NanoSSL
DigiCert® NanoSSL is a TLS/SSL solution specifically designed to speed product development while providing device security services for resource-constrained environments. With the Internet of Things (IoT), several types of network-connected devices need secured management access to transport data securely over the unsecured Internet.
TLS/SSL (Transport Layer Security/Secure Sockets Layer) authenticates endpoints and encrypts channels to provide session privacy and security on the Internet. SSL operates at the transport layer in the OSI stack and provides secured data transport to applications. It supports peer negotiation for algorithm selection, public key-based exchange of secret session keys, and X.509 certificates.
NanoSSL provides easy-to-use APIs for integration with applications like web servers and browsers. Its certificate management module allows it to fetch or renew SSL certificates, check the status of SSL certificates using CRLs, or to query a Certificate Authority (CA) or certificate chain.
NanoSSL also supports NSA Suite B crypto algorithms to provide a holistic approach for securing networked devices and services, ideally suited for high-traffic enterprise and federal environments where performance is critical. Suite B cryptography is a set of cryptographic algorithms and protocols specified by NIST that are approved by the NSA for protecting classified and unclassified National Security Systems (NSS).
Key features
DigiCert NanoSSL provides the following features:
Small memory footprint
Accelerates integration and testing of complex cryptographic functions for your product
FIPS 140-2/3 Level 1 validated (optional)
Integration with the Enrollment over Secure Transport (RFC-7030)
TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 compliant
OpenSSL Connector for migration from open source with API level equivalency (with turnkey professional services)
Operators for hardware acceleration
Crypto abstraction platform for compliance with export/import controls
SSLv3 (RFC 7568) compliant
SSLv3 is disabled by default in NanoSSL but can be enabled if necessary to support communication with legacy applications that require SSLv3
TCP/IP-neutral
Pre-shared keys
SSL alerts
Support for TLS server name extension (RFC 6066)
Support for mutual authentication
Support for DTLS 1.2 and 1.3
Support for PKCS#8 and PKCS#12 certificate formats
Support for TPM-generated keys
OS- and platform-agnostic for easy portability
Threadless architecture, synchronous and asynchronous
Guaranteed GPL-free code protects your intellectual property
System requirements
Memory requirements
NanoSSL has a minimum memory footprint of 156KB.[1]
Typical memory usage is with a full set of ciphers and may vary (decrease or increase) based on 32/64-bit, x86/ARM/MIPS, reduced set of ciphers, static/shared library, and compile flags.
Supported operating systems
NanoSSL is currently supported on the following operating systems:
Linux (Ubuntu, Debian, Raspbian, CentOS)
Solaris
Microsoft® Windows
Cygwin
FreeBSD
QNX
FreeRTOS
VxWorks
ThreadX
Note
DigiCert can provide a guide to assist with porting to another operating system or RTOS. To learn more, contact your DigiCert account representative.
Supported operating platforms
NanoSSL is currently supported on the following operating platforms:
Intel® x86
ARM Cortex
Hardware Acceleration - Intel AES-NI, Vendor Extensions via NanoCrypto Callbacks
Secure Element - TPM 1.2, TPM 2.0, ARM TrustZone, PKCS11
VxWorks 6.9 and 7.0 Workbench IDE
OPC-UA HP SDK for Linux and Windows platforms
OpenSSL compatibility
TrustCore SDK makes it easy to replace the OpenSSL SSL and crypto library with a shim that uses the NanoSSL and NanoCrypto implementation, so you don't have to change your application calls. To learn more about replacing OpenSSL with NanoSSL, refer to About DigiCert OpenSSL Connector provided by DigiCert.
Supported standards
DigiCert NanoSSL supports the following standards:
RFC 2246: TLS Protocol Version 1.0
RFC 3268: Advanced Encryption Standard (AES) Cipher suites for TLS
RFC 6066: Transport Layer Security (TLS) Extensions
RFC 4279: Pre-shared Key Cipher suites for TLS
RFC 4346: TLS Protocol Version 1.1
RFC 4492: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security
RFC 5077: Transport Layer Security (TLS) Session Resumption without Server-Side State
RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2
RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (obsoletes RFC 3280)
RFC 5288: AES Galois Counter Mode (GCM) Cipher Suites for TLS
RFC 5289: TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)
RFC 5430: Suite B Profile for Transport Layer Security (TLS)
RFC 5487: Pre-Shared Key Cipher Suites for TLS with SHA-256/384 and AES Galois Counter Mode
RFC 5489: ECDHE_PSK Cipher Suites for Transport Layer Security (TLS)
RFC 5746: TLS Renegotiation Indication Extension
RFC 6066: Transport Layer Security (TLS) Extensions: Extension Definitions
RFC 6101: Secure Sockets Layer (SSL) Protocol Version 3.0
RFC 6520: Heartbeat Extension for TLS and DTLS.
RFC 6655: AES-CCM Cipher Suites for Transport Layer Security (TLS)
RFC 7251: AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites for TLS
RFC 7568: Deprecating Secure Sockets Layer Version 3.0
RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3
RFC 9146: The Datagram Transport Layer Security (DTLS) Protocol Version 1.3
FIPS and Suite B support
Network diagram
This figure shows how NanoSSL is implemented in a network to securely transfer information between a server and connected devices.
