diff --git a/config.h.in b/config.h.in
index 17a6549..d60b9c7 100644
--- a/config.h.in
+++ b/config.h.in
@@ -633,6 +633,8 @@
 #undef WITH_EXT2
 #undef WITH_OPENSSL
 #undef WITH_OPENSSL_METHOD
+#undef WITH_WOLFSSL
+#undef OPENSSL_NO_COMP
 #undef WITH_RES_DEPRECATED 	/* AAONLY,PRIMARY */
 #define WITH_STREAMS 1
 #undef WITH_FIPS
diff --git a/configure.ac b/configure.ac
index d788dc1..3d33bc4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -474,108 +474,175 @@ if test -n "$WITH_READLINE"; then
   fi
 fi
 
-AC_MSG_CHECKING(whether to include openssl support)
-AC_ARG_ENABLE(openssl, [  --disable-openssl       disable OpenSSL support],
-  [ case "$enableval" in
-    no) AC_MSG_RESULT(no); WITH_OPENSSL= ;;
-    *) AC_MSG_RESULT(yes); WITH_OPENSSL=1 ;;
-   esac],
-   [ AC_MSG_RESULT(yes);   WITH_OPENSSL=1 ])
-#
-if test -n "$WITH_OPENSSL"; then
-  AC_MSG_NOTICE(checking for components of OpenSSL)
-  # first, we need to find the include file <openssl/ssl.h>
-  AC_CACHE_VAL(sc_cv_have_openssl_ssl_h,
-    [AC_TRY_COMPILE([#include <openssl/ssl.h>],[;],
-      [sc_cv_have_openssl_ssl_h=yes; OPENSSL_ROOT=""; ],
-      [sc_cv_have_openssl_ssl_h=no
-       for D in "/sw" "/usr/local" "/opt/freeware" "/usr/sfw" "/usr/local/ssl"; do
-	I="$D/include"
-	i="$I/openssl/ssl.h"
-	if test -r "$i"; then
-	  #V_INCL="$V_INCL -I$I"
-	  CPPFLAGS="$CPPFLAGS -I$I"
-	  AC_MSG_NOTICE(found $i)
-	  sc_cv_have_openssl_ssl_h=yes; OPENSSL_ROOT="$D"
-	  break;
+AC_MSG_CHECKING(whether to include wolfSSL support)
+WOLFSSL_URL="https://www.wolfssl.com/download/"
+AC_ARG_WITH(wolfssl,
+    [  --with-wolfssl=PATH     PATH to wolfssl install (default /usr/local) ],
+    [
+        if test "x$withval" != "xno"; then
+           if test -d "$withval/lib"; then
+                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+           fi
+           if test -d "$withval/include"; then
+               CPPFLAGS="$CPPFLAGS -I${withval}/include -I${withval}/include/wolfssl"
+           fi
+        fi
+
+        if test "x$withval" == "xyes" ; then
+            LDFLAGS="-L/usr/local/lib $LDFLAGS"
+            CPPFLAGS="-I/usr/local/include -I/usr/local/include/wolfssl $CPPFLAGS"
+        fi
+
+        LIBS="$LIBS -lwolfssl"
+
+        AC_MSG_RESULT([yes])
+
+        AC_DEFINE([WITH_WOLFSSL])
+        AC_DEFINE([WITH_OPENSSL])
+        AC_DEFINE([WITH_OPENSSL_METHOD])
+
+        # Note that we are disabling compression when using wolfSSL.
+        AC_DEFINE([OPENSSL_NO_COMP])
+
+        AC_CHECK_FUNC([wolfTLS_client_method],     [AC_DEFINE([HAVE_TLS_client_method])], [])
+        AC_CHECK_FUNC([wolfTLS_server_method],     [AC_DEFINE([HAVE_TLS_server_method])], [])
+        AC_CHECK_FUNC([wolfSSLv2_client_method],   [AC_DEFINE([HAVE_SSLv2_client_method])], [])
+        AC_CHECK_FUNC([wolfSSLv2_server_method],   [AC_DEFINE([HAVE_SSLv2_server_method])], [])
+        AC_CHECK_FUNC([wolfSSLv3_client_method],   [AC_DEFINE([HAVE_SSLv3_client_method])], [])
+        AC_CHECK_FUNC([wolfSSLv3_server_method],   [AC_DEFINE([HAVE_SSLv3_server_method])], [])
+        AC_CHECK_FUNC([wolfSSLv23_client_method],  [AC_DEFINE([HAVE_SSLv23_client_method])], [])
+        AC_CHECK_FUNC([wolfSSLv23_server_method],  [AC_DEFINE([HAVE_SSLv23_server_method])], [])
+        AC_CHECK_FUNC([wolfTLSv1_client_method],   [AC_DEFINE([HAVE_TLSv1_client_method])], [])
+        AC_CHECK_FUNC([wolfTLSv1_server_method],   [AC_DEFINE([HAVE_TLSv1_server_method])], [])
+        AC_CHECK_FUNC([wolfTLSv1_1_client_method], [AC_DEFINE([HAVE_TLSv1_1_client_method])], [])
+        AC_CHECK_FUNC([wolfTLSv1_1_server_method], [AC_DEFINE([HAVE_TLSv1_1_server_method])], [])
+        AC_CHECK_FUNC([wolfTLSv1_2_client_method], [AC_DEFINE([HAVE_TLSv1_2_client_method])], [])
+        AC_CHECK_FUNC([wolfTLSv1_2_server_method], [AC_DEFINE([HAVE_TLSv1_2_server_method])], [])
+        AC_CHECK_FUNC([wolfDTLSv1_client_method],  [AC_DEFINE([HAVE_DTLSv1_client_method])], [])
+        AC_CHECK_FUNC([wolfDTLSv1_server_method],  [AC_DEFINE([HAVE_DTLSv1_server_method])], [])
+        AC_CHECK_FUNC([wolfSSL_RAND_egd],          [AC_DEFINE([HAVE_RAND_egd])], [])
+        AC_CHECK_FUNC([wolfSSL_DH_set0_pqg],       [AC_DEFINE([HAVE_DH_set0_pqg])], [])
+        AC_CHECK_FUNC([wolfSSL_ASN1_STRING_data],  [AC_DEFINE([HAVE_ASN1_STRING_get0_data])], [])
+        AC_CHECK_FUNC([wolfSSL_RAND_status],       [AC_DEFINE([HAVE_RAND_status])], [])
+
+        AC_MSG_CHECKING(for type WOLFSSL_EC_KEY)
+        AC_TRY_COMPILE([#include <wolfssl/openssl/ec.h>], [EC_KEY *s;], [HAVE_TYPE_EC_KEY=yes], [HAVE_TYPE_EC_KEY=no])
+        if test "$HAVE_TYPE_EC_KEY" = "yes"
+        then
+           AC_DEFINE([HAVE_TYPE_EC_KEY])
+           AC_MSG_RESULT([yes])
+        else
+           AC_MSG_RESULT([no])
+        fi
+    ],
+    [AC_MSG_RESULT([no])]
+)
+
+if test "$WITH_WOLFSSL" = "no"
+then
+	AC_MSG_CHECKING(whether to include openssl support)
+	AC_ARG_ENABLE(openssl, [  --disable-openssl       disable OpenSSL support],
+	  [ case "$enableval" in
+	    no) AC_MSG_RESULT(no); WITH_OPENSSL= ;;
+	    *) AC_MSG_RESULT(yes); WITH_OPENSSL=1 ;;
+	   esac],
+	   [ AC_MSG_RESULT(yes);   WITH_OPENSSL=1 ])
+
+	if test -n "$WITH_OPENSSL"; then
+	  AC_MSG_NOTICE(checking for components of OpenSSL)
+	  # first, we need to find the include file <openssl/ssl.h>
+	  AC_CACHE_VAL(sc_cv_have_openssl_ssl_h,
+	    [AC_TRY_COMPILE([#include <openssl/ssl.h>],[;],
+	      [sc_cv_have_openssl_ssl_h=yes; OPENSSL_ROOT=""; ],
+	      [sc_cv_have_openssl_ssl_h=no
+	       for D in "/sw" "/usr/local" "/opt/freeware" "/usr/sfw" "/usr/local/ssl"; do
+		I="$D/include"
+		i="$I/openssl/ssl.h"
+		if test -r "$i"; then
+		  #V_INCL="$V_INCL -I$I"
+		  CPPFLAGS="$CPPFLAGS -I$I"
+		  AC_MSG_NOTICE(found $i)
+		  sc_cv_have_openssl_ssl_h=yes; OPENSSL_ROOT="$D"
+		  break;
+		fi
+	      done])
+	  ])
+	  if test "$sc_cv_have_openssl_ssl_h" = "yes"; then
+	    AC_DEFINE(HAVE_OPENSSL_SSL_H)
+	  fi
+	  AC_MSG_NOTICE(checked for openssl/ssl.h... $sc_cv_have_openssl_ssl_h)
+	fi	# end checking for openssl/ssl.h
+	#
+	if test -n "$WITH_OPENSSL" -a "$sc_cv_have_openssl_ssl_h" = 'yes'; then
+	  # next, we search for the openssl library (libssl.*)
+	  # interesting: Linux only requires -lssl, FreeBSD requires -lssl -lcrypto
+	  # Note, version OpenSSL 0.9.7j requires -lcrypto even on Linux.
+	  AC_MSG_CHECKING(for libssl)
+	  AC_CACHE_VAL(sc_cv_have_libssl,
+	    [ LIBS0="$LIBS"
+	      if test -n "$OPENSSL_ROOT"; then
+		L="$OPENSSL_ROOT/lib"; LIBS="$LIBS -L$L -lssl"
+	      else
+		LIBS="$LIBS -lssl"
+	      fi
+	      AC_TRY_LINK([#include <openssl/ssl.h>],
+		[SSL_library_init();ERR_error_string()],
+		[sc_cv_have_libssl='yes'],
+		[ LIBS="$LIBS -lcrypto"
+		  AC_TRY_LINK([#include <openssl/ssl.h>],
+		  [SSL_library_init()],
+		  [sc_cv_have_libssl='yes'],
+		  [sc_cv_have_libssl='no'])
+	        ])
+	      if test "$sc_cv_have_libssl" != 'yes'; then
+		LIBS="$LIBS0"
+	      fi
+	    ]
+	  )
+	  if test "$sc_cv_have_libssl" = 'yes'; then
+	    AC_DEFINE(HAVE_LIBSSL)
+	  fi
+	  AC_MSG_RESULT($sc_cv_have_libssl)
+	fi
+	#
+	#    # a possible location for openssl (on Sourceforge/Solaris)
+	#    AC_CHECK_FILE(/usr/local/ssl/lib, LIBS="$LIBS -L/usr/local/ssl/lib/")
+	#    # sometimes on Solaris:
+	#    AC_CHECK_FILE(/pkgs/lib, LIBS="$LIBS -L/pkgs/lib/")
+	#    # for AIX 5.1 with Linux toolbox:
+	#    AC_CHECK_FILE(/opt/freeware/lib, LIBS="$LIBS -L/opt/freeware/lib/")
+	#
+	#    AC_CHECK_LIB(crypto, main)
+	#    AC_CHECK_LIB(ssl, main)
+	#
+	#    # MacOSX has openssl includes in another directory
+	#    if test -d /sw/include/; then
+	#	V_INCL="$V_INCL -I/sw/include"
+	#    # and Solaris at sourceforge here:
+	#    elif test -d /usr/local/ssl/include/; then
+	#	V_INCL="$V_INCL -I/usr/local/ssl/include"
+	#    # and AIX 5.1 with Linux toolbox:
+	#    elif test -d /opt/freeware/include; then
+	#	V_INCL="$V_INCL -I/opt/freeware/include"
+	#    fi
+	#fi
+	if test -n "$WITH_OPENSSL"; then
+	  if test "$sc_cv_have_openssl_ssl_h" = "yes" -a "$sc_cv_have_libssl" = "yes"; then
+	    AC_DEFINE(WITH_OPENSSL)
+	  else
+	    AC_MSG_WARN([not all components of OpenSSL found, disabling it]);
+	  fi
 	fi
-      done])
-  ])
-  if test "$sc_cv_have_openssl_ssl_h" = "yes"; then
-    AC_DEFINE(HAVE_OPENSSL_SSL_H)
-  fi
-  AC_MSG_NOTICE(checked for openssl/ssl.h... $sc_cv_have_openssl_ssl_h)
-fi	# end checking for openssl/ssl.h
-#
-if test -n "$WITH_OPENSSL" -a "$sc_cv_have_openssl_ssl_h" = 'yes'; then
-  # next, we search for the openssl library (libssl.*)
-  # interesting: Linux only requires -lssl, FreeBSD requires -lssl -lcrypto
-  # Note, version OpenSSL 0.9.7j requires -lcrypto even on Linux.
-  AC_MSG_CHECKING(for libssl)
-  AC_CACHE_VAL(sc_cv_have_libssl,
-    [ LIBS0="$LIBS"
-      if test -n "$OPENSSL_ROOT"; then
-	L="$OPENSSL_ROOT/lib"; LIBS="$LIBS -L$L -lssl"
-      else
-	LIBS="$LIBS -lssl"
-      fi
-      AC_TRY_LINK([#include <openssl/ssl.h>],
-	[SSL_library_init();ERR_error_string()],
-	[sc_cv_have_libssl='yes'],
-	[ LIBS="$LIBS -lcrypto"
-	  AC_TRY_LINK([#include <openssl/ssl.h>],
-	  [SSL_library_init()],
-	  [sc_cv_have_libssl='yes'],
-	  [sc_cv_have_libssl='no'])
-        ])
-      if test "$sc_cv_have_libssl" != 'yes'; then
-	LIBS="$LIBS0"
-      fi
-    ]
-  )
-  if test "$sc_cv_have_libssl" = 'yes'; then
-    AC_DEFINE(HAVE_LIBSSL)
-  fi
-  AC_MSG_RESULT($sc_cv_have_libssl)
-fi
-#
-#    # a possible location for openssl (on Sourceforge/Solaris)
-#    AC_CHECK_FILE(/usr/local/ssl/lib, LIBS="$LIBS -L/usr/local/ssl/lib/")
-#    # sometimes on Solaris:
-#    AC_CHECK_FILE(/pkgs/lib, LIBS="$LIBS -L/pkgs/lib/")
-#    # for AIX 5.1 with Linux toolbox:
-#    AC_CHECK_FILE(/opt/freeware/lib, LIBS="$LIBS -L/opt/freeware/lib/")
-#
-#    AC_CHECK_LIB(crypto, main)
-#    AC_CHECK_LIB(ssl, main)
-#
-#    # MacOSX has openssl includes in another directory
-#    if test -d /sw/include/; then
-#	V_INCL="$V_INCL -I/sw/include"
-#    # and Solaris at sourceforge here:
-#    elif test -d /usr/local/ssl/include/; then
-#	V_INCL="$V_INCL -I/usr/local/ssl/include"
-#    # and AIX 5.1 with Linux toolbox:
-#    elif test -d /opt/freeware/include; then
-#	V_INCL="$V_INCL -I/opt/freeware/include"
-#    fi
-#fi
-if test -n "$WITH_OPENSSL"; then
-  if test "$sc_cv_have_openssl_ssl_h" = "yes" -a "$sc_cv_have_libssl" = "yes"; then
-    AC_DEFINE(WITH_OPENSSL)
-  else
-    AC_MSG_WARN([not all components of OpenSSL found, disabling it]);
-  fi
-fi
 
-if test -n "$WITH_OPENSSL"; then
-AC_MSG_CHECKING(whether to include OpenSSL method option)
-AC_ARG_ENABLE(openssl-method, [  --enable-openssl-method       enable OpenSSL method option],
-	      [case "$enableval" in
-	       no) AC_MSG_RESULT(no);;
-	       *) AC_DEFINE(WITH_OPENSSL_METHOD) WITH_OPENSSL_METHOD=1; AC_MSG_RESULT(yes);;
-	       esac],
-	       [AC_MSG_RESULT(no)])
+	if test -n "$WITH_OPENSSL"; then
+	AC_MSG_CHECKING(whether to include OpenSSL method option)
+	AC_ARG_ENABLE(openssl-method, [  --enable-openssl-method       enable OpenSSL method option],
+		      [case "$enableval" in
+		       no) AC_MSG_RESULT(no);;
+		       *) AC_DEFINE(WITH_OPENSSL_METHOD) WITH_OPENSSL_METHOD=1; AC_MSG_RESULT(yes);;
+		       esac],
+		       [AC_MSG_RESULT(no)])
+	fi
 fi
 
 AC_MSG_CHECKING(whether to include deprecated resolver option)
@@ -586,92 +653,95 @@ AC_ARG_ENABLE(res-deprecated, [  --enable-res-deprecated       enable deprecated
 	       esac],
 	       [AC_MSG_RESULT(no)])
 
-# check for fips support
-AC_MSG_CHECKING(whether to include openssl fips support)
-AC_ARG_ENABLE(fips, [  --enable-fips          enable OpenSSL FIPS support],
-  [ case "$enableval" in
-    yes) AC_MSG_RESULT(yes); WITH_FIPS=1 ;;
-    *) AC_MSG_RESULT(no); WITH_FIPS= ;;
-   esac],
-   [ AC_MSG_RESULT(no);   WITH_FIPS= ])
-
-if test -n "$WITH_FIPS"; then
-  if test -n "$WITH_OPENSSL"; then
-    AC_CHECK_PROG(HAVE_FIPSLD, fipsld, 1)
-    if test "$sc_cv_have_openssl_ssl_h" != "yes" -o "$sc_cv_have_libssl" != "yes" -o ! "$HAVE_FIPSLD";
- then
-      AC_MSG_WARN([not all components of OpenSSL found, disabling FIPS]);
-      WITH_FIPS=
-    fi
-  else
-    AC_MSG_WARN([must enable OpenSSL to enable FIPS; use --enable-openssl]);
-  fi
-fi
+if test "$WITH_WOLFSSL" = "no"
+then
+	# check for fips support
+	AC_MSG_CHECKING(whether to include openssl fips support)
+	AC_ARG_ENABLE(fips, [  --enable-fips          enable OpenSSL FIPS support],
+	  [ case "$enableval" in
+	    yes) AC_MSG_RESULT(yes); WITH_FIPS=1 ;;
+	    *) AC_MSG_RESULT(no); WITH_FIPS= ;;
+	   esac],
+	   [ AC_MSG_RESULT(no);   WITH_FIPS= ])
+
+	if test -n "$WITH_FIPS"; then
+	  if test -n "$WITH_OPENSSL"; then
+	    AC_CHECK_PROG(HAVE_FIPSLD, fipsld, 1)
+	    if test "$sc_cv_have_openssl_ssl_h" != "yes" -o "$sc_cv_have_libssl" != "yes" -o ! "$HAVE_FIPSLD";
+	 then
+	      AC_MSG_WARN([not all components of OpenSSL found, disabling FIPS]);
+	      WITH_FIPS=
+	    fi
+	  else
+	    AC_MSG_WARN([must enable OpenSSL to enable FIPS; use --enable-openssl]);
+	  fi
+	fi
 
-if test -n "$WITH_FIPS"; then
-  AC_MSG_CHECKING(for components of OpenSSL FIPS)
-  # first, we need to find the include file <openssl/fips.h>
-  AC_CACHE_VAL(sc_cv_have_openssl_fips_h,
-    [AC_TRY_COMPILE([#define OPENSSL_FIPS
-#include <stddef.h>
-#include <openssl/fips.h>],[;],
-      [sc_cv_have_openssl_fips_h=yes; ],
-      [sv_cv_have_openssl_fips_h=no
-        if test -n "$OPENSSL_ROOT"; then
-          I="$OPENSSL_ROOT/include"
-          i="$I/openssl/fips.h"
-          if test -r "$i"; then
-            AC_MSG_NOTICE(found $i)
-            sc_cv_have_openssl_fips_h=yes;
-          fi
-        fi
-      ]
-    )]
-  )
-  if test "$sv_cv_have_openssl_fips_h" = "yes"; then
-    AC_DEFINE(HAVE_OPENSSL_FIPS_H)
-  fi
-  AC_MSG_NOTICE(checked for openssl/fips.h... $sc_cv_have_openssl_ssl_h)
-fi
+	if test -n "$WITH_FIPS"; then
+	  AC_MSG_CHECKING(for components of OpenSSL FIPS)
+	  # first, we need to find the include file <openssl/fips.h>
+	  AC_CACHE_VAL(sc_cv_have_openssl_fips_h,
+	    [AC_TRY_COMPILE([#define OPENSSL_FIPS
+	#include <stddef.h>
+	#include <openssl/fips.h>],[;],
+	      [sc_cv_have_openssl_fips_h=yes; ],
+	      [sv_cv_have_openssl_fips_h=no
+	        if test -n "$OPENSSL_ROOT"; then
+	          I="$OPENSSL_ROOT/include"
+	          i="$I/openssl/fips.h"
+	          if test -r "$i"; then
+	            AC_MSG_NOTICE(found $i)
+	            sc_cv_have_openssl_fips_h=yes;
+	          fi
+	        fi
+	      ]
+	    )]
+	  )
+	  if test "$sv_cv_have_openssl_fips_h" = "yes"; then
+	    AC_DEFINE(HAVE_OPENSSL_FIPS_H)
+	  fi
+	  AC_MSG_NOTICE(checked for openssl/fips.h... $sc_cv_have_openssl_ssl_h)
+	fi
 
-if test -n "$WITH_FIPS" -a "$sc_cv_have_openssl_fips_h" = 'yes'; then
-  # check for the libcrypto library with fips support
-  AC_MSG_CHECKING(for libcrypto with FIPS support)
-  AC_CACHE_VAL(sc_cv_have_libcrypto,
-    [ LIBS0="$LIBS"
-      echo $LIBS | grep -q "\-lcrypto"
-      if test $? -ne 0; then
-        if test -n "$OPENSSL_ROOT"; then
-          L="$OPENSSL_ROOT/lib"; LIBS="$LIBS -L$L -lcrypto"
-        else
-          LIBS="$LIBS -lcrypto"
-        fi
-      fi
-      AC_TRY_LINK([#define OPENSSL_FIPS
-#include <openssl/ssl.h>
-#include <openssl/fips.h>],
-        [int res = FIPS_mode_set(1);],
-        [sc_cv_have_libcrypto='yes'],
-        [sc_cv_have_libcrypto='no']
-      )
-      if test "$sc_cv_have_libcrypto" != 'yes'; then
-        LIBS="$LIBS0"
-      fi
-    ]
-  )
-  if test "$sc_cv_have_libcrypto" = 'yes'; then
-    AC_DEFINE(HAVE_LIBCRYPTO)
-  fi
-  AC_MSG_RESULT($sc_cv_have_libcrypto)
-fi
+	if test -n "$WITH_FIPS" -a "$sc_cv_have_openssl_fips_h" = 'yes'; then
+	  # check for the libcrypto library with fips support
+	  AC_MSG_CHECKING(for libcrypto with FIPS support)
+	  AC_CACHE_VAL(sc_cv_have_libcrypto,
+	    [ LIBS0="$LIBS"
+	      echo $LIBS | grep -q "\-lcrypto"
+	      if test $? -ne 0; then
+	        if test -n "$OPENSSL_ROOT"; then
+	          L="$OPENSSL_ROOT/lib"; LIBS="$LIBS -L$L -lcrypto"
+	        else
+	          LIBS="$LIBS -lcrypto"
+	        fi
+	      fi
+	      AC_TRY_LINK([#define OPENSSL_FIPS
+	#include <openssl/ssl.h>
+	#include <openssl/fips.h>],
+	        [int res = FIPS_mode_set(1);],
+	        [sc_cv_have_libcrypto='yes'],
+	        [sc_cv_have_libcrypto='no']
+	      )
+	      if test "$sc_cv_have_libcrypto" != 'yes'; then
+	        LIBS="$LIBS0"
+	      fi
+	    ]
+	  )
+	  if test "$sc_cv_have_libcrypto" = 'yes'; then
+	    AC_DEFINE(HAVE_LIBCRYPTO)
+	  fi
+	  AC_MSG_RESULT($sc_cv_have_libcrypto)
+	fi
 
-if test -n "$WITH_FIPS"; then
-  if test "$sc_cv_have_openssl_fips_h" = 'yes' -a "$sc_cv_have_libcrypto" = 'yes'; then
-    AC_DEFINE(WITH_FIPS)
-    AC_DEFINE(OPENSSL_FIPS)
-  else
-    AC_MSG_WARN([not all components of OpenSSL FIPS found, disabling it]);
-  fi
+	if test -n "$WITH_FIPS"; then
+	  if test "$sc_cv_have_openssl_fips_h" = 'yes' -a "$sc_cv_have_libcrypto" = 'yes'; then
+	    AC_DEFINE(WITH_FIPS)
+	    AC_DEFINE(OPENSSL_FIPS)
+	  else
+	    AC_MSG_WARN([not all components of OpenSSL FIPS found, disabling it]);
+	  fi
+	fi
 fi
 
 AC_MSG_CHECKING(whether to include tun/tap address support)
@@ -1437,44 +1507,47 @@ AC_CHECK_FUNC(setenv, AC_DEFINE(HAVE_SETENV),
 dnl Search for unsetenv()
 AC_CHECK_FUNC(unsetenv, AC_DEFINE(HAVE_UNSETENV))
 
-AC_CHECK_FUNC(TLS_client_method, AC_DEFINE(HAVE_TLS_client_method) ac_cv_have_tls_client_method=yes, AC_CHECK_LIB(crypt, TLS_client_method, [LIBS=-lcrypt $LIBS]))
-AC_CHECK_FUNC(TLS_server_method, AC_DEFINE(HAVE_TLS_server_method) ac_cv_have_tls_server_method=yes, AC_CHECK_LIB(crypt, TLS_server_method, [LIBS=-lcrypt $LIBS]))
-if test -n "$WITH_OPENSSL_METHOD" -o -z "$ac_cv_have_tls_client_method" -o -z "$ac_cv_have_tls_server_method" ; then
-dnl Search for SSLv2_client_method, SSLv2_server_method
-AC_CHECK_FUNC(SSLv2_client_method, AC_DEFINE(HAVE_SSLv2_client_method), AC_CHECK_LIB(crypt, SSLv2_client_method, [LIBS=-lcrypt $LIBS]))
-AC_CHECK_FUNC(SSLv2_server_method, AC_DEFINE(HAVE_SSLv2_server_method), AC_CHECK_LIB(crypt, SSLv2_server_method, [LIBS=-lcrypt $LIBS]))
-dnl 
-AC_CHECK_FUNC(SSLv3_client_method, AC_DEFINE(HAVE_SSLv3_client_method), AC_CHECK_LIB(crypt, SSLv3_client_method, [LIBS=-lcrypt $LIBS]))
-AC_CHECK_FUNC(SSLv3_server_method, AC_DEFINE(HAVE_SSLv3_server_method), AC_CHECK_LIB(crypt, SSLv3_server_method, [LIBS=-lcrypt $LIBS]))
-AC_CHECK_FUNC(SSLv23_client_method, AC_DEFINE(HAVE_SSLv23_client_method), AC_CHECK_LIB(crypt, SSLv23_client_method, [LIBS=-lcrypt $LIBS]))
-AC_CHECK_FUNC(SSLv23_server_method, AC_DEFINE(HAVE_SSLv23_server_method), AC_CHECK_LIB(crypt, SSLv23_server_method, [LIBS=-lcrypt $LIBS]))
-AC_CHECK_FUNC(TLSv1_client_method, AC_DEFINE(HAVE_TLSv1_client_method), AC_CHECK_LIB(crypt, TLSv1_client_method, [LIBS=-lcrypt $LIBS]))
-AC_CHECK_FUNC(TLSv1_server_method, AC_DEFINE(HAVE_TLSv1_server_method), AC_CHECK_LIB(crypt, TLSv1_server_method, [LIBS=-lcrypt $LIBS]))
-AC_CHECK_FUNC(TLSv1_1_client_method, AC_DEFINE(HAVE_TLSv1_1_client_method), AC_CHECK_LIB(crypt, TLSv1_1_client_method, [LIBS=-lcrypt $LIBS]))
-AC_CHECK_FUNC(TLSv1_1_server_method, AC_DEFINE(HAVE_TLSv1_1_server_method), AC_CHECK_LIB(crypt, TLSv1_1_server_method, [LIBS=-lcrypt $LIBS]))
-AC_CHECK_FUNC(TLSv1_2_client_method, AC_DEFINE(HAVE_TLSv1_2_client_method), AC_CHECK_LIB(crypt, TLSv1_2_client_method, [LIBS=-lcrypt $LIBS]))
-AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_CHECK_LIB(crypt, TLSv1_2_server_method, [LIBS=-lcrypt $LIBS]))
-AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS]))
-AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS]))
-fi # $WITH_OPENSSL_METHOD
-
-AC_CHECK_FUNC(SSL_CTX_set_default_verify_paths, AC_DEFINE(HAVE_SSL_CTX_set_default_verify_paths))
-AC_CHECK_FUNC(RAND_egd, AC_DEFINE(HAVE_RAND_egd), AC_CHECK_LIB(crypt, RAND_egd, [LIBS=-lcrypt $LIBS]))
-AC_CHECK_FUNC(DH_set0_pqg, AC_DEFINE(HAVE_DH_set0_pqg), AC_CHECK_LIB(crypt, DH_set0_pqg, [LIBS=-lcrypt $LIBS]))
-AC_CHECK_FUNC(ASN1_STRING_get0_data, AC_DEFINE(HAVE_ASN1_STRING_get0_data), AC_CHECK_LIB(crypt, ASN1_STRING_get0_data, [LIBS=-lcrypt $LIBS]))
-AC_CHECK_FUNC(RAND_status, AC_DEFINE(HAVE_RAND_status))
-AC_CHECK_FUNC(SSL_CTX_clear_mode, AC_DEFINE(HAVE_SSL_CTX_clear_mode))
-
-AC_MSG_CHECKING(for type EC_KEY)
-AC_CACHE_VAL(sc_cv_type_EC_TYPE,
-[AC_TRY_COMPILE([#include <openssl/ec.h>
-],[EC_KEY *s;],
-[sc_cv_type_EC_KEY=yes],
-[sc_cv_type_EC_KEY=no])])
-if test $sc_cv_type_EC_KEY = yes; then
-   AC_DEFINE(HAVE_TYPE_EC_KEY)
-fi
-AC_MSG_RESULT($sc_cv_type_EC_KEY)
+if test "$WITH_WOLFSSL" = "no"
+then
+	AC_CHECK_FUNC(TLS_client_method, AC_DEFINE(HAVE_TLS_client_method) ac_cv_have_tls_client_method=yes, AC_CHECK_LIB(crypt, TLS_client_method, [LIBS=-lcrypt $LIBS]))
+	AC_CHECK_FUNC(TLS_server_method, AC_DEFINE(HAVE_TLS_server_method) ac_cv_have_tls_server_method=yes, AC_CHECK_LIB(crypt, TLS_server_method, [LIBS=-lcrypt $LIBS]))
+	if test -n "$WITH_OPENSSL_METHOD" -o -z "$ac_cv_have_tls_client_method" -o -z "$ac_cv_have_tls_server_method" ; then
+	dnl Search for SSLv2_client_method, SSLv2_server_method
+	AC_CHECK_FUNC(SSLv2_client_method, AC_DEFINE(HAVE_SSLv2_client_method), AC_CHECK_LIB(crypt, SSLv2_client_method, [LIBS=-lcrypt $LIBS]))
+	AC_CHECK_FUNC(SSLv2_server_method, AC_DEFINE(HAVE_SSLv2_server_method), AC_CHECK_LIB(crypt, SSLv2_server_method, [LIBS=-lcrypt $LIBS]))
+
+	AC_CHECK_FUNC(SSLv3_client_method, AC_DEFINE(HAVE_SSLv3_client_method), AC_CHECK_LIB(crypt, SSLv3_client_method, [LIBS=-lcrypt $LIBS]))
+	AC_CHECK_FUNC(SSLv3_server_method, AC_DEFINE(HAVE_SSLv3_server_method), AC_CHECK_LIB(crypt, SSLv3_server_method, [LIBS=-lcrypt $LIBS]))
+	AC_CHECK_FUNC(SSLv23_client_method, AC_DEFINE(HAVE_SSLv23_client_method), AC_CHECK_LIB(crypt, SSLv23_client_method, [LIBS=-lcrypt $LIBS]))
+	AC_CHECK_FUNC(SSLv23_server_method, AC_DEFINE(HAVE_SSLv23_server_method), AC_CHECK_LIB(crypt, SSLv23_server_method, [LIBS=-lcrypt $LIBS]))
+	AC_CHECK_FUNC(TLSv1_client_method, AC_DEFINE(HAVE_TLSv1_client_method), AC_CHECK_LIB(crypt, TLSv1_client_method, [LIBS=-lcrypt $LIBS]))
+	AC_CHECK_FUNC(TLSv1_server_method, AC_DEFINE(HAVE_TLSv1_server_method), AC_CHECK_LIB(crypt, TLSv1_server_method, [LIBS=-lcrypt $LIBS]))
+	AC_CHECK_FUNC(TLSv1_1_client_method, AC_DEFINE(HAVE_TLSv1_1_client_method), AC_CHECK_LIB(crypt, TLSv1_1_client_method, [LIBS=-lcrypt $LIBS]))
+	AC_CHECK_FUNC(TLSv1_1_server_method, AC_DEFINE(HAVE_TLSv1_1_server_method), AC_CHECK_LIB(crypt, TLSv1_1_server_method, [LIBS=-lcrypt $LIBS]))
+	AC_CHECK_FUNC(TLSv1_2_client_method, AC_DEFINE(HAVE_TLSv1_2_client_method), AC_CHECK_LIB(crypt, TLSv1_2_client_method, [LIBS=-lcrypt $LIBS]))
+	AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_CHECK_LIB(crypt, TLSv1_2_server_method, [LIBS=-lcrypt $LIBS]))
+	AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS]))
+	AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS]))
+	fi # $WITH_OPENSSL_METHOD
+
+	AC_CHECK_FUNC(SSL_CTX_set_default_verify_paths, AC_DEFINE(HAVE_SSL_CTX_set_default_verify_paths))
+	AC_CHECK_FUNC(RAND_egd, AC_DEFINE(HAVE_RAND_egd), AC_CHECK_LIB(crypt, RAND_egd, [LIBS=-lcrypt $LIBS]))
+	AC_CHECK_FUNC(DH_set0_pqg, AC_DEFINE(HAVE_DH_set0_pqg), AC_CHECK_LIB(crypt, DH_set0_pqg, [LIBS=-lcrypt $LIBS]))
+	AC_CHECK_FUNC(ASN1_STRING_get0_data, AC_DEFINE(HAVE_ASN1_STRING_get0_data), AC_CHECK_LIB(crypt, ASN1_STRING_get0_data, [LIBS=-lcrypt $LIBS]))
+	AC_CHECK_FUNC(RAND_status, AC_DEFINE(HAVE_RAND_status))
+	AC_CHECK_FUNC(SSL_CTX_clear_mode, AC_DEFINE(HAVE_SSL_CTX_clear_mode))
+
+	AC_MSG_CHECKING(for type EC_KEY)
+	AC_CACHE_VAL(sc_cv_type_EC_TYPE,
+	[AC_TRY_COMPILE([#include <openssl/ec.h>
+	],[EC_KEY *s;],
+	[sc_cv_type_EC_KEY=yes],
+	[sc_cv_type_EC_KEY=no])])
+	if test $sc_cv_type_EC_KEY = yes; then
+	   AC_DEFINE(HAVE_TYPE_EC_KEY)
+	fi
+	AC_MSG_RESULT($sc_cv_type_EC_KEY)
+fi
 
 
 dnl Run time checks
@@ -1976,18 +2049,21 @@ if test "$GCC" = yes; then
    CFLAGS="$CFLAGS"
 fi
 
-# FIPS support requires compiling with fipsld.
-# fipsld requires the FIPSLD_CC variable to be set to the original CC.
-# This check must be done after all other checks that require compiling
-# so that fipsld is not used by the configure script itself.
-if test -n "$WITH_FIPS"; then
-  if test "$sc_cv_have_openssl_fips_h" = 'yes' -a "$sc_cv_have_libcrypto" = 'yes'; then
-    FIPSLD_CC=$CC
-    if test "${FIPSLD+set}" != set ; then
-        FIPSLD=fipsld
-    fi
-    CC="FIPSLD_CC=$CC $FIPSLD"
-  fi
+if test "$WITH_WOLFSSL" = "no"
+then
+	# FIPS support requires compiling with fipsld.
+	# fipsld requires the FIPSLD_CC variable to be set to the original CC.
+	# This check must be done after all other checks that require compiling
+	# so that fipsld is not used by the configure script itself.
+	if test -n "$WITH_FIPS"; then
+	  if test "$sc_cv_have_openssl_fips_h" = 'yes' -a "$sc_cv_have_libcrypto" = 'yes'; then
+	    FIPSLD_CC=$CC
+	    if test "${FIPSLD+set}" != set ; then
+	        FIPSLD=fipsld
+	    fi
+	    CC="FIPSLD_CC=$CC $FIPSLD"
+	  fi
+	fi
 fi
 AC_SUBST(FIPSLD_CC)
 
@@ -2018,7 +2094,7 @@ AC_MSG_RESULT($sc_cv_var_environ)
 if test "$BUILD_DATE"; then
   AC_DEFINE_UNQUOTED(BUILD_DATE, ["$BUILD_DATE"])
 else
-  AC_DEFINE(BUILD_DATE, [__DATE__" "__TIME__])
+  AC_DEFINE([BUILD_DATE], [__DATE__" "__TIME__], [])
 fi
 
 AC_OUTPUT(Makefile)
diff --git a/sysincludes.h b/sysincludes.h
index afcedd3..66fb76d 100644
--- a/sysincludes.h
+++ b/sysincludes.h
@@ -181,6 +181,9 @@
 #  endif
 #endif /* WITH_READLINE */
 #if WITH_OPENSSL
+#if WITH_WOLFSSL
+#include <wolfssl/options.h>
+#endif
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
diff --git a/xio-openssl.c b/xio-openssl.c
index 132e8ea..b32959f 100644
--- a/xio-openssl.c
+++ b/xio-openssl.c
@@ -625,9 +625,14 @@ int _xioopen_openssl_listen(struct single *xfd,
 	    Msg(level, "I/O error");	/*!*/
 	    while (err = ERR_get_error()) {
 	       ERR_error_string_n(err, error_string, sizeof(error_string));
-	       Msg4(level, "SSL_accept(): %s / %s / %s / %s", error_string,
-		    ERR_lib_error_string(err), ERR_func_error_string(err),
-		    ERR_reason_error_string(err));
+       #ifdef WITH_WOLFSSL
+          Msg2(level, "SSL_accept(): %s / %s", error_string,
+               ERR_reason_error_string(err));
+       #else
+          Msg4(level, "SSL_accept(): %s / %s / %s / %s", error_string,
+               ERR_lib_error_string(err), ERR_func_error_string(err),
+               ERR_reason_error_string(err));
+       #endif
 	    }
 	    /* Msg1(level, "SSL_accept(): %s", ERR_error_string(e, buf));*/
 	 }
@@ -719,7 +724,12 @@ int
    bool opt_fips = false;
    const SSL_METHOD *method = NULL;
    char *me_str = NULL;	/* method string */
+/* By default, let wolfSSL pick the strongest cipher */
+#ifdef WITH_WOLFSSL
+   char *ci_str = NULL;
+#else
    char *ci_str = "HIGH:-NULL:-PSK:-aNULL";	/* cipher string */
+#endif
    char *opt_key  = NULL;	/* file name of client private key */
    char *opt_dhparam = NULL;	/* file name of DH params */
    char *opt_cafile = NULL;	/* certificate authority file */
@@ -767,6 +777,10 @@ int
    OpenSSL_add_all_digests();
    sycSSL_load_error_strings();
 
+#if defined(WITH_WOLFSSL) && defined(DEBUG_WOLFSSL)
+   wolfSSL_Debugging_ON();
+#endif
+
    /* OpenSSL preparation */
    sycSSL_library_init();
    
@@ -786,7 +800,13 @@ int
 #endif
 #if HAVE_SSLv23_client_method
 	 } else if (!strcasecmp(me_str, "SSL23")) {
+    #if defined(WITH_WOLFSSL) && defined(WOLFSSL_TLS13)
+      /* Can't use sycSSLv23_client_method because wolfSSL will default to
+       * TLS 1.3, which doesn't work with socat." */
+       method = sycTLSv1_2_client_method();
+    #else
 	    method = sycSSLv23_client_method();
+    #endif
 #endif
 #if HAVE_TLSv1_client_method
 	 } else if (!strcasecmp(me_str, "TLS1") || !strcasecmp(me_str, "TLS1.0")) {
@@ -808,9 +828,9 @@ int
 	    Error1("openssl-method=\"%s\": method unknown or not provided by library", me_str);
 	 }
       } else {
-#if   HAVE_TLS_client_method
+#if   HAVE_TLS_client_method && !(defined(WITH_WOLFSSL) && defined(WOLFSSL_TLS13))
 	 method = TLS_client_method();
-#elif HAVE_SSLv23_client_method
+#elif HAVE_SSLv23_client_method && !(defined(WITH_WOLFSSL) && defined(WOLFSSL_TLS13))
 	 method = sycSSLv23_client_method();
 #elif HAVE_TLSv1_2_client_method
 	 method = sycTLSv1_2_client_method();
@@ -840,7 +860,13 @@ int
 #endif
 #if HAVE_SSLv23_server_method
 	 } else if (!strcasecmp(me_str, "SSL23")) {
+    #if defined(WITH_WOLFSSL) && defined(WOLFSSL_TLS13)
+       /* Can't use sycSSLv23_server_method because wolfSSL will default to
+        * TLS 1.3, which doesn't work with socat." */
+       method = sycTLSv1_2_server_method();
+    #else
 	    method = sycSSLv23_server_method();
+    #endif
 #endif
 #if HAVE_TLSv1_server_method
 	 } else if (!strcasecmp(me_str, "TLS1") || !strcasecmp(me_str, "TLS1.0")) {
@@ -862,9 +888,9 @@ int
 	    Error1("openssl-method=\"%s\": method unknown or not provided by library", me_str);
 	 }
       } else {
-#if   HAVE_TLS_server_method
+#if   HAVE_TLS_server_method && !(defined(WITH_WOLFSSL) && defined(WOLFSSL_TLS13))
 	 method = TLS_server_method();
-#elif HAVE_SSLv23_server_method
+#elif HAVE_SSLv23_server_method && !(defined(WITH_WOLFSSL) && defined(WOLFSSL_TLS13))
 	 method = sycSSLv23_server_method();
 #elif HAVE_TLSv1_2_server_method
 	 method = sycTLSv1_2_server_method();
@@ -1140,7 +1166,7 @@ static int openssl_SSL_ERROR_SSL(int level, const char *funcname) {
       Debug1("ERR_get_error(): %lx", e);
       if
 	 (
-#if defined(OPENSSL_IS_BORINGSSL)
+#if defined(OPENSSL_IS_BORINGSSL) || defined(WITH_WOLFSSL)
 	  0  /* BoringSSL's RNG always succeeds. */
 #elif defined(HAVE_RAND_status)
 	  ERR_GET_LIB(e) == ERR_LIB_RAND && RAND_status() != 1
@@ -1568,9 +1594,14 @@ static int xioSSL_connect(struct single *xfd, const char *opt_commonname,
 	    Msg(level, "I/O error");	/*!*/
 	    while (err = ERR_get_error()) {
 	       ERR_error_string_n(err, error_string, sizeof(error_string));
-	       Msg4(level, "SSL_connect(): %s / %s / %s / %s", error_string,
-		    ERR_lib_error_string(err), ERR_func_error_string(err),
-		    ERR_reason_error_string(err));
+       #ifdef WITH_WOLFSSL
+          Msg2(level, "SSL_connect(): %s / %s", error_string,
+               ERR_reason_error_string(err));
+       #else
+          Msg4(level, "SSL_connect(): %s / %s / %s / %s", error_string,
+               ERR_lib_error_string(err), ERR_func_error_string(err),
+               ERR_reason_error_string(err));
+       #endif
 	    }
 	 }
 	 status = STAT_RETRYLATER;
@@ -1628,9 +1659,14 @@ ssize_t xioread_openssl(struct single *pipe, void *buff, size_t bufsiz) {
 	    Error("I/O error");	/*!*/
 	    while (err = ERR_get_error()) {
 	       ERR_error_string_n(err, error_string, sizeof(error_string));
-	       Error4("SSL_read(): %s / %s / %s / %s", error_string,
-		      ERR_lib_error_string(err), ERR_func_error_string(err),
-		      ERR_reason_error_string(err));
+       #ifdef WITH_WOLFSSL
+          Error2("SSL_read(): %s / %s", error_string,
+                 ERR_reason_error_string(err));
+       #else
+          Error4("SSL_read(): %s / %s / %s / %s", error_string,
+                 ERR_lib_error_string(err), ERR_func_error_string(err),
+                 ERR_reason_error_string(err));
+       #endif
 	    }
 	 }
 	 break;
@@ -1687,9 +1723,14 @@ ssize_t xiowrite_openssl(struct single *pipe, const void *buff, size_t bufsiz) {
 	    Error("I/O error");	/*!*/
 	    while (err = ERR_get_error()) {
 	       ERR_error_string_n(err, error_string, sizeof(error_string));
-	       Error4("SSL_write(): %s / %s / %s / %s", error_string,
-		      ERR_lib_error_string(err), ERR_func_error_string(err),
-		      ERR_reason_error_string(err));
+       #ifdef WITH_WOLFSSL
+          Error2("SSL_write(): %s / %s", error_string,
+                 ERR_reason_error_string(err));
+       #else
+          Error4("SSL_write(): %s / %s / %s / %s", error_string,
+                 ERR_lib_error_string(err), ERR_func_error_string(err),
+                 ERR_reason_error_string(err));
+       #endif
 	    }
 	 }
 	 break;