The wolfSSL lightweight SSL/TLS library now supports TLS 1.3 (Draft 18) on both the client and server side!


A BETA release of wolfSSL (wolfSSL 3.11.1) is available for download from our download page.  This release is strictly BETA, and designed for testing and user feedback.  Users and customers wanting a stable and production-ready version of wolfSSL should remain on version 3.11.0.


Advantages to Using TLS 1.3


There are many benefits in changing to the newest version of the TLS specification.


One significant difference you will notice is the reduced number of round trips needed for a full handshake.  Older versions of the TLS protocol require two complete round trips before the client can send application data.  With TLS v1.3 only one round trip is required!  Additionally, the server can send application data immediately after its own first flight of handshake messages, in response to the client's first handshake message.  This means network latency has less impact on the time required to establish a secure connection.


Another difference is the way session resumption works in TLS v1.3. Previous versions of TLS have the client send a session ID which the server has to look up in its cache. If there is a match, both sides reuse the security parameters of the earlier session. This is a very simplistic mechanism, and it requires every server that might receive the resumption attempt to share that cache state.


TLS v1.3 has made significant improvements by re-purposing the session ticket mechanism that was tacked onto older versions of TLS. After the handshake is complete, the server sends the client a new session ticket. To the client the ticket is an opaque blob of data. On the server it can be a database lookup key like the old session ID; alternatively, it can be a self-encrypted and self-authenticated value that contains the state of the previous connection, so the server does not need to keep any per-session state at all. One caveat: a self-contained ticket is only as private as the key the server uses to seal it. That key must be protected and rotated, because anyone who obtains it can read every ticket it has issued.
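As an added illustration of the stateless alternative described above (this is example code written for this page, not wolfSSL's ticket implementation), the following Go program seals a small resumption record under a server-held AES-256-GCM key, binds a key identifier to the ciphertext as associated data so that the server can rotate keys, and rejects tickets that have been tampered with, were issued under a different key, or have expired. The record layout, the field set and the lifetime policy are assumptions made for the example only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// ResumptionState is the per-session state a server would otherwise keep in a
// cache. The field set is an assumption made for this example.
type ResumptionState struct {
	CipherSuite      uint16   // e.g. 0x1301 = TLS_AES_128_GCM_SHA256
	ResumptionSecret [32]byte // secret the resumed handshake's PSK is derived from
	Issued           time.Time
}

const stateLen = 2 + 32 + 8 // serialised ResumptionState

// TicketIssuer seals and opens tickets with one server-held key. Anyone holding
// the key can read every ticket it issued, so rotate it and never export it.
type TicketIssuer struct {
	keyID    uint32 // lets the server pick the right key during rotation
	aead     cipher.AEAD
	lifetime time.Duration
}

func NewTicketIssuer(keyID uint32, key []byte, lifetime time.Duration) (*TicketIssuer, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TicketIssuer{keyID: keyID, aead: aead, lifetime: lifetime}, nil
}

// Encode produces: key_id(4) | nonce(12) | AES-GCM(ciphertext || tag).
// key_id is passed as associated data, so it is authenticated but not encrypted.
func (t *TicketIssuer) Encode(s ResumptionState) ([]byte, error) {
	plain := make([]byte, stateLen)
	binary.BigEndian.PutUint16(plain[0:2], s.CipherSuite)
	copy(plain[2:34], s.ResumptionSecret[:])
	binary.BigEndian.PutUint64(plain[34:42], uint64(s.Issued.Unix()))

	header := make([]byte, 4)
	binary.BigEndian.PutUint32(header, t.keyID)
	nonce := make([]byte, t.aead.NonceSize()) // fresh random nonce per ticket
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ticket := append(header, nonce...)
	return t.aead.Seal(ticket, nonce, plain, header), nil
}

// Decode reverses Encode. Every failure means "fall back to a full handshake";
// the reason should not be reported to the client in detail.
func (t *TicketIssuer) Decode(ticket []byte, now time.Time) (ResumptionState, error) {
	var s ResumptionState
	ns := t.aead.NonceSize()
	if len(ticket) < 4+ns+t.aead.Overhead() {
		return s, errors.New("ticket too short")
	}
	header, nonce, sealed := ticket[:4], ticket[4:4+ns], ticket[4+ns:]
	if binary.BigEndian.Uint32(header) != t.keyID {
		return s, errors.New("ticket issued under an unknown key")
	}
	plain, err := t.aead.Open(nil, nonce, sealed, header)
	if err != nil {
		return s, errors.New("ticket failed authentication") // tampered or forged
	}
	if len(plain) != stateLen {
		return s, errors.New("malformed ticket body")
	}
	s.CipherSuite = binary.BigEndian.Uint16(plain[0:2])
	copy(s.ResumptionSecret[:], plain[2:34])
	s.Issued = time.Unix(int64(binary.BigEndian.Uint64(plain[34:42])), 0)
	if now.After(s.Issued.Add(t.lifetime)) {
		return s, errors.New("ticket expired")
	}
	return s, nil
}

func main() {
	key := make([]byte, 32) // constructed fixed key; a real server uses a random, rotated one
	for i := range key {
		key[i] = byte(i)
	}
	issuer, _ := NewTicketIssuer(1, key, time.Hour)
	st := ResumptionState{CipherSuite: 0x1301, Issued: time.Now()}
	if _, err := rand.Read(st.ResumptionSecret[:]); err != nil {
		panic(err)
	}
	ticket, _ := issuer.Encode(st)
	got, err := issuer.Decode(ticket, time.Now())
	fmt.Printf("ticket is %d bytes; resumed suite 0x%04x, err=%v\n", len(ticket), got.CipherSuite, err)
	ticket[len(ticket)-1] ^= 1 // flip one bit of the GCM tag
	_, err = issuer.Decode(ticket, time.Now())
	fmt.Println("tampered ticket:", err)
}
```

Because the key ID is authenticated rather than encrypted, a server can keep the previous key around for one rotation period and still open tickets issued under it, while a ticket whose key ID it no longer recognises simply falls back to a full handshake.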


Finally, the specification has been evaluated by cryptographic experts in an effort to prove the security of the protocol. While no security proof is perfect, the earlier attacks on renegotiation, protocol version downgrading, compression, CBC and padding have been mitigated, and the protocol is generally more resistant to attack.


Differences Between TLS 1.2 and TLS 1.3


The protocol is specified in an IETF Internet-Draft; the revision current at the time of writing dates from April 2017. TLS 1.3 contains improved security and speed. The major differences include:


  1. The list of supported symmetric algorithms has been pruned of all legacy algorithms. The remaining algorithms are all Authenticated Encryption with Associated Data (AEAD) algorithms.

  2. A zero-RTT (0-RTT) mode was added, saving a round trip at connection setup for some application data at the cost of certain security properties: 0-RTT data can be replayed and is not forward secret.

  3. All handshake messages after the ServerHello are now encrypted.

  4. Key derivation functions have been re-designed, with the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) used as the primitive.

  5. The handshake state machine has been restructured to be more consistent and to remove superfluous messages.

  6. ECC is now in the base spec and includes new signature algorithms. Point format negotiation has been removed in favor of a single point format for each curve.

  7. Compression, custom DHE groups, and DSA have been removed; RSA padding now uses PSS.

  8. The TLS 1.2 version negotiation mechanism has been deprecated in favor of a list of supported versions carried in an extension.

  9. Session resumption with and without server-side state, and the PSK-based cipher suites of earlier versions of TLS, have been replaced by a single new PSK exchange.
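To make item 4 concrete, here is an added Go example (written for this page, not wolfSSL code) that implements HKDF-Extract and HKDF-Expand from RFC 5869 and builds the TLS 1.3 key schedule on top of them: HKDF-Expand-Label, Derive-Secret, and the chain from the Early Secret through the Handshake and Master Secrets down to the traffic key and IV. It follows the key schedule as published in RFC 8446, whose label strings differ from the draft revisions this post refers to, so its outputs match the final RFC rather than draft 18 or 20. The shared secret and transcripts used in main are constructed placeholders, not data from a captured handshake.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// RFC 8446 label prefix; the drafts current when this post was written used a
// different prefix, so outputs here match the final RFC rather than draft 18/20.
const labelPrefix = "tls13 "

// hkdfExtract: PRK = HMAC-Hash(salt, IKM). An absent salt is HashLen zero bytes.
func hkdfExtract(h func() hash.Hash, salt, ikm []byte) []byte {
	if len(salt) == 0 {
		salt = make([]byte, h().Size())
	}
	m := hmac.New(h, salt)
	m.Write(ikm)
	return m.Sum(nil)
}

// hkdfExpand: T(i) = HMAC(PRK, T(i-1) | info | i); OKM = first `length` bytes of T(1)|T(2)|...
func hkdfExpand(h func() hash.Hash, prk, info []byte, length int) []byte {
	var okm, prev []byte
	for i := byte(1); len(okm) < length; i++ {
		m := hmac.New(h, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:length]
}

// hkdfExpandLabel encodes the HkdfLabel struct (uint16 length, prefixed label,
// context) and uses it as the HKDF-Expand info parameter.
func hkdfExpandLabel(h func() hash.Hash, secret []byte, label string, context []byte, length int) []byte {
	full := labelPrefix + label
	info := []byte{byte(length >> 8), byte(length), byte(len(full))}
	info = append(info, full...)
	info = append(info, byte(len(context)))
	return hkdfExpand(h, secret, append(info, context...), length)
}

// deriveSecret = HKDF-Expand-Label(secret, label, Transcript-Hash(messages), Hash.length).
func deriveSecret(h func() hash.Hash, secret []byte, label string, transcript []byte) []byte {
	th := h()
	th.Write(transcript)
	return hkdfExpandLabel(h, secret, label, th.Sum(nil), th.Size())
}

// Secrets holds the key-schedule outputs up to the first application traffic secrets.
type Secrets struct {
	Early, Handshake, Master []byte
	ClientHS, ServerHS       []byte // handshake traffic secrets
	ClientApp, ServerApp     []byte // application traffic secrets, generation 0
}

// keySchedule runs the SHA-256 schedule. psk is nil for a full (non-PSK) handshake;
// ecdhe is the (EC)DHE shared secret; hsTranscript covers ClientHello..ServerHello
// and finTranscript covers ClientHello..server Finished.
func keySchedule(psk, ecdhe, hsTranscript, finTranscript []byte) Secrets {
	h := sha256.New
	zeros := make([]byte, sha256.Size)
	if psk == nil {
		psk = zeros // no PSK: the IKM is Hash.length zero bytes
	}
	var s Secrets
	s.Early = hkdfExtract(h, nil, psk)
	s.Handshake = hkdfExtract(h, deriveSecret(h, s.Early, "derived", nil), ecdhe)
	s.ClientHS = deriveSecret(h, s.Handshake, "c hs traffic", hsTranscript)
	s.ServerHS = deriveSecret(h, s.Handshake, "s hs traffic", hsTranscript)
	s.Master = hkdfExtract(h, deriveSecret(h, s.Handshake, "derived", nil), zeros)
	s.ClientApp = deriveSecret(h, s.Master, "c ap traffic", finTranscript)
	s.ServerApp = deriveSecret(h, s.Master, "s ap traffic", finTranscript)
	return s
}

// trafficKeys expands a traffic secret into the AEAD key and IV; 16 and 12 bytes
// are the sizes for AES-128-GCM (the TLS13-AES128-GCM-SHA256 suite).
func trafficKeys(secret []byte) (key, iv []byte) {
	return hkdfExpandLabel(sha256.New, secret, "key", nil, 16),
		hkdfExpandLabel(sha256.New, secret, "iv", nil, 12)
}

func main() {
	// Constructed placeholders, not a captured handshake.
	ecdhe := bytes.Repeat([]byte{0x42}, 32)
	s := keySchedule(nil, ecdhe, []byte("ClientHello||ServerHello"), []byte("ClientHello..server Finished"))
	key, iv := trafficKeys(s.ClientHS)
	fmt.Println("early secret:         ", hex.EncodeToString(s.Early))
	fmt.Println("client hs traffic key:", hex.EncodeToString(key), "iv:", hex.EncodeToString(iv))
}
```

Two properties of the schedule are visible in the code: every secret depends on the transcript hash, so a modified handshake message changes every key derived afterwards, and each stage is obtained from the previous one by a one-way expansion, so compromising an application traffic secret does not reveal the handshake secret it was derived from.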


Compiling wolfSSL with TLS 1.3 Support


To compile wolfSSL with TLS 1.3 support, use the “--enable-tls13” ./configure option:


$ unzip wolfssl-3.11.1-tls13-beta.zip

$ cd wolfssl-3.11.1-tls13-beta

$ ./configure --enable-tls13

$ make


Using TLS 1.3 in wolfSSL


wolfSSL has two new client/server methods, which can be used to specify TLS 1.3 during creation of a wolfSSL context (WOLFSSL_CTX):


WOLFSSL_METHOD *wolfTLSv1_3_server_method(void);

WOLFSSL_METHOD *wolfTLSv1_3_client_method(void);


The wolfSSL example client and server can be used to easily test TLS 1.3 functionality with wolfSSL.  For example, to connect the wolfSSL example client and server to each other using TLS 1.3 and the TLS13-AES128-GCM-SHA256 cipher suite, start the server first and then the client in a second terminal, using the “-v” option with “4” to specify TLS 1.3 and the “-l” option to specify the cipher suite:


$ ./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256

$ ./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256


Alternatively, the example client can be used to connect to an external server.  For example, to connect to the wolfSSL website with TLS 1.3:


$ ./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -h www.wolfssl.com -p 443 -g -A ./certs/wolfssl-website-ca.pem


In this command, “-h” specifies the host, “-p” the port, “-g” causes the client to send an HTTP GET request, and “-A” specifies the CA certificate used to authenticate the server.


wolfSSL currently supports the following TLS 1.3 cipher suites:


TLS13-AES128-GCM-SHA256

TLS13-AES256-GCM-SHA384

TLS13-CHACHA20-POLY1305-SHA256

TLS13-AES128-CCM-SHA256

TLS13-AES128-CCM-8-SHA256


Learn more about TLS 1.3


Learn more about TLS 1.3 from the IETF specification.  At the time of writing it is still an Internet-Draft, to be published as an RFC once finalized; the most recent version can be found here:

https://tools.ietf.org/html/draft-ietf-tls-tls13-20


Or, browse some of our recent blog posts on TLS 1.3:


Differences between TLS 1.2 and TLS 1.3

TLS 1.3 Now Available in wolfSSL #TLS13

wolfSSL TLS 1.3 BETA Release Now Available

Updated TLS 1.3 Draft on GitHub


Support


Please direct any questions about using wolfSSL with TLS 1.3, or about our current TLS 1.3 support to [email protected].  We also appreciate any comments or feedback.  Thanks!

Copyright 2017 wolfSSL Inc.  All rights reserved.