Comparison of TLS implementations


The Transport Layer Security (TLS) protocol secures communications across or inside networks. This comparison covers several of the most notable TLS libraries, many of which are free and open-source software.


All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.

Overview

Implementation | Developed by | Open source | Software license | Copyright holder | Written in | Latest stable version, release date | Origin
Botan | Jack Lloyd | Yes | Simplified BSD License | Jack Lloyd | C++ | 3.5.0 (July 8, 2024) [1] | US (Vermont)
BoringSSL | Google | Yes | OpenSSL-SSLeay dual-license, ISC license | Eric Young, Tim Hudson, Sun, OpenSSL project, Google, and others | C, C++, Go, assembly | Not applicable (no versioned releases) | Australia/EU
Bouncy Castle | The Legion of the Bouncy Castle Inc. | Yes | MIT License | Legion of the Bouncy Castle Inc. | Java, C# | Java 1.77 (November 13, 2023) [2]; Java LTS BC-LJA 2.73.5 (March 1, 2024) [3]; Java FIPS BC-FJA 1.0.2.4 (September 28, 2023) [4]; C# 2.3.0 (February 5, 2024) [5]; C# FIPS BC-FNA 1.0.2 (February 28, 2023) [6] | Australia
BSAFE | Dell, formerly RSA Security | No | Proprietary | Dell | Java, C, assembly | SSL-J 6.6 (July 2, 2024) [7]; SSL-J 7.3.1 (October 7, 2024) [8]; Micro Edition Suite 4.6.2 (May 2, 2023) [9]; Micro Edition Suite 5.0.2.1 (September 18, 2023) [10] | Australia
cryptlib | Peter Gutmann | Yes | Sleepycat License and commercial license | Peter Gutmann | C | 3.4.5 (2019) [11] | NZ
GnuTLS | GnuTLS project | Yes | LGPL-2.1-or-later | Free Software Foundation | C | 3.8.5 (April 4, 2024) [12] | EU (Greece and Sweden)
Java Secure Socket Extension (JSSE) | Oracle | Yes | GNU GPLv2 and commercial license | Oracle | Java | 23.0.1 [13], 21.0.5 LTS [14], 17.0.13 LTS [15], 11.0.25 LTS [16], 8u431 LTS [17] (all October 15, 2024) | US
LibreSSL | OpenBSD Project | Yes | Apache-1.0, BSD-4-Clause, ISC, and public domain | Eric Young, Tim Hudson, Sun, OpenSSL project, OpenBSD Project, and others | C, assembly | 4.0.0 (October 14, 2024) [18] | Canada
MatrixSSL [19] | PeerSec Networks | Yes | GNU GPLv2+ and commercial license | PeerSec Networks | C | 4.2.2 (September 11, 2019) [20] | US
Mbed TLS (previously PolarSSL) | Arm | Yes | Apache License 2.0, GNU GPLv2+ and commercial license | Arm Holdings | C | 3.6.2 (October 15, 2024) [21] | EU (Netherlands)
Network Security Services (NSS) | Mozilla, AOL, Red Hat, Sun, Oracle, Google and others | Yes | MPL 2.0 | NSS contributors | C, assembly | Standard 3.84 (October 12, 2022) [22]; Extended Support Release 3.79.1 (August 18, 2022) [22] | US
OpenSSL | OpenSSL project | Yes | Apache-2.0 [note 1] | Eric Young, Tim Hudson, Sun, OpenSSL project, and others | C, assembly | 3.4.0 (October 22, 2024) [23] | Australia/EU
Rustls | Joe Birr-Pixton, Dirkjan Ochtman, Daniel McCarney, Josh Aas, and open source contributors | Yes | Apache-2.0, MIT License and ISC | Open source contributors | Rust | v0.23.12 (July 23, 2024) [24] | United Kingdom
s2n | Amazon | Yes | Apache License 2.0 | Amazon.com, Inc. | C | Continuous | US
Schannel | Microsoft | No | Proprietary | Microsoft Corporation | | Windows 11 (October 5, 2021) | US
Secure Transport | Apple Inc. | Yes | APSL 2.0 | Apple Inc. | | 57337.20.44 (OS X 10.11.2, December 8, 2015) | US
wolfSSL (previously CyaSSL) | wolfSSL [25] | Yes | GNU GPLv2+ and commercial license | wolfSSL Inc. [26] | C, assembly | 5.6.4 (October 30, 2023) [27] | US
Erlang/OTP SSL application | Ericsson | Yes | Apache License 2.0 | Ericsson | Erlang | OTP-21 (June 19, 2018) | Sweden

Notes
  1. Apache-2.0 for OpenSSL 3.0 and later releases; OpenSSL-SSLeay dual-license for any release before OpenSSL 3.0.

TLS/SSL protocol version support

Several versions of the TLS protocol exist. SSL 2.0 is a deprecated [28] protocol version with significant weaknesses. SSL 3.0 (1996) and TLS 1.0 (1999) are its successors; both carry two weaknesses in their CBC mode, the padding-oracle side channel described by Serge Vaudenay in 2002 [29] and the use of the previous record's last ciphertext block as the next record's IV. TLS 1.1 (2006) fixed only the second, by switching to explicit random initialization vectors (IVs) for CBC block ciphers; the more fundamental problem, that the record layer applies MAC-then-pad-then-encrypt rather than encrypt-then-MAC, was only addressed in 2014 by the Encrypt-then-MAC extension of RFC 7366. [30] A workaround for SSL 3.0 and TLS 1.0, roughly equivalent to the random IVs of TLS 1.1 (splitting each record so that its first fragment carries a single byte), was widely adopted by implementations in late 2011 in response to the BEAST attack. [31] In 2014 the POODLE vulnerability in SSL 3.0 was published; it exploits the known CBC weaknesses together with the insecure version-fallback negotiation that browsers used at the time. [32]

TLS 1.2 (2008) introduced the signature_algorithms extension, a way to negotiate the hash used for digital signatures. While this permits stronger hash functions (rsa with sha256, sha384 or sha512) than the conservative SSL 3.0 and TLS 1.0/1.1 construction (rsa over the concatenation of md5 and sha1), the change inadvertently and substantially weakened the default: a TLS 1.2 signature may use (rsa,sha1) alone, and the protocol even permits (rsa,md5). [33]

Datagram Transport Layer Security (DTLS or Datagram TLS) 1.0 is a modification of TLS 1.1 for packet-oriented transports, where packet loss and reordering must be tolerated. DTLS 1.2, based on TLS 1.2, was published in January 2012. [34]

TLS 1.3 (2018), specified in RFC 8446, includes major optimizations and security improvements. QUIC (2021, RFC 9000) and DTLS 1.3 (2022, RFC 9147) both build on the TLS 1.3 handshake. RFC 8446 and RFC 9147 formally obsolete the TLS 1.2 and DTLS 1.2 specifications, although TLS 1.2 remains widely deployed and is still permitted by current guidance.

Note that there are known vulnerabilities in SSL 2.0 and SSL 3.0. In 2021 the IETF published RFC 8996, which also forbids negotiation of TLS 1.0, TLS 1.1 and DTLS 1.0 because of known vulnerabilities. NIST SP 800-52 Rev. 2 requires US federal servers to support TLS 1.3 by January 2024. Because a client and a server that both support TLS 1.3 negotiate it, two compliant nodes never negotiate TLS 1.2 with each other unless one of them is misconfigured; TLS 1.3 also carries downgrade protection (a server that supports TLS 1.3 but falls back to TLS 1.2 places a sentinel value in its ServerHello random), so an active downgrade to TLS 1.2 is detected by a TLS 1.3 client.
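The following is an added example, not code from this page or from any library it lists. It uses Python's standard ssl module (an OpenSSL binding) to build a client context of the permissive kind RFC 8996 forbids beside one that satisfies RFC 8996 and SP 800-52, and an audit function that inspects a context for the properties the tables below track: the protocol floor, TLS-level compression, certificate verification, and cipher suites without forward secrecy or with obsolete algorithms. The marker list and finding texts are this example's own; nothing here opens a network connection.

```python
"""Added example (not from the page or any library it lists): configure and
audit a client SSLContext with Python's stdlib ssl module, an OpenSSL binding.
Nothing here opens a connection; it inspects what the context would offer."""
import ssl

# Name fragments that mark the suites the tables flag as insecure or obsolete:
# export grade, RC4, DES/3DES, NULL encryption and MD5 MACs.
WEAK_CIPHER_MARKERS = ("EXP", "RC4", "DES", "NULL", "MD5")


def legacy_context() -> ssl.SSLContext:
    """The permissive setup RFC 8996 forbids, as still found in old deployments."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # No explicit floor: accept whatever the linked OpenSSL build still allows.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL")            # static RSA, 3DES, anonymous suites if built in
    # Python sets OP_NO_COMPRESSION by default; clear it to re-enable TLS compression.
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_COMPRESSION)
    ctx.check_hostname = False        # the classic "works in dev" shortcut
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """TLS 1.2 or later only, forward-secret AEAD suites, verification on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED and hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0/1.1 are never offered
    # TLS 1.2 suite list: ECDHE key exchange with AES-GCM or ChaCha20-Poly1305;
    # the TLS 1.3 suites are governed separately and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION                    # CRIME
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)   # absent on old OpenSSL
    ctx.load_default_certs()
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor is {ctx.minimum_version.name}: "
                        "TLS 1.1 or lower may be negotiated (RFC 8996)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS-level compression not disabled (CRIME)")
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("peer certificate or hostname is not verified")
    for cipher in ctx.get_ciphers():          # every suite the context would offer
        name = cipher["name"]
        if cipher["kea"] == "kx-rsa":
            findings.append(f"{name}: static RSA key exchange, no forward secrecy")
        elif cipher["auth"] == "auth-null":
            findings.append(f"{name}: anonymous key exchange, no server authentication")
        elif any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"{name}: obsolete cipher or MAC")
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(label, audit(ctx) or ["no findings"])
```

Running the script prints findings for the legacy context (no version floor, compression permitted, no verification, static-RSA suites) and none for the hardened one. The cipher audit reads the list OpenSSL actually compiled in, so the same check also reveals when a distribution build has stripped or re-enabled an algorithm behind the application's back.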

Implementation | SSL 2.0 (insecure) [35] | SSL 3.0 (insecure) [36] | TLS 1.0 (deprecated) [37] | TLS 1.1 (deprecated) [38] | TLS 1.2 [39] | TLS 1.3 | DTLS 1.0 (deprecated) [40] | DTLS 1.2 [34] | DTLS 1.3
Botan | No | No [41] | No | No | Yes | Yes | No | Yes | No
BoringSSL | No | No | Yes | Yes | Yes | Yes | Yes | Yes | No
Bouncy Castle | No | No | Yes | Yes | Yes | Yes (draft version) | Yes | Yes | No
BSAFE SSL-J [42] | No | Disabled by default | No [note 1] | No [note 1] | Yes | Yes | No | No | No
cryptlib | No | Disabled by default at compile time | Yes | Yes | Yes | No | No | No | No
GnuTLS | No [note 2] | Disabled by default [43] | Yes | Yes | Yes | Yes [44] | Yes | Yes | No
JSSE | No [note 2] | Disabled by default [45] | Disabled by default [46] | Disabled by default [46] | Yes | Yes | Yes | Yes | No
LibreSSL | No [47] | No [48] | Yes | Yes | Yes | Yes | Yes | Yes [49] | No
MatrixSSL | No | Disabled by default at compile time [50] | Yes | Yes | Yes | Yes | Yes | Yes | No
Mbed TLS | No | No [51] | No [51] | No [51] | Yes | Yes (experimental) | Yes [52] | Yes [52] | No
NSS | No [note 3] | Disabled by default [53] | Yes | Yes [54] | Yes [55] | Yes [56] | Yes [54] | Yes [57] | No
OpenSSL | No [58] | Disabled by default | Yes | Yes [59] | Yes [59] | Yes | Yes | Yes [60] | No
Rustls | No [61] | No [61] | No [61] | No [61] | Yes [61] | Yes [61] | No | No | No
s2n [62] | No | Disabled by default | Yes | Yes | Yes | Yes | No | No | No
Schannel XP, 2003 [63] | Disabled by default in MSIE 7 | Enabled by default | Enabled by default in MSIE 7 | No | No | No | No | No | No
Schannel Vista [64] | Disabled by default | Enabled by default | Yes | No | No | No | No | No | No
Schannel 2008 [64] | Disabled by default | Enabled by default | Yes | Disabled by default (KB4019276) | Disabled by default (KB4019276) | No | No | No | No
Schannel 7, 2008R2 [65] | Disabled by default | Disabled by default in MSIE 11 | Yes | Enabled by default in MSIE 11 | Enabled by default in MSIE 11 | No | Yes [66] | No [66] | No
Schannel 8, 2012 [65] | Disabled by default | Enabled by default | Yes | Disabled by default | Disabled by default | No | Yes | No | No
Schannel 8.1, 2012R2, 10 RTM & v1511 [65] | Disabled by default | Disabled by default in MSIE 11 | Yes | Yes | Yes | No | Yes | No | No
Schannel 10 v1607 / 2016 [67] | No | Disabled by default | Yes | Yes | Yes | No | Yes | Yes | No
Schannel 11 / 2022 [68] | No | Disabled by default | Yes | Yes | Yes | Yes | Yes | Yes | No
Secure Transport OS X 10.2-10.7, iOS 1-4 | Yes | Yes | Yes | No | No | No | No | No | No
Secure Transport OS X 10.8-10.10, iOS 5-8 | No [note 4] | Yes | Yes | Yes [note 4] | Yes [note 4] | No | Yes [note 4] | No | No
Secure Transport OS X 10.11, iOS 9 | No | No [note 4] | Yes | Yes | Yes | No | Yes | Unknown | No
Secure Transport OS X 10.13, iOS 11 | No | No [note 4] | Yes | Yes | Yes | Yes (draft version) [69] | Yes | Unknown | No
wolfSSL | No | Disabled by default [70] | Disabled by default [71] | Yes | Yes | Yes | Yes | Yes | Yes
Erlang/OTP SSL application [72] | No [note 5] | No [note 6] | Disabled by default [note 5] | Disabled by default [note 5] | Yes | Partially [note 7] | Disabled by default [note 5] | Yes | No

Notes
  1. As of SSL-J 7.0, support for TLS 1.0 and 1.1 has been removed.
  2. An SSL 2.0-format client hello is accepted for backward compatibility even though SSL 2.0 itself is not supported.
  3. The server-side implementation still accepts v2-compatible client hello messages. "NSS 3.24 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2016-08-26. Retrieved 2016-06-19.
  4. Secure Transport: SSL 2.0 was discontinued in OS X 10.8. SSL 3.0 was discontinued in OS X 10.11 and iOS 9. TLS 1.1, TLS 1.2 and DTLS are available on iOS 5.0 and later, and OS X 10.9 and later. "Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
  5. Since OTP 22.
  6. Since OTP 23.
  7. "Erlang OTP SSL application TLS 1.3 compliance table".

NSA Suite B Cryptography

NSA Suite B Cryptography, as profiled for TLS 1.2 in RFC 6460, combines ECDHE key exchange with ECDSA signatures on the NIST P-256 and P-384 curves, SHA-256 and SHA-384, and AES in GCM mode (the cipher suites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384).

Per CNSSP-15, the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information. Suite B has since been superseded by the Commercial National Security Algorithm Suite (CNSA), and RFC 8423 (2018) reclassified the Suite B RFCs, RFC 6460 among them, as Historic; the table records TLS 1.2 Suite B capability as the implementations documented it.

Implementation | TLS 1.2 Suite B
Botan | Yes
Bouncy Castle | Yes
BSAFE | Yes [42]
cryptlib | Yes
GnuTLS | Yes
JSSE | Yes [73]
LibreSSL | Yes
MatrixSSL | Yes
Mbed TLS | Yes
NSS | No [74]
OpenSSL | Yes [60]
Rustls | Yes [61]
s2n |
Schannel | Yes [75]
Secure Transport | No
wolfSSL | Yes

Certifications

Note that certain certifications have drawn serious criticism from people directly involved in obtaining them. [76]

Implementation | Validated cryptographic modules (FIPS 140-1 and FIPS 140-2 [77] at Level 1 or Level 2; FIPS 140-3 at Level 1) | Embedded FIPS Solution
Botan [78] | |
Bouncy Castle | BC-FJA 1.0.0 (#2768); BC-FJA 1.0.1 (#3152) |
BSAFE SSL-J [79] | Crypto-J 6.0 (#1785, #1786); Crypto-J 6.1 / 6.1.1.0.1 (#2057, #2058); Crypto-J 6.2 / 6.2.1.1 (#2468, #2469); Crypto-J 6.2.4 (#3172, #3184); Crypto-J 6.2.5 (#3819, #3820); Crypto-J 6.3 (#4696, #4697) |
cryptlib [80] | |
GnuTLS [81] | Red Hat Enterprise Linux GnuTLS Cryptographic Module (#2780) |
JSSE | |
LibreSSL [47] | no support |
MatrixSSL [82] | SafeZone FIPS Cryptographic Module: 1.1 (#2389) |
Mbed TLS [83] | |
NSS [84] | Level 1: Network Security Services: 3.2.2 (#247); Network Security Services Cryptographic Module: 3.11.4 (#815), 3.12.4 (#1278), 3.12.9.1 (#1837). Level 2: Netscape Security Module: 1 (#7 [note 1]), 1.01 (#47 [note 2]); Network Security Services: 3.2.2 (#248 [note 3]); Network Security Services Cryptographic Module: 3.11.4 (#814 [note 4]), 3.12.4 (#1279, #1280 [note 5]) |
OpenSSL [85] | OpenSSL FIPS Object Module: 1.0 (#624), 1.1.1 (#733), 1.1.2 (#918), 1.2, 1.2.1, 1.2.2, 1.2.3 or 1.2.4 (#1051); 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7 or 2.0.8 (#1747) |
Rustls | aws-lc FIPS module [86] (#4759) |
Schannel [87] | Cryptographic modules in Windows NT 4.0, 95, 2000, XP, Server 2003, CE 5, CE 6, Mobile 6.x, Vista, Server 2008, 7, Server 2008 R2, 8, Server 2012, RT, Surface, Phone 8 (see Microsoft FIPS 140 Validated Cryptographic Modules for details) |
Secure Transport | Apple FIPS Cryptographic Module: 1.0 (OS X 10.6, #1514), 1.1 (OS X 10.7, #1701); Apple OS X CoreCrypto Module and CoreCrypto Kernel Module: 3.0 (OS X 10.8, #1964, #1956), 4.0 (OS X 10.9, #2015, #2016); Apple iOS CoreCrypto Module and CoreCrypto Kernel Module: 3.0 (iOS 6, #1963, #1944), 4.0 (iOS 7, #2020, #2021) |
wolfSSL [88] | wolfCrypt FIPS Module: 4.0 (#3389), 3.6.0 (#2425) (see the NIST certificates for validated operating environments); wolfCrypt FIPS Module (#4178) (see the NIST certificate) | Yes

Notes
  1. With Sun SPARC 5 running Sun Solaris v2.4SE (ITSEC-rated).
  2. With Sun Ultra-5 running Sun Trusted Solaris version 2.5.1 (ITSEC-rated).
  3. With Solaris v8.0 with AdminSuite 3.0.1 as specified in UK IT SEC CC Report No. P148 EAL4 on a Sun SPARC Ultra-1.
  4. With these platforms: Red Hat Enterprise Linux Version 4 Update 1 AS on IBM xSeries 336 with Intel Xeon CPU; Trusted Solaris 8 4/01 on Sun Blade 2500 Workstation with UltraSPARC IIIi CPU.
  5. With these platforms: Red Hat Enterprise Linux v5 running on an IBM System x3550; Red Hat Enterprise Linux v5 running on an HP ProLiant DL145; Sun Solaris 10 5/08 running on a Sun SunBlade 2000 workstation; Sun Solaris 10 5/08 running on a Sun W2100z workstation.

Key exchange algorithms (certificate-only)

This section lists the key-exchange algorithms in which the server is authenticated by its certificate. The DHE and ECDHE variants provide forward secrecy; static RSA and static (EC)DH key exchange do not, and the RSA-EXPORT suites use deliberately weakened keys of at most 512 bits. TLS 1.3 removed static RSA and static DH key exchange altogether.

Implementation | RSA [39] | RSA-EXPORT (insecure) [39] | DHE-RSA (forward secrecy) [39] | DHE-DSS (forward secrecy) [39] | ECDH-ECDSA [89] | ECDHE-ECDSA (forward secrecy) [89] | ECDH-RSA [89] | ECDHE-RSA (forward secrecy) [89] | GOST R 34.10-94, 34.10-2001 [90]
Botan | Disabled by default | No | Yes | Disabled by default | No | Yes | No | Yes | No
BSAFE | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No
cryptlib | Yes | No | Yes | Yes | No | Yes | No | No | No
GnuTLS | Yes | No | Yes | Disabled by default [43] | No | Yes | No | Yes | No
JSSE | Yes | Disabled by default | Yes | Yes | Yes | Yes | Yes | Yes | No
LibreSSL | Yes | No [47] | Yes | Yes | No | Yes | No | Yes | Yes [91]
MatrixSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No
Mbed TLS | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No
NSS | Yes | Disabled by default | Yes [92] | Yes | Yes | Yes | Yes | Yes | No [93] [94]
OpenSSL | Yes | No [58] | Yes | Disabled by default [58] | No | Yes | No | Yes | Yes [95]
Rustls | No | No | No | No | No | Yes [61] | No | Yes [61] | No
Schannel XP/2003 | Yes | Yes | No | XP: max 1024 bits; 2003: 1024 bits only | No | No | No | No | No [96]
Schannel Vista/2008 | Yes | Disabled by default | No | 1024 bits by default [97] | No | Yes | No | Yes, except AES_GCM | No [96]
Schannel 8/2012 | Yes | Disabled by default | AES_GCM only [98] [99] [100] | 1024 bits by default [97] | No | Yes | No | Yes, except AES_GCM | No [96]
Schannel 7/2008R2, 8.1/2012R2 | Yes | Disabled by default | Yes | 2048 bits by default [97] | No | Yes | No | Yes, except AES_GCM | No [96]
Schannel 10 | Yes | Disabled by default | Yes | 2048 bits by default [97] | No | Yes | No | Yes | No [96]
Secure Transport OS X 10.6 | Yes | Yes | Yes, except AES_GCM | Yes | Yes | Yes, except AES_GCM | Yes | Yes, except AES_GCM | No
Secure Transport OS X 10.8-10.10 | Yes | No | Yes, except AES_GCM | No | Yes | Yes, except AES_GCM | Yes | Yes, except AES_GCM | No
Secure Transport OS X 10.11 | Yes | No | Yes | No | No | Yes | No | Yes | No
wolfSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No
Erlang/OTP SSL application | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No

Key exchange algorithms (alternative key-exchanges)

Implementation | SRP [101] | SRP-DSS [101] | SRP-RSA [101] | PSK-RSA [102] | PSK [102] | DHE-PSK (forward secrecy) [102] | ECDHE-PSK (forward secrecy) [103] | KRB5 [104] | DH-ANON (insecure) [39] | ECDH-ANON (insecure) [89]
Botan | No | No | No | No | Yes | No | Yes | No | No | No
BSAFE SSL-J | No | No | No | No | Yes [105] | No | No | No | Disabled by default | Disabled by default
cryptlib | No | No | No | No | Yes | Yes | No | Unknown | No | No
GnuTLS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Disabled by default | Disabled by default
JSSE | No | No | No | No | No | No | No | No | Disabled by default | Disabled by default
LibreSSL | No [106] | No [106] | No [106] | No | No | No | No | No | Yes | Yes
MatrixSSL | No | No | No | Yes | Yes | Yes | No | No | Disabled by default | No
Mbed TLS | No | No | No | Yes | Yes | Yes | Yes | No | No | No
NSS | No [107] | No [107] | No [107] | No [108] | No [108] | No [108] | No [108] | No | Client side only, disabled by default [109] | Disabled by default [110]
OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes [111] | Disabled by default [112] | Disabled by default [112]
Rustls | No | No | No | No | No | No | No | No | No | No
Schannel | No | No | No | No | No | No | No | Yes | No | No
Secure Transport | No | No | No | No | No | No | No | Unknown | Yes | Yes
wolfSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes [113] | Yes | No | No
Erlang/OTP SSL application | Disabled by default | Disabled by default | Disabled by default | Disabled by default | Disabled by default | Disabled by default | No | No | Disabled by default | Disabled by default

Certificate verification methods

Implementation | Application-defined | PKIX path validation [114] | CRL [115] | OCSP [116] | DANE (DNSSEC) [117] [118] | Trust on First Use (TOFU) | CT [119]
Botan | Yes | Yes | Yes | Yes | No | No | Unknown
Bouncy Castle | Yes | Yes | Yes | Yes | Yes | No | Unknown
BSAFE | Yes | Yes | Yes | Yes | No | No | Unknown
cryptlib | Yes | Yes | Yes | Yes | No | No | Unknown
GnuTLS | Yes | Yes | Yes | Yes | Yes | Yes | Unknown
JSSE | Yes | Yes | Yes | Yes | No | No | No
LibreSSL | Yes | Yes | Yes | Yes | No | No | Unknown
MatrixSSL | Yes | Yes | Yes | Yes [120] | No | No | Unknown
Mbed TLS | Yes | Yes | Yes | No [121] | No | No | Unknown
NSS | Yes | Yes | Yes | Yes | No [122] | No | Unknown
OpenSSL | Yes | Yes | Yes | Yes | Yes | No | Yes
Rustls | Yes | Yes | Yes | No | No | No | No
s2n | No [123] | Unknown [124] | Unknown [125] | | | |
Schannel | Unknown | Yes | Yes [126] | Yes [126] | No | No | Unknown
Secure Transport | Yes | Yes | Yes | Yes | No | No | Unknown
wolfSSL | Yes | Yes | Yes | Yes | No | No | Unknown
Erlang/OTP SSL application | Yes | Yes | Yes | No | No | No | Unknown

Encryption algorithms

Block ciphers with their mode of operation, the ChaCha20-Poly1305 stream cipher, and the null cipher:

Implementation | AES GCM [127] | AES CCM [128] | AES CBC | Camellia GCM [129] | Camellia CBC [130] [129] | ARIA GCM [131] | ARIA CBC [131] | SEED CBC [132] | 3DES EDE CBC (insecure) [133] | GOST 28147-89 CNT (proposed) [90] [note 1] | ChaCha20-Poly1305 [134] | Null (insecure) [note 2]
Botan | Yes | Yes | Yes | Yes | Yes | No | No | Disabled by default | Disabled by default | No | Yes [135] | Not implemented
BoringSSL | Yes | No | Yes | No | No | No | No | No | Yes | No | Yes | No
BSAFE SSL-J | Yes | Yes | Yes | No | No | No | No | No | Disabled by default | No | No | Disabled by default
cryptlib | Yes | No | Yes | No | No | No | No | No | Yes | No | No | Not implemented
GnuTLS | Yes | Yes [43] | Yes | Yes | Yes | No | No | No | Disabled by default [136] | No | Yes [137] | Disabled by default
JSSE | Yes | No | Yes | No | No | No | No | No | Disabled by default [138] | No | Yes (JDK 12+) [139] | Disabled by default
LibreSSL | Yes [47] | No | Yes | No | Yes [91] | No | No | No [47] | Yes | Yes [91] | Yes [47] | Disabled by default
MatrixSSL | Yes | No | Yes | No | No | No | No | Yes | Disabled by default | No | Yes [140] | Disabled by default
Mbed TLS | Yes | Yes [141] | Yes | Yes | Yes | Yes [142] | Yes [142] | No | No [51] | No | Yes [143] | Disabled by default at compile time
NSS | Yes [144] | No | Yes | No [145] [note 3] | Yes [146] | No | No | Yes [147] | Yes | No [93] [94] | Yes [148] | Disabled by default
OpenSSL | Yes [149] | Disabled by default [58] | Yes | No | Disabled by default [58] | Disabled by default [150] | No | Disabled by default [58] | Disabled by default [58] | Yes [95] | Yes [58] | Disabled by default
Rustls | Yes [61] | No | No | No | No | No | No | No | No | No | Yes [61] | Not implemented
Schannel XP/2003 | No | No | 2003 only [151] | No | No | No | No | No | Yes | No [96] | No | Disabled by default
Schannel Vista/2008, 2008R2, 2012 | No | No | Yes | No | No | No | No | No | Yes | No [96] | No | Disabled by default
Schannel 7, 8, 8.1/2012R2 | Yes, except ECDHE_RSA [98] [99] | No | Yes | No | No | No | No | No | Yes | No [96] | No | Disabled by default
Schannel 10 [152] | Yes | No | Yes | No | No | No | No | No | Yes | No [96] | No | Disabled by default
Secure Transport OS X 10.6-10.10 | No | No | Yes | No | No | No | No | No | Yes | No | No | Disabled by default
Secure Transport OS X 10.11 | Yes | No | Yes | No | No | No | No | No | Yes | No | No | Disabled by default
wolfSSL | Yes | Yes | Yes | No | No | No | No | No | Yes | No | Yes | Disabled by default
Erlang/OTP SSL application | Yes | No | Yes | No | No | No | No | No | Disabled by default | No | Experimental | Disabled by default

Notes
  1. This algorithm is not yet defined as a TLS cipher suite in any RFC; it is proposed in drafts.
  2. Authentication only, no encryption.
  3. This algorithm is implemented in an NSS fork used by Pale Moon.

Obsolete algorithms

Implementation | IDEA CBC (insecure) [note 1] [154] | DES CBC (insecure) [note 1] | DES-40 CBC (EXPORT, insecure) [note 2] | RC2-40 CBC (EXPORT, insecure) [note 2] | RC4-128 (insecure) [note 3] | RC4-40 (EXPORT, insecure) [note 4] [note 2]
Botan | No | No | No | No | No [155] | No
BoringSSL | No | No | No | No | Disabled by default at compile time | No
BSAFE SSL-J | No | Disabled by default | Disabled by default | No | Disabled by default | Disabled by default
cryptlib | No | Disabled by default at compile time | No | No | Disabled by default at compile time | No
GnuTLS | No | No | No | No | Disabled by default [43] | No
JSSE | No | Disabled by default | Disabled by default | No | Disabled by default | Disabled by default [156]
LibreSSL | Yes | Yes | No [47] | No [47] | Yes | No [47]
MatrixSSL | Yes | No | No | No | Disabled by default | No
Mbed TLS | No | Disabled by default at compile time | No | No | Disabled by default at compile time [52] | No
NSS | Yes | Disabled by default | Disabled by default | Disabled by default | Lowest priority [157] [158] | Disabled by default
OpenSSL | Disabled by default [58] | Disabled by default | No [58] | No [58] | Disabled by default | No [58]
Rustls | No | No | No | No | No | No
Schannel XP/2003 | No | Yes | Yes | Yes | Yes | Yes
Schannel Vista/2008 | No | Disabled by default | Disabled by default | Disabled by default | Yes | Disabled by default
Schannel 7/2008R2 | No | Disabled by default | Disabled by default | Disabled by default | Lowest priority, will be disabled soon [159] | Disabled by default
Schannel 8/2012 | No | Disabled by default | Disabled by default | Disabled by default | Only as fallback | Disabled by default
Schannel 8.1/2012R2 | No | Disabled by default | Disabled by default | Disabled by default | Disabled by default [159] | Disabled by default
Schannel 10 [152] | No | Disabled by default | Disabled by default | Disabled by default | Disabled by default [159] | Disabled by default
Secure Transport OS X 10.6 | Yes | Yes | Yes | Yes | Yes | Yes
Secure Transport OS X 10.7 | Yes | Unknown | Unknown | Unknown | Yes | Unknown
Secure Transport OS X 10.8-10.9 | Yes | Disabled by default | Disabled by default | Disabled by default | Yes | Disabled by default
Secure Transport OS X 10.10-10.11 | Yes | Disabled by default | Disabled by default | Disabled by default | Lowest priority | Disabled by default
Secure Transport macOS 10.12 | Yes | Disabled by default | Disabled by default | Disabled by default | Disabled by default | Disabled by default
wolfSSL | Disabled by default [160] | No | No | No | Disabled by default | No
Erlang/OTP SSL application | No | Disabled by default | No | No | Disabled by default | No

Notes
  1. IDEA and DES have been removed from TLS 1.2. [153]
  2. 40-bit cipher suites were designed to operate at reduced key lengths in order to comply with US regulations on the export of cryptographic software containing certain strong encryption algorithms (see Export of cryptography from the United States). These weak suites are forbidden in TLS 1.1 and later.
  3. The RC4 attacks weaken or break RC4 as used in SSL/TLS. Use of RC4 is prohibited by RFC 7465.
  4. The RC4 attacks weaken or break RC4 as used in SSL/TLS.

Supported elliptic curves

This section lists the supported elliptic curves by each implementation.

Defined curves in RFC 8446 (for TLS 1.3) and RFC 8422 and RFC 7027 (for TLS 1.2 and earlier). Applicable TLS version: the NIST curves, X25519 and X448 apply to TLS 1.3 and earlier; the brainpool curves to TLS 1.2 and earlier.

Implementation | secp256r1 / prime256v1 / NIST P-256 (0x0017 [161], 23 [162]) | secp384r1 / NIST P-384 (0x0018 [161], 24 [162]) | secp521r1 / NIST P-521 (0x0019 [161], 25 [162]) | X25519 (0x001D [161], 29 [162]) | X448 (0x001E [161], 30 [162]) | brainpoolP256r1 (26) [163] | brainpoolP384r1 (27) [163] | brainpoolP512r1 (28) [163]
Botan | Yes | Yes | Yes | Yes [135] | No | Yes [164] | Yes [164] | Yes [164]
BoringSSL | Yes | Yes | Yes (disabled by default) | Yes | No | No | No | No
BSAFE | Yes | Yes | Yes | No | No | No | No | No
GnuTLS | Yes | Yes | Yes | Yes [165] | Yes [166] | No | No | No
JSSE | Yes | Yes | Yes | Yes (X25519: JDK 13+ [167]; Ed25519: JDK 15+ [168]) | Yes (X448: JDK 13+ [167]; Ed448: JDK 15+ [168]) | No | No | No
LibreSSL | Yes | Yes | Yes | Yes [169] | No | Yes [47] | Yes [47] | Yes [47]
MatrixSSL | Yes | Yes | Yes | TLS 1.3 only [170] | No | Yes | Yes | Yes
Mbed TLS | Yes | Yes | Yes | Primitive only [171] | Primitive only [172] | Yes [173] | Yes [173] | Yes [173]
NSS | Yes | Yes | Yes | Yes [174] | No [175] [176] | No [177] | No [177] | No [177]
OpenSSL | Yes | Yes | Yes | Yes [178] [179] | Yes [180] [181] | Yes [60] | Yes [60] | Yes [60]
Rustls | Yes | Yes | No | Yes | No | No | No | No
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | Yes | Yes | Yes | No | No | No | No | No
Secure Transport | Yes | Yes | Yes | No | No | No | No | No
wolfSSL | Yes | Yes | Yes | Yes [182] | Yes [183] | Yes | Yes | Yes
Erlang/OTP SSL application | Yes | Yes | Yes | No | No | Yes | Yes | Yes

Proposed curves

Implementation | M221 / Curve2213 [184] | E222 [184] | Curve1174 [184] | E382 [184] | M383 [184] | Curve383187 [184] | Curve41417 / Curve3617 [184] | M511 / Curve511187 [184] | E521 [184]
Botan | No | No | No | No | No | No | No | No | No
BoringSSL | No | No | No | No | No | No | No | No | No
BSAFE | No | No | No | No | No | No | No | No | No
GnuTLS | No | No | No | No | No | No | No | No | No
JSSE | No | No | No | No | No | No | No | No | No
LibreSSL | No | No | No | No | No | No | No | No | No
MatrixSSL | No | No | No | No | No | No | No | No | No
Mbed TLS | No | No | No | No | No | No | No | No | No
NSS | No | No | No | No | No | No | No | No | No
OpenSSL | No | No | No | No | No | No | No | No | No
Rustls | No | No | No | No | No | No | No | No | No
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | No | No | No | No | No | No | No | No | No
Secure Transport | No | No | No | No | No | No | No | No | No
wolfSSL | No | No | No | No | No | No | No | No | No
Erlang/OTP SSL application | No | No | No | No | No | No | No | No | No

Deprecated curves in RFC 8422

Characteristic-2 (binary) curves:

Implementation | sect163k1 / NIST K-163 (1) [89] | sect163r1 (2) [89] | sect163r2 / NIST B-163 (3) [89] | sect193r1 (4) [89] | sect193r2 (5) [89] | sect233k1 / NIST K-233 (6) [89] | sect233r1 / NIST B-233 (7) [89] | sect239k1 (8) [89] | sect283k1 / NIST K-283 (9) [89] | sect283r1 / NIST B-283 (10) [89] | sect409k1 / NIST K-409 (11) [89] | sect409r1 / NIST B-409 (12) [89] | sect571k1 / NIST K-571 (13) [89] | sect571r1 / NIST B-571 (14) [89]
Botan | No | No | No | No | No | No | No | No | No | No | No | No | No | No
BoringSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No
BSAFE | Yes | No | Yes | No | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes
GnuTLS | No | No | No | No | No | No | No | No | No | No | No | No | No | No
JSSE | See notes 1 and 2 (all columns)
LibreSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
MatrixSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No
Mbed TLS | No | No | No | No | No | No | No | No | No | No | No | No | No | No
NSS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Rustls | No | No | No | No | No | No | No | No | No | No | No | No | No | No
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | No | No | No | No | No | No | No | No | No | No | No | No | No | No
Secure Transport | No | No | No | No | No | No | No | No | No | No | No | No | No | No
wolfSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No
Erlang/OTP SSL application | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes

Prime curves below 256 bits, secp256k1, and the arbitrary-curve indicators:

Implementation | secp160k1 (15) [89] | secp160r1 (16) [89] | secp160r2 (17) [89] | secp192k1 (18) [89] | secp192r1 / prime192v1 / NIST P-192 (19) [89] | secp224k1 (20) [89] | secp224r1 / NIST P-224 (21) [89] | secp256k1 (22) [89] | arbitrary prime curves (0xFF01) [89] [187] | arbitrary char2 curves (0xFF02) [89] [187]
Botan | No | No | No | No | No | No | No | No | No | No
BoringSSL | No | No | No | No | No | No | Yes | No | No | No
BSAFE | No | No | No | No | Yes | No | Yes | No | No | No
GnuTLS | No | No | No | No | Yes | No | Yes | No | No | No
JSSE | See notes 1 and 2 | See notes 1 and 2 | See notes 1 and 2 | See notes 1 and 2 | See notes 1 and 2 | See notes 1 and 2 | See notes 1 and 2 | See notes 1 and 2 | No | No
LibreSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No
MatrixSSL | No | No | No | No | Yes | No | Yes | No | No | No
Mbed TLS | No | No | No | Yes | Yes | Yes | Yes | Yes | No | No
NSS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No
OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No
Rustls | No | No | No | No | No | No | No | No | No | No
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | No | No | No | No | No | No | No | No | No | No
Secure Transport | No | No | No | No | Yes | No | No | No | No | No
wolfSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No
Erlang/OTP SSL application | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No

Notes
  1. These elliptic curves were "Disabled by Default" in current JDK families as part of JDK-8236730. [185]
  2. These elliptic curves were subsequently removed in JDK 16+ as part of JDK-8252601. [186]

Data integrity

Implementation | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA256/384 | AEAD | GOST 28147-89 IMIT [90] | GOST R 34.11-94 [90]
Botan | No | Yes | Yes | Yes | No | No
BSAFE | Yes | Yes | Yes | Yes | No | No
cryptlib | Yes | Yes | Yes | Yes | No | No
GnuTLS | Yes | Yes | Yes | Yes | No | No
JSSE | Disabled by default | Yes | Yes | Yes | No | No
LibreSSL | Yes | Yes | Yes | Yes | Yes [91] | Yes [91]
MatrixSSL | Yes | Yes | Yes | Yes | No | No
Mbed TLS | Yes | Yes | Yes | Yes | No | No
NSS | Yes | Yes | Yes | Yes | No [93] [94] | No [93] [94]
OpenSSL | Yes | Yes | Yes | Yes | Yes [95] | Yes [95]
Rustls | No | No | No | Yes | No | No
Schannel XP/2003, Vista/2008 | Yes | Yes | XP SP3, 2003 SP2 via hotfix [188] | No | No [96] | No [96]
Schannel 7/2008R2, 8/2012, 8.1/2012R2 | Yes | Yes | Yes | Yes, except ECDHE_RSA [98] [99] [100] | No [96] | No [96]
Schannel 10 | Yes | Yes | Yes | Yes [152] | No [96] | No [96]
Secure Transport | Yes | Yes | Yes | Yes | No | No
wolfSSL | Yes | Yes | Yes | Yes | No | No
Erlang/OTP SSL application | Yes | Yes | Yes | Yes | No | No

Compression

Note that the CRIME attack exploits TLS-level compression, so conservative implementations do not enable compression at the TLS layer, and RFC 8446 removed it from TLS 1.3 entirely. HTTP compression is unrelated and unaffected by CRIME, but is exploited by the related BREACH attack, which has to be mitigated at the application layer.
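The following is an added example, not code from this page or from any library it lists; it models the CRIME length side channel with zlib on a constructed HTTP request. The secret cookie value, the host and the request layout are all made up here, and Z_FIXED (static Huffman tables) is used so that the LZ77 match length is the only thing that changes between guesses; the real attack faced the noisier dynamic tables and repeated its measurements.

```python
"""Added example, not from the page or any project it lists: the CRIME length
side channel, modelled with zlib on a constructed HTTP request. A TLS-level
DEFLATE compressor sees the secret Cookie header and the attacker-controlled
path in the same stream, so the compressed size leaks how much of the secret
the attacker's guess already shares."""
import zlib

SECRET = b"c0ffee"               # constructed session token; only the oracle reads it
ALPHABET = b"0123456789abcdef"   # the attacker only assumes the token is hex


def compressed_size(attacker_path: bytes) -> int:
    """Oracle: the compressed record size, which an on-path attacker observes."""
    request = (b"GET /?" + attacker_path + b" HTTP/1.1\r\n"
               b"Host: 127.0.0.1\r\n"
               b"Cookie: sessionid=" + SECRET + b"; lang=en\r\n\r\n")
    # Z_FIXED (static Huffman tables) keeps per-symbol costs constant so the
    # LZ77 match length is the only variable; CRIME handled the noise of the
    # dynamic tables used in practice by repeating and averaging measurements.
    z = zlib.compressobj(9, zlib.DEFLATED, zlib.MAX_WBITS, 9, zlib.Z_FIXED)
    return len(z.compress(request) + z.flush())


def score(known: bytes, guess: int) -> int:
    """Sum the oracle over 8 paddings: one more matched byte saves 7 or 8 bits,
    which only shows in the byte count at some alignments, so sweep them all."""
    total = 0
    for k in range(8):
        pad = bytes(range(0x90, 0x90 + k))   # distinct bytes >= 0x90 cost 9 bits each as literals
        total += compressed_size(b"sessionid=" + known + bytes([guess]) + pad)
    return total


def recover(length: int) -> bytes:
    """Byte-by-byte recovery: the guess that compresses smallest extends the match."""
    known = b""
    for _ in range(length):
        known += bytes([min(ALPHABET, key=lambda g: score(known, g))])
    return known


if __name__ == "__main__":
    print(recover(len(SECRET)))     # prints b'c0ffee' without ever reading SECRET directly
```

The attacker here needs only the ability to make the victim send requests with a chosen path and to observe ciphertext lengths; with 16 candidates and 8 alignments per position, the six-character token falls to 768 requests. Disabling compression removes the correlation between plaintext content and ciphertext length that the whole attack rests on.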

Implementation | DEFLATE (insecure) [189]
Botan | No
BSAFE [42] | No
cryptlib | No
GnuTLS | Disabled by default
JSSE | No
LibreSSL | No [47]
MatrixSSL | Disabled by default
Mbed TLS | Disabled by default
NSS | Disabled by default
OpenSSL | Disabled by default
Rustls | No
Schannel | No
Secure Transport | No
wolfSSL | Disabled by default
Erlang/OTP SSL application | No

Extensions

In this section the extensions each implementation supports are listed. Note that the Secure Renegotiation extension (RFC 5746) is critical for HTTPS client security: without it, a client cannot tell whether the server it is talking to is vulnerable to the 2009 renegotiation prefix-injection attack, in which a man-in-the-middle splices a request of its own in front of the client's. TLS clients that do not implement the extension are exposed regardless of whether the client itself ever initiates renegotiation.
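The following is an added example, not code from this page or from any library it lists. It decodes a TLS ClientHello with a bounds-checked parser and checks it against the properties the surrounding sections track: the versions offered (the protocol-version section and RFC 8996), static RSA, anonymous and export key exchange (the key-exchange sections), RC4, 3DES and NULL (the obsolete-algorithm table), TLS-level compression (the compression section), and the RFC 5746 secure-renegotiation signal discussed above. The two sample hellos are constructed here; the cipher-suite and extension numbers are the IANA-registered values.

```python
"""Added example, not from the page or any project it lists: decode a TLS ClientHello
and check it against the properties the tables track. Both sample hellos are
constructed here; the suite and extension numbers are the IANA-registered ones."""
import struct

SCSV_RENEGOTIATION = 0x00FF      # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
SCSV_FALLBACK = 0x5600           # TLS_FALLBACK_SCSV (RFC 7507)
EXT_RENEGOTIATION_INFO = 0xFF01  # renegotiation_info (RFC 5746)
EXT_SUPPORTED_VERSIONS = 0x002B  # supported_versions (RFC 8446)
TLS12, TLS13 = 0x0303, 0x0304
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}
# (name, key exchange, record cipher) for the suites the samples use
SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "rsa-export", "rc4-40"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "rsa", "rc4"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "rsa", "3des"),
    0x0018: ("TLS_DH_anon_WITH_RC4_128_MD5", "anon", "rc4"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "rsa", "aes-cbc"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ecdhe", "aes-gcm"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ecdhe", "aes-gcm"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "tls13", "aes-gcm"),
}
OBSOLETE_CIPHERS = {"null", "rc4", "rc4-40", "3des"}


def build_client_hello(version, suites, compression, extensions):
    """Serialize a ClientHello handshake message (RFC 5246 section 7.4.1.2), no record header."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # zero random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(compression)]) + bytes(compression)
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Decode the fields the audit needs, rejecting truncated or oversized input."""
    if len(msg) < 4 or msg[0] != 0x01: raise ValueError("not a ClientHello handshake message")
    body, pos = msg[4:], 0
    if len(body) != int.from_bytes(msg[1:4], "big"): raise ValueError("handshake length mismatch")

    def take(n):                      # bounds-checked cursor over the body
        nonlocal pos
        if pos + n > len(body): raise ValueError("field runs past the end of the ClientHello")
        pos += n
        return body[pos - n:pos]

    version = struct.unpack("!H", take(2))[0]
    take(32)                          # random
    take(take(1)[0])                  # session id
    raw_suites = take(struct.unpack("!H", take(2))[0])
    if len(raw_suites) % 2: raise ValueError("odd cipher_suites length")
    suites = [s for (s,) in struct.iter_unpack("!H", raw_suites)]
    compression = list(take(take(1)[0]))
    extensions = {}
    if pos < len(body):               # the extensions block is optional
        ext, epos = take(struct.unpack("!H", take(2))[0]), 0
        while epos + 4 <= len(ext):
            etype, elen = struct.unpack_from("!HH", ext, epos)
            extensions[etype] = ext[epos + 4:epos + 4 + elen]
            epos += 4 + elen
        if epos != len(ext): raise ValueError("malformed extensions block")
    if pos != len(body): raise ValueError("trailing bytes after the ClientHello")
    return {"version": version, "suites": suites, "compression": compression, "extensions": extensions}


def audit_client_hello(hello):
    """Return findings for anything the comparison tables mark insecure or deprecated."""
    findings = []
    sv = hello["extensions"].get(EXT_SUPPORTED_VERSIONS)
    if sv and sv[0] == len(sv) - 1 and sv[0] % 2 == 0:
        offered = [v for (v,) in struct.iter_unpack("!H", sv[1:])]
    else:                             # pre-1.3 client: only its ceiling is visible on the wire
        offered = [hello["version"]]
        findings.append("no supported_versions extension: the version floor is not visible")
    findings += [f"offers {VERSIONS.get(v, hex(v))}, forbidden by RFC 8996" for v in offered if v < TLS12]
    if TLS13 not in offered:
        findings.append("does not offer TLS 1.3 (NIST SP 800-52 Rev. 2)")
    for s in hello["suites"]:
        if s in (SCSV_RENEGOTIATION, SCSV_FALLBACK):
            continue                  # signalling values, not real suites
        name, kx, cipher = SUITES.get(s, (f"suite 0x{s:04X}", "unknown", "unknown"))
        if kx in ("rsa", "rsa-export"):
            findings.append(f"{name}: static RSA key exchange, no forward secrecy")
        if kx == "anon":
            findings.append(f"{name}: anonymous key exchange, no server authentication")
        if cipher in OBSOLETE_CIPHERS or kx == "rsa-export":
            findings.append(f"{name}: obsolete or export-grade cipher")
    if any(m != 0 for m in hello["compression"]):
        findings.append("offers TLS-level compression (CRIME)")
    if SCSV_RENEGOTIATION not in hello["suites"] and EXT_RENEGOTIATION_INFO not in hello["extensions"]:
        findings.append("no RFC 5746 secure renegotiation signal")
    return findings


# Constructed samples: a 2000s-era browser hello and a current TLS 1.3-capable one.
LEGACY_HELLO = build_client_hello(0x0301, [0x002F, 0x000A, 0x0005, 0x0003, 0x0018], [1, 0], [])
MODERN_HELLO = build_client_hello(TLS12, [0x1301, 0xC02B, 0xC02F, SCSV_RENEGOTIATION], [0],
                                  [(EXT_SUPPORTED_VERSIONS, b"\x04\x03\x04\x03\x03")])
```

`audit_client_hello(parse_client_hello(LEGACY_HELLO))` lists the TLS 1.0 ceiling, the DEFLATE compression method, the missing renegotiation signal and every static-RSA, anonymous and RC4/3DES/export suite, while the modern hello returns an empty list. The parser refuses a truncated message rather than reading past it, which is the behaviour to insist on in any code that handles handshake bytes from the network.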

| Implementation | Secure Renegotiation [190] | Server Name Indication [191] | ALPN [192] | Certificate Status Request [191] | OpenPGP [193] | Supplemental Data [194] | Session Ticket [195] | Keying Material Exporter [196] | Maximum Fragment Length [191] | Truncated HMAC [191] | Encrypt-then-MAC [30] | TLS Fallback SCSV [197] | Extended Master Secret [198] | ClientHello Padding [199] | Raw Public Keys [200] |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Botan | Yes | Yes | Yes [201] | No | No | No | Yes | Yes | Yes | No | Yes | Yes [202] | Yes [203] | No | Unknown |
| BSAFE SSL-J | Yes | Yes | No | Yes | No | No | No | No | Yes | No | No | No | Yes | No | No |
| cryptlib | Yes | Yes | No | No | No | Yes | No | No | No [204] | No | Yes | Yes | Yes | No | Unknown |
| GnuTLS | Yes | Yes | Yes [205] | Yes | No [206] | Yes | Yes | Yes | Yes | No | Yes [43] | Yes [207] | Yes [43] | Yes [208] | Yes [209] |
| JSSE | Yes | Yes [73] | Yes [73] | Yes | No | No | Yes | No | Yes | No | No | No | Yes | No | No |
| LibreSSL | Yes | Yes | Yes [210] | Yes | No | No? | Yes | Yes? | No | No | No | Server side only [211] | No | Yes | No |
| MatrixSSL | Yes | Yes | Yes [212] | Yes [140] | No | No | Yes | No | Yes | Yes | No | Yes [140] | Yes [140] | No | Unknown |
| Mbed TLS | Yes | Yes | Yes [213] | No | No | No | Yes | No | Yes | Disabled by default [52] | Yes [214] | Yes [214] | Yes [214] | No | No |
| NSS | Yes | Yes | Yes [215] | Yes | No [216] | No | Yes | Yes | No | No | No [217] | Yes [218] | Yes [219] | Yes [215] | Unknown |
| OpenSSL | Yes | Yes | Yes [60] | Yes | No | No? | Yes | Yes | Yes | No | Yes | Yes [220] | Yes [58] | Yes [221] | Yes [222] |
| Rustls | Yes | Yes | Yes | Yes | No | No | Yes | Yes | No | No | No | No [223] | Yes | No | Unknown |
| Schannel XP/2003 | No | No | No | No | No | Yes | No | No | No | No | No | No | No | No | Unknown |
| Schannel Vista/2008 | Yes | Yes | No | No | No | Yes | No | No | No | No | No | No | Yes [224] | No | Unknown |
| Schannel 7/2008R2 | Yes | Yes | No | Yes | No | Yes | No | No | No | No | No | No | Yes [224] | No | Unknown |
| Schannel 8/2012 | Yes | Yes | No | Yes | No | Yes | Client side only [225] | No | No | No | No | No | Yes [224] | No | Unknown |
| Schannel 8.1/2012R2, 10 | Yes | Yes | Yes | Yes | No | Yes | Yes [225] | No | No | No | No | No | Yes [224] | No | Unknown |
| Secure Transport | Yes | Yes | Unknown | No | No | Yes | No | No | No | No | No | No | No | No | Unknown |
| wolfSSL | Yes | Yes | Yes [160] | Yes | No | No | Yes | No | Yes | Yes | Yes [226] | No | Yes | No | Yes [227] |
| Erlang/OTP SSL application | Yes | Yes | Yes | No | No | No | No | No | No | No | No | Yes | No | No | Unknown |
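To make the Compression and Extensions columns concrete, here is an added example (not code from this page or from any of the libraries compared) that parses a TLS ClientHello record and reports the compression methods and extensions the client advertises, plus the two cipher-suite values that carry Secure Renegotiation and TLS Fallback SCSV signalling. The ClientHello bytes are constructed inside the file; the extension code points are the IANA-registered ones. A defender can run the same parser over a captured ClientHello to see whether a client still offers DEFLATE or never sends renegotiation_info.

```python
"""Parse a TLS ClientHello and report compression, extensions and SCSV signals.
Added example; the ClientHello bytes are constructed below, not captured."""
import struct

# IANA TLS ExtensionType code points for the extensions in the table above.
# Keying Material Exporter and Supplemental Data are not ClientHello extensions;
# Fallback SCSV and the empty renegotiation_info SCSV travel as cipher suites.
EXTENSION_NAMES = {
    0x0000: "server_name (SNI)",
    0x0001: "max_fragment_length",
    0x0005: "status_request (Certificate Status Request)",
    0x0009: "cert_type (OpenPGP)",
    0x0010: "application_layer_protocol_negotiation (ALPN)",
    0x0014: "server_certificate_type (Raw Public Keys)",
    0x0015: "padding (ClientHello Padding)",
    0x0016: "encrypt_then_mac",
    0x0017: "extended_master_secret",
    0x0023: "session_ticket",
    0xFF01: "renegotiation_info (Secure Renegotiation)",
}
COMPRESSION_NAMES = {0x00: "null", 0x01: "DEFLATE"}
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF
TLS_FALLBACK_SCSV = 0x5600


def sni_extension(hostname):
    """server_name extension: a ServerNameList with one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return 0x0000, struct.pack("!H", len(entry)) + entry


def alpn_extension(protocols):
    """ALPN extension: a ProtocolNameList of length-prefixed names."""
    names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in protocols)
    return 0x0010, struct.pack("!H", len(names)) + names


def build_client_hello(cipher_suites, compression_methods, extensions):
    """Serialize a minimal TLS 1.2 ClientHello record (constructed test data)."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + bytes(32)              # client_version 1.2; zero random (test data only)
            + b"\x00"                             # empty session_id
            + struct.pack("!H", 2 * len(cipher_suites))
            + b"".join(struct.pack("!H", cs) for cs in cipher_suites)
            + bytes([len(compression_methods)]) + bytes(compression_methods)
            + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def _take(buf, pos, n):
    """Slice n bytes at pos, refusing to read past the end of the message."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n]


def parse_client_hello(record):
    """Parse one ClientHello record into the parameters the client advertises."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = _take(record, 5, struct.unpack("!H", record[3:5])[0])
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = _take(hs, 4, int.from_bytes(hs[1:4], "big"))
    version = tuple(_take(body, 0, 2))
    pos = 2 + 32 + 1 + _take(body, 34, 1)[0]     # skip client_version, random, session_id
    cs_len = struct.unpack("!H", _take(body, pos, 2))[0]; pos += 2
    suites = [struct.unpack("!H", _take(body, pos + i, 2))[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    cm_len = _take(body, pos, 1)[0]; pos += 1
    methods = list(_take(body, pos, cm_len)); pos += cm_len
    extensions = []
    if pos < len(body):                          # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", _take(body, pos, 2))[0]; pos += 2
        if end != len(body):
            raise ValueError("extensions length does not match ClientHello length")
        while pos < end:
            etype, elen = struct.unpack("!HH", _take(body, pos, 4)); pos += 4
            extensions.append((etype, _take(body, pos, elen))); pos += elen
    return {"version": version, "cipher_suites": suites,
            "compression_methods": methods, "extensions": extensions}


def assess(hello):
    """Summarize what the Compression and Extensions tables above track."""
    ext_types = [t for t, _ in hello["extensions"]]
    return {
        "offers_tls_compression": any(m != 0x00 for m in hello["compression_methods"]),
        "compression_methods": [COMPRESSION_NAMES.get(m, "unknown(%#04x)" % m)
                                for m in hello["compression_methods"]],
        "secure_renegotiation": (0xFF01 in ext_types
                                 or TLS_EMPTY_RENEGOTIATION_INFO_SCSV in hello["cipher_suites"]),
        "fallback_scsv": TLS_FALLBACK_SCSV in hello["cipher_suites"],
        "extensions": [EXTENSION_NAMES.get(t, "unknown(%#06x)" % t) for t in ext_types],
    }


def legacy_client_hello():
    """Constructed hello of the kind the tables warn about: offers DEFLATE, no renegotiation_info."""
    return build_client_hello([0x002F, 0x0035], [0x01, 0x00], [sni_extension("example.com")])


def conservative_client_hello():
    """Constructed hello with compression off and the usual current extensions."""
    return build_client_hello(
        [0xC02F, 0xC030, TLS_EMPTY_RENEGOTIATION_INFO_SCSV], [0x00],
        [sni_extension("example.com"), alpn_extension(["h2", "http/1.1"]),
         (0x0017, b""), (0x0016, b""), (0x0023, b""), (0xFF01, b"\x00")])


if __name__ == "__main__":
    for label, hello in (("legacy", legacy_client_hello()), ("conservative", conservative_client_hello())):
        print(label, assess(parse_client_hello(hello)))
```

Running the file prints the assessment for both constructed hellos. Every length field is checked against the enclosing message before it is used, so a truncated or mis-lengthed record raises `ValueError` instead of being read past its end; that is the same discipline the libraries in the table apply to ClientHello parsing.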

Assisted cryptography

This section lists the known ability of an implementation to take advantage of CPU instruction sets that accelerate encryption, or to use system-specific devices that give access to underlying cryptographic hardware for acceleration or for data separation.

Implementation PKCS #11 device Intel AES-NI VIA PadLock ARMv8-A Intel SGX Intel QAT Intel SHA NXP CAAM
Botan Yes [228] YesNoYesNoNoNo
BSAFE SSL-J [a] [b] YesYesNoYesNoNoYesNo
cryptlib YesYesYesNoNo
Crypto++ YesNoYes
GnuTLS YesYesYesYes [231] NoNoYes
JSSE YesYes [232] NoNoNoNo
LibreSSL NoYesYesNoNo
MatrixSSL YesYesNoYesNoNo
Mbed TLS YesYes [233] YesNoNoNo
NSS Yes [234] Yes [235] No [236] NoNoNo
OpenSSL Yes [237] YesYesYes [238] NoYesPartial
Rustls YesYesYes
Schannel NoYesNoNoNoNo
Secure Transport NoYes [239] [240] NoYesNoNo
wolfSSL YesYesNoYesYesYes [241] Yes [242]
  a. Pure Java implementations rely on JVM processor optimization capabilities, such as OpenJDK support for AES-NI. [229]
  b. BSAFE SSL-J can be configured to run in native mode, using BSAFE Crypto-C Micro Edition to benefit from processor optimization. [230]

System-specific backends

This section lists the ability of an implementation to take advantage of the available operating-system-specific backends, or even the backends provided by another implementation.

| Implementation | /dev/crypto | af_alg | Windows CSP | CommonCrypto | OpenSSL engine |
|---|---|---|---|---|---|
| Botan | No | No | No | No | Partial |
| BSAFE | No | No | No | No | No |
| cryptlib | No | No | No | No | No |
| GnuTLS | Yes | Yes | No | No | No |
| JSSE | No | No | Yes | No | No |
| LibreSSL | No | No | No | No | No [243] |
| MatrixSSL | No | No | No | Yes | Yes |
| Mbed TLS | No | No | No | No | No |
| NSS | No | No | No | No | No |
| OpenSSL | Yes | Yes | No | No | Yes |
| Rustls | No | Yes [244] | No | No | No |
| Schannel | No | No | Yes | No | No |
| Secure Transport | No | No | No | Yes | No |
| wolfSSL | Yes | Yes | Partial | No | Yes [245] |
| Erlang/OTP SSL application | No | No | No | No | Yes |

Cryptographic module/token support

| Implementation | TPM support | Hardware token support | Objects identified via |
|---|---|---|---|
| Botan | Partial [203] | PKCS #11 | |
| BSAFE SSL-J | No | No | |
| cryptlib | No | PKCS #11 | User-defined label |
| GnuTLS | Yes | PKCS #11 | RFC 7512 PKCS #11 URLs [246] |
| JSSE | No | PKCS11 | Java Cryptography Architecture, Java Cryptography Extension |
| LibreSSL | Yes | PKCS #11 (via 3rd party module) | Custom method |
| MatrixSSL | No | PKCS #11 | |
| Mbed TLS | No | PKCS #11 (via libpkcs11-helper) or standard hooks | Custom method |
| NSS | No | PKCS #11 | |
| OpenSSL | Yes | PKCS #11 (via 3rd party module) [247] | RFC 7512 PKCS #11 URLs [246] |
| Rustls | No | Microsoft CryptoAPI [248] | Custom method |
| Schannel | No | Microsoft CryptoAPI | UUID, User-defined label |
| Secure Transport | | | |
| wolfSSL | Yes | PKCS #11 | |

Code dependencies

| Implementation | Dependencies | Optional dependencies |
|---|---|---|
| Botan | C++20 | SQLite, zlib (compression), bzip2 (compression), liblzma (compression), boost, trousers (TPM) |
| GnuTLS | libc, nettle, gmp | zlib (compression), p11-kit (PKCS #11), trousers (TPM), libunbound (DANE) |
| JSSE | Java | |
| MatrixSSL | none | zlib (compression) |
| MatrixSSL-open | libc or newlib | |
| Mbed TLS | libc | libpkcs11-helper (PKCS #11), zlib (compression) |
| NSS | libc, libnspr4, libsoftokn3, libplc4, libplds4 | zlib (compression) |
| Rustls | rust core library | rust std library, zlib-rs (compression), brotli (compression), ring (cryptography), aws-lc-rs (cryptography) |
| OpenSSL | libc | zlib (compression), brotli (compression), zstd (compression) |
| wolfSSL | None | libc, zlib (compression) |
| Erlang/OTP SSL application | libcrypto (from OpenSSL), Erlang/OTP and its public_key, crypto and asn1 applications | Erlang/OTP inets (http fetching of CRLs) |

Development environment

| Implementation | Namespace | Build tools | API manual | Crypto back-end | OpenSSL compatibility layer |
|---|---|---|---|---|---|
| Botan | Botan::TLS | Makefile | Sphinx | Included (pluggable) | No |
| Bouncy Castle | org.bouncycastle | Java Development Environment | Programmers reference manual (PDF) | Included (pluggable) | No |
| BSAFE SSL-J | com.rsa.asn1 [a], com.rsa.certj [b], com.rsa.jcp [c], com.rsa.jsafe [d], com.rsa.ssl [e], com.rsa.jsse [f] | Java classloader | Javadoc, Developer's guide (HTML) | Included | No |
| cryptlib | crypt* | makefile, MSVC project workspaces | Programmers reference manual (PDF), architecture design manual (PDF) | Included (monolithic) | No |
| GnuTLS | gnutls_* | Autoconf, automake, libtool | Manual and API reference (HTML, PDF) | External, libnettle | Yes (limited) |
| JSSE | javax.net.ssl, sun.security.ssl | Makefile | API Reference (HTML) + JSSE Reference Guide | Java Cryptography Architecture, Java Cryptography Extension | No |
| MatrixSSL | matrixSsl_*, ps* | Makefile, MSVC project workspaces, Xcode projects for OS X and iOS | API Reference (PDF), Integration Guide | Included (pluggable) | Yes (Subset: SSL_read, SSL_write, etc.) |
| Mbed TLS | mbedtls_ssl_*, mbedtls_sha1_*, mbedtls_md5_*, mbedtls_x509*, ... | Makefile, CMake, MSVC project workspaces, yotta | API Reference + High Level and Module Level Documentation (HTML) | Included (monolithic) | No |
| NSS | CERT_*, SEC_*, SECKEY_*, NSS_*, PK11_*, SSL_*, ... | Makefile | Manual (HTML) | Included, PKCS#11 based [249] | Yes (separate package called nss_compat_ossl [250]) |
| OpenSSL | SSL_*, SHA1_*, MD5_*, EVP_*, ... | Makefile | Man pages | Included (monolithic) | |
| Rustls | rustls:: | cargo | API reference and design manual | Two options included (pluggable) | Yes [251] (subset) |
| wolfSSL | wolfSSL_*, CyaSSL_*, SSL_* | Autoconf, automake, libtool, MSVC project workspaces, XCode projects, CodeWarrior projects, MPLAB X projects, Keil, IAR, Clang, GCC, e2Studio | Manual and API Reference (HTML, PDF) | Included (monolithic) | Yes (about 60% of API) |
  a. ASN.1 manipulation classes
  b. Cert-J proprietary API
  c. Certificate Path manipulation classes
  d. Crypto-J proprietary API, JCE, CMS and PKI
  e. API
  f. SSLJ proprietary API
  g. JSSE API

Portability concerns

| Implementation | Platform requirements | Network requirements | Thread safety | Random seed | Able to cross-compile | No OS (bare metal) | Supported operating systems |
|---|---|---|---|---|---|---|---|
| Botan | C++11 | None | Thread-safe | Platform-dependent | Yes | | Windows, Linux, macOS, Android, iOS, FreeBSD, OpenBSD, Solaris, AIX, HP-UX, QNX, BeOS, IncludeOS |
| BSAFE SSL-J | Java | Java SE network components | Thread-safe | Depends on java.security.SecureRandom | Yes | No | FreeBSD, Linux, macOS, Microsoft Windows, Android, AIX, Solaris |
| cryptlib | C89 | POSIX send() and recv(). API to supply your own replacement | Thread-safe | Platform-dependent, including hardware sources | Yes | Yes | AMX, BeOS, ChorusOS, DOS, eCos, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, Palm OS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, macOS, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK |
| GnuTLS | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available. | Platform dependent | Yes | No | Generally any POSIX platforms or Windows, commonly tested platforms include Linux, Win32/64, macOS, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD. |
| JSSE | Java | Java SE network components | Thread-safe | Depends on java.security.SecureRandom | Yes | | Java based, platform-independent |
| MatrixSSL | C89 | None | Thread-safe | Platform dependent | Yes | Yes | All |
| Mbed TLS | C89 | POSIX read() and write(). API to supply your own replacement. | Threading layer available (POSIX or own hooks) | Random seed set through entropy pool | Yes | Yes | Known to work on: Win32/64, Linux, macOS, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox, Android, eCos, SeggerOS, RISC OS |
| NSS | C89, NSPR [252] | NSPR [252] PR_Send() and PR_Recv(). API to supply your own replacement. | Thread-safe | Platform dependent [253] | Yes (but cumbersome) | No | AIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, macOS, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation |
| Rustls | Rust (programming language) | None | Thread-safe | Platform dependent | Yes | Yes | All supported by Rust (programming language) |
| OpenSSL | C89 | None | Thread-safe | Platform dependent | Yes | No | Unix-like, DOS (with djgpp), Windows, OpenVMS, NetWare, eCos |
| wolfSSL | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe | Random seed set through wolfCrypt | Yes | Yes | Win32/64, Linux, macOS, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Yocto Project, OpenEmbedded, WinCE, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, NonStop, TRON/ITRON/μITRON, eCos, Micrium μC/OS-III, FreeRTOS, SafeRTOS, NXP/Freescale MQX, Nucleus, TinyOS, HP/UX, AIX, ARC MQX, Keil RTX, TI-RTOS, uTasker, embOS, INtime, Mbed, uT-Kernel, RIOT, CMSIS-RTOS, FROSTED, Green Hills INTEGRITY, TOPPERS, PetaLinux, Apache mynewt |

References

  1. "Botan: Release Notes" . Retrieved 2024-08-13.
  2. "Release Notes - bouncycastle.org". 2023-11-13. Retrieved 2023-11-18.
  3. "Java LTS Resources - bouncycastle.org". 2024-03-01. Retrieved 2024-03-31.
  4. "Java FIPS Resources - bouncycastle.org". 2023-09-28. Retrieved 2022-09-29.
  5. "The Legion of the Bouncy Castle C# Cryptography APIs". 2024-02-05. Retrieved 2024-02-06.
  6. "C# .NET FIPS Resources - bouncycastle.org". 2023-02-28. Retrieved 2023-02-28.
  7. "Dell BSAFE SSL-J 6.6 Release Advisory". Dell .
  8. "Dell BSAFE SSL-J 7.3.1 Release Advisory". Dell .
  9. "Dell BSAFE Micro Edition Suite 4.6.2 Release Advisory".
  10. "Dell BSAFE Micro Edition Suite 5.0.2.1 Release Advisory".
  11. Gutmann, Peter (2019). "Downloading". cryptlib. University of Auckland School of Computer Science. Retrieved 2019-08-07.
  12. "gnutls 3.8.5".
  13. "Java™ SE Development Kit 23, 23.0.1 Release Notes". Oracle Corporation . Retrieved 2024-10-16.
  14. "Java™ SE Development Kit 21, 21.0.5 Release Notes". Oracle Corporation . Retrieved 2024-10-16.
  15. "Java™ SE Development Kit 17, 17.0.13 Release Notes". Oracle Corporation . Retrieved 2024-10-16.
  16. "Java™ SE Development Kit 11, 11.0.25 Release Notes". Oracle Corporation . Retrieved 2024-10-16.
  17. "Java™ SE Development Kit 8, Update 431 Release Notes". Oracle Corporation . Retrieved 2024-10-16.
  18. "LibreSSL 4.0.0 Released". 14 October 2024. Retrieved 15 October 2024.
  19. The features listed are for the closed source version
  20. "MatrixSSL 4.2.2 Open release". 2019-09-11. Retrieved 2020-03-20.
  21. "Release 3.6.2". 15 October 2024. Retrieved 22 October 2024.
  22. 1 2 "NSS:Release versions". Mozilla Wiki. Retrieved 7 November 2022.
  23. "OpenSSL 3.4.0". 22 October 2024. Retrieved 22 October 2024.
  24. "rustls/rustls releases". Github. Retrieved 28 August 2024.
  25. "wolfSSL product description" . Retrieved 2016-05-03.
  26. "wolfSSL Embedded SSL/TLS" . Retrieved 2016-05-03.
  27. "wolfSSL ChangeLog". 2023-10-31. Retrieved 2023-10-31.
  28. Prohibiting Secure Sockets Layer (SSL) Version 2.0. doi: 10.17487/RFC6176 . RFC 6176.
  29. Vaudenay, Serge (2001). "CBC-Padding: Security Flaws in SSL, IPsec, WTLS,..." (PDF).
  30. 1 2 Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security. doi: 10.17487/RFC7366 . RFC 7366.
  31. "Rizzo/Duong BEAST Countermeasures". Archived from the original on 2016-03-11.
  32. Möller, Bodo; Duong, Thai; Kotowicz, Krzysztof (September 2014). "This POODLE Bites: Exploiting The SSL 3.0 Fallback" (PDF). Archived from the original (PDF) on 15 October 2014. Retrieved 15 October 2014.
  33. "TLSv1.2's Major Differences from TLSv1.1". The Transport Layer Security (TLS) Protocol Version 1.2. sec. 1.2. doi: 10.17487/RFC5246 . RFC 5246.
  34. 1 2 3 RFC 6347. doi: 10.17487/RFC6347 .
  35. 1 2 Elgamal, Taher; Hickman, Kipp E. B. (19 April 1995). The SSL Protocol. I-D draft-hickman-netscape-ssl-00.
  36. 1 2 RFC 6101. doi: 10.17487/RFC6101 .
  37. 1 2 RFC 2246. doi: 10.17487/RFC2246 .
  38. 1 2 RFC 4346. doi: 10.17487/RFC4346 .
  39. 1 2 3 4 5 6 7 8 9 10 11 12 RFC 5246. doi: 10.17487/RFC5246 .
  40. 1 2 RFC 4347. doi: 10.17487/RFC4347 .
  41. "Version 1.11.13, 2015-01-11 — Botan". 2015-01-11. Archived from the original on 2015-01-09. Retrieved 2015-01-16.
  42. 1 2 3 "RSA BSAFE Technical Specification Comparison Tables" (PDF). Archived from the original (PDF) on 2015-09-24. Retrieved 2015-01-09.
  43. 1 2 3 4 5 6 "[gnutls-devel] GnuTLS 3.4.0 released". 2015-04-08. Retrieved 2015-04-16.
  44. "[gnutls-devel] GnuTLS 3.6.3". 2018-07-16. Retrieved 2018-09-16.
  45. "Java SE Development Kit 8, Update 31 Release Notes" . Retrieved 2024-01-14.
  46. 1 2 "Release Note: Disable TLS 1.0 and 1.1" . Retrieved 2024-01-14.
  47. 1 2 3 4 5 6 7 8 9 10 11 12 13 "OpenBSD 5.6 Released". 2014-11-01. Retrieved 2015-01-20.
  48. "LibreSSL 2.3.0 Released". 2015-09-23. Retrieved 2015-09-24.
  49. "LibreSSL 3.3.3 Released". 2021-05-04. Retrieved 2021-05-04.
  50. "MatrixSSL - News". Archived from the original on 2015-02-14. Retrieved 2014-11-09.
  51. 1 2 3 4 "Mbed TLS 3.0.0 branch released". GitHub . 2021-07-07. Retrieved 2021-08-13.
  52. 1 2 3 4 "mbed TLS 2.0.0 released". 2015-07-10. Retrieved 2015-07-14.
  53. "NSS 3.19 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2015-06-05. Retrieved 2015-05-06.
  54. 1 2 "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2013-01-17. Retrieved 2012-10-27.
  55. "NSS 3.15.1 release notes". Mozilla Developer Network. Mozilla. Retrieved 2013-08-10.
  56. "NSS 3.39 release notes". Mozilla Developer Network. Mozilla. 2018-08-31. Archived from the original on 2021-12-07. Retrieved 2018-09-15.
  57. "NSS 3.16.2 release notes". Mozilla Developer Network. Mozilla. 2014-06-30. Archived from the original on 2021-12-07. Retrieved 2014-06-30.
  58. 1 2 3 4 5 6 7 8 9 10 11 12 13 "OpenSSL 1.1.0 Series Release Notes". www.openssl.org. Archived from the original on 2018-03-17. Retrieved 2016-09-03.
  59. 1 2 "Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]". 2012-03-14. Archived from the original on December 5, 2014. Retrieved 2015-01-20.
  60. 1 2 3 4 5 6 "Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]". Archived from the original on September 4, 2014. Retrieved 2015-01-22.
  61. 1 2 3 4 5 6 7 8 9 10 11 "rustls implemented and unimplemented features documentation" . Retrieved 2024-08-28.
  62. "S2N Readme". GitHub . 2019-12-21.
  63. "TLS Cipher Suites (Windows)". msdn.microsoft.com. 14 July 2023.
  64. 1 2 "TLS Cipher Suites in Windows Vista (Windows)". msdn.microsoft.com. 25 October 2021.
  65. 1 2 3 "Cipher Suites in TLS/SSL (Schannel SSP) (Windows)". msdn.microsoft.com. 14 July 2023.
  66. 1 2 "An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1". Microsoft. Retrieved 13 November 2012.
  67. "Protocols in TLS/SSL (Schannel SSP)". Microsoft. 2022-05-25. Retrieved 2023-11-18.
  68. "Protocols in TLS/SSL (Schannel SSP)". 25 May 2022. Retrieved 6 November 2022.
  69. "@badger: the 1.3 stuff is apparently in iOS 11 and macOS 10.13". 2018-03-09. Retrieved 2018-03-09.
  70. "[wolfssl] wolfSSL 3.6.6 Released". 2015-08-20. Retrieved 2015-08-24.
  71. "[wolfssl] wolfSSL 3.13.0 Released". 2017-12-21. Retrieved 2022-01-17.
  72. "Erlang -- Standards Compliance".
  73. 1 2 3 "Security Enhancements in JDK 8". docs.oracle.com.
  74. "Bug 663320 - (NSA-Suite-B-TLS) Implement RFC6460 (NSA Suite B profile for TLS)". Mozilla. Retrieved 2014-05-19.
  75. "Introducing Compliance to Suite B Cryptography". 18 September 2012.
  76. "Speeds and Feeds › Secure or Compliant, Pick One". Archived from the original on December 27, 2013.
  77. "Search - Cryptographic Module Validation Program - CSRC". csrc.nist.gov. Archived from the original on 2014-12-26. Retrieved 2014-03-18.
  78. ""Is botan FIPS 140 certified?" Frequently Asked Questions — Botan". Archived from the original on 2014-11-29. Retrieved 2014-11-16.
  79. "Search - Cryptographic Module Validation Program - CSRC". csrc.nist.gov. 11 October 2016.
  80. "cryptlib". 11 October 2013. Archived from the original on 11 October 2013.
  81. "B.5 Certification". GnuTLS 3.7.7. Retrieved 26 September 2022.
  82. "Matrix SSL Toolkit" (PDF).
  83. "Is mbed TLS FIPS certified? - Mbed TLS documentation". Mbed TLS documentation.
  84. "FIPS Validation - MozillaWiki". wiki.mozilla.org.
  85. "OpenSSL and FIPS 140-2". Archived from the original on 2013-05-28. Retrieved 2014-11-15.
  86. "rustls FIPS documentation" . Retrieved 2024-08-28.
  87. "Microsoft FIPS 140 Validated Cryptographic Modules".
  88. "wolfCrypt FIPS 140-2 Information - wolfSSL Embedded SSL/TLS Library".
  89. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 RFC 4492. doi: 10.17487/RFC4492 .
  90. 1 2 3 4 5 "LibreSSL 2.1.2 released". 2014-12-09. Retrieved 2015-01-20.
  91. "NSS 3.20 release notes". Mozilla. 2015-08-19. Archived from the original on 2021-12-07. Retrieved 2015-08-20.
  92. 1 2 3 4 Mozilla.org. "Bug 518787 - Add GOST crypto algorithm support in NSS" . Retrieved 2014-07-01.
  93. 1 2 3 4 Mozilla.org. "Bug 608725 - Add Russian GOST cryptoalgorithms to NSS and Thunderbird" . Retrieved 2014-07-01.
  94. 1 2 3 4 "OpenSSL: CVS Web Interface". Archived from the original on 2013-04-15. Retrieved 2014-11-12.
  95. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Extensions to support GOST in Schannel might be available.[ citation needed ]
  96. 1 2 3 4 "Microsoft Security Advisory 3174644". 14 October 2022.
  97. 1 2 3 "Microsoft Security Bulletin MS14-066 - Critical (Section Update FAQ)". Microsoft. November 11, 2014. Retrieved 11 November 2014.
  98. 1 2 3 Thomlinson, Matt (November 11, 2014). "Hundreds of Millions of Microsoft Customers Now Benefit from Best-in-Class Encryption". Microsoft Security. Retrieved 11 November 2014.
  99. 1 2 "Update adds new TLS cipher suites and changes cipher suite priorities in Windows 8.1 and Windows Server 2012 R2". support.microsoft.com.
  100. 1 2 3 4 5 6 RFC 5054. doi: 10.17487/RFC5054 .
  101. 1 2 3 4 5 6 RFC 4279. doi: 10.17487/RFC4279 .
  102. 1 2 RFC 5489. doi: 10.17487/RFC5489 .
  103. 1 2 RFC 2712. doi: 10.17487/RFC2712 .
  104. "RSA BSAFE SSL-J 6.2.4 Release Notes". 2018-09-05. Archived from the original on 2018-09-10.
  105. 1 2 3 "LibreSSL 2.0.4 released" . Retrieved 2014-08-04.
  106. 1 2 3 "Bug 405155 - add support for TLS-SRP, rfc5054". Mozilla. Retrieved 2014-01-25.
  107. 1 2 3 4 "Bug 306435 - Mozilla browsers should support the new IETF TLS-PSK protocol to help reduce phishing". Mozilla. Retrieved 2014-01-25.
  108. "Bug 1170510 - Implement NSS server side support for DH_anon". Mozilla. Retrieved 2015-06-03.
  109. "Bug 236245 - Update ECC/TLS to conform to RFC 4492". Mozilla. Retrieved 2014-06-09.
  110. "Changes between 0.9.6h and 0.9.7 [31 Dec 2002]" . Retrieved 2016-01-29.
  111. 1 2 "Changes between 0.9.8n and 1.0.0 [29 Mar 2010]" . Retrieved 2016-01-29.
  112. "wolfSSL (Formerly CyaSSL) Release 3.9.0 (03/18/2016)". 2016-03-18. Retrieved 2016-04-05.
  113. RFC 5280. doi: 10.17487/RFC5280 .
  114. RFC 3280. doi: 10.17487/RFC3280 .
  115. RFC 2560. doi: 10.17487/RFC2560 .
  116. RFC 6698. doi: 10.17487/RFC6698 .
  117. RFC 7218. doi: 10.17487/RFC7218 .
  118. Laurie, B.; Langley, A.; Kasper, E. (June 2013). Certificate Transparency. IETF. doi: 10.17487/RFC6962 . ISSN   2070-1721. RFC 6962 . Retrieved 2020-08-31.
  119. "MatrixSSL 3.8.3". Archived from the original on 2017-01-19. Retrieved 2017-01-18.
  120. "mbed TLS 2.0 defaults implement best practices" . Retrieved 2017-01-18.
  121. "Bug 672600 - Use DNSSEC/DANE chain stapled into TLS handshake in certificate chain validation". Mozilla. Retrieved 2014-06-18.
  122. "CRL Validation · Issue #3499 · aws/s2n-tls". GitHub. Retrieved 2022-11-01.
  123. "OCSP digest support for SHA-256 · Issue #2854 · aws/s2n-tls · GitHub". GitHub. Retrieved 2022-11-01.
  124. "[RFC 6962] s2n Client can Validate Signed Certificate Timestamp TLS Extension · Issue #457 · aws/s2n-tls · GitHub". GitHub. Retrieved 2022-11-01.
  125. 1 2 "How Certificate Revocation Works". Microsoft TechNet . Microsoft. March 16, 2012. Retrieved July 10, 2013.
  126. 1 2
  127. 1 2 RFC 6655, RFC 7251
  128. 1 2 3 4 RFC 6367. doi: 10.17487/RFC6367 .
  129. 1 2 RFC 5932. doi: 10.17487/RFC5932 .
  130. 1 2 3 4 RFC 6209. doi: 10.17487/RFC6209 .
  131. 1 2 RFC 4162. doi: 10.17487/RFC4162 .
  132. 1 2 "Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN". sweet32.info.
  133. 1 2 RFC 7905. doi: 10.17487/RFC7905 .
  134. 1 2 "Version 1.11.12, 2015-01-02 — Botan". 2015-01-02. Retrieved 2015-01-09.
  135. "gnutls 3.6.0". 2017-09-21. Retrieved 2018-01-07.
  136. "gnutls 3.4.12". 2016-05-20. Archived from the original on 2016-10-13. Retrieved 2016-05-29.
  137. "Java SE DevelopmentK Kit 10 - 10.0.1 Release Notes". 2018-04-17. Retrieved 2024-01-14.
  138. "JDK 12 Release Notes" . Retrieved 2024-01-14.
  139. 1 2 3 4 "Changes in 3.8.3". GitHub . Retrieved 2016-06-19.[ permanent dead link ]
  140. "PolarSSL 1.3.8 release notes". Archived from the original on 2014-07-14.
  141. 1 2 "Mbed TLS 2.11.0, 2.7.4 and 2.1.13 released" . Retrieved 2018-08-30.
  142. "Mbed TLS 2.12.0, 2.7.5 and 2.1.14 released" . Retrieved 2018-08-30.
  143. "NSS 3.25 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2021-12-07. Retrieved 2016-07-01.
  144. "Bug 940119 - libssl does not support any TLS_ECDHE_*_CAMELLIA_*_GCM cipher suites". Mozilla. Retrieved 2013-11-19.
  145. "NSS 3.12 is released" . Retrieved 2013-11-19.
  146. "NSS 3.12.3 Release Notes". Mozilla Developer Network. Mozilla. Archived from the original on 2023-04-02. Retrieved 2023-04-01.
  147. "NSS 3.23 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2021-04-14. Retrieved 2016-03-09.
  148. "openssl/CHANGES at OpenSSL_1_0_1-stable · openssl/openssl". GitHub. Retrieved 2015-01-20.
  149. "OpenSSL 1.1.1 Series Release Notes". www.openssl.org. Archived from the original on 2024-01-16.
  150. "Cipher Suites in TLS/SSL (Schannel SSP) - Win32 apps". docs.microsoft.com. 14 July 2023.
  151. "Qualys SSL Labs - Projects / User Agent Capabilities: IE 11 / Win 10 Preview". dev.ssllabs.com. Archived from the original on 2023-07-14.
  152. RFC 5469
  153. "Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN".
  154. "Version 1.11.15, 2015-03-08 — Botan". 2015-03-08. Retrieved 2015-03-11.
  155. "Java Cryptography Architecture Oracle Providers Documentation". docs.oracle.com.
  156. "NSS 3.15.3 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2014-06-05. Retrieved 2014-07-13.
  157. "MFSA 2013-103: Miscellaneous Network Security Services (NSS) vulnerabilities". Mozilla. Retrieved 2014-07-13.
  158. "RC4 is now disabled in Microsoft Edge and Internet Explorer 11". Microsoft Edge Dev Blog. blogs.windows.com. 2016-08-09.
  159. "wolfSSL (Formerly CyaSSL) Release 3.7.0 (10/26/2015)". 2015-10-26. Retrieved 2015-11-19.
  160. RFC 8446
  161. RFC 8422
  162. RFC 7027
  163. "Version 1.11.5, 2013-11-10 — Botan". 2013-11-10. Retrieved 2015-01-23.
  164. "An overview of the new features in GnuTLS 3.5.0". 2016-05-02. Retrieved 2016-12-09.
  165. "gnutls 3.6.12". 2020-02-01. Retrieved 2021-08-31.
  166. "JDK 13 Early-Access Release Notes". Archived from the original on 2020-04-01. Retrieved 2019-06-20.
  167. "JEP 339: Edwards-Curve Digital Signature Algorithm (EdDSA)". Retrieved 2024-01-14.
  168. "LibreSSL 2.5.1 release notes". OpenBSD. 2017-01-31. Retrieved 2017-02-23.
  169. "MatrixSSL 4.0 changelog". GitHub. Retrieved 2018-09-18.
  170. "PolarSSL 1.3.3 released". 2013-12-31. Archived from the original on 2014-01-07. Retrieved 2015-01-23.
  171. "Mbed TLS 2.9.0, 2.7.3 and 2.1.12 released". Retrieved 2018-08-30.
  172. "PolarSSL 1.3.1 released". 2013-10-15. Archived from the original on 2015-01-23. Retrieved 2015-01-23.
  173. "Bug 957105 - Add support for curve25519 Key Exchange and UMAC MAC support for TLS". Mozilla. Retrieved 2017-02-23.
  174. "Bug 1305243 - Support for X448". Mozilla. Retrieved 2022-08-04.
  175. "Bug 1597057 - Curve448 or named Ed448-Goldilocks support needed (both X448 key exchange and Ed448 signature algorithm )". Mozilla. Retrieved 2022-08-04.
  176. "Bug 943639 - Support for Brainpool ECC Curve (rfc5639)". Mozilla. Retrieved 2014-01-25.
  177. "OpenSSL 1.1.0x Release Notes". 25 August 2016. Archived from the original on 18 May 2018. Retrieved 18 May 2018.
  178. "OpenSSL GitHub Issue #487 Tracker". GitHub. 2 December 2015. Retrieved 18 May 2018.
  179. "OpenSSL CHANGES". 1 May 2018. Archived from the original on 18 May 2018. Retrieved 18 May 2018.
  180. "OpenSSL GitHub Issue #5049 Tracker". GitHub. 9 January 2018. Retrieved 18 May 2018.
  181. "wolfSSL (Formerly CyaSSL) Release 3.4.6 (03/30/2015)". 2015-03-30. Retrieved 2015-11-19.
  182. "wolfSSL Release 4.4.0 (04/22/2020)". 2020-04-22. Retrieved 2022-10-18.
  183. Josefsson, Simon; Pégourié-Gonnard, Manuel. Additional Elliptic Curves for Transport Layer Security (TLS) Key Agreement. I-D draft-josefsson-tls-additional-curves.
  184. "Release Note: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default. (Java 7u281, 8u271, 11.0.9, 14)". JDK Bug System (JBS). Retrieved 6 January 2022.
  185. "Release Note: Removal of Legacy Elliptic Curves (Java 16)". JDK Bug System (JBS). Retrieved 6 January 2022.
  186. Negotiation of arbitrary curves has been shown to be insecure for certain curve sizes: Mavrogiannopoulos, Nikos; Vercauteren, Frederik; Velichkov, Vesselin; Preneel, Bart (2012). "A cross-protocol attack on the TLS protocol" (PDF). Proceedings of the 2012 ACM conference on Computer and communications security. Association for Computing Machinery. pp. 62–72. doi:10.1145/2382196.2382206. ISBN 978-1-4503-1651-4.
  187. "SHA2 and Windows". Retrieved 2024-04-28.
  188. RFC 3749
  189. RFC 5746
  190. RFC 6066
  191. RFC 7301
  192. RFC 6091
  193. RFC 4680
  194. RFC 5077. doi:10.17487/RFC5077.
  195. RFC 5705. doi:10.17487/RFC5705.
  196. RFC 7507. doi:10.17487/RFC7507.
  197. RFC 7627
  198. RFC 7685
  199. RFC 7250
  200. "Version 1.11.16, 2015-03-29 — Botan". 2016-03-29. Retrieved 2016-09-08.
  201. "Version 1.11.10, 2014-12-10 — Botan". 2014-12-10. Retrieved 2014-12-14.
  202. "Version 1.11.26, 2016-01-04 — Botan". 2016-01-04. Retrieved 2016-02-25.
  203. Present, but disabled by default due to lack of use by any implementation.
  204. "gnutls 3.2.0". Archived from the original on 2016-01-31. Retrieved 2015-01-26.
  205. Mavrogiannopoulos, Nikos (August 21, 2017). "[gnutls-help] GnuTLS 3.6.0 released".
  206. "gnutls 3.4.4". Archived from the original on 2017-07-17. Retrieved 2015-08-25.
  207. "%DUMBFW priority keyword". Retrieved 2017-04-30.
  208. "gnutls 3.6.6". 2019-01-25. Retrieved 2019-09-01.
  209. "LibreSSL 2.1.3 released". 2015-01-22. Retrieved 2015-01-22.
  210. "LibreSSL 2.1.4 released". 2015-03-04. Retrieved 2015-03-04.
  211. "MatrixSSL - News". 2014-12-04. Archived from the original on 2015-02-14. Retrieved 2015-01-26.
  212. "Download overview - PolarSSL". 2014-04-11. Archived from the original on 2015-02-09. Retrieved 2015-01-26.
  213. "mbed TLS 1.3.10 released". 2015-02-08. Archived from the original on 2015-02-09. Retrieved 2015-02-09.
  214. "NSS 3.15.5 release notes". Mozilla Developer Network. Mozilla. Archived from the original on January 26, 2015. Retrieved 2015-01-26.
  215. "Bug 961416 - Support RFC6091 - Using OpenPGP Keys for Transport Layer Security Authentication (TLS1.2)". Mozilla. Retrieved 2014-06-18.
  216. "Bug 972145 - Implement the encrypt-then-MAC TLS extension". Mozilla. Retrieved 2014-11-06.
  217. "NSS 3.17.1 release notes". Archived from the original on 2019-04-19. Retrieved 2014-10-17.
  218. "NSS 3.21 release notes". Archived from the original on 2021-12-07. Retrieved 2015-11-14.
  219. "OpenSSL Security Advisory [15 Oct 2014]". 2014-10-15.
  220. "Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]". 2014-04-07. Archived from the original on 2015-01-20. Retrieved 2015-02-10.
  221. "OpenSSL Announces Final Release of OpenSSL 3.2.0". 2023-11-23. Retrieved 2024-10-11.
  222. rustls does not implement earlier versions that would warrant protection against insecure downgrade
  223. "Microsoft Security Bulletin MS15-121". March 2023. Retrieved 2024-04-28.
  224. "What's New in TLS/SSL (Schannel SSP)". 31 August 2016. Retrieved 2024-04-28.
  225. "wolfSSL Version 4.2.0 is Now Available!". 22 October 2019. Retrieved 2021-08-13.
  226. "wolfSSL supports Raw Public Keys". Retrieved 2024-10-25.
  227. "Version 1.11.31, 2015-08-30 — Botan". 2016-08-30. Retrieved 2016-09-08.
  228. "JEP 164: Leverage CPU Instructions for AES Cryptography". openjdk.java.net.
  229. "RSA SecurID PASSCODE Request". sso.rsasecurity.com.
  230. Mavrogiannopoulos, Nikos (October 9, 2016). "[gnutls-devel] gnutls 3.5.5".
  231. "Java SSL provider with AES-NI support". stackoverflow.com.
  232. "PolarSSL 1.3.3 released". 2013-12-31. Archived from the original on 2014-01-07. Retrieved 2014-01-07. We've incorporated support for AES-NI in our AES and GCM modules.
  233. Normally NSS's libssl performs all operations via the PKCS#11 interface, either to hardware or software tokens
  234. "Bug 706024 - AES-NI enhancements to NSS on Sandy Bridge systems". Retrieved 2013-09-28.
  235. "Bug 479744 - RFE : VIA Padlock ACE support (hardware RNG, AES, SHA1 and SHA256)". Retrieved 2014-04-11.
  236. https://habrahabr.ru/post/134725/, http://forum.rutoken.ru/topic/1639/, https://dev.rutoken.ru/pages/viewpage.action?pageId=18055184 (in Russian)
  237. "git.openssl.org Git - openssl.git/commitdiff". git.openssl.org.
  238. https://opensource.apple.com/source/Security/Security-55179.13/sec/Security/SecECKey.c
  239. "Crypto Officer Role Guide for FIPS 140-2 Compliance OS X Mountain Lion v10.8" (PDF). Apple Inc. 2013.
  240. "wolfSSL Asynchronous Intel QuickAssist Support - wolfSSL". 18 January 2017.
  241. "CAAM support in wolfSSL". 10 March 2020.
  242. "LibreSSL 2.2.1 Released". 2015-07-08. Retrieved 2016-01-30.
  243. "ktls integration for rustls". Retrieved 2024-08-29.
  244. "wolfProvider". 2021-11-10. Retrieved 2022-01-17.
  245. The PKCS #11 URI Scheme. doi:10.17487/RFC7512. RFC 7512.
  246. "libp11: PKCS#11 wrapper library". 19 January 2018 via GitHub.
  247. "Windows CNG bridge for rustls". Retrieved 2024-08-29.
  248. On the fly replaceable/augmentable.
  249. "Nss compat ossl - Fedora Project Wiki". fedoraproject.org.
  250. "rustls-openssl compatibility layer". Retrieved 2024-08-29.
  251. "NSPR". Mozilla Developer Network.
  252. For Unix/Linux it uses /dev/urandom if available, for Windows it uses CAPI. For other platforms it gets data from clock, and tries to open system files. NSS has a set of platform dependent functions it uses to determine randomness.