The Transport Layer Security (TLS) protocol provides the ability to secure communications across or inside networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.
All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.
Implementation | Developed by | Open source | Software license | Copyright holder | Written in | Latest stable version, release date | Origin | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Botan | Jack Lloyd | Yes | Simplified BSD License | Jack Lloyd | C++ | 3.5.0 (July 8, 2024 [1] ) [±] | US (Vermont) | ||||||||||
BoringSSL | Yes | OpenSSL-SSLeay dual-license, ISC license | Eric Young, Tim Hudson, Sun, OpenSSL project, Google, and others | C, C++, Go, assembly | ?? | Australia/EU | |||||||||||
Bouncy Castle | The Legion of the Bouncy Castle Inc. | Yes | MIT License | Legion of the Bouncy Castle Inc. | Java, C# |
| Australia | ||||||||||
BSAFE | Dell, formerly RSA Security | No | Proprietary | Dell | Java, C, assembly | SSL-J 6.6 (July 2, 2024 [7] ) [±] SSL-J 7.3.1 (October 7, 2024 [8] ) [±] | Australia | ||||||||||
cryptlib | Peter Gutmann | Yes | Sleepycat License and commercial license | Peter Gutmann | C | 3.4.5 (2019 [11] ) [±] | NZ | ||||||||||
GnuTLS | GnuTLS project | Yes | LGPL-2.1-or-later | Free Software Foundation | C | 3.8.5 [12] 2024-04-04 | EU (Greece and Sweden) | ||||||||||
Java Secure Socket Extension (JSSE) | Oracle | Yes | GNU GPLv2 and commercial license | Oracle | Java | 23.0.1 (October 15, 2024 [13] ) [±] | US | ||||||||||
LibreSSL | OpenBSD Project | Yes | Apache-1.0, BSD-4-Clause, ISC, and public domain | Eric Young, Tim Hudson, Sun, OpenSSL project, OpenBSD Project, and others | C, assembly | 4.0.0 [18] 2024-10-14 | Canada | ||||||||||
MatrixSSL [19] | PeerSec Networks | Yes | GNU GPLv2+ and commercial license | PeerSec Networks | C | 4.2.2 (September 11, 2019 [20] ) [±] | US | ||||||||||
Mbed TLS (previously PolarSSL) | Arm | Yes | Apache License 2.0, GNU GPLv2+ and commercial license | Arm Holdings | C | 3.6.2 [21] (15 October 2024) [±] | EU (Netherlands) | ||||||||||
Network Security Services (NSS) | Mozilla, AOL, Red Hat, Sun, Oracle, Google and others | Yes | MPL 2.0 | NSS contributors | C, assembly |
| US | ||||||||||
OpenSSL | OpenSSL project | Yes | Apache-2.0 [a] | Eric Young, Tim Hudson, Sun, OpenSSL project, and others | C, assembly | 3.4.0 [23] 2024-10-22 | Australia/EU | ||||||||||
Rustls | Joe Birr-Pixton, Dirkjan Ochtman, Daniel McCarney, Josh Aas, and open source contributors | Yes | Apache-2.0, MIT License and ISC | Open source contributors | Rust | v0.23.12 (July 23, 2024 [24] ) [±] | United Kingdom | ||||||||||
s2n | Amazon | Yes | Apache License 2.0, GNU GPLv2+ and commercial license | Amazon.com, Inc. | C | Continuous | US | ||||||||||
Schannel | Microsoft | No | Proprietary | Microsoft Corporation | Windows 11, 2021-10-05 | US | |||||||||||
Secure Transport | Apple Inc. | Yes | APSL 2.0 | Apple Inc. | 57337.20.44 (OS X 10.11.2), 2015-12-08 | US | |||||||||||
wolfSSL (previously CyaSSL) | wolfSSL [25] | Yes | GNU GPLv2+ and commercial license | wolfSSL Inc. [26] | C, assembly | 5.7.4 (October 24, 2024 [27] ) [±] | US | ||||||||||
Erlang/OTP SSL application | Ericsson | Yes | Apache License 2.0 | Ericsson | Erlang | OTP-21, 2018-06-19 | Sweden | ||||||||||
Implementation | Developed by | Open source | Software license | Copyright owner | Written in | Latest stable version, release date | Origin |
Several versions of the TLS protocol exist. SSL 2.0 is a deprecated [28] protocol version with significant weaknesses. SSL 3.0 (1996) and TLS 1.0 (1999) are successors with two weaknesses in CBC-padding that were explained in 2001 by Serge Vaudenay. [29] TLS 1.1 (2006) fixed only one of the problems, by switching to random initialization vectors (IV) for CBC block ciphers, whereas the more problematic use of mac-pad-encrypt instead of the secure pad-mac-encrypt was addressed with RFC 7366. [30] A workaround for SSL 3.0 and TLS 1.0, roughly equivalent to random IVs from TLS 1.1, was widely adopted by many implementations in late 2011. [31] In 2014, the POODLE vulnerability of SSL 3.0 was discovered, which takes advantage of the known vulnerabilities in CBC, and an insecure fallback negotiation used in browsers. [32]
TLS 1.2 (2008) introduced a means to identify the hash used for digital signatures. While permitting the use of stronger hash functions for digital signatures in the future (rsa,sha256/sha384/sha512) over the SSL 3.0 conservative choice (rsa,sha1+md5), the TLS 1.2 protocol change inadvertently and substantially weakened the default digital signatures and provides (rsa,sha1) and even (rsa,md5). [33]
Datagram Transport Layer Security (DTLS or Datagram TLS) 1.0 is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated. The revision DTLS 1.2 based on TLS 1.2 was published in January 2012. [34]
TLS 1.3 (2018) specified in RFC 8446 includes major optimizations and security improvements. QUIC (2021) specified in RFC 9000 and DTLS 1.3 (2022) specified in RFC 9147 builds on TLS 1.3. The publishing of TLS 1.3 and DTLS 1.3 obsoleted TLS 1.2 and DTLS 1.2.
Note that there are known vulnerabilities in SSL 2.0 and SSL 3.0. In 2021, IETF published RFC 8996 also forbidding negotiation of TLS 1.0, TLS 1.1, and DTLS 1.0 due to known vulnerabilities. NIST SP 800-52 requires support of TLS 1.3 by January 2024. Support of TLS 1.3 means that two compliant nodes will never negotiate TLS 1.2.
Implementation | SSL 2.0 (insecure) [35] | SSL 3.0 (insecure) [36] | TLS 1.0 (deprecated) [37] | TLS 1.1 (deprecated) [38] | TLS 1.2 [39] | TLS 1.3 | DTLS 1.0 (deprecated) [40] | DTLS 1.2 [34] |
---|---|---|---|---|---|---|---|---|
Botan | No | No [41] | No | No | Yes | Yes | No | Yes |
BoringSSL | Yes | Yes | Yes | Yes | Yes | Yes | ||
Bouncy Castle | No | No | Yes | Yes | Yes | Yes (draft version) | Yes | Yes |
BSAFE SSL-J [42] | No | Disabled by default | No [a] | No [a] | Yes | Yes | No | No |
cryptlib | No | Disabled by default at compile time | Yes | Yes | Yes | No | No | |
GnuTLS | No [b] | Disabled by default [43] | Yes | Yes | Yes | Yes [44] | Yes | Yes |
JSSE | No [b] | Disabled by default [45] | Disabled by default [46] | Disabled by default [46] | Yes | Yes | Yes | Yes |
LibreSSL | No [47] | No [48] | Yes | Yes | Yes | Yes | Yes | Yes [49] |
MatrixSSL | No | Disabled by default at compile time [50] | Yes | Yes | Yes | Yes | Yes | Yes |
Mbed TLS | No | No [51] | No [51] | No [51] | Yes | Yes (experimental) | Yes [52] | Yes [52] |
NSS | No [c] | Disabled by default [53] | Yes | Yes [54] | Yes [55] | Yes [56] | Yes [54] | Yes [57] |
OpenSSL | No [58] | Disabled by default | Yes | Yes [59] | Yes [59] | Yes | Yes | Yes [60] |
Rustls | No [61] | No [61] | No [61] | No [61] | Yes [61] | Yes [61] | No | No |
s2n [62] | No | Disabled by default | Yes | Yes | Yes | Yes | No | No |
Schannel XP, 2003 [63] | Disabled by default in MSIE 7 | Enabled by default | Enabled by default in MSIE 7 | No | No | No | No | No |
Schannel Vista [64] | Disabled by default | Enabled by default | Yes | No | No | No | No | No |
Schannel 2008 [64] | Disabled by default | Enabled by default | Yes | Disabled by default (KB4019276) | Disabled by default (KB4019276) | No | No | No |
Schannel 7, 2008R2 [65] | Disabled by default | Disabled by default in MSIE 11 | Yes | Enabled by default in MSIE 11 | Enabled by default in MSIE 11 | No | Yes [66] | No [66] |
Schannel 8, 2012 [65] | Disabled by default | Enabled by default | Yes | Disabled by default | Disabled by default | No | Yes | No |
Schannel 8.1, 2012R2, 10 RTM & v1511 [65] | Disabled by default | Disabled by default in MSIE 11 | Yes | Yes | Yes | No | Yes | No |
Schannel 10 v1607 / 2016 [67] | No | Disabled by default | Yes | Yes | Yes | No | Yes | Yes |
Schannel 11 / 2022 [68] | No | Disabled by default | Yes | Yes | Yes | Yes | Yes | Yes |
Secure Transport OS X 10.2-10.7, iOS 1-4 | Yes | Yes | Yes | No | No | No | No | |
Secure Transport OS X 10.8-10.10, iOS 5-8 | No [d] | Yes | Yes | Yes [d] | Yes [d] | Yes [d] | No | |
Secure Transport OS X 10.11, iOS 9 | No | No [d] | Yes | Yes | Yes | Yes | Unknown | |
Secure Transport OS X 10.13, iOS 11 | No | No [d] | Yes | Yes | Yes | Yes (draft version) [69] | Yes | Unknown |
wolfSSL | No | Disabled by default [70] | Disabled by default [71] | Yes | Yes | Yes | Yes | Yes |
Erlang/OTP SSL application [72] | No [e] | No [f] | Disabled by default [e] | Disabled by default [e] | Yes | Partially [g] | Disabled by default [e] | Yes |
Implementation | SSL 2.0 (insecure) [35] | SSL 3.0 (insecure) [36] | TLS 1.0 (deprecated) [37] | TLS 1.1 (deprecated) [38] | TLS 1.2 [39] | TLS 1.3 | DTLS 1.0 (deprecated) [40] | DTLS 1.2 [34] |
Required components for NSA Suite B Cryptography (RFC 6460) are:
Per CNSSP-15, the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.
Implementation | TLS 1.2 Suite B |
---|---|
Botan | Yes |
Bouncy Castle | Yes |
BSAFE | Yes [42] |
cryptlib | Yes |
GnuTLS | Yes |
JSSE | Yes [73] |
LibreSSL | Yes |
MatrixSSL | Yes |
Mbed TLS | Yes |
NSS | No [74] |
OpenSSL | Yes [60] |
Rustls | Yes [61] |
S2n | |
Schannel | Yes [75] |
Secure Transport | No |
wolfSSL | Yes |
Implementation | TLS 1.2 Suite B |
Note that certain certifications have received serious negative criticism from people who are actually involved in them. [76]
Implementation | FIPS 140-1, FIPS 140-2 [77] | FIPS 140-3 | |
---|---|---|---|
Level 1 | Level 2[ disputed – discuss ] | Level 1 | |
Botan [78] | |||
Bouncy Castle | BC-FJA 1.0.0 (#2768) BC-FJA 1.0.1 (#3152) | ||
BSAFE SSL-J [79] | Crypto-J 6.0 (1785, 1786) Crypto-J 6.1 / 6.1.1.0.1 (2057, 2058) Crypto-J 6.2 / 6.2.1.1 (2468, 2469) Crypto-J 6.2.4 (3172, 3184) Crypto-J 6.2.5 (#3819, #3820) Crypto-J 6.3 (#4696, #4697) | ||
cryptlib [80] | |||
GnuTLS [81] | Red Hat Enterprise Linux GnuTLS Cryptographic Module (#2780) | ||
JSSE | |||
LibreSSL [47] | no support | ||
MatrixSSL [82] | SafeZone FIPS Cryptographic Module: 1.1 (#2389) | ||
Mbed TLS [83] | |||
NSS [84] | Network Security Services: 3.2.2 (#247) Network Security Services Cryptographic Module: 3.11.4 (#815), 3.12.4 (#1278), 3.12.9.1 (#1837) | Netscape Security Module: 1 (#7 [notes 1] ), 1.01 (#47 [notes 2] ) Network Security Services: 3.2.2 (#248 [notes 3] ) Network Security Services Cryptographic Module: 3.11.4 (#814 [notes 4] ), 3.12.4 (#1279, #1280 [notes 5] ) | |
OpenSSL [85] | OpenSSL FIPS Object Module: 1.0 (#624), 1.1.1 (#733), 1.1.2 (#918), 1.2, 1.2.1, 1.2.2, 1.2.3 or 1.2.4 (#1051) 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7 or 2.0.8 (#1747) | ||
Rustls | aws-lc FIPS module [86] (#4759) | ||
Schannel [87] | Cryptographic modules in Windows NT 4.0, 95, 95, 2000, XP, Server 2003, CE 5, CE 6, Mobile 6.x, Vista, Server 2008, 7, Server 2008 R2, 8, Server 2012, RT, Surface, Phone 8 See details on Microsoft FIPS 140 Validated Cryptographic Modules | ||
Secure Transport | Apple FIPS Cryptographic Module: 1.0 (OS X 10.6, #1514), 1.1 (OS X 10.7, #1701) Apple OS X CoreCrypto Module; CoreCrypto Kernel Module: 3.0 (OS X 10.8, #1964, #1956), 4.0 (OS X 10.9, #2015, #2016) Apple iOS CoreCrypto Module; CoreCrypto Kernel Module: 3.0 (iOS 6, #1963, #1944), 4.0 (iOS 7, #2020, #2021) | ||
wolfSSL [88] | wolfCrypt FIPS Module: 4.0 (#3389) See details on NIST certificate for validated Operating Environments wolfCrypt FIPS Module: 3.6.0 (#2425) See details on NIST certificate for validated Operating Environments | wolfCrypt FIPS Module (#4178) See details on NIST certificate | |
Implementation | Level 1 | Level 2 | Level 1 |
FIPS 140-1, FIPS 140-2 | FIPS 140-3 |
This section lists the certificate verification functionality available in the various implementations.
Implementation | RSA [39] | RSA-EXPORT (insecure) [39] | DHE-RSA (forward secrecy) [39] | DHE-DSS (forward secrecy) [39] | ECDH-ECDSA [89] | ECDHE-ECDSA (forward secrecy) [89] | ECDH-RSA [89] | ECDHE-RSA (forward secrecy) [89] | GOST R 34.10-94, 34.10-2001 [90] |
---|---|---|---|---|---|---|---|---|---|
Botan | Disabled by default | No | Yes | Disabled by default | No | Yes | No | Yes | No |
BSAFE | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No |
cryptlib | Yes | No | Yes | Yes | No | Yes | No | No | No |
GnuTLS | Yes | No | Yes | Disabled by default [43] | No | Yes | No | Yes | No |
JSSE | Yes | Disabled by default | Yes | Yes | Yes | Yes | Yes | Yes | No |
LibreSSL | Yes | No [47] | Yes | Yes | No | Yes | No | Yes | Yes [91] |
MatrixSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
Mbed TLS | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
NSS | Yes | Disabled by default | Yes [92] | Yes | Yes | Yes | Yes | Yes | No [93] [94] |
OpenSSL | Yes | No [58] | Yes | Disabled by default [58] | No | Yes | No | Yes | Yes [95] |
Rustls | No | No | No | No | No | Yes [61] | No | Yes [61] | No |
Schannel XP/2003 | Yes | Yes | No | XP: Max 1024 bits 2003: 1024 bits only | No | No | No | No | No [96] |
Schannel Vista/2008 | Yes | Disabled by default | No | 1024 bits by default [97] | No | Yes | No | except AES_GCM | No [96] |
Schannel 8/2012 | Yes | Disabled by default | AES_GCM only [98] [99] [100] | 1024 bits by default [97] | No | Yes | No | except AES_GCM | No [96] |
Schannel 7/2008R2, 8.1/2012R2 | Yes | Disabled by default | Yes | 2048 bits by default [97] | No | Yes | No | except AES_GCM | No [96] |
Schannel 10 | Yes | Disabled by default | Yes | 2048 bits by default [97] | No | Yes | No | Yes | No [96] |
Secure Transport OS X 10.6 | Yes | Yes | except AES_GCM | Yes | Yes | except AES_GCM | yes | except AES_GCM | No |
Secure Transport OS X 10.8-10.10 | Yes | No | except AES_GCM | No | Yes | except AES_GCM | Yes | except AES_GCM | No |
Secure Transport OS X 10.11 | Yes | No | Yes | No | No | Yes | No | Yes | No |
wolfSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
Erlang/OTP SSL application | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No |
Implementation | RSA [39] | RSA-EXPORT (insecure) [39] | DHE-RSA (forward secrecy) [39] | DHE-DSS (forward secrecy) [39] | ECDH-ECDSA [89] | ECDHE-ECDSA (forward secrecy) [89] | ECDH-RSA [89] | ECDHE-RSA (forward secrecy) [89] | GOST R 34.10-94, 34.10-2001 [90] |
Implementation | SRP [101] | SRP-DSS [101] | SRP-RSA [101] | PSK-RSA [102] | PSK [102] | DHE-PSK (forward secrecy) [102] | ECDHE-PSK (forward secrecy) [103] | KRB5 [104] | DH-ANON [39] (insecure) | ECDH-ANON [89] (insecure) |
---|---|---|---|---|---|---|---|---|---|---|
Botan | No | No | No | No | Yes | No | Yes | No | No | No |
BSAFE SSL-J | No | No | No | No | Yes [105] | No | No | No | Disabled by default | Disabled by default |
cryptlib | No | No | No | No | Yes | Yes | No | Unknown | No | No |
GnuTLS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Disabled by default | Disabled by default |
JSSE | No | No | No | No | No | No | No | No | Disabled by default | Disabled by default |
LibreSSL | No [106] | No [106] | No [106] | No | No | No | No | No | Yes | Yes |
MatrixSSL | No | No | No | Yes | Yes | Yes | No | No | Disabled by default | No |
Mbed TLS | No | No | No | Yes | Yes | Yes | Yes | No | No | No |
NSS | No [107] | No [107] | No [107] | No [108] | No [108] | No [108] | No [108] | No | Client side only, disabled by default [109] | Disabled by default [110] |
OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes [111] | Disabled by default [112] | Disabled by default [112] |
Rustls | No | No | No | No | No | No | No | No | No | No |
Schannel | No | No | No | No | No | No | No | Yes | No | No |
Secure Transport | No | No | No | No | No | No | No | Unknown | Yes | Yes |
wolfSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes [113] | Yes | No | No |
Erlang/OTP SSL application | Disabled by default | Disabled by default | Disabled by default | Disabled by default | Disabled by default | Disabled by default | No | No | Disabled by default | Disabled by default |
Implementation | SRP [101] | SRP-DSS [101] | SRP-RSA [101] | PSK-RSA [102] | PSK [102] | DHE-PSK (forward secrecy) [102] | ECDHE-PSK (forward secrecy) [103] | KRB5 [104] | DH-ANON [39] (insecure) | ECDH-ANON [89] (insecure) |
Implementation | Application-defined | PKIX path validation [114] | CRL [115] | OCSP [116] | DANE (DNSSEC) [117] [118] | CT [119] |
---|---|---|---|---|---|---|
Botan | Yes | Yes | Yes | Yes | No | Unknown |
Bouncy Castle | Yes | Yes | Yes | Yes | Yes | Unknown |
BSAFE | Yes | Yes | Yes | Yes | No | Unknown |
cryptlib | Yes | Yes | Yes | Yes | No | Unknown |
GnuTLS | Yes | Yes | Yes | Yes | Yes | Unknown |
JSSE | Yes | Yes | Yes | Yes | No | No |
LibreSSL | Yes | Yes | Yes | Yes | No | Unknown |
MatrixSSL | Yes | Yes | Yes | Yes [120] | No | Unknown |
Mbed TLS | Yes | Yes | Yes | No [121] | No | Unknown |
NSS | Yes | Yes | Yes | Yes | No [122] | Unknown |
OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes |
Rustls | Yes | Yes | Yes | No | No | No |
s2n | No [123] | Unknown [124] | Unknown [125] | |||
Schannel | Unknown | Yes | Yes [126] | Yes [126] | No | Unknown |
Secure Transport | Yes | Yes | Yes | Yes | No | Unknown |
wolfSSL | Yes | Yes | Yes | Yes | No | Unknown |
Erlang/OTP SSL application | Yes | Yes | Yes | No | No | Unknown |
Implementation | Application-defined | PKIX path validation | CRL | OCSP | DANE (DNSSEC) | CT |
Implementation | Block cipher with mode of operation | Stream cipher | None | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
AES GCM [127] | AES CCM [128] | AES CBC | Camellia GCM [129] | Camellia CBC [130] [129] | ARIA GCM [131] | ARIA CBC [131] | SEED CBC [132] | 3DES EDE CBC (insecure) [133] | GOST 28147-89 CNT (proposed) [90] [n 1] | ChaCha20-Poly1305 [134] | Null (insecure) [n 2] | |
Botan | Yes | Yes | Yes | Yes | Yes | No | No | Disabled by default | Disabled by default | No | Yes [135] | Not implemented |
BoringSSL | Yes | No | Yes | No | No | No | No | No | Yes | No | Yes | |
BSAFE SSL-J | Yes | Yes | Yes | No | No | No | No | No | Disabled by default | No | No | Disabled by default |
cryptlib | Yes | No | Yes | No | No | No | No | No | Yes | No | No | Not implemented |
GnuTLS | Yes | Yes [43] | Yes | Yes | Yes | No | No | No | Disabled by default [136] | No | Yes [137] | Disabled by default |
JSSE | Yes | No | Yes | No | No | No | No | No | Disabled by default [138] | No | Yes (JDK 12+) [139] | Disabled by default |
LibreSSL | Yes [47] | No | Yes | No | Yes [91] | No | No | No [47] | Yes | Yes [91] | Yes [47] | Disabled by default |
MatrixSSL | Yes | No | Yes | No | No | No | No | Yes | Disabled by default | No | Yes [140] | Disabled by default |
Mbed TLS | Yes | Yes [141] | Yes | Yes | Yes | Yes [142] | Yes [142] | No | No [51] | No | Yes [143] | Disabled by default at compile time |
NSS | Yes [144] | No | Yes | No [145] [n 3] | Yes [146] | No | No | Yes [147] | Yes | No [93] [94] | Yes [148] | Disabled by default |
OpenSSL | Yes [149] | Disabled by default [58] | Yes | No | Disabled by default [58] | Disabled by default [150] | No | Disabled by default [58] | Disabled by default [58] | Yes [95] | Yes [58] | Disabled by default |
Rustls | Yes [61] | No | No | No | No | No | No | No | No | No | Yes [61] | Not implemented |
Schannel XP/2003 | No | No | 2003 only [151] | No | No | No | No | No | Yes | No [96] | No | Disabled by default |
Schannel Vista/2008, 2008R2, 2012 | No | No | Yes | No | No | No | No | No | Yes | No [96] | No | Disabled by default |
Schannel 7, 8, 8.1/2012R2 | Yes except ECDHE_RSA [98] [99] | No | Yes | No | No | No | No | No | Yes | No [96] | No | Disabled by default |
Schannel 10 [152] | Yes | No | Yes | No | No | No | No | No | Yes | No [96] | No | Disabled by default |
Secure Transport OS X 10.6 - 10.10 | No | No | Yes | No | No | No | No | No | Yes | No | No | Disabled by default |
Secure Transport OS X 10.11 | Yes | No | Yes | No | No | No | No | No | Yes | No | No | Disabled by default |
wolfSSL | Yes | Yes | Yes | No | No | No | No | No | Yes | No | Yes | Disabled by default |
Erlang/OTP SSL application | Yes | No | Yes | No | No | No | No | No | Disabled by default | No | Experimental | Disable by default |
Implementation | Block cipher with mode of operation | Stream cipher | None | |||||||||
AES GCM [127] | AES CCM [128] | AES CBC | Camellia GCM [129] | Camellia CBC [130] [129] | ARIA GCM [131] | ARIA CBC [131] | SEED CBC [132] | 3DES EDE CBC (insecure) [133] | GOST 28147-89 CNT (proposed) [90] [n 1] | ChaCha20-Poly1305 [134] | Null (insecure) [n 2] |
Implementation | Block cipher with mode of operation | Stream cipher | ||||
---|---|---|---|---|---|---|
IDEA CBC [n 1] (insecure) [154] | DES CBC (insecure) [n 1] | DES-40 CBC (EXPORT, insecure) [n 2] | RC2-40 CBC (EXPORT, insecure) [n 2] | RC4-128 (insecure) [n 3] | RC4-40 (EXPORT, insecure) [n 4] [n 2] | |
Botan | No | No | No | No | No [155] | No |
BoringSSL | No | No | No | No | Disabled by default at compile time | No |
BSAFE SSL-J | No | Disabled by default | Disabled by default | No | Disabled by default | Disabled by default |
cryptlib | No | Disabled by default at compile time | No | No | Disabled by default at compile time | No |
GnuTLS | No | No | No | No | Disabled by default [43] | No |
JSSE | No | Disabled by default | Disabled by default | No | Disabled by default | Disabled by default [156] |
LibreSSL | Yes | Yes | No [47] | No [47] | Yes | No [47] |
MatrixSSL | Yes | No | No | No | Disabled by default | No |
Mbed TLS | No | Disabled by default at compile time | No | No | Disabled by default at compile time [52] | No |
NSS | Yes | Disabled by default | Disabled by default | Disabled by default | Lowest priority [157] [158] | Disabled by default |
OpenSSL | Disabled by default [58] | Disabled by default | No [58] | No [58] | Disabled by default | No [58] |
Rustls | No | No | No | No | No | No |
Schannel XP/2003 | No | Yes | Yes | Yes | Yes | Yes |
Schannel Vista/2008 | No | Disabled by default | Disabled by default | Disabled by default | Yes | Disabled by default |
Schannel 7/2008R2 | No | Disabled by default | Disabled by default | Disabled by default | Lowest priority will be disabled soon [159] | Disabled by default |
Schannel 8/2012 | No | Disabled by default | Disabled by default | Disabled by default | Only as fallback | Disabled by default |
Schannel 8.1/2012R2 | No | Disabled by default | Disabled by default | Disabled by default | Disabled by default [159] | Disabled by default |
Schannel 10 [152] | No | Disabled by default | Disabled by default | Disabled by default | Disabled by default [159] | Disabled by default |
Secure Transport OS X 10.6 | Yes | Yes | Yes | Yes | Yes | Yes |
Secure Transport OS X 10.7 | Yes | Unknown | Unknown | Unknown | Yes | Unknown |
Secure Transport OS X 10.8-10.9 | Yes | Disabled by default | Disabled by default | Disabled by default | Yes | Disabled by default |
Secure Transport OS X 10.10-10.11 | Yes | Disabled by default | Disabled by default | Disabled by default | Lowest priority | Disabled by default |
Secure Transport macOS 10.12 | Yes | Disabled by default | Disabled by default | Disabled by default | Disabled by default | Disabled by default |
wolfSSL | Disabled by default [160] | No | No | No | Disabled by default | No |
Erlang/OTP SSL application | no | Disabled by default | no | no | Disabled by default | no |
Implementation | Block cipher with mode of operation | Stream cipher | ||||
IDEA CBC [n 1] (insecure) [154] | DES CBC (insecure) [n 1] | DES-40 CBC (EXPORT, insecure) [n 2] | RC2-40 CBC (EXPORT, insecure) [n 2] | RC4-128 (insecure) [n 3] | RC4-40 (EXPORT, insecure) [n 4] [n 2] | |
This section lists the supported elliptic curves by each implementation.
applicable TLS version | TLS 1.3 and earlier | TLS 1.2 and earlier | ||||||
---|---|---|---|---|---|---|---|---|
Implementation | secp256r1 prime256v1 NIST P-256 (0x0017, [161] 23 [162] ) | secp384r1 NIST P-384 (0x0018, [161] 24 [162] ) | secp521r1 NIST P-521 (0x0019, [161] 25 [162] ) | X25519 (0x001D, [161] 29 [162] ) | X448 (0x001E, [161] 30 [162] ) | brainpoolP256r1 (26) [163] | brainpoolP384r1 (27) [163] | brainpoolP512r1 (28) [163] |
Botan | Yes | Yes | Yes | Yes [135] | No | Yes [164] | Yes [164] | Yes [164] |
BoringSSL | Yes | Yes | Yes (disabled by default) | Yes | No | No | No | No |
BSAFE | Yes | Yes | Yes | No | No | No | No | No |
GnuTLS | Yes | Yes | Yes | Yes [165] | Yes [166] | No | No | No |
JSSE | Yes | Yes | Yes | Yes x25519: JDK 13+ [167] Ed25519:JDK 15+ [168] | Yes x448: JDK 13+ [167] Ed448: JDK 15+ [168] | No | No | No |
LibreSSL | Yes | Yes | Yes | Yes [169] | No | Yes [47] | Yes [47] | Yes [47] |
MatrixSSL | Yes | Yes | Yes | TLS 1.3 only [170] | No | Yes | Yes | Yes |
Mbed TLS | Yes | Yes | Yes | Primitive only [171] | Primitive only [172] | Yes [173] | Yes [173] | Yes [173] |
NSS | Yes | Yes | Yes | Yes [174] | No [175] [176] | No [177] | No [177] | No [177] |
OpenSSL | Yes | Yes | Yes | Yes [178] [179] | Yes [180] [181] | Yes [60] | Yes [60] | Yes [60] |
Rustls | Yes | Yes | No | Yes | No | No | No | No |
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | Yes | Yes | Yes | No | No | No | No | No |
Secure Transport | Yes | Yes | Yes | No | No | No | No | No |
wolfSSL | Yes | Yes | Yes | Yes [182] | Yes [183] | Yes | Yes | Yes |
Erlang/OTP SSL application | Yes | Yes | Yes | No | No | Yes | Yes | Yes |
Implementation | secp256r1 prime256v1 NIST P-256 (0x0017, 23) | secp384r1 NIST P-384 (0x0018, 24) | secp521r1 NIST P-521 (0x0019, 25) | X25519 (0x001D, 29) | X448 (0x001E, 30) | brainpoolP256r1 (26) | brainpoolP384r1 (27) | brainpoolP512r1 (28) |
Implementation | sect163k1 NIST K-163 (1) [89] | sect163r1 (2) [89] | sect163r2 NIST B-163 (3) [89] | sect193r1 (4) [89] | sect193r2 (5) [89] | sect233k1 NIST K-233 (6) [89] | sect233r1 NIST B-233 (7) [89] | sect239k1 (8) [89] | sect283k1 NIST K-283 (9) [89] | sect283r1 NIST B-283 (10) [89] | sect409k1 NIST K-409 (11) [89] | sect409r1 NIST B-409 (12) [89] | sect571k1 NIST K-571 (13) [89] | sect571r1 NIST B-571 (14) [89] |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Botan | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
BoringSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
BSAFE | Yes | No | Yes | No | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
GnuTLS | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
JSSE | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] |
LibreSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
MatrixSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
Mbed TLS | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
NSS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Rustls | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
Secure Transport | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
wolfSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
Erlang/OTP SSL application | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Implementation | sect163k1 NIST K-163 (1) | sect163r1 (2) | sect163r2 NIST B-163 (3) | sect193r1 (4) | sect193r2 (5) | sect233k1 NIST K-233 (6) | sect233r1 NIST B-233 (7) | sect239k1 (8) | sect283k1 NIST K-283 (9) | sect283r1 NIST B-283 (10) | sect409k1 NIST K-409 (11) | sect409r1 NIST B-409 (12) | sect571k1 NIST K-571 (13) | sect571r1 NIST B-571 (14) |
Implementation | secp160k1 (15) [89] | secp160r1 (16) [89] | secp160r2 (17) [89] | secp192k1 (18) [89] | secp192r1 prime192v1 NIST P-192 (19) [89] | secp224k1 (20) [89] | secp224r1 NIST P-244 (21) [89] | secp256k1 (22) [89] | arbitrary prime curves (0xFF01) [89] [186] | arbitrary char2 curves (0xFF02) [89] [186] |
---|---|---|---|---|---|---|---|---|---|---|
Botan | No | No | No | No | No | No | No | No | No | No |
BoringSSL | No | No | No | No | No | No | Yes | No | No | No |
BSAFE | No | No | No | No | Yes | No | Yes | No | No | No |
GnuTLS | No | No | No | No | Yes | No | Yes | No | No | No |
JSSE | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | Notes [a] [b] | No | No |
LibreSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
MatrixSSL | No | No | No | No | Yes | No | Yes | No | No | No |
Mbed TLS | No | No | No | Yes | Yes | Yes | Yes | Yes | No | No |
NSS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
Rustls | No | No | No | No | No | No | No | No | No | No |
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | No | No | No | No | No | No | No | No | No | No |
Secure Transport | No | No | No | No | Yes | No | No | No | No | No |
wolfSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
Erlang/OTP SSL application | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
Implementation | secp160k1 (15) | secp160r1 (16) | secp160r2 (17) | secp192k1 (18) | secp192r1 prime192v1 NIST P-192 (19) | secp224k1 (20) | secp224r1 NIST P-244 (21) | secp256k1 (22) | arbitrary prime curves (0xFF01) | arbitrary char2 curves (0xFF02) |
Implementation | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA256/384 | AEAD | GOST 28147-89 IMIT [90] | GOST R 34.11-94 [90] |
---|---|---|---|---|---|---|
Botan | No | Yes | Yes | Yes | No | No |
BSAFE | Yes | Yes | Yes | Yes | No | No |
cryptlib | Yes | Yes | Yes | Yes | No | No |
GnuTLS | Yes | Yes | Yes | Yes | No | No |
JSSE | Disabled by Default | Yes | Yes | Yes | No | No |
LibreSSL | Yes | Yes | Yes | Yes | Yes [91] | Yes [91] |
MatrixSSL | Yes | Yes | Yes | Yes | No | No |
Mbed TLS | Yes | Yes | Yes | Yes | No | No |
NSS | Yes | Yes | Yes | Yes | No [93] [94] | No [93] [94] |
OpenSSL | Yes | Yes | Yes | Yes | Yes [95] | Yes [95] |
Rustls | No | No | No | Yes | No | No |
Schannel XP/2003, Vista/2008 | Yes | Yes | XP SP3, 2003 SP2 via hotfix [187] | No | No [96] | No [96] |
Schannel 7/2008R2, 8/2012, 8.1/2012R2 | Yes | Yes | Yes | except ECDHE_RSA [98] [99] [100] | No [96] | No [96] |
Schannel 10 | Yes | Yes | Yes | Yes [152] | No [96] | No [96] |
Secure Transport | Yes | Yes | Yes | Yes | No | No |
wolfSSL | Yes | Yes | Yes | Yes | No | No |
Erlang/OTP SSL application | Yes | Yes | Yes | Yes | No | No |
Implementation | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA256/384 | AEAD | GOST 28147-89 IMIT | GOST R 34.11-94 |
Note the CRIME security exploit takes advantage of TLS compression, so conservative implementations do not enable compression at the TLS level. HTTP compression is unrelated and unaffected by this exploit, but is exploited by the related BREACH attack.
Implementation | DEFLATE [188] (insecure) |
---|---|
Botan | No |
BSAFE [42] | No |
cryptlib | No |
GnuTLS | Disabled by default |
JSSE | No |
LibreSSL | No [47] |
MatrixSSL | Disabled by default |
Mbed TLS | Disabled by default |
NSS | Disabled by default |
OpenSSL | Disabled by default |
Rustls | No |
Schannel | No |
Secure Transport | No |
wolfSSL | Disabled by default |
Erlang/OTP SSL application | No |
Implementation | DEFLATE |
In this section the extensions each implementation supports are listed. Note that the Secure Renegotiation extension is critical for HTTPS client security [ citation needed ]. TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.
Implementation | Secure Renegotiation [189] | Server Name Indication [190] | ALPN [191] | Certificate Status Request [190] | OpenPGP [192] | Supplemental Data [193] | Session Ticket [194] | Keying Material Exporter [195] | Maximum Fragment Length [190] | Encrypt-then-MAC [30] | TLS Fallback SCSV [196] | Extended Master Secret [197] | ClientHello Padding [198] | Raw Public Keys [199] |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Botan | Yes | Yes | Yes [200] | No | No | No | Yes | Yes | Yes | Yes | Yes [201] | Yes [202] | No | Unknown |
BSAFE SSL-J | Yes | Yes | No | Yes | No | No | No | No | Yes | No | No | Yes | No | No |
cryptlib | Yes | Yes | No | No | No | Yes | No | No | No [203] | Yes | Yes | Yes | No | Unknown |
GnuTLS | Yes | Yes | Yes [204] | Yes | No [205] | Yes | Yes | Yes | Yes | Yes [43] | Yes [206] | Yes [43] | Yes [207] | Yes [208] |
JSSE | Yes | Yes [73] | Yes [73] | Yes | No | No | Yes | No | Yes | No | No | Yes | No | No |
LibreSSL | Yes | Yes | Yes [209] | Yes | No | No? | Yes | Yes? | No | No | Server side only [210] | No | Yes | No |
MatrixSSL | Yes | Yes | Yes [211] | Yes [140] | No | No | Yes | No | Yes | No | Yes [140] | Yes [140] | No | Unknown |
Mbed TLS | Yes | Yes | Yes [212] | No | No | No | Yes | No | Yes | Yes [213] | Yes [213] | Yes [213] | No | No |
NSS | Yes | Yes | Yes [214] | Yes | No [215] | No | Yes | Yes | No | No [216] | Yes [217] | Yes [218] | Yes [214] | Unknown |
OpenSSL | Yes | Yes | Yes [60] | Yes | No | No? | Yes | Yes | Yes | Yes | Yes [219] | Yes [58] | Yes [220] | Yes [221] |
Rustls | Yes | Yes | Yes | Yes | No | No | Yes | Yes | No | No | No [222] | Yes | No | Unknown |
Schannel XP/2003 | No | No | No | No | No | Yes | No | No | No | No | No | No | No | Unknown |
Schannel Vista/2008 | Yes | Yes | No | No | No | Yes | No | No | No | No | No | Yes [223] | No | Unknown |
Schannel 7/2008R2 | Yes | Yes | No | Yes | No | Yes | No | No | No | No | No | Yes [223] | No | Unknown |
Schannel 8/2012 | Yes | Yes | No | Yes | No | Yes | Client side only [224] | No | No | No | No | Yes [223] | No | Unknown |
Schannel 8.1/2012R2, 10 | Yes | Yes | Yes | Yes | No | Yes | Yes [224] | No | No | No | No | Yes [223] | No | Unknown |
Secure Transport | Yes | Yes | Unknown | No | No | Yes | No | No | No | No | No | No | No | Unknown |
wolfSSL | Yes | Yes | Yes [160] | Yes | No | No | Yes | No | Yes | Yes [225] | No | Yes | No | Yes [226] |
Erlang/OTP SSL application | Yes | Yes | Yes | No | No | No | No | No | No | No | Yes | No | No | Unknown |
Implementation | Secure Renegotiation | Server Name Indication | ALPN | Certificate Status Request | OpenPGP | Supplemental Data | Session Ticket | Keying Material Exporter | Maximum Fragment Length | Encrypt-then-MAC | TLS Fallback SCSV | Extended Master Secret | ClientHello Padding | Raw Public Keys |
This section lists the known ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or utilize system specific devices that allow access to underlying cryptographic hardware for acceleration or for data separation.
Implementation | PKCS #11 device | Intel AES-NI | VIA PadLock | ARMv8-A | Intel SHA | NXP CAAM | TPM 2.0 | NXP SE050 | Microchip ATECC | STMicro STSAFE | Maxim MAXQ |
---|---|---|---|---|---|---|---|---|---|---|---|
Botan | Yes [227] | Yes | No | Yes | No | Yes [228] | No | No | No | No | |
BSAFE SSL-J [a] [b] | Yes | Yes | No | Yes | Yes | No | No [231] | No | No | No | No |
cryptlib | Yes | Yes | Yes | No | No | No | No | No | |||
Crypto++ | Yes | Yes | No | No | No | No | |||||
GnuTLS | Yes | Yes | Yes | Yes [232] | Yes | No [233] | No | No | No | No | |
JSSE | Yes | Yes [234] | No | No | No | No | No | No | No | ||
LibreSSL | No | Yes | Yes | No | No | No | No | No | |||
MatrixSSL | Yes | Yes | No | Yes | No | No | No | No | No | ||
Mbed TLS | Yes | Yes [235] | Yes | No | No | Partial [236] | Yes [237] | No | No | ||
NSS | Yes [238] | Yes [239] | No [240] | No | No | No | No | No | No | ||
OpenSSL | Yes [241] | Yes | Yes | Yes [242] | Yes | Partial | Partial [243] [244] | Partial [245] | No | Partial [246] | No |
Rustls | Yes | Yes | Yes | No | No | No | No | ||||
Schannel | No | Yes | No | No | No | No | No | No | No | ||
Secure Transport | No | Yes [247] [248] | No | Yes | No | No | No | No | No | ||
wolfSSL | Yes | Yes | No | Yes | Yes [249] | Yes [250] [251] | Yes [252] | Yes [253] | Yes [254] | Yes [255] | |
Implementation | PKCS #11 device | Intel AES-NI | VIA PadLock | ARMv8-A | Intel SHA | NXP CAAM | TPM 2.0 | NXP SE050 | Microchip ATECC | STMicro STSAFE | Maxim MAXQ |
This section lists the ability of an implementation to take advantage of the available operating system specific backends, or even the backends provided by another implementation.
Implementation | /dev/crypto | af_alg | Windows CSP | CommonCrypto | OpenSSL engine |
---|---|---|---|---|---|
Botan | No | No | No | No | Partial |
BSAFE | No | No | No | No | No |
cryptlib | No | No | No | No | No |
GnuTLS | Yes | Yes | No | No | No |
JSSE | No | No | Yes | No | No |
LibreSSL | No | No | No | No | No [256] |
MatrixSSL | No | No | No | Yes | Yes |
Mbed TLS | No | No | No | No | No |
NSS | No | No | No | No | No |
OpenSSL | Yes | Yes | No | No | Yes |
Rustls | No | Yes [257] | No | No | No |
Schannel | No | No | Yes | No | No |
Secure Transport | No | No | No | Yes | No |
wolfSSL | Yes | Yes | Partial | No | Yes [258] |
Erlang/OTP SSL application | No | No | No | No | Yes |
Implementation | /dev/crypto | af_alg | Windows CSP | CommonCrypto | OpenSSL engine |
Implementation | TPM support | Hardware token support | Objects identified via |
---|---|---|---|
Botan | Partial [202] | PKCS #11 | |
BSAFE SSL-J | No | No | |
cryptlib | No | PKCS #11 | User-defined label |
GnuTLS | Yes | PKCS #11 | RFC 7512 PKCS #11 URLs [259] |
JSSE | No | PKCS11 Java Cryptography Architecture, Java Cryptography Extension | |
LibreSSL | Yes | PKCS #11 (via 3rd party module) | Custom method |
MatrixSSL | No | PKCS #11 | |
Mbed TLS | No | PKCS #11 (via libpkcs11-helper) or standard hooks | Custom method |
NSS | No | PKCS #11 | |
OpenSSL | Yes | PKCS #11 (via 3rd party module) [260] | RFC 7512 PKCS #11 URLs [259] |
Rustls | No | Microsoft CryptoAPI [261] | Custom method |
Schannel | No | Microsoft CryptoAPI | UUID, User-defined label |
Secure Transport | |||
wolfSSL | Yes | PKCS #11 | |
Implementation | TPM support | Hardware token support | Objects identified via |
Implementation | Dependencies | Optional dependencies |
---|---|---|
Botan | C++20 | SQLite zlib (compression) bzip2 (compression) liblzma (compression) boost trousers (TPM) |
GnuTLS | libc nettle gmp | zlib (compression) p11-kit (PKCS #11) trousers (TPM) libunbound (DANE) |
JSSE | Java | |
MatrixSSL | none | zlib (compression) |
MatrixSSL-open | libc or newlib | |
Mbed TLS | libc | libpkcs11-helper (PKCS #11) zlib (compression) |
NSS | libc libnspr4 libsoftokn3 libplc4 libplds4 | zlib (compression) |
Rustls | rust core library | rust std library zlib-rs (compression) brotli (compression) ring (cryptography) aws-lc-rs (cryptography) |
OpenSSL | libc | zlib (compression) brotli (compression) zstd (compression) |
wolfSSL | None | libc zlib (compression) |
Erlang/OTP SSL application | libcrypto (from OpenSSL), Erlang/OTP and its public_key, crypto and asn1 applications | Erlang/OTP -inets (http fetching of CRLs) |
Implementation | Dependencies | Optional dependencies |
Implementation | Namespace | Build tools | API manual | Crypto back-end | OpenSSL compatibility Layer[ clarify ] |
---|---|---|---|---|---|
Botan | Botan::TLS | Makefile | Sphinx | Included (pluggable) | No |
Bouncy Castle | org.bouncycastle | Java Development Environment | Programmers reference manual (PDF) | Included (pluggable) | No |
BSAFE SSL-J | com.rsa.asn1 [a] com.rsa.certj [b] | Java class loader | Javadoc, Developer's guide (HTML) | Included | No |
cryptlib | crypt* | makefile, MSVC project workspaces | Programmers reference manual (PDF), architecture design manual (PDF) | Included (monolithic) | No |
GnuTLS | gnutls_* | Autoconf, automake, libtool | Manual and API reference (HTML, PDF) | External, libnettle | Yes (limited) |
JSSE | javax.net.ssl sun.security.ssl | Makefile | API Reference (HTML) + | Java Cryptography Architecture, Java Cryptography Extension | No |
MatrixSSL | matrixSsl_* ps* | Makefile, MSVC project workspaces, Xcode projects for OS X and iOS | API Reference (PDF), Integration Guide | Included (pluggable) | Yes (Subset: SSL_read, SSL_write, etc.) |
Mbed TLS | mbedtls_ssl_* mbedtls_sha1_* | Makefile, CMake, MSVC project workspaces, yotta | API Reference + High Level and Module Level Documentation (HTML) | Included (monolithic) | No |
NSS | CERT_* SEC_* | Makefile | Manual (HTML) | Included, PKCS#11 based [262] | Yes (separate package called nss_compat_ossl [263] ) |
OpenSSL | SSL_* SHA1_* | Makefile | Man pages | Included (monolithic) | — |
Rustls | rustls:: | cargo | API reference and design manual | Two options included (pluggable) | Yes [264] (subset) |
wolfSSL | wolfSSL_* CyaSSL_* | Autoconf, automake, libtool, MSVC project workspaces, XCode projects, CodeWarrior projects, MPLAB X projects, Keil, IAR, Clang, GCC, e2Studio | Manual and API Reference (HTML, PDF) | Included (monolithic) | Yes (about 60% of API) |
Implementation | Namespace | Build tools | API manual | Crypto back-end | OpenSSL compatibility layer |
Implementation | Platform requirements | Network requirements | Thread safety | Random seed | Able to cross-compile | No OS (bare metal) | Supported operating systems |
---|---|---|---|---|---|---|---|
Botan | C++11 | None | Thread-safe | Platform-dependent | Yes | Windows, Linux, macOS, Android, iOS, FreeBSD, OpenBSD, Solaris, AIX, HP-UX, QNX, BeOS, IncludeOS | |
BSAFE SSL-J | Java | Java SE network components | Thread-safe | Depends on java.security.SecureRandom | Yes | No | FreeBSD, Linux, macOS, Microsoft Windows, Android, AIX, Solaris |
cryptlib | C89 | POSIX send() and recv(). API to supply your own replacement | Thread-safe | Platform-dependent, including hardware sources | Yes | Yes | AMX, BeOS, ChorusOS, DOS, eCos, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, Palm OS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, macOS, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK |
GnuTLS | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available. | Platform dependent | Yes | No | Generally any POSIX platforms or Windows, commonly tested platforms include Linux, Win32/64, macOS, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD. |
JSSE | Java | Java SE network components | Thread-safe | Depends on java.security.SecureRandom | Yes | Java based, platform-independent | |
MatrixSSL | C89 | None | Thread-safe | Platform dependent | Yes | Yes | All |
Mbed TLS | C89 | POSIX read() and write(). API to supply your own replacement. | Threading layer available (POSIX or own hooks) | Random seed set through entropy pool | Yes | Yes | Known to work on: Win32/64, Linux, macOS, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox, Android, eCos, SeggerOS, RISC OS |
NSS | C89, NSPR [265] | NSPR [265] PR_Send() and PR_Recv(). API to supply your own replacement. | Thread-safe | Platform dependent [266] | Yes (but cumbersome) | No | AIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, macOS, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation |
Rustls | Rust (programming language) | None | Thread-safe | Platform dependent | Yes | Yes | All supported by Rust (programming language) |
OpenSSL | C89 | None | Thread-safe | Platform dependent | Yes | No | Unix-like, DOS (with djgpp), Windows, OpenVMS, NetWare, eCos |
wolfSSL | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe | Random seed set through wolfCrypt | Yes | Yes | Win32/64, Linux, macOS, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Yocto Project, OpenEmbedded, WinCE, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, NonStop, TRON/ITRON/μITRON, eCos, Micrium μC/OS-III, FreeRTOS, SafeRTOS, NXP/Freescale MQX, Nucleus, TinyOS, HP/UX, AIX, ARC MQX, Keil RTX, TI-RTOS, uTasker, embOS, INtime, Mbed, uT-Kernel, RIOT, CMSIS-RTOS, FROSTED, Green Hills INTEGRITY, TOPPERS, PetaLinux, Apache mynewt |
Implementation | Platform requirements | Network requirements | Thread safety | Random seed | Able to cross-compile | No OS (bare metal) | Supported operating systems |
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.
OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping, and identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.
In cryptography, Camellia is a symmetric key block cipher with a block size of 128 bits and key sizes of 128, 192 and 256 bits. It was jointly developed by Mitsubishi Electric and NTT of Japan. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. The cipher has security levels and processing abilities comparable to the Advanced Encryption Standard.
GnuTLS is a free software implementation of the TLS, SSL and DTLS protocols. It offers an application programming interface (API) for applications to enable secure communication over the network transport layer, as well as interfaces to access X.509, PKCS #12, OpenPGP and other structures.
SEED is a block cipher developed by the Korea Information Security Agency (KISA). It is used broadly throughout South Korean industry, but seldom found elsewhere. It gained popularity in Korea because 40-bit encryption was not considered strong enough, so the Korea Information Security Agency developed its own standard. However, this decision has historically limited the competition of web browsers in Korea, as no major SSL libraries or web browsers supported the SEED algorithm, requiring users to use an ActiveX control in Internet Explorer for secure web sites.
Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. The DTLS protocol datagram preserves the semantics of the underlying transport—the application does not suffer from the delays associated with stream protocols, but because it uses User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP), the application has to deal with packet reordering, loss of datagram and data larger than the size of a datagram network packet. Because DTLS uses UDP or SCTP rather than TCP it avoids the TCP meltdown problem when being used to create a VPN tunnel.
Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License. Since release 3.14, NSS releases are licensed under GPL-compatible Mozilla Public License 2.0.
The Online Certificate Status Protocol (OCSP) stapling, formally known as the TLS Certificate Status Request extension, is a standard for checking the revocation status of X.509 digital certificates. It allows the presenter of a certificate to bear the resource cost involved in providing Online Certificate Status Protocol (OCSP) responses by appending ("stapling") a time-stamped OCSP response signed by the CA to the initial TLS handshake, eliminating the need for clients to contact the CA, with the aim of improving both security and performance.
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. This also allows a proxy to forward client traffic to the right server during TLS/SSL handshake. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. The SNI extension was specified in 2003 in RFC 3546
In cryptography, Curve25519 is an elliptic curve used in elliptic-curve cryptography (ECC) offering 128 bits of security and designed for use with the Elliptic-curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest curves in ECC, and is not covered by any known patents. The reference implementation is public domain software.
SPDY is an obsolete open-specification communication protocol developed for transporting web content. SPDY became the basis for HTTP/2 specification. However, HTTP/2 diverged from SPDY and eventually HTTP/2 subsumed all usecases of SPDY. After HTTP/2 was ratified as a standard, major implementers, including Google, Mozilla, and Apple, deprecated SPDY in favor of HTTP/2. Since 2021, no modern browser supports SPDY.
A cipher suite is a set of algorithms that help secure a network connection. Suites typically use Transport Layer Security (TLS) or its deprecated predecessor Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain include: a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.
Mbed TLS is an implementation of the TLS and SSL protocols and the respective cryptographic algorithms and support code required. It is distributed under the Apache License version 2.0. Stated on the website is that Mbed TLS aims to be "easy to understand, use, integrate and expand".
Application-Layer Protocol Negotiation (ALPN) is a Transport Layer Security (TLS) extension that allows the application layer to negotiate which protocol should be performed over a secure connection in a manner that avoids additional round trips and which is independent of the application-layer protocols. It is used to establish HTTP/2 connections without additional round trips.
DNS-based Authentication of Named Entities (DANE) is an Internet security protocol to allow X.509 digital certificates, commonly used for Transport Layer Security (TLS), to be bound to domain names using Domain Name System Security Extensions (DNSSEC).
The tables below compare cryptography libraries that deal with cryptography algorithms and have application programming interface (API) function calls to each of the supported features.
POODLE is a security vulnerability which takes advantage of the fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014. On December 8, 2014, a variation of the POODLE vulnerability that affected TLS was announced.
The Automatic Certificate Management Environment (ACME) protocol is a communications protocol for automating interactions between certificate authorities and their users' servers, allowing the automated deployment of public key infrastructure at very low cost. It was designed by the Internet Security Research Group (ISRG) for their Let's Encrypt service.
ChaCha20-Poly1305 is an authenticated encryption with associated data (AEAD) algorithm, that combines the ChaCha20 stream cipher with the Poly1305 message authentication code. It has fast software performance, and without hardware acceleration, is usually faster than AES-GCM.
Version history for TLS/SSL support in web browsers tracks the implementation of Transport Layer Security protocol versions in major web browsers.
{{cite conference}}
: CS1 maint: multiple names: authors list (link)We've incorporated support for AES-NI in our AES and GCM modules.