSSL with compatibility layer
C. Simple example application demonstration
D. Examples of major projects
Outline
3. ● Dual Licensed GPLv2 and Commercial TLS implementation
● Securing over 2 billion connections worldwide
● Meeting high standards of security (FIPS certificate, DO-178,
extensive testing)
● Progressive cryptography leading TLS 1.3 adoption
● Resource conscious for use in embedded IoT scaled all the way up
to large server farms
4. ● Maps a subset of the OpenSSL API down to native wolfSSL API
● Used for easily switching applications designed for OpenSSL to
wolfSSL
● Includes more than 500 of the most commonly used OpenSSL
functions
● Maps a subset of OpenSSL structures and enums to wolfSSL
implementations
● Main SSL/EVP/BIO type functions are mapped to native wolfSSL API
5. ● EVP init, update, final mapped to wolfSSL
implementations
● Sign and verify support with EVP_SignInit,
EVP_SignUpdate, EVP_SignFinal
● Hashing and AES calls such as SHA(), SHA256()
● Support for PKEY structures
6. ● Allows for easily migrating a project from OpenSSL
to wolfSSL
[Diagram: Application → OpenSSL API (compatibility layer) → wolfSSL]
8. ● Benefits:
○ Can make use of wolfSSL hardware acceleration
implementations
○ TLS 1.3 implementation
○ Reduced footprint size
○ Potential to use wolfSSL FIPS
○ Supported by wolfSSL engineers who work with and
developed the code
○ Clear licensing models
9. ● OpenSSL FIPS expected to drop to historical list on January 1, 2020
● OpenSSL 3.0 FIPS not expected to be available until 2021 (leaving a
full year of no FIPS support)
● wolfSSL maintains current FIPS support and is used in numerous
FIPS commercial applications
● wolfSSL has a FIPS Ready build to help get projects ready for FIPS
validation
10. A. What is the wolfSSL compatibility layer
B. Building wolfSSL with compatibility layer
C. Simple example application demonstration
D. Examples of major projects used in
Outline
11. ● Enable with (--enable-opensslextra) or by defining
the macro OPENSSL_EXTRA
i.e. ./configure --enable-opensslextra
● Include <wolfssl/options.h> as first wolfSSL header
● Header files for migration are located under:
○ ./wolfssl/openssl/*.h
○ Ex: <wolfssl/openssl/ssl.h>
12. ● In some cases stub functions are used; calls into them can be seen in the
debug log (--enable-debug)
● The macro NO_WOLFSSL_STUB compiles out all stub functions
● Additional features such as key generation and extra algorithms need to be
enabled with configure options such as --enable-keygen
13. A. What is the wolfSSL compatibility layer
B. Building wolfSSL with compatibility layer
C. Simple example application demonstration
D. Examples of major projects used in
Outline
14. ● When migrating an application from OpenSSL to
wolfSSL:
■ Add ./wolfssl/* to include path, so app can
include header like:
● #include <openssl/ssl.h>
■ Or, switch application includes from 1) to 2)
1. #include <openssl/ssl.h>
2. #include <wolfssl/openssl/ssl.h>
15. ● When porting an application from OpenSSL to
wolfSSL:
■ Link against wolfSSL instead of OpenSSL
● OpenSSL libraries typically (-lssl
-lcrypto)
● wolfSSL libraries (-lwolfssl)
17. /* Excerpt from server-tls.c: wrap the accepted TCP socket connd in TLS.
 * The same source builds against OpenSSL (-lssl -lcrypto) or wolfSSL (-lwolfssl). */
#include <stdio.h>
#include <string.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#define SIZE 256   /* message buffer; also large enough for ERR_error_string() */

static int serve_client(SSL_CTX* ctx, int connd)
{
    SSL* ssl;
    int ret;
    char msg[SIZE];

    /* establish TLS connection */
    printf("TCP connection established now setting up TLS\n");
    ssl = SSL_new(ctx);
    if (ssl == NULL) {
        printf("unable to create SSL object\n");
        return -1;
    }
    SSL_set_fd(ssl, connd);
    ret = SSL_accept(ssl);
    if (ret != 1) {
        unsigned long err = ERR_get_error();
        ERR_error_string(err, msg);
        printf("[%lu] error %s in SSL accept\n", err, msg);
        SSL_free(ssl);
        return -1;
    }
    /* Read and write message */
    memset(msg, 0, SIZE);
    ret = SSL_read(ssl, msg, SIZE - 1);   /* keep the buffer NUL-terminated for %s */
    if (ret > 0) {
        printf("Read : %s\n", msg);
        ret = SSL_write(ssl, "Hello world\n", sizeof("Hello world\n") - 1);  /* no NUL */
    }
    SSL_shutdown(ssl);
    SSL_free(ssl);
    return (ret > 0) ? 0 : -1;
}
18. Heap-usage comparison: OpenSSL 1.1.1 vs wolfSSL 4.1.0 (./configure --enable-opensslextra)
Measured using Valgrind + massif + massif-visualizer on Ubuntu 18.04
Same server-tls.c application, once linked to OpenSSL and, without any
code change, once linked to wolfSSL
Comparison of heap usage of the server with cipher suite ECDHE-RSA-AES256-GCM-SHA384
19. A. What is the wolfSSL compatibility layer
B. Building wolfSSL with compatibility layer
C. Simple example application demonstration
D. Examples of major projects used in
Outline
20. ● Examples of applications that have been compiled
using OpenSSL Compatibility Layer
○ Apache
○ Qt
○ NGINX
○ MySQL
○ curl
○ Stunnel
○ and many more...
21. ● Most migrations done for larger open source projects have a build
option associated with the port.
● An example of this would be “./configure --enable-nginx” or
“./configure --enable-haproxy”
● The full changes made to Nginx can be seen in our GitHub
repository at wolfSSL/wolfssl-nginx.
22. ● Because the layer is a subset of the OpenSSL API, there is a chance that some
API used by the application has not yet been implemented
● The easiest way to tell is to enable all OpenSSL features and link against
wolfSSL
● For missing API we accept feature requests or offer consulting to
expand the compatibility layer as needed
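A static pre-port check for the missing-API concern above, added here as an example and not wolfSSL's own code: scan the application sources for OpenSSL API calls and compare them with the names the compatibility headers map. The C source and header excerpt inside are constructed samples; a real run would read the application's *.c files and the installed wolfssl/openssl/*.h headers, which are assumed to map names with `#define SSL_x wolfSSL_x` macros or plain prototypes.

```python
"""Pre-port audit: which OpenSSL API names does an application call that the
wolfSSL compatibility headers do not map?  Added example, not wolfSSL code.
The C source and header excerpt are constructed samples; a real run reads the
app's *.c files and <prefix>/include/wolfssl/openssl/*.h (assumed style below)."""
import re

# Calls into the OpenSSL API families the layer covers (SSL/EVP/BIO/ERR/...).
API_CALL = re.compile(r"\b((?:SSL|EVP|BIO|ERR|X509|PEM|RSA|EC)_\w+)\s*\(")
DEFINE = re.compile(r"^\s*#\s*define\s+([A-Za-z_]\w*)", re.M)
PROTOTYPE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")  # name( on non-preprocessor lines

SAMPLE_APP = """\
ctx = SSL_CTX_new(TLS_server_method());
SSL_CTX_set_session_id_context(ctx, sid, sizeof(sid)); /* absent from sample header */
ssl = SSL_new(ctx);
SSL_set_fd(ssl, connd);
if (SSL_accept(ssl) != 1) { err = ERR_get_error(); ERR_error_string(err, msg); }
ret = SSL_read(ssl, msg, SIZE);
ret = SSL_write(ssl, "Hello world\\n", 12);
"""

SAMPLE_COMPAT_HEADER = """\
/* constructed excerpt in the style of <wolfssl/openssl/ssl.h> */
#define SSL_CTX_new     wolfSSL_CTX_new
#define SSL_new         wolfSSL_new
#define SSL_set_fd      wolfSSL_set_fd
#define SSL_accept      wolfSSL_accept
#define SSL_read        wolfSSL_read
#define SSL_write       wolfSSL_write
#define ERR_get_error   wolfSSL_ERR_get_error
WOLFSSL_API char* ERR_error_string(unsigned long e, char* buf);
"""

def openssl_calls(c_source: str) -> set:
    """OpenSSL-style API names the application source calls."""
    return set(API_CALL.findall(c_source))

def mapped_names(header_text: str) -> set:
    """Names a compatibility header provides via #define or a prototype."""
    names = set(DEFINE.findall(header_text))
    for line in header_text.splitlines():
        if not line.lstrip().startswith("#"):
            names.update(PROTOTYPE.findall(line))
    return names

def unmapped_api(c_source: str, header_text: str) -> list:
    """Calls with no mapping: these become 'undefined reference' errors when
    linking with -lwolfssl. Stubbed functions are not caught by this check."""
    return sorted(openssl_calls(c_source) - mapped_names(header_text))
```

Stub functions (slide 12) are mapped and so pass this check; building with NO_WOLFSSL_STUB and then linking remains the authoritative test.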
23. Email facts@wolfssl.com
A. What is the wolfSSL compatibility layer
B. Building wolfSSL with compatibility layer
C. Simple example application demonstration
D. Examples of major projects used in
Questions?