SharkSSL Embedded SSL/TLS Client and Server (Standalone)

While the Internet has become the norm for connecting and controlling embedded devices, it is inherently insecure. Embedded developers need to encrypt data interchanges to prevent unauthorized users from intercepting private data or gaining access to your devices and infrastructure.


Before developing our own secure sockets layer, we searched for a small, embedded SSL implementation. This proved impossible to find. The companies providing SSL products were either releasing solutions that were too expensive or too big for practical use in embedded devices. For example, the standard OpenSSL library is over 1 MB in size, a size totally unsuitable for embedded systems.

The standalone SharkSSL package includes the following components: Embedded M2M Client Framework, Embedded WebSocket Client, Embedded WebSocket Server, and an Embedded SMTP Library.

SharkSSL is an extremely compact SSL/TLS stack. It’s designed from the ground up to ensure completely secure communication and management of remote embedded devices and dedicated applications. Extremely small and boasting a transport-agnostic API, SharkSSL can be used in virtually any embedded device, ranging from 8- through 64-bit microcontrollers. To date, SharkSSL is the smallest SSL/TLS server on the market.

SharkSSL Embedded SSL/TLS Server Features & Advantages

  • Written in C with an object-oriented API (an optional C++ API is included)
  • Supports hardware encryption acceleration engines
  • Total code footprint of less than 20 kB on ColdFire® microcontrollers when using the "CAU" cryptography acceleration coprocessor unit
  • Includes crypto software library for processors without hardware encryption support or with partial hardware encryption acceleration (AES, DES, 3DES, ARC4, SHA1, MD5)
  • Provides RSA and DH crypto libraries specifically optimized for embedded systems which can be retargeted to dedicated DSP engines
  • Offers configurable session caching
  • Incorporates advanced embedded buffer management with no coding required to handle SSL buffers; custom memory allocators can be specified
  • Compatible with any transport type, including TCP/IP, thanks to our unique transport-agnostic API
  • Provides multithreading support with optimal performance when used with multitasking/process operating systems
  • Supports SSL V3.0, TLS V1.0, TLS V1.1, and TLS V1.2 ciphers:
    • DHE_RSA_WITH_3DES_EDE_CBC_SHA
    • DHE_RSA_WITH_AES_128_CBC_SHA
    • DHE_RSA_WITH_AES_128_CBC_SHA256
    • DHE_RSA_WITH_AES_128_CCM
    • DHE_RSA_WITH_AES_128_CCM_8
    • DHE_RSA_WITH_AES_128_GCM_SHA256
    • DHE_RSA_WITH_AES_256_CBC_SHA
    • DHE_RSA_WITH_AES_256_CBC_SHA256
    • DHE_RSA_WITH_AES_256_CCM
    • DHE_RSA_WITH_AES_256_CCM_8
    • DHE_RSA_WITH_AES_256_GCM_SHA384
    • DHE_RSA_WITH_DES_CBC_SHA
    • ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    • ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • ECDHE_ECDSA_WITH_NULL_SHA
    • ECDHE_ECDSA_WITH_RC4_128_SHA
    • ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    • ECDHE_RSA_WITH_AES_128_CBC_SHA
    • ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • ECDHE_RSA_WITH_AES_256_CBC_SHA
    • ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • ECDHE_RSA_WITH_NULL_SHA
    • ECDHE_RSA_WITH_RC4_128_SHA
    • ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    • ECDH_ECDSA_WITH_AES_128_CBC_SHA
    • ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    • ECDH_ECDSA_WITH_AES_128_GCM_SHA256
    • ECDH_ECDSA_WITH_AES_256_CBC_SHA
    • ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    • ECDH_ECDSA_WITH_AES_256_GCM_SHA384
    • ECDH_ECDSA_WITH_NULL_SHA
    • ECDH_ECDSA_WITH_RC4_128_SHA
    • ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    • ECDH_RSA_WITH_AES_128_CBC_SHA
    • ECDH_RSA_WITH_AES_128_CBC_SHA256
    • ECDH_RSA_WITH_AES_128_GCM_SHA256
    • ECDH_RSA_WITH_AES_256_CBC_SHA
    • ECDH_RSA_WITH_AES_256_CBC_SHA384
    • ECDH_RSA_WITH_AES_256_GCM_SHA384
    • ECDH_RSA_WITH_NULL_SHA
    • ECDH_RSA_WITH_RC4_128_SHA
    • RSA_WITH_3DES_EDE_CBC_SHA
    • RSA_WITH_AES_128_CBC_SHA
    • RSA_WITH_AES_128_CBC_SHA256
    • RSA_WITH_AES_128_CCM
    • RSA_WITH_AES_128_CCM_8
    • RSA_WITH_AES_128_GCM_SHA256
    • RSA_WITH_AES_256_CBC_SHA
    • RSA_WITH_AES_256_CBC_SHA256
    • RSA_WITH_AES_256_CCM
    • RSA_WITH_AES_256_CCM_8
    • RSA_WITH_AES_256_GCM_SHA384
    • RSA_WITH_DES_CBC_SHA
    • RSA_WITH_NULL_MD5
    • RSA_WITH_NULL_SHA
    • RSA_WITH_NULL_SHA256
    • RSA_WITH_RC4_128_MD5
    • RSA_WITH_RC4_128_SHA
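
The supported list ranges from NULL, RC4 and single-DES suites to AEAD suites with ephemeral key exchange, so a build or audit step can sort suite names by what each one provides. The following is an added example, not SharkSSL code or API: the `CS_*` flags and `classify_suite` are hypothetical names, and it works purely on suite names as written in the list above.

```c
#include <stdio.h>
#include <string.h>

/* Properties readable from a cipher suite name (added example; flag names are hypothetical). */
enum {
    CS_NO_ENCRYPTION  = 1 << 0, /* NULL: records are authenticated but sent in clear */
    CS_BROKEN_CIPHER  = 1 << 1, /* RC4 (prohibited by RFC 7465) or single DES (56-bit key) */
    CS_LEGACY_CIPHER  = 1 << 2, /* 3DES: 64-bit block size */
    CS_MD5_MAC        = 1 << 3, /* HMAC-MD5 record MAC */
    CS_NO_FWD_SECRECY = 1 << 4, /* static RSA or static ECDH key exchange */
    CS_AEAD           = 1 << 5  /* GCM or CCM */
};

/* Return 1 if tok is one of the '_'-separated fields of name ("DES" must not match "3DES"). */
static int has_token(const char *name, const char *tok)
{
    size_t n = strlen(tok);
    for (const char *p = name; ; ) {
        const char *end = strchr(p, '_');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && memcmp(p, tok, n) == 0) return 1;
        if (!end) return 0;
        p = end + 1;
    }
}

unsigned classify_suite(const char *name)
{
    unsigned f = 0;
    if (has_token(name, "NULL")) f |= CS_NO_ENCRYPTION;
    if (has_token(name, "RC4") || has_token(name, "DES")) f |= CS_BROKEN_CIPHER;
    if (has_token(name, "3DES")) f |= CS_LEGACY_CIPHER;
    if (has_token(name, "MD5")) f |= CS_MD5_MAC;
    if (has_token(name, "GCM") || has_token(name, "CCM")) f |= CS_AEAD;
    /* Only DHE_ and ECDHE_ exchanges use ephemeral keys. */
    if (strncmp(name, "DHE_", 4) != 0 && strncmp(name, "ECDHE_", 6) != 0)
        f |= CS_NO_FWD_SECRECY;
    return f;
}

int main(void)
{
    /* A few names copied from the list above. */
    const char *sample[] = { "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "DHE_RSA_WITH_AES_256_CCM_8",
        "ECDH_RSA_WITH_AES_128_GCM_SHA256", "RSA_WITH_3DES_EDE_CBC_SHA",
        "DHE_RSA_WITH_DES_CBC_SHA", "ECDHE_RSA_WITH_NULL_SHA", "RSA_WITH_RC4_128_MD5" };
    for (size_t i = 0; i < sizeof sample / sizeof *sample; i++)
        printf("%-38s flags=0x%02x%s\n", sample[i], classify_suite(sample[i]),
               classify_suite(sample[i]) == CS_AEAD ? "  (AEAD + ephemeral)" : "");
    return 0;
}
```

A result equal to `CS_AEAD` alone marks a suite with authenticated encryption and an ephemeral key exchange; any other value names the property that suite lacks.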

SharkSSL Can Be Purchased in Multiple Configurations:

  • Standalone SharkSSL client SSL/TLS C library
  • Standalone SharkSSL server SSL/TLS C library
  • Standalone SharkSSL client and server SSL/TLS C library
  • As a plugin for the Barracuda Web Server
  • As a plugin for the PikeHTTP Client Library
  • SharkSSL client and server come included in the Barracuda Application Server at no additional cost. The Barracuda Application Server provides a number of high-level SharkSSL Lua APIs, including APIs for working with certificates and the certificate authority store, which shield you from learning SSL in detail.

Barracuda Application Server and SharkSSL:

The Barracuda Application Server uses the SharkSSL server for secure (HTTPS) communication. The high-level SMTP Library and the PikeHTTP client library use the SharkSSL client when communicating with secure servers. The high-level Secure Sockets API is integrated with the SharkSSL client and server, enabling designers to easily design custom secure protocols.

Bare-Metal or RTOS

Assembler Optimized

SharkSSL, with its assembly-optimized big integer library, also delivers record-breaking performance on processors without specialized crypto units. While keeping code size to a minimum, SharkSSL is capable of performing a private RSA operation in 100 ms on a Cortex-M3 running at 100 MHz, a speed 60 percent faster than competitors’.

Optimized to take advantage of encryption acceleration, SharkSSL achieves unmatched throughput on ColdFire, Kinetis K60, and all the Cortex-M3 and -M4 processors. Available as source code, SharkSSL code can be implemented on any processor off the shelf. The SharkSSL library has been successfully deployed on ARM, Freescale, and PowerPC-based FPGA architectures. Other processors and accelerators can be accommodated upon request.

Out-of-the-box operating system (OS) support includes INTEGRITY™, MQX™, SMX™, ThreadX™, VxWorks™, EBSnet™, rtplatform, uCLinux™, Linux and Windows™. It can also be used in bare-metal (no OS) configurations. Multi-threading is available for added performance when using an OS that supports multi-threading.

SharkSSL Footprint for ARM Cortex-M3

SharkSSL sizes (kB) obtained with IAR Embedded Workbench V5.4 (-Ohz optimization):

| Code combinations | ROM | RAM (2) |
|---|---|---|
| Server-only TLS1.0, TLS1.1, and TLS1.2 stack (1), library excluding AES and DES encryption software | 16 | 2 |
| Client-only TLS1.0, TLS1.1, and TLS1.2 stack (1), library excluding AES and DES encryption software | 19 | 2 |
| Client+Server TLS1.0, TLS1.1, and TLS1.2 stack (1), library excluding AES and DES encryption software | 21 | 2 |

| Symmetric Encryption Algorithms (3) | ROM | RAM |
|---|---|---|
| AES encryption software | 4.7 | - |
| DES/3DES encryption software (3) | 3.5 | - |

  1. The above configuration options for SharkSSL have been selected for minimum code size.
  2. The RAM figure does not include memory allocated on a per-connection basis.
  3. The AES, DES, and 3DES algorithms can be replaced with hardware-accelerated versions when available, with better performance and reduced footprint.

Additional Software

We include many demos and examples in our standalone SharkSSL package. Our demos focus on implementing practical protocol examples for tiny devices/microcontrollers. Here are a few examples of additional software that come with SharkSSL: