The wolfSSL lightweight SSL/TLS library now supports TLS 1.3 (Draft 18) on both the client and server side!

A BETA release of wolfSSL (wolfSSL 3.11.1) is available for download from our download page. This release is strictly BETA, and designed for testing and user feedback. Users and customers wanting a stable and production-ready version of wolfSSL should remain on version 3.11.0.

To compile this release with TLS 1.3 support, use the “--enable-tls13” ./configure option:

$ unzip wolfssl-3.11.1-tls13-beta.zip

$ cd wolfssl-3.11.1-tls13-beta

$ ./configure --enable-tls13

$ make

wolfSSL has two new client/server methods, which can be used to specify TLS 1.3 during creation of a wolfSSL context (WOLFSSL_CTX):

WOLFSSL_METHOD *wolfTLSv1_3_server_method(void);

WOLFSSL_METHOD *wolfTLSv1_3_client_method(void);

The wolfSSL example client and server can be used to easily test TLS 1.3 functionality with wolfSSL. For example, to connect the wolfSSL example client and server to each other using TLS 1.3 and the TLS13-AES128-GCM-SHA256 cipher suite, use the “-v” option with “4” to specify TLS 1.3, and the “-l” option to specify the cipher suite:

$ ./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256

$ ./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256

Alternatively, the example client can be used to connect to an external server. For example, to connect to the wolfSSL website with TLS 1.3:

$ ./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -h www.wolfssl.com -p 443 -g -A ./certs/wolfssl-website-ca.pem

In this command, “-h” specifies the host, “-p” the port, “-g” causes the client to send an HTTP GET request, and “-A” specifies the CA certificate used to authenticate the server.

wolfSSL currently supports the following TLS 1.3 cipher suites:

TLS13-AES128-GCM-SHA256

TLS13-AES256-GCM-SHA384

TLS13-CHACHA20-POLY1305-SHA256

TLS13-AES128-CCM-SHA256

TLS13-AES128-CCM-8-SHA256
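
To check every suite in this list rather than just one, the server and client commands shown above can be looped over the suite names. The script below is an added example, not part of the wolfSSL release: WOLFSSL_DIR and SERVER_WAIT are names made up for it, and it assumes the example client exits non-zero when the handshake fails and that both examples use their default port.

```shell
#!/bin/sh
# Added example: run the page's server/client commands once per TLS 1.3 suite.
# WOLFSSL_DIR and SERVER_WAIT are names made up for this script, not wolfSSL settings.

TLS13_SUITES="TLS13-AES128-GCM-SHA256 TLS13-AES256-GCM-SHA384
TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES128-CCM-SHA256 TLS13-AES128-CCM-8-SHA256"

# One server/client pair for a single suite; exit status is the client's.
# Runs in a subshell from the source root, as the commands on the page do.
test_suite() (
    cd "${WOLFSSL_DIR:-.}" || exit 2
    ./examples/server/server -v 4 -l "$1" >/dev/null 2>&1 &
    server_pid=$!
    sleep "${SERVER_WAIT:-1}"      # crude wait for the listener to come up
    rc=0
    ./examples/client/client -v 4 -l "$1" >/dev/null 2>&1 || rc=$?
    # If the handshake failed the server may still be listening; stop it so
    # the next suite does not collide with a stale listener.
    kill "$server_pid" 2>/dev/null || true
    wait "$server_pid" 2>/dev/null || true
    exit "$rc"
)

# Print PASS/FAIL per suite; return the number of suites that failed.
sweep_tls13() {
    failures=0
    for suite in $TLS13_SUITES; do
        if test_suite "$suite"; then
            echo "PASS $suite"
        else
            echo "FAIL $suite"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Only run automatically when the example binaries are present.
if [ -x "${WOLFSSL_DIR:-.}/examples/client/client" ]; then
    sweep_tls13
fi
```

A FAIL line for a suite is worth rerunning by hand without the output redirection, since the client's error message says whether the suite was rejected or the connection never came up.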

Please send any comments or feedback on wolfSSL’s TLS 1.3 support to support@wolfssl.com. Thanks!