Topic: Porting from unsecure emails to using WolfSSL

I have an embedded application that sends a simple, unsecured email on port 25 (or another user-specified unsecured port).  Really simple emails like 'Lights ON', 'Door Open' or 'Gate Closed'.  Ones that really don't need to be secure.  I wrote my own custom stack and packet TX/RX system to keep the footprint very small, and I use Keil as my compiler.

I need to port/enhance this code to use SSL/TLS, so that ports like 587 can be used.  Some customers' email servers are no longer allowing unsecured ports like 25.

So, is there a way to customize WolfSSL to:

1.  Use ports 587 or similar, but have minimal security/encryption.
2.  I don't need to validate certificates or even need them at all.  I just need to send these same emails using secure ports.
3.  Can I use my existing stack and just use WolfSSL functionality that I need to achieve minimal security/encryption?
4.  I'm not using an RTOS.  It's an ARM.

I understand that there may be a minimal amount of encryption that must be used for this.  But I'm not sure what that would be.  Any advice would be extremely helpful.

Sutton


Re: Porting from unsecure emails to using WolfSSL

Hi dodge55,

Yes, it is totally possible to use ports other than 443. Use TCP APIs to connect to whatever port you wish and set the resulting FD with wolfSSL_set_fd(ssl, sockfd). For examples, you can find some simpler ones in our GitHub wolfssl-examples repo, like this simple client here: https://github.com/wolfSSL/wolfssl-exam … ient-tls.c

There are two options WRT certs. You can either use pre-shared keys to avoid sending any certs, but this requires both client and server to share a common key in advance, e.g. you need to provision all clients and servers where every server has keys for every client it expects to connect.

The other option to not send certificates would be to use a cipher suite that typically uses certs but disable all cert verification all the time. This is not recommended. There would still be a key exchange happening in this case, though, and if you don't send certs it's likely the peer is still going to want them, e.g. the servers handling the emails. I don't think you can get around the certificates requirement.

Warm Regards,

K
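A worked example, added here and not part of the reply above or of the wolfssl-examples repo: a client for port 587 has to do one thing the reply does not spell out. Port 587 is SMTP submission with STARTTLS (RFC 3207), so the client first exchanges plaintext SMTP commands on the socket (banner, EHLO, STARTTLS) and only then runs wolfSSL_connect() on that same file descriptor. The C below implements that preamble over caller-supplied transmit/receive hooks (names such as smtp_rx_fn, smtp_starttls_preamble, demo_preamble and the HAVE_WOLFSSL build flag are this example's own assumptions, not wolfSSL API), exercises it against a constructed server transcript, and shows the attach step with the wolfSSL calls the reply names, including the verify-off setting it warns against.

```c
/* Added example; not code from the wolfSSL reply or the wolfssl-examples repo.
 * Port 587 is SMTP submission with STARTTLS (RFC 3207): the client talks plain SMTP
 * first, sends STARTTLS, and only after the server's 220 reply hands the same socket
 * to TLS. The preamble runs offline against a constructed server transcript; the
 * wolfSSL attach compiles only when HAVE_WOLFSSL is defined (build assumption). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Transport hooks (this example's own names) so the code fits any stack. */
typedef int (*smtp_rx_fn)(void *io, char *buf, size_t cap);       /* bytes read, <0 on error */
typedef int (*smtp_tx_fn)(void *io, const char *buf, size_t len);  /* bytes sent, <0 on error */
enum { SMTP_OK = 0, SMTP_ERR_GREETING = -1, SMTP_ERR_EHLO = -2,
       SMTP_ERR_NO_STARTTLS = -3, /* not advertised: fail, never fall back to plaintext */
       SMTP_ERR_STARTTLS = -4, SMTP_ERR_IO = -5 /* transport error or malformed reply */ };

/* Reads one SMTP reply ("250-..." lines continue it, "250 ..." ends it). Returns the
 * 3-digit code or -1; sets *has_starttls if a STARTTLS capability line appears. */
static int smtp_read_reply(smtp_rx_fn rx, void *io, int *has_starttls)
{
    char line[128], c; size_t n = 0;
    for (;;) {
        if (rx(io, &c, 1) != 1 || n >= sizeof line - 1) return -1;
        line[n++] = c;
        if (c != '\n') continue;
        line[n] = '\0';
        if (n < 4 || !isdigit((unsigned char)line[0]) || !isdigit((unsigned char)line[1])
            || !isdigit((unsigned char)line[2])) return -1;
        if (has_starttls && (line[3] == ' ' || line[3] == '-')
            && strncmp(line + 4, "STARTTLS", 8) == 0) *has_starttls = 1;
        if (line[3] == '-') { n = 0; continue; }           /* more lines follow */
        if (line[3] != ' ' && line[3] != '\r') return -1;  /* malformed final line */
        return (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    }
}
static int expect_code(smtp_rx_fn rx, void *io, int want, int *flag, int err)
{
    int code = smtp_read_reply(rx, io, flag);
    return code < 0 ? SMTP_ERR_IO : (code == want ? SMTP_OK : err);
}

/* Banner -> EHLO -> STARTTLS. On SMTP_OK the connection is ready for the TLS
 * handshake; once that succeeds the client must send EHLO again inside TLS. */
int smtp_starttls_preamble(smtp_rx_fn rx, smtp_tx_fn tx, void *io, const char *ehlo_name)
{
    char cmd[80]; int has_starttls = 0, r, n;
    if ((r = expect_code(rx, io, 220, NULL, SMTP_ERR_GREETING)) != SMTP_OK) return r;
    n = snprintf(cmd, sizeof cmd, "EHLO %s\r\n", ehlo_name);
    if (n <= 0 || (size_t)n >= sizeof cmd || tx(io, cmd, (size_t)n) != n) return SMTP_ERR_IO;
    if ((r = expect_code(rx, io, 250, &has_starttls, SMTP_ERR_EHLO)) != SMTP_OK) return r;
    if (!has_starttls) return SMTP_ERR_NO_STARTTLS;
    if (tx(io, "STARTTLS\r\n", 10) != 10) return SMTP_ERR_IO;
    return expect_code(rx, io, 220, NULL, SMTP_ERR_STARTTLS);
}

/* Constructed in-memory server so the preamble can be exercised without a network. */
struct fake_io { const char *script; size_t pos; char sent[128]; size_t sent_len; };
static int fake_rx(void *io, char *buf, size_t cap)
{
    struct fake_io *f = io;
    if (cap == 0 || f->script[f->pos] == '\0') return -1;   /* server closed */
    buf[0] = f->script[f->pos++]; return 1;
}
static int fake_tx(void *io, const char *buf, size_t len)
{
    struct fake_io *f = io;
    if (f->sent_len + len >= sizeof f->sent) return -1;
    memcpy(f->sent + f->sent_len, buf, len); f->sent_len += len;
    f->sent[f->sent_len] = '\0'; return (int)len;
}
const char *const DEMO_SCRIPT_OK = "220 mail.example.com ESMTP ready\r\n"
    "250-mail.example.com\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
    "220 2.0.0 Ready to start TLS\r\n";
const char *const DEMO_SCRIPT_NO_STARTTLS =
    "220 mail.example.com ESMTP ready\r\n250-mail.example.com\r\n250 8BITMIME\r\n";
static char demo_sent[128];
int demo_preamble(const char *server_script)   /* runs the preamble; returns SMTP_* */
{
    struct fake_io f = { server_script, 0, {0}, 0 };
    int r = smtp_starttls_preamble(fake_rx, fake_tx, &f, "gateway.local");
    memcpy(demo_sent, f.sent, sizeof demo_sent);
    return r;
}
const char *demo_last_sent(void) { return demo_sent; }

#ifdef HAVE_WOLFSSL
#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
/* After SMTP_OK: hand the already-connected socket to wolfSSL. ctx comes from
 * wolfSSL_CTX_new(wolfTLSv1_2_client_method()) after wolfSSL_Init(), with the mail
 * server's CA loaded by wolfSSL_CTX_load_verify_buffer(); wolfSSL_CTX_set_verify(ctx,
 * WOLFSSL_VERIFY_NONE, NULL) instead gives the reply's "not recommended" unauthenticated
 * mode. A custom stack registers wolfSSL_CTX_SetIORecv/SetIOSend callbacks, not set_fd. */
WOLFSSL *smtp_attach_tls(WOLFSSL_CTX *ctx, int sockfd)
{
    WOLFSSL *ssl = wolfSSL_new(ctx);
    if (ssl && wolfSSL_set_fd(ssl, sockfd) == WOLFSSL_SUCCESS
            && wolfSSL_connect(ssl) == WOLFSSL_SUCCESS) return ssl;
    if (ssl) wolfSSL_free(ssl);
    return NULL;
}
#endif
```

On port 465 (implicit TLS) there is no preamble: the attach step runs immediately after the TCP connect. On 587 the one check that matters for security is the SMTP_ERR_NO_STARTTLS path: if the server's EHLO reply does not advertise STARTTLS (or an on-path attacker has stripped it), the client must stop rather than send the message in the clear, otherwise the "secure port" buys nothing over port 25. Disabling verification with WOLFSSL_VERIFY_NONE keeps the traffic encrypted but lets anyone who can intercept the connection pose as the mail server, which is why embedding the server's CA and leaving verification on is the better answer to question 2.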