EthernetClientSecure
EthernetClientSecure is a lightweight library designed to enable TLS/SSL-secured Ethernet communication on ESP32-based systems.
Espressif - ESP32
x 1
WIZnet - W5500
x 1
Project Introduction
EthernetClientSecure is a lightweight library designed to enable TLS/SSL-secured Ethernet communication on ESP32-based systems.
It combines Ethernet3 and SSLClient to provide a secure client interface for Ethernet applications, allowing developers to build encrypted connections with server authentication and optional mutual TLS support.
What makes this project especially interesting is that it does not primarily rely on the ESP32’s native lwIP software networking path.
Instead, it is built on top of the W5500 Ethernet controller’s hardware socket architecture, using the transport capabilities already implemented inside the W5500 chip and then adding TLS on top through SSLClient.
Key Characteristics
Communication Stack: ESP32 → SPI → W5500
When the application calls EthernetClientSecure, SSLClient handles TLS encryption on the ESP32 CPU, then passes the encrypted data to Ethernet3, which translates it into W5500 socket commands over SPI. The W5500 then processes TCP/IP entirely in hardware and drives the physical Ethernet link — so the ESP32 only deals with TLS, and the W5500 handles everything below it.
Why TOE Ethernet over WiFi
Although the ESP32 has built-in WiFi, this project uses the WIZnet W5500 as the network controller for the following reasons.
Stability Wired Ethernet is unaffected by channel interference or AP congestion, making it more reliable for long-lived MQTT or HTTPS sessions in IoT and industrial environments.
CPU headroom ESP32's WiFi runs a software TCP/IP stack (lwIP) that consumes CPU cycles. The W5500 offloads TCP/IP to hardware, freeing the ESP32 to focus on TLS processing and application logic.
Deterministic timing A software stack is subject to RTOS scheduling variability. The W5500 processes socket commands in hardware, providing consistent response timing regardless of CPU load.
Arduino-native driver with Ethernet3 Ethernet3 is a W5500 driver built on the Arduino ecosystem. It implements the Arduino Client interface, allowing it to integrate directly with SSLClient as the transport layer without any additional glue code.
Why Ethernet3
SSLClient requires a transport layer that implements the Arduino Client interface so it can wrap it with TLS. Ethernet3 does exactly that — its EthernetClient fully inherits from the Arduino Client base class, which means it can be passed directly into SSLClient without any adapter. This is what allows the entire secure stack to be composed cleanly from two existing libraries.
What is SSLClient
SSLClient is an Arduino TLS wrapper library by OPEnSLab-OSU, built on top of BearSSL. It adds TLS/SSL to any transport layer that implements the Arduino Client interface, handling the TLS handshake, certificate validation via Trust Anchors, and optionally mutual TLS (mTLS) with a client certificate and private key.
WiFi or Ethernet — Which Does SSLClient Support
Both. Since SSLClient wraps any Client-compatible transport, it works equally with EthernetClient (Ethernet3) and WiFiClient. That said, ESP32 already provides a built-in WiFiClientSecure for WiFi, so SSLClient is most useful where no native secure client exists — such as W5500-based wired Ethernet, which is exactly the gap this project fills.
// Ethernet 조합
EthernetClient ethClient;
SSLClient secureClient(ðClient, TAs, TAs_NUM, A5);
// WiFi 조합 — 똑같이 동작
WiFiClient wifiClient;
SSLClient secureClient(&wifiClient, TAs, TAs_NUM, A5);
Ethernet3
Ethernet3 is an Arduino Ethernet library for the W5500, designed to provide an easy-to-use, high-level networking interface for embedded applications. It simplifies TCP, UDP, DHCP, and socket-based communication while leveraging the W5500’s hardware TCP/IP engine.
| Item | Ethernet3 + SSLClient | ioLibrary / Bare-metal W5500 |
|---|---|---|
| Networking base | W5500 hardware socket-based TCP/IP | W5500 hardware socket-based TCP/IP |
| Software abstraction | High-level Arduino-style API | Low-level socket and driver API |
| Ease of use | Easy to use in Arduino applications | Requires more low-level integration work |
| TLS support | Straightforward with SSLClient | Not directly provided in Arduino Client form |
| Best fit | Rapid application development | Platform porting and low-level embedded development |
| Flexibility | Simpler but more opinionated | More flexible and hardware-oriented |
What is EthernetClientSecure?
EthernetClientSecure is a secure Ethernet client library for Arduino and ESP32 that adds TLS/SSL support over Ethernet connections. It wraps SSLClient and EthernetClient to provide certificate validation and optional mutual TLS (mTLS) support in a simple embedded-friendly interface.
Does EthernetClientSecure use ESP32 lwIP for Ethernet communication?
EthernetClientSecure is designed around EthernetClient and SSLClient, not around the ESP32’s native lwIP-based Ethernet stack. In this project structure, Ethernet transport is handled through the underlying Ethernet client layer, while TLS is added by SSLClient on top. This makes the library especially suitable for W5500-based hardware socket Ethernet designs rather than a native lwIP-centered software networking path.
How does EthernetClientSecure work?
EthernetClientSecure works by combining an Ethernet transport client with a TLS layer.
The lower layer manages Ethernet communication, and SSLClient adds secure TLS functionality, including server certificate verification and optional client authentication. This allows embedded developers to build secure Ethernet applications without implementing a separate TLS stack from scratch.
