@aidangarske aidangarske commented Jan 21, 2026

Description

This PR adds secure communication capabilities to the STM32H563 bare-metal port using wolfSSL,
wolfSSH, and wolfMQTT libraries.

Features

TLS 1.3 Support

  • TLS echo server on port 8443
  • TLS client for outbound connections (includes Google connectivity test)
  • ECC P-256 with ChaCha20-Poly1305/AES-GCM cipher suites
  • Embedded self-signed test certificate

HTTPS Web Server

  • Status page on port 443 showing device info, IP address, and uptime
  • Minimal footprint suitable for embedded systems

SSH Server

  • Interactive shell on port 22
  • Password authentication (test credentials: admin/wolfip)
  • Built-in commands: help, info, uptime, exit
  • ECC P-256 host key

MQTT Client

  • Secure TLS connection to MQTT broker (port 8883)
  • Publishes device status to wolfip/status topic
  • Non-blocking state machine for integration with main loop
  • Tested with test.mosquitto.org

Build Options

make ENABLE_TLS=1                    # TLS only
make ENABLE_TLS=1 ENABLE_HTTPS=1     # TLS + HTTPS
make ENABLE_TLS=1 ENABLE_SSH=1       # TLS + SSH
make ENABLE_TLS=1 ENABLE_MQTT=1      # TLS + MQTT
make ENABLE_TLS=1 ENABLE_HTTPS=1 ENABLE_SSH=1 ENABLE_MQTT=1  # All features

New Files

  • tls_server.c/h, tls_client.c/h - TLS implementation
  • ssh_server.c/h - SSH shell server
  • mqtt_client.c/h - MQTT client
  • wolfssl_io.c, wolfssh_io.c, wolfmqtt_io.c - I/O glue layers for wolfIP
  • certs.h, ssh_keys.h - Embedded test certificates/keys
  • user_settings.h - wolfSSL/wolfSSH/wolfMQTT configuration

Testing

All features tested on NUCLEO-H563ZI with DHCP network configuration.
Also tested and verified that TZEN=1 works with the basic wolfIP stack.

Docs

src/port/stm32h563/README.md

  - Add wolfSSL TLS 1.3 integration with wolfIP TCP/IP stack
  - TLS server: echo server on port 8443 with ECC P-256 certificate
  - TLS client: connects to Google (HTTPS) to verify outbound TLS
  - Uses ECDHE-P256 key exchange, RSA cert verification, AES-GCM/ChaCha20
  - Custom I/O callbacks in wolfssl_io.c bridge wolfSSL and wolfIP
  - Build with: make ENABLE_TLS=1
  - ~200KB code size with full TLS support
  - Tested: TLS 1.3 handshake to google.com successful
  STM32H563

  - Add HTTPS server serving status page on port 443 (ENABLE_HTTPS=1)
  - Add SSH server with interactive shell on port 22 (ENABLE_SSH=1)
  - Add wolfssh_io.c for wolfSSH-wolfIP integration
  - Increase MAX_TCPSOCKETS from 4 to 8 to support multiple servers
  - Fix IP address byte order display in HTTPS status page
  - Update Makefile with ENABLE_HTTPS and ENABLE_SSH build flags
  - Update README with build and testing documentation
  Commit Body:
  Fix wolfSSH integration and optimize memory for embedded deployment.

  wolfSSH API updates:
  - Add wolfSSH_CTX_SetIO_wolfIP() for context-level I/O callbacks
  - Update field names: usernameLen->usernameSz, passwordLen->passwordSz
  - Wrap debug logging callback in #ifdef DEBUG_WOLFSSH

  Memory optimization for STM32H563 (640KB SRAM):
  - Reduce wolfSSH window size from 16KB to 4KB
  - Reduce wolfIP RX/TX buffers from 16x to 8x MTU
  - Reduce MAX_TCPSOCKETS to 6, MAX_ICMPSOCKETS to 1

  wolfSSL/wolfSSH configuration:
  - Add WOLFSSL_WOLFSSH for wc_SSH_KDF support
  - Add WOLFSSL_KEY_GEN for host key generation
  - Add WOLFSSH_NO_TERM for bare-metal operation

  Build system:
  - Add signature.c for SSH signature verification
  - Fix pattern rules for wolfSSH compilation

  Tested: SSH login (admin/wolfip), shell commands working

  - Add mqtt_client.c/h: Non-blocking MQTT client with state machine
    (IDLE -> CONNECTING -> TLS -> MQTT_CONNECT -> CONNECTED)
  - Add wolfmqtt_io.c: I/O glue layer for wolfIP sockets
  - Update Makefile: Add ENABLE_MQTT build option and wolfMQTT sources
  - Update user_settings.h: Add wolfMQTT configuration (WOLFMQTT_NONBLOCK,
    WOLFMQTT_USER_IO, WOLFMQTT_NO_STDIO, EWOULDBLOCK/EAGAIN defines)
  - Update main.c: Integrate MQTT client into main loop with periodic
    status publishing
  - Update README.md: Add MQTT documentation section

  Features:
  - TLS 1.3 encrypted connection to MQTT broker (port 8883)
  - Connects to test.mosquitto.org by default
  - Publishes status messages to wolfip/status topic
  - QoS 0 (fire and forget) for minimal overhead
  - 60 second keep-alive

  Build: make ENABLE_TLS=1 ENABLE_MQTT=1
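The non-blocking state machine the MQTT commit describes (IDLE -> CONNECTING -> TLS -> MQTT_CONNECT -> CONNECTED, with EWOULDBLOCK/EAGAIN meaning "try again on the next main-loop pass") can be sketched as follows. This is an added illustration, not code from this PR or from wolfMQTT; the real wolfIP/wolfSSL/wolfMQTT calls are replaced by a constructed mock transport, and the state and function names are assumptions.

```c
#include <errno.h>

/* Connection states named after the PR's mqtt_client.c description. */
typedef enum { ST_IDLE, ST_CONNECTING, ST_TLS, ST_MQTT_CONNECT, ST_CONNECTED } mqtt_state_t;

/* Assumed shape of one non-blocking stage (TCP connect, TLS handshake, MQTT CONNECT):
 * 0 = done, -EWOULDBLOCK/-EAGAIN = call again next loop pass, other negative = hard error. */
typedef int (*step_fn)(void *ctx);

typedef struct {
    mqtt_state_t state;
    step_fn tcp_connect, tls_handshake, mqtt_connect;
    void *ctx;
    unsigned retries, max_retries;   /* would-block passes tolerated in one state */
} mqtt_client_t;

/* One pass from the bare-metal main loop; never blocks. MQTT CONNECT is only attempted
 * once the TLS handshake has completed; a hard error or a stalled stage tears down and restarts from TCP. */
mqtt_state_t mqtt_client_poll(mqtt_client_t *c)
{
    step_fn fn = 0;
    mqtt_state_t next = c->state;
    int rc;
    switch (c->state) {
    case ST_IDLE:         c->state = ST_CONNECTING; c->retries = 0; return c->state;
    case ST_CONNECTING:   fn = c->tcp_connect;   next = ST_TLS;          break;
    case ST_TLS:          fn = c->tls_handshake; next = ST_MQTT_CONNECT; break;
    case ST_MQTT_CONNECT: fn = c->mqtt_connect;  next = ST_CONNECTED;    break;
    case ST_CONNECTED: default: return c->state;   /* periodic publishing would happen here */
    }
    rc = fn(c->ctx);
    if (rc == 0) { c->state = next; c->retries = 0; }
    else if ((rc == -EWOULDBLOCK || rc == -EAGAIN) && ++c->retries <= c->max_retries) { /* stay, retry next pass */ }
    else { c->state = ST_IDLE; c->retries = 0; }   /* hard error or stall: back to IDLE */
    return c->state;
}

/* Constructed mock transport standing in for wolfIP/wolfSSL/wolfMQTT: stage i
 * reports would-block `pending[i]` times, then returns `result[i]`. */
typedef struct { int pending[3]; int result[3]; } mock_t;
static int mock_step(mock_t *m, int i) { return m->pending[i]-- > 0 ? -EWOULDBLOCK : m->result[i]; }
static int mock_tcp(void *m)  { return mock_step(m, 0); }
static int mock_tls(void *m)  { return mock_step(m, 1); }
static int mock_mqtt(void *m) { return mock_step(m, 2); }

/* Drive the client for `passes` loop iterations and report where it ended up. */
mqtt_state_t run_main_loop(mock_t *m, unsigned passes, unsigned max_retries)
{
    mqtt_client_t c = { ST_IDLE, mock_tcp, mock_tls, mock_mqtt, m, 0, max_retries };
    while (passes--) mqtt_client_poll(&c);
    return c.state;
}
```

A TLS failure (or a stage that keeps reporting would-block past `max_retries`) drops the client back to IDLE, so no MQTT CONNECT is ever attempted over an unestablished session.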
@aidangarske aidangarske self-assigned this Jan 21, 2026