Skip to content

Add TLS, HTTPS, SSH, and MQTT support for STM32H563 port#14

Merged
danielinux merged 6 commits intowolfSSL:masterfrom
aidangarske:wolfip-stm32h5-update
Jan 27, 2026
Merged

Add TLS, HTTPS, SSH, and MQTT support for STM32H563 port#14
danielinux merged 6 commits intowolfSSL:masterfrom
aidangarske:wolfip-stm32h5-update

Conversation

@aidangarske
Copy link
Copy Markdown
Member

@aidangarske aidangarske commented Jan 21, 2026
edited
Loading

Description

This PR adds secure communication capabilities to the STM32H563 bare-metal port using wolfSSL,
wolfSSH, and wolfMQTT libraries.

Features

TLS 1.3 Support

  • TLS echo server on port 8443
  • TLS client for outbound connections (includes Google connectivity test)
  • ECC P-256 with ChaCha20-Poly1305/AES-GCM cipher suites
  • Embedded self-signed test certificate

HTTPS Web Server

  • Status page on port 443 showing device info, IP address, and uptime
  • Minimal footprint suitable for embedded systems

SSH Server

  • Interactive shell on port 22
  • Password authentication (test credentials: admin/wolfip)
  • Built-in commands: help, info, uptime, exit
  • ECC P-256 host key

MQTT Client

  • Secure TLS connection to MQTT broker (port 8883)
  • Publishes device status to wolfip/status topic
  • Non-blocking state machine for integration with main loop
  • Tested with test.mosquitto.org

Build Options

make ENABLE_TLS=1                    # TLS only                                                     
make ENABLE_TLS=1 ENABLE_HTTPS=1     # TLS + HTTPS                                                  
make ENABLE_TLS=1 ENABLE_SSH=1       # TLS + SSH                                                    
make ENABLE_TLS=1 ENABLE_MQTT=1      # TLS + MQTT                                                   
make ENABLE_TLS=1 ENABLE_HTTPS=1 ENABLE_SSH=1 ENABLE_MQTT=1  # All features

New Files

  • tls_server.c/h, tls_client.c/h - TLS implementation
  • ssh_server.c/h - SSH shell server
  • mqtt_client.c/h - MQTT client
  • wolfssl_io.c, wolfssh_io.c, wolfmqtt_io.c - I/O glue layers for wolfIP
  • certs.h, ssh_keys.h - Embedded test certificates/keys
    -user_settings.h - wolfSSL/wolfSSH/wolfMQTT configuration

Testing

All features tested on NUCLEO-H563ZI with DHCP network configuration.
Also tested and verified TZEN=1 is working with basic wolfIP stack

Docs

src/port/stm32h563/README.md

@aidangarske
Add TLS 1.3 client/server support for STM32H563
7516b80 
  - Add wolfSSL TLS 1.3 integration with wolfIP TCP/IP stack
  - TLS server: echo server on port 8443 with ECC P-256 certificate
  - TLS client: connects to Google (HTTPS) to verify outbound TLS
  - Uses ECDHE-P256 key exchange, RSA cert verification, AES-GCM/ChaCha20
  - Custom I/O callbacks in wolfssl_io.c bridge wolfSSL and wolfIP
  - Build with: make ENABLE_TLS=1
  - ~200KB code size with full TLS support
  - Tested: TLS 1.3 handshake to google.com successful
@aidangarske
Add HTTPS web server and SSH shell support for
7f9e8c1 
  STM32H563

  - Add HTTPS server serving status page on port 443
  (ENABLE_HTTPS=1)
  - Add SSH server with interactive shell on port 22
  (ENABLE_SSH=1)
  - Add wolfssh_io.c for wolfSSH-wolfIP integration
  - Increase MAX_TCPSOCKETS from 4 to 8 to support
  multiple servers
  - Fix IP address byte order display in HTTPS status
  page
  - Update Makefile with ENABLE_HTTPS and ENABLE_SSH
  build flags
  - Update README with build and testing documentation
@aidangarske
Fix SSH server for STM32H563 bare-metal operation
ba91cc9 
  Commit Body:
  Fix wolfSSH integration and optimize memory for embedded
  deployment.

  wolfSSH API updates:
  - Add wolfSSH_CTX_SetIO_wolfIP() for context-level I/O
  callbacks
  - Update field names: usernameLen->usernameSz,
  passwordLen->passwordSz
  - Wrap debug logging callback in #ifdef DEBUG_WOLFSSH

  Memory optimization for STM32H563 (640KB SRAM):
  - Reduce wolfSSH window size from 16KB to 4KB
  - Reduce wolfIP RX/TX buffers from 16x to 8x MTU
  - Reduce MAX_TCPSOCKETS to 6, MAX_ICMPSOCKETS to 1

  wolfSSL/wolfSSH configuration:
  - Add WOLFSSL_WOLFSSH for wc_SSH_KDF support
  - Add WOLFSSL_KEY_GEN for host key generation
  - Add WOLFSSH_NO_TERM for bare-metal operation

  Build system:
  - Add signature.c for SSH signature verification
  - Fix pattern rules for wolfSSH compilation

  Tested: SSH login (admin/wolfip), shell commands working
@aidangarske
Add MQTT client support for STM32H563 bare-metal operation
31c0cd1 
  - Add mqtt_client.c/h: Non-blocking MQTT client with state machine
    (IDLE -> CONNECTING -> TLS -> MQTT_CONNECT -> CONNECTED)
  - Add wolfmqtt_io.c: I/O glue layer for wolfIP sockets
  - Update Makefile: Add ENABLE_MQTT build option and wolfMQTT sources
  - Update user_settings.h: Add wolfMQTT configuration (WOLFMQTT_NONBLOCK,
    WOLFMQTT_USER_IO, WOLFMQTT_NO_STDIO, EWOULDBLOCK/EAGAIN defines)
  - Update main.c: Integrate MQTT client into main loop with periodic
    status publishing
  - Update README.md: Add MQTT documentation section

  Features:
  - TLS 1.3 encrypted connection to MQTT broker (port 8883)
  - Connects to test.mosquitto.org by default
  - Publishes status messages to wolfip/status topic
  - QoS 0 (fire and forget) for minimal overhead
  - 60 second keep-alive

  Build: make ENABLE_TLS=1 ENABLE_MQTT=1
@aidangarske aidangarske self-assigned this Jan 21, 2026
@danielinux danielinux merged commit bd96da6 into wolfSSL:master Jan 27, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danielinux danielinux danielinux approved these changes

@dgarske dgarske dgarske approved these changes

Assignees

@danielinux danielinux

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@aidangarske @danielinux @dgarske @wolfSSL-Bot