Open Source Embedded SSL
MatrixSSL™ is an embedded SSL and TLS implementation designed for small footprint applications and devices. Available is a fully supported, commercial version
as well as an open source version that is available for download. MatrixSSL allows secure management of remote devices. Several secure embedded Web servers also use MatrixSSL for their encryption layer.
July 15, 2015:
All versions of MatrixSSL are unaffected by the recent OpenSSL "Heartbleed" bug.
MatrixSSL is not affected by the POODLE vulnerability: SSL 3.0 is disabled by default since version 3.3.1 on July 16, 2012.
All versions of MatrixSSL are unaffected by "Weak keys" attack.
All versions of MatrixSSL are unaffected by the July 2015 OpenSSL cerificate validation bug.
Before developing our own Secure Sockets Layer,
we looked for a small, open source SSL/TLS implementation. This proved very difficult to find. We found several past attempts at an "OpenSSL Lite", "small OpenSSL" or "embedded OpenSSL", but none reduced the code to levels we required. The standard OpenSSL library is over 1 MB, and the best we found was more than half that. OpenSSL
is a decent solution, but embedded security is one area where there was room for improvement.
to the MatrixSSL RSS news feed to be notified of updates and security advisories. You can also subscribe to new releases through FreeCode
to be notified through email.
- < 50KB total footprint with crypto provider
- TLS 1.0, 1.1 and 1.2 server and client support (SSL 3.0 optional)
- Included crypto library - RSA, ECC, 3DES, AES, ARC4, SHA1, SHA2, MD5
- Assembly language optimizations for Intel, ARM and MIPS
- Session re-keying and cipher renegotiation
- Full support for session resumption/caching
- Server Name Indication and Stateless Session Tickets
- RFC7301 Application Protocol Negotiation
- Server and client X.509 certificate chain authentication
- Parsing of X.509 .pem and ASN.1 DER certificate formats
- PKCS#1.5, PKCS#5 PKCS#8 and PKCS#12 support for key formatting
- RSASSA-PSS Signature Algorithm support
- Certificate Revocation List (CRL) support
- SSH command line support¹
- DTLS support¹
- Fully cross platform, portable codebase; minimum use of system calls
- Pluggable cipher suite interface
- Pluggable crypto provider interface
- Pluggable operating system and malloc interface
- TCP/IP optional
- Multithreading optional
- Only a handful of external APIs, all non-blocking
- Example client and server code included
- Clean, heavily commented code in portable C
- User and developer documentation
¹Included with commercial license
MatrixSSL has been ported to operating systems including FreeRTOS, Bare Metal, eCos, VxWorks, uClinux, eCos, FreeRTOS, ThreadX, WindowsCE, PocketPC, Palm, pSOS, SMX, BREW, MacOS X, Linux and Windows.
Ported hardware platforms include ARM, MIPS32, PowerPC, H-8, SH3, i386 and x86-64.
Complexity is the main enemy of security. Therefore, any security design should strive for simplicity. We are quite ruthless about this, even though this does not make us popular. Eliminate all the options that you can. Get rid of all those baroque features that few people use. Stay away from committee designs, because the committee process always leads to extra features or options in order to achieve compromise. In security, simplicity is king.
As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It's true for cryptographic algorithms, security protocols, and security source code. For us, open source isn't just a business model; it's smart engineering practice.
The software is fully downloadable under a dual licensing model; GNU Public License
and a Standard Commercial license. Basically, the dual license means that you can use the library for free as long as you make public all code that links with it or otherwise uses the library. In addition, any changes made to the library must also be made public. If the application source code using MatrixSSL is to remain proprietary, a commercial license can be purchased from PeerSec Networks
, the authors of MatrixSSL. The commercial license includes support, updates and additional software features such as client authentication and certificate/key generation. Another example of software using this model is MySQL
, a widely used open source database.
The names "MatrixSSL", "PeerSec", "PeerSec Neworks" and their corresponding logos are Trademark (™) INSIDE Secure Corp. All content Copyright © INSIDE Secure Corp., 2002-2015.