Using SSL/TLS for Security
OpenSSL provides a more secure and more frequently updated library for securing your Edge applications than the open source axTLS library, which was previously provided with the ThingWorx Edge C SDK. As of release 2.2.5, the C SDK upgraded to OpenSSL 1.1.1. Version 2.2.12 of the C SDK upgrades to OpenSSL 1.1.1j. OpenSSL 1.1.1 does not support FIPS mode and is not backwards compatible with OpenSSL 1.0.2. FIPS mode requires OpenSSL 1.0.2 or earlier.
Although OpenSSL 1.1.1 includes TLS 1.3, TLS 1.3 will not work in C SDK applications communicating with the ThingWorx Platform. ThingWorx Platform v.9.1.x runs on Java 11 but does not yet fully support TLS 1.3.
If you require FIPS support, you must obtain an older version of OpenSSL that supports FIPS mode. This approach is not recommended. If you prefer to use your own security implementation or a version of OpenSSL that supports FIPS, you can use the C SDK wrapper functions that closely follow the OpenSSL API. To use another SSL/TLS implementation, set up the C SDK to use it by following the template in the file twTemplateSSL.h, located in the /src/tls subdirectory of the C SDK installation. This file contains a template for an SSL/TLS wrapper layer for your SSL/TLS implementation.
In its log output, the C SDK prints its own version number as well as the name and version number of the SSL/TLS library in use.
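As an added example (not part of the C SDK or its documentation), the following C helper checks the OpenSSL version named in a log line against the versions stated above: it flags a library older than 1.1.1j and a library from the 1.0.2-or-earlier branch that FIPS mode requires. The log line format and every function and flag name here are assumptions, since the page does not show the SDK's log format.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { OSSL_OK = 0, OSSL_UNKNOWN = 1, OSSL_BELOW_BASELINE = 2, OSSL_FIPS_BRANCH = 4 };
/* Parsed release, e.g. "1.1.1j" -> {1, 1, 1, 'j'}; patch is 0 when absent. */
struct ossl_ver { int major, minor, fix; char patch; };

/* Find "OpenSSL <maj>.<min>.<fix>[letter]" in a line; 0 on success, -1 if absent. */
int parse_openssl_version(const char *line, struct ossl_ver *v)
{
    const char *p = strstr(line, "OpenSSL ");
    char patch = 0;
    if (!p || sscanf(p, "OpenSSL %d.%d.%d%c", &v->major, &v->minor, &v->fix, &patch) < 3)
        return -1;
    v->patch = islower((unsigned char)patch) ? patch : 0;
    return 0;
}

/* Order two releases like strcmp: negative, zero or positive. */
int ossl_cmp(const struct ossl_ver *a, const struct ossl_ver *b)
{
    if (a->major != b->major) return a->major - b->major;
    if (a->minor != b->minor) return a->minor - b->minor;
    if (a->fix != b->fix) return a->fix - b->fix;
    return a->patch - b->patch;
}

/* Classify the OpenSSL release named in one log line against the page's statements. */
int audit_log_line(const char *line)
{
    const struct ossl_ver baseline = {1, 1, 1, 'j'}; /* shipped with C SDK 2.2.12 */
    const struct ossl_ver fips_max = {1, 0, 2, 0};   /* FIPS mode: 1.0.2 or earlier */
    struct ossl_ver v, branch;
    int flags = OSSL_OK;
    if (parse_openssl_version(line, &v) != 0) return OSSL_UNKNOWN;
    if (ossl_cmp(&v, &baseline) < 0) flags |= OSSL_BELOW_BASELINE;
    branch = v;
    branch.patch = 0; /* compare the branch only, ignoring the patch letter */
    if (ossl_cmp(&branch, &fips_max) <= 0) flags |= OSSL_FIPS_BRANCH;
    return flags;
}

int main(void)
{
    /* Constructed log line; the SDK's real log format is an assumption. */
    printf("flags=%d\n", audit_log_line("TLS library: OpenSSL 1.1.1d  10 Sep 2019"));
    return 0;
}
```

Only a single patch letter is compared, which is enough to order releases within the 1.1.1 series.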
For best security practices, use OpenSSL, which is provided in the distribution bundle. For information on setting up certificates, refer to the section, Security for ThingWorx Edge SDK Applications.
The C SDK supports Apache Tomcat default ciphers up to and including Tomcat 8.0.33. Subsequent versions of Tomcat may exclude ciphers that are used in older versions of OpenSSL, which prevents the ThingWorx C SDK from connecting to the server in question (a ThingWorx Platform).
The OpenSSL library supports client authentication for an application that you are developing with the C SDK.
When you generate the make or project files using CMake, remember that the default setting for the flag that indicates whether to use OpenSSL is ON. If you are using your own security implementation, you can set this OpenSSL flag to OFF and the flag for your implementation to ON. Here is an example of enabling a custom implementation and disabling OpenSSL:
Do not use an insecure connection, especially in a production environment.
The first argument for cmake is always the path to the source directory.