The fundamentals of WolfSSL lie in Secure Sockets Layer (SSL), an internet security protocol capable of establishing encrypted connections between computers on a network. The OpenSSL Project was founded back in 1998 to develop a free, versatile set of encryption tools for online use. Amongst other things this includes open source versions of both the SSL and Transport Layer Security (TLS) protocols.
WolfSSL arrived in 2004, originally titled yaSSL (Yet Another SSL). The project’s founders enjoyed the freedom that came from having an open-source SSL library for creating applications but also wanted a form of SSL that was geared towards commercial applications and worked well in embedded hardware. The result is an SSL library incorporating a compatibility layer for OpenSSL while staying much smaller and faster.
What is WolfSSL?
The very first major usage of WolfSSL was in the open-source database management system MySQL. With time other open-source projects came to embrace the WolfSSL library such as the FOSS Apache and Mongoose web servers and even the Ubuntu Linux operating system. The WolfSSL project website claims that today over two billion connections are secured by their library.
WolfSSL actually refers to a number of products, the primary one of which is WolfSSL itself. It’s a lightweight SSL/TLS Library written in the ANSI C Programming Language. The developers mean this in a literal sense as WolfSSL was written “from the ground up” and doesn’t include most of the legacy code included with OpenSSL, whilst still maintaining compatibility.
It supports both the TLS and DTLS 1.3 Protocols meaning it delivers maximum security for encrypting connections. For security reasons, SSL is disabled, though developers can manually enable it.
The project website claims that WolfSSL is around twenty times smaller than equivalent libraries, has a footprint of 20 - 100K, using just 1 - 36Kb of runtime memory. This makes WolfSSL ideal for embedding on hardware and the creators have published an extensive list of products which use the library including home energy monitors and POS systems.
The set-up also makes it easy not only to release WolfSSL products under a commercial licence but also offer paid training and support packages, making them a lot more business friendly than other SSL libraries which usually only make the code available online.
WolfSSL: Crypto
WolfSSL is powered by the WolfCrypt library. There are two versions of this on the project page, one of which has been FIPS (Federal Information Processing Standards) 140-2 Certified. Effectively, this means that the cryptography used complies with certain government-mandated standards.
If a vendor wishes to use the WolfCrypt cryptographic software API library in their own product, this means that they can truthfully claim they’re running a FIPS-certified cryptographic module in their product without having to go through the certification process themselves. WolfSSL have designed their products’ FIPS boundary in such a way that this is much easier to do relative to other FIPS-accredited SSL libraries like OpenSSL.
The WolfCrypt cryptography engine is written in ANSI C like WolfSSL itself and also like WolfSSL, is designed to perform well in embedded systems and low-resource environments.
The crypto library supports all the standard encryption methods you’d expect such as RSA, AES and ChaCha20 as well as more exotic ones like HC-128 and RABBIT. It even supports NTRU, which is supposedly able to withstand decryption even by quantum computers though there’s no way to test this at present.
The WolfCrypt library is designed to work on both hardware and software. It can generate both keys and certificates and can even make use of ECC (Elliptic Curve Cryptography) up to 521 Bits. ECC offers the same protection as conventional crypto but does so in a more efficient way, making it perfect once again for low-resource environments.
The library also makes use of a hash-based PRNG (Pseudo-random number generator). These are excellent for producing random numbers in a short time to use for the basis for encryption keys. Producing a hash of the random ‘entropy pool’ also means the WolfCrypt functions don’t expose the raw random data, which would be cryptographically insecure.
WolfSSL and VPNs
WolfSSL’s lightweight library combined with a powerful cryptographic engine makes it perfect for use with the best VPNs. The software can be compiled directly to support the secure OpenVPN protocol.
For example, a custom “Lightway” protocol deployed by ExpressVPN employs WolfSSL for secure encryption, with the company highlighting the advantages of using an embedded and open-source crypto library that has been robustly tested rather than developing their own.
WolfSSL and SSH
WolfSSH is also in the works - a portable lightweight, SSH v2 client for virtually every platform. Like WolfSSL, it draws on the WolfCrypt library to secure connections. This means it’s FIPS-certified, plus it supports all popular encryption schemes such as RSA to generate/validate SSH keys and AES to secure connections.
Its untime memory usage is 1 - 2.4 Kb meaning it’s also perfect for low-resource environments and/or being embedded in hardware such as the Apple TV 2. There is also support for a number of chipsets including ARM, Intel and Texas Instruments.
The software is available for virtually every platform including Windows, macOS, Linux and various BSD implementations.
WolfSSL: Security flaws
In July 2020, a researcher at UK-based cybersecurity firm NCC Group found a serious security flaw in the WolfSSL library. It was found that under certain circumstances, it could be used to impersonate servers using TLS 1.3, leaving users vulnerable to a “man in the middle” attack.
A patch was released the following day by the team at WolfSSL, with a WolfSSL spokesperson congratulating the security researcher on his find and encouraging others to try to come forward and “break” WolfSSL’s code so that more vulnerabilities could be found and fixed.
The project website maintains a page of known security vulnerabilities and how long it took to fix them. Some of these are fairly low risk but others may still allow bad actors to impersonate TLS servers or carry out DDoS attacks. For that reason, it’s critical to keep WolfSSL up to date, alongside additional security such as DDoS protection, if you implement it in your products.
