Recipes
Recipe #1 Minimum Footprint
Many users are on deeply embedded systems, where memory resources are tight. For those users, this section describes methods to reduce the footprint size of wolfSSL.
- Limit supported protocol versions to only those required, for example only allowing TLS 1.2 connections.
- Remove unnecessary library features at compile time - section 2.4.1 of the wolfSSL manual.
- Choose a limited set of cipher suites:
  a. Memory usage difference between RSA, ECC and PSK.
  b. Choose smaller key sizes - section 4.3 of the wolfSSL manual.
- Take advantage of hardware crypto if available - section 4.4 of the wolfSSL manual.
- Use compiler and toolchain optimizations.
- Decrease maximum SSL record size if you control both ends of the connection.
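One way to apply these steps, as an added example that is not taken from the wolfSSL manual or repository: a user_settings.h for a TLS 1.2-only, ECC-only client build. The particular set of defines, the 4096-bit FP_MAX_BITS bound and the client-only assumption are choices made for this example and should be adjusted to the target.

```c
/* user_settings.h: added example of a minimum-footprint wolfSSL build
 * (not from the wolfSSL manual). Assumes a TLS 1.2-only, ECC-only client.
 * Compile with -DWOLFSSL_USER_SETTINGS so wolfSSL reads this file. */
#ifndef USER_SETTINGS_H
#define USER_SETTINGS_H

/* 1. Limit protocol versions: drop SSLv3/TLS 1.0/1.1; TLS 1.3 is not
 *    enabled (no WOLFSSL_TLS13), so only TLS 1.2 remains. */
#define NO_OLD_TLS

/* 2. Remove unneeded library features (manual section 2.4.1). */
#define NO_WOLFSSL_SERVER       /* client-only build (assumption) */
#define NO_FILESYSTEM           /* certificates come from memory buffers */
#define NO_WRITEV
#define NO_DEV_RANDOM           /* platform supplies its own RNG seed */
#define NO_ERROR_STRINGS        /* trades error text for flash space */
#define NO_SESSION_CACHE
#define SINGLE_THREADED
#define WOLFSSL_SMALL_STACK     /* move large temporaries off the stack */

/* 3. Limit cipher suites and key types (manual section 4.3):
 *    ECDHE-ECDSA with AES-GCM only; RSA, DH, DSA, PSK and legacy
 *    ciphers are compiled out. */
#define NO_RSA
#define NO_DH
#define NO_DSA
#define NO_PSK
#define NO_DES3
#define NO_RC4
#define NO_RABBIT
#define NO_HC128
#define NO_MD4
#define NO_PWDBASED
#define HAVE_ECC
#define ECC_USER_CURVES         /* only P-256, which stays enabled by default */
#define HAVE_AESGCM
#define HAVE_TLS_EXTENSIONS     /* needed for curve negotiation below */
#define HAVE_SUPPORTED_CURVES

/* Smaller keys: fastmath buffers are sized from FP_MAX_BITS, which must
 * be at least twice the largest key (in bits) in any chain you verify.
 * 4096 is an assumed upper bound here; lower it if the chain allows. */
#define USE_FAST_MATH
#define FP_MAX_BITS 4096
#define TFM_TIMING_RESISTANT    /* keep side-channel hardening even when small */
#define ECC_TIMING_RESISTANT

/* 4. Hardware crypto (manual section 4.4) needs platform-specific defines
 *    and is left out here. 5. Smaller records: negotiate the max fragment
 *    length extension (wolfSSL_CTX_UseMaxFragment) to shrink I/O buffers. */
#define HAVE_MAX_FRAGMENT

/* Sanity check: never strip every key-exchange algorithm by mistake. */
#if defined(NO_RSA) && !defined(HAVE_ECC) && defined(NO_PSK)
#error "No key exchange left: enable ECC, RSA or PSK"
#endif

#endif /* USER_SETTINGS_H */
```

NO_DEV_RANDOM leaves the build without an entropy source, so the port must provide one through wolfSSL's custom RNG seed hook before this configuration is usable.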
Recipe #2 Maximum Speed
Adding SSL/TLS to a connection inevitably reduces performance. Our goal is to make that performance decrease as small as possible. This section describes ways to speed up wolfSSL, both during and after the handshake.
There are two main areas of concern regarding performance:
- SSL/TLS handshake speed.
- Data flow rate (bulk data transfer, after the SSL handshake).
When optimizing SSL handshake performance, items to consider include:
- Use a faster math library (big integer vs. fastmath).
- Take advantage of hardware crypto if available - section 4.4 of the wolfSSL manual.
- Key size - Chapter 4 of the wolfSSL manual.
- Key type (RSA vs ECC for example).
- Trade off between handshake speed and security level (such as client/server cert verification - section 4.8 of the wolfSSL manual).
- Consider using PSK (pre-shared keys) - section 4.7 of the wolfSSL manual.
For maximum data flow rate in a streaming media environment, for example a video game, VoIP application, or cloud infrastructure, cipher suite choice is critical. In this recipe there are many options depending on the hardware environment and number of connections. To keep the recipe usable, we will focus on a single connection running on a typical cloud-based server.
When optimizing for maximum data flow rate, items to consider include:
- Choose cipher suites that prioritize faster algorithms over slower ones, for example stream ciphers such as Rabbit and HC-128.
- Take advantage of better compiler optimization. (I am not sure if this is a user’s practical option).
- Take advantage of hardware crypto if available.
Recipe #3 Maximum Security
The security of an SSL/TLS connection should be of high concern, since having a secure communication channel is the primary reason for adding SSL/TLS to a project.
As with all cryptography-based protocols, SSL/TLS security recommendations can change as new attacks and vulnerabilities are discovered and released. Optimizing for maximum security can have negative effects on both memory usage and performance, depending on configuration.
- Cipher suite choices based on the best currently available information.
- Key size choices based on the best currently available information.
- Other considerations…
As you can see from the basic recipes above, optimizing SSL is a complex multivariate problem that depends heavily on a wide range of assumptions about your initial environment. We are here to help. The wolfSSL team has successfully guided a vast number of our customers through these choices. We can support you in an entire spectrum of ways, from the simple question and answer process of typical commercial support, to short term professional design consulting, up to managing the entire implementation of your SSL project.