Comparison of TLS implementations
The Transport Layer Security (TLS) protocol provides the ability to secure communications across or inside networks. This article compares several of the most notable TLS libraries. Several of these implementations are free and open-source software.
All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.
Overview
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" |
Implementation
! Developed by ! Open source ! Software license ! Copyright holder ! Written in ! Latest stable version, release date ! Origin |
---|
Botan
| Jack Lloyd | {{yes}} | {{free|Simplified BSD License}} | Jack Lloyd | C++ | {{Latest stable software release/Botan}} | US (Vermont) |
BoringSSL
| {{yes}} | {{free|OpenSSL-SSLeay dual-license, ISC license}} | Eric Young, Tim Hudson, Sun, OpenSSL project, Google, and others | ?? | Australia/EU |
Bouncy Castle
| The Legion of the Bouncy Castle Inc. | {{Yes}} | {{free|MIT License}} | Legion of the Bouncy Castle Inc. | {{Latest stable software release/Bouncy Castle}} | Australia |
BSAFE
| Dell, formerly RSA Security | {{no}} | {{proprietary}} | Dell | SSL-J {{Latest stable software release/BSAFE SSL-J}} Micro Edition Suite {{Latest stable software release/BSAFE Micro Edition Suite}} | Australia |
cryptlib
| {{yes}} | {{free|Sleepycat License}} and commercial license | C | {{Latest stable software release/cryptlib}} | NZ |
GnuTLS
| {{yes}} | {{free|LGPL-2.1-or-later}} | C | {{wikidata|property|preferred|references|edit|Q1533305|P348|P548=Q2804309}} {{wikidata|qualifier|raw|preferred|single|Q1533305|P348|P548=Q2804309|P577}} | EU (Greece and Sweden) |
Java Secure Socket Extension (JSSE)
| Oracle | {{Yes}} | {{free|GNU GPLv2}} and commercial license | Oracle | Java | {{Latest stable software release/Java (software platform)}} | US |
LibreSSL
| {{yes}} | {{free|Apache-1.0, BSD-4-Clause, ISC, and public domain}} | Eric Young, Tim Hudson, Sun, OpenSSL project, OpenBSD Project, and others | {{wikidata|property|preferred|references|edit|Q16590706|P348|P548=Q2804309}} {{wikidata|qualifier|raw|preferred|single|Q16590706|P348|P548=Q2804309|P577}} | Canada |
MatrixSSL (the features listed are for the closed source version)
| PeerSec Networks | {{yes}} | {{free|GNU GPLv2+}} and commercial license | PeerSec Networks | C | {{Latest stable software release/MatrixSSL}} | US |
Mbed TLS (previously PolarSSL)
| Arm | {{yes}} | {{free|Apache License 2.0, GNU GPLv2+}} and commercial license | C | {{Latest stable software release/Mbed TLS}} | EU (Netherlands) |
Network Security Services (NSS)
| Mozilla, AOL, Red Hat, Sun, Oracle, Google and others | {{yes}} | {{free|MPL 2.0}} | NSS contributors | {{Latest stable software release/Network Security Services}} | US |
OpenSSL
| {{yes}} | {{free|Apache-2.0}} | Eric Young, Tim Hudson, Sun, OpenSSL project, and others | {{wikidata|property|preferred|references|edit|Q1052790|P348|P548=Q2804309}} {{wikidata|qualifier|raw|preferred|single|Q1052790|P348|P548=Q2804309|P577}} | Australia/EU |
Rustls
| Joe Birr-Pixton, Dirkjan Ochtman, Daniel McCarney, Josh Aas, and open source contributors | {{yes}} | {{free|Apache-2.0, MIT License and ISC}} | Open source contributors | Rust | {{Latest stable software release/Rustls}} | United Kingdom |
s2n
| Amazon | {{yes}} | {{free|Apache License 2.0, GNU GPLv2+}} and commercial license | Amazon.com, Inc. | C | Continuous | US |
Schannel
| {{no}} | {{proprietary}} | Microsoft Corporation | | Windows 11, 2021-10-05 | US |
Secure Transport
| {{Yes}} | {{free|APSL 2.0}} | Apple Inc. | | 57337.20.44 (OS X 10.11.2), 2015-12-08 | US |
wolfSSL (previously CyaSSL)
| {{yes}} | {{free|GNU GPLv2+}} and commercial license | wolfSSL Inc.{{cite web | url=https://www.wolfssl.com | title=wolfSSL Embedded SSL/TLS | accessdate=2016-05-03}} | {{Latest stable software release/wolfSSL}} | US |
Erlang/OTP SSL application
| Ericsson | {{yes}} | {{free|Apache License 2.0}} | Ericsson |Erlang |OTP-21, 2018-06-19 |Sweden |
class="sortbottom"
! Implementation ! Developed by ! Open source ! Software license ! Copyright owner ! Written in ! Latest stable version, release date ! Origin |
Note: Apache-2.0 for OpenSSL 3.0 and later releases. OpenSSL-SSLeay dual-license for any release before OpenSSL 3.0.
<span class="anchor" id="TLS version support"></span>TLS/SSL protocol version support
Several versions of the TLS protocol exist. SSL 2.0 is a deprecated{{cite IETF |rfc=6176 |title=Prohibiting Secure Sockets Layer (SSL) Version 2.0}} protocol version with significant weaknesses. SSL 3.0 (1996) and TLS 1.0 (1999) are successors with two weaknesses in CBC-padding that were explained in 2001 by Serge Vaudenay.{{cite web|url=http://infoscience.epfl.ch/record/52417/files/IC_TECH_REPORT_200150.pdf|title=CBC-Padding: Security Flaws in SSL, IPsec, WTLS,...|first=Serge|last=Vaudenay|date=2001}} TLS 1.1 (2006) fixed only one of the problems, by switching to random initialization vectors (IV) for CBC block ciphers, whereas the more problematic use of mac-pad-encrypt instead of the secure pad-mac-encrypt was addressed with RFC 7366.{{cite IETF |rfc=7366 |title=Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security}} A workaround for SSL 3.0 and TLS 1.0, roughly equivalent to random IVs from TLS 1.1, was widely adopted by many implementations in late 2011.{{cite web|url=https://www.educatedguesswork.org/2011/11/rizzoduong_beast_countermeasur.html|title=Rizzo/Duong BEAST Countermeasures|archive-url=https://web.archive.org/web/20160311153448/https://educatedguesswork.org/2011/11/rizzoduong_beast_countermeasur.html|archive-date=2016-03-11|url-status=dead}} In 2014, the POODLE vulnerability of SSL 3.0 was discovered, which takes advantage of the known vulnerabilities in CBC, and an insecure fallback negotiation used in browsers.{{cite web | url=https://www.openssl.org/~bodo/ssl-poodle.pdf | title=This POODLE Bites: Exploiting The SSL 3.0 Fallback | date=September 2014 | access-date=15 October 2014 |last1=Möller |first1=Bodo |last2=Duong |first2=Thai |last3=Kotowicz |first3=Krzysztof | archive-url=https://web.archive.org/web/20141015204410/https://www.openssl.org/~bodo/ssl-poodle.pdf | archive-date=15 October 2014 | url-status=dead}}
TLS 1.2 (2008) introduced a means to identify the hash used for digital signatures. While this permits the use of stronger hash functions for digital signatures in the future (rsa,sha256/sha384/sha512) over the conservative SSL 3.0 choice (rsa,sha1+md5), the TLS 1.2 protocol change inadvertently and substantially weakened the default digital signatures by providing (rsa,sha1) and even (rsa,md5).{{cite IETF |rfc=5246 |title=The Transport Layer Security (TLS) Protocol Version 1.2 |section=1.2 |sectionname=TLSv1.2's Major Differences from TLSv1.1}}
Datagram Transport Layer Security (DTLS or Datagram TLS) 1.0 is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated. The revision DTLS 1.2 based on TLS 1.2 was published in January 2012.{{Cite IETF |rfc=6347}}
TLS 1.3 (2018), specified in RFC 8446, includes major optimizations and security improvements. QUIC (2021), specified in RFC 9000, and DTLS 1.3 (2022), specified in RFC 9147, build on TLS 1.3. The publishing of TLS 1.3 and DTLS 1.3 obsoleted TLS 1.2 and DTLS 1.2.
Note that there are known vulnerabilities in SSL 2.0 and SSL 3.0. In 2021, IETF published RFC 8996 also forbidding negotiation of TLS 1.0, TLS 1.1, and DTLS 1.0 due to known vulnerabilities. NIST SP 800-52 requires support of TLS 1.3 by January 2024. Support of TLS 1.3 means that two compliant nodes will never negotiate TLS 1.2.
Note: As of SSL-J 7.0, support for TLS 1.0 and 1.1 has been removed.
NSA Suite B Cryptography
Required components for NSA Suite B Cryptography (RFC 6460) are:
- Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits. For traffic flow, AES should be used with either the Counter Mode (CTR) for low bandwidth traffic or the Galois/Counter Mode (GCM) mode of operation for high bandwidth traffic (see Block cipher modes of operation) — symmetric encryption
- Elliptic Curve Digital Signature Algorithm (ECDSA) — digital signatures
- Elliptic Curve Diffie–Hellman (ECDH) — key agreement
- Secure Hash Algorithm 2 (SHA-256 and SHA-384) — message digest
Per CNSSP-15, the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.
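The component list and the CNSSP-15 levels above can be turned into a check on a negotiated TLS 1.2 connection. The following is an added example, not part of the original article or of any listed library: it parses an IANA-style cipher suite name, verifies each Suite B component, and reports the classification level using a weakest-link rule. The weakest-link rule, the acceptance of GCM only, the function names and the sample peers are assumptions of this example.

```python
# Added example: weakest-link Suite B check for a negotiated TLS 1.2
# cipher suite and elliptic curve. Names and sample data are constructed.

# Rank 1 = sufficient up to Secret, rank 2 = necessary for Top Secret,
# following the CNSSP-15 paragraph above.
AES_RANK = {128: 1, 256: 2}
HASH_RANK = {"SHA256": 1, "SHA384": 2}
CURVE_RANK = {"secp256r1": 1, "secp384r1": 2}  # 256-bit and 384-bit prime curves
LEVEL_NAME = {1: "Secret", 2: "Top Secret"}
LEVEL_RANK = {name: rank for rank, name in LEVEL_NAME.items()}


def parse_suite(name):
    """Split a TLS_<kx>_<auth>_WITH_<bulk>_<hash> name into components."""
    if not name.startswith("TLS_"):
        return None
    kx_auth, sep, bulk = name[len("TLS_"):].partition("_WITH_")
    if not sep or not kx_auth:
        return None  # e.g. TLS 1.3 names such as TLS_AES_128_GCM_SHA256
    kx, _, auth = kx_auth.partition("_")
    parts = bulk.split("_")
    if len(parts) < 2:
        return None
    middle = parts[1:-1]  # key size and mode, when present
    return {
        "kx": kx,
        "auth": auth or kx,  # TLS_RSA_WITH_... uses RSA for both roles
        "cipher": parts[0],
        "bits": next((int(p) for p in middle if p.isdigit()), None),
        "mode": next((p for p in reversed(middle) if not p.isdigit()), None),
        "hash": parts[-1],
    }


def suite_b_level(suite_name, curve):
    """Return (level, problems); level is None if any component fails."""
    s = parse_suite(suite_name)
    if s is None:
        return None, ["not a TLS 1.2 style suite name"]
    problems = []
    if s["kx"] not in ("ECDHE", "ECDH"):
        problems.append(f"key agreement {s['kx']} is not ECDH")
    if s["auth"] != "ECDSA":
        problems.append(f"signature {s['auth']} is not ECDSA")
    if s["cipher"] != "AES" or s["bits"] not in AES_RANK:
        problems.append(f"cipher {s['cipher']}-{s['bits']} is not AES-128/256")
    if s["mode"] != "GCM":  # assumption: only GCM suites are accepted here
        problems.append(f"mode {s['mode']} is not GCM")
    if s["hash"] not in HASH_RANK:
        problems.append(f"hash {s['hash']} is not SHA-256/SHA-384")
    if curve not in CURVE_RANK:
        problems.append(f"curve {curve} is not a 256/384-bit Suite B curve")
    if problems:
        return None, problems
    # The weakest component decides the level the connection can protect.
    rank = min(AES_RANK[s["bits"]], HASH_RANK[s["hash"]], CURVE_RANK[curve])
    return LEVEL_NAME[rank], []


def audit(observations, required="Top Secret"):
    """Return (peer, level, problems) for connections below `required`."""
    need = LEVEL_RANK[required]
    findings = []
    for peer, suite, curve in observations:
        level, problems = suite_b_level(suite, curve)
        if LEVEL_RANK.get(level, 0) < need:
            findings.append((peer, level, problems))
    return findings


# Constructed sample: (peer, negotiated suite, negotiated curve).
SAMPLE = [
    ("a.example", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "secp384r1"),
    ("b.example", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "secp256r1"),
    ("c.example", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "secp256r1"),
    ("d.example", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "secp256r1"),
]

if __name__ == "__main__":
    for peer, level, problems in audit(SAMPLE, "Top Secret"):
        print(peer, level, "; ".join(problems))
```

The second sample row shows why the curve has to be checked alongside the suite name: an AES-256/SHA-384 suite negotiated over a 256-bit curve only reaches the Secret level.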
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" |
Implementation |
---|
Botan
| {{yes}} |
Bouncy Castle
| {{yes}} |
BSAFE |
cryptlib
| {{yes}} |
GnuTLS
| {{yes}} |
JSSE |
LibreSSL
| {{yes}} |
MatrixSSL
| {{yes}} |
Mbed TLS
| {{yes}} |
NSS |
OpenSSL |
Rustls |
S2n
| |
Schannel |
Secure Transport
| {{no}} |
wolfSSL
| {{yes}} |
class="sortbottom"
! Implementation ! TLS 1.2 Suite B |
Certifications
Note that certain certifications have received serious negative criticism from people who are actually involved in them.{{Cite web|url=http://index.html/|archiveurl=https://web.archive.org/web/20131227190128/http://veridicalsystems.com/blog/secure-or-compliant-pick-one/|url-status=dead|title=Speeds and Feeds › Secure or Compliant, Pick One|archivedate=December 27, 2013}}
{{Reflist |group="notes"}}
Key exchange algorithms (certificate-only)
This section lists the certificate verification functionality available in the various implementations.
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" |
Implementation
! RSA-EXPORT (insecure) ! DHE-RSA (forward secrecy) ! DHE-DSS (forward secrecy) ! ECDH-ECDSA{{cite IETF|rfc=4492}} ! ECDHE-ECDSA (forward secrecy) ! ECDHE-RSA (forward secrecy) ! GOST R 34.10-94, 34.10-2001{{cite IETF |draft=draft-chudov-cryptopro-cptls-04 |title=GOST 28147-89 Cipher Suites for Transport Layer Security (TLS)}} |
---|
Botan
| {{yes|Disabled by default}} | {{Yes|No}} | {{yes}} | {{yes|Disabled by default}} | {{yes|No}} | {{yes}} | {{yes|No}} | {{yes}} | {{yes|No}} |
BSAFE
| {{okay|Yes}} | {{Yes|No}} | {{yes}} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} | {{okay|Yes}} | {{yes}} | {{yes|No}} |
cryptlib
| {{okay|Yes}} | {{Yes|No}} | {{yes}} | {{okay|Yes}} | {{yes|No}} | {{yes}} | {{yes|No}} | {{no}} | {{yes|No}} |
GnuTLS
| {{okay|Yes}} | {{yes|No}} | {{yes}} | {{yes|No}} | {{yes}} | {{yes|No}} | {{yes}} | {{yes|No}} |
JSSE
| {{okay|Yes}} | {{Yes|Disabled by default}} | {{yes}} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} | {{okay|Yes}} | {{yes}} | {{yes|No}} |
LibreSSL
| {{okay|Yes}} | {{yes}} | {{okay|Yes}} | {{Yes|No}} | {{yes}} | {{Yes|No}} | {{yes}} |
MatrixSSL
| {{okay|Yes}} | {{Yes|No}} | {{yes}} | {{yes|No}} | {{okay|Yes}} | {{yes}} | {{okay|Yes}} | {{yes}} | {{yes|No}} |
Mbed TLS
| {{okay|Yes}} | {{Yes|No}} | {{yes}} | {{yes|No}} | {{okay|Yes}} | {{yes}} | {{okay|Yes}} | {{yes}} | {{yes|No}} |
NSS
| {{okay|Yes}} | {{Yes|Disabled by default}} | {{Yes}}{{cite web | url = https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20_release_notes | title = NSS 3.20 release notes | publisher = Mozilla | date = 2015-08-19 | accessdate = 2015-08-20 | archive-date = 2021-12-07 | archive-url = https://web.archive.org/web/20211207015903/https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20_release_notes | url-status = dead }} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} | {{okay|Yes}} | {{yes}} | {{yes|No}}{{cite web|url=https://bugzilla.mozilla.org/show_bug.cgi?id=518787|title=Bug 518787 - Add GOST crypto algorithm support in NSS |author=Mozilla.org|accessdate=2014-07-01}}{{cite web|url=https://bugzilla.mozilla.org/show_bug.cgi?id=608725|title=Bug 608725 - Add Russian GOST cryptoalgorithms to NSS and Thunderbird |author=Mozilla.org|accessdate=2014-07-01}} |
OpenSSL
| {{okay|Yes}} | {{yes}} | {{Yes|No}} | {{yes}} | {{Yes|No}} | {{yes}} |
Rustls
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} |
Schannel XP/2003
| {{okay|Yes}} | {{No|Yes}} | {{okay|No}} | {{no|XP: Max 1024 bits}} | {{yes|No}} | {{no}} | {{yes|No}} | {{no}} | {{yes|No}} (Extensions to support GOST in Schannel might be available.{{citation needed|date=November 2014}}) |
Schannel Vista/2008
| {{okay|Yes}} | {{Yes|Disabled by default}} | {{okay|No}} | {{no|1024 bits by default}}{{Cite web | url=https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/3174644 | title=Microsoft Security Advisory 3174644| date=14 October 2022}} | {{yes|No}} | {{yes}} | {{yes|No}} | {{partial|except AES_GCM}} |
Schannel 8/2012
| {{okay|Yes}} | {{Yes|Disabled by default}} | {{partial|AES_GCM only}}{{cite web | url=https://technet.microsoft.com/library/security/MS14-066#ID0E5MAC | title=Microsoft Security Bulletin MS14-066 - Critical (Section Update FAQ) | publisher=Microsoft | date=November 11, 2014 | accessdate=11 November 2014}}{{cite web | url=http://blogs.microsoft.com/cybertrust/2014/11/11/hundreds-of-millions-of-microsoft-customers-now-benefit-from-best-in-class-encryption/ | title=Hundreds of Millions of Microsoft Customers Now Benefit from Best-in-Class Encryption | publisher=Microsoft Security | date=November 11, 2014 | accessdate=11 November 2014 | author=Thomlinson, Matt}}{{Cite web|url=https://support.microsoft.com/en-us/topic/update-adds-new-tls-cipher-suites-and-changes-cipher-suite-priorities-in-windows-8-1-and-windows-server-2012-r2-8e395e43-c8ef-27d8-b60c-0fc57d526d94|title=Update adds new TLS cipher suites and changes cipher suite priorities in Windows 8.1 and Windows Server 2012 R2|website=support.microsoft.com}} | {{yes|No}} | {{yes}} | {{yes|No}} | {{partial|except AES_GCM}} |
Schannel 7/2008R2, 8.1/2012R2
| {{okay|Yes}} | {{Yes|Disabled by default}} | {{yes}} | {{okay|2048 bits by default}} | {{yes|No}} | {{yes}} | {{yes|No}} | {{partial|except AES_GCM}} |
Schannel 10
| {{okay|Yes}} | {{Yes|Disabled by default}} | {{yes}} | {{okay|2048 bits by default}} | {{yes|No}} | {{yes}} | {{yes|No}} | {{yes}} |
Secure Transport OS X 10.6
| {{okay|Yes}} | {{No|Yes}} | {{partial|except AES_GCM}} | {{okay|Yes}} | {{okay|Yes}} | {{partial|except AES_GCM}} | {{okay|yes}} | {{partial|except AES_GCM}} | {{yes|No}} |
Secure Transport OS X 10.8-10.10
| {{okay|Yes}} | {{Yes|No}} | {{partial|except AES_GCM}} | {{yes|No}} | {{okay|Yes}} | {{partial|except AES_GCM}} | {{okay|Yes}} | {{partial|except AES_GCM}} | {{yes|No}} |
Secure Transport OS X 10.11
| {{okay|Yes}} | {{Yes|No}} | {{yes}} | {{yes|No}} | {{yes|No}} | {{yes}} | {{yes|No}} | {{yes}} | {{yes|No}} |
wolfSSL
| {{okay|Yes}} | {{Yes|No}} | {{yes}} | {{yes|No}} | {{okay|Yes}} | {{yes}} | {{okay|Yes}} | {{yes}} | {{yes|No}} |
Erlang/OTP SSL application
| {{okay|Yes}} | {{yes|No}} | {{yes}} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} | {{okay|Yes}} | {{yes}} | {{yes|No}} |
class="sortbottom"
! Implementation ! RSA ! RSA-EXPORT (insecure) ! DHE-RSA (forward secrecy) ! DHE-DSS (forward secrecy) ! ECDHE-ECDSA (forward secrecy) ! ECDHE-RSA (forward secrecy) ! GOST R 34.10-94, 34.10-2001 |
Key exchange algorithms (alternative key-exchanges)
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" |
Implementation
! PSK-RSA{{cite IETF|rfc=4279}} ! PSK ! DHE-PSK (forward secrecy) ! ECDHE-PSK (forward secrecy){{cite IETF|rfc=5489}} ! DH-ANON (insecure) ! ECDH-ANON (insecure) |
---|
Botan
| {{no}} | {{no}} | {{no}} | {{no}} | {{yes}} | {{no}} | {{yes}} | {{no}} | {{Yes|No}} | {{Yes|No}} |
BSAFE SSL-J
| {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} |
cryptlib
| {{no}} | {{no}} | {{no}} | {{no}} | {{yes}} | {{yes}} | {{no}} | {{unknown}} | {{Yes|No}} | {{Yes|No}} |
GnuTLS
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{no}} | {{Yes|Disabled by default}} | {{Yes|Disabled by default}} |
JSSE
| {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{Yes|Disabled by default}} | {{Yes|Disabled by default}} |
LibreSSL
| {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{No|Yes}} | {{No|Yes}} |
MatrixSSL
| {{no}} | {{no}} | {{no}} | {{yes}} | {{yes}} | {{yes}} | {{no}} | {{no}} | {{Yes|Disabled by default}} | {{Yes|No}} |
Mbed TLS
| {{no}} | {{no}} | {{no}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{no}} | {{Yes|No}} | {{Yes|No}} |
NSS
| {{no}} | {{Yes|Client side only, disabled by default}}{{cite web|url=https://bugzilla.mozilla.org/show_bug.cgi?id=1170510|title=Bug 1170510 - Implement NSS server side support for DH_anon |publisher=Mozilla|accessdate=2015-06-03}} | {{Yes|Disabled by default}}{{cite web|url=https://bugzilla.mozilla.org/show_bug.cgi?id=236245|title=Bug 236245 - Update ECC/TLS to conform to RFC 4492 |publisher=Mozilla|accessdate=2014-06-09}} |
OpenSSL
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{Yes|Disabled by default}}{{cite web|url=https://www.openssl.org/news/changelog.html#x29|title=Changes between 0.9.8n and 1.0.0 [29 Mar 2010]|accessdate=2016-01-29}} |
Rustls
| {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{yes|No}} | {{yes|No}} |
Schannel
| {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{yes}} | {{Yes|No}} | {{Yes|No}} |
Secure Transport
| {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{unknown}} | {{No|Yes}} | {{No|Yes}} |
wolfSSL
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{Yes|No}} | {{Yes|No}} |
Erlang/OTP SSL application
| {{yes |Disabled by default}} | {{yes |Disabled by default}} | {{yes |Disabled by default}} | {{yes |Disabled by default}} | {{yes |Disabled by default}} | {{yes |Disabled by default}} | {{No}} | {{No}} | {{yes |Disabled by default}} | {{yes |Disabled by default}} |
class="sortbottom" |
Implementation
! SRP ! PSK ! DHE-PSK (forward secrecy) ! ECDHE-PSK (forward secrecy) ! KRB5 ! DH-ANON (insecure) ! ECDH-ANON (insecure) |
Certificate verification methods
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" |
Implementation
! Application-defined ! PKIX path validation{{cite IETF|rfc=5280}} ! DANE (DNSSEC){{cite IETF|rfc=6698}}{{cite IETF|rfc=7218}} ! CT{{cite IETF |title=Certificate Transparency |rfc=6962 |idlink=Certificate Transparency |last1=Laurie |authorlink1=Ben Laurie |first1=B. |last2=Langley |first2=A. |last3=Kasper |first3=E. |date=June 2013 |publisher=IETF |access-date=2020-08-31 |issn=2070-1721}} |
---|
Botan
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{no}} | {{unknown}} |
Bouncy Castle
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{unknown}} |
BSAFE
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{no}} | {{unknown}} |
cryptlib
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{no}} | {{unknown}} |
GnuTLS
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{unknown}} |
JSSE
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{no}} | {{no}} |
LibreSSL
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{no}} | {{unknown}} |
MatrixSSL
| {{yes}} | {{yes}} | {{yes}} | {{no}} | {{unknown}} |
Mbed TLS
| {{yes}} | {{yes}} | {{yes}} | {{no}} | {{unknown}} |
NSS
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{unknown}} |
OpenSSL
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} |
Rustls
| {{yes}} | {{yes}} | {{yes}} | {{no}} | {{no}} | {{no}} |
s2n
| | | |
Schannel
| {{unknown}} | {{yes}} | {{yes}}{{cite web |url=https://technet.microsoft.com/en-us/library/ee619754(WS.10).aspx |title=How Certificate Revocation Works |author= |date=March 16, 2012 |website=Microsoft TechNet |publisher=Microsoft |accessdate=July 10, 2013}} | {{no}} | {{unknown}} |
Secure Transport
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{no}} | {{unknown}} |
wolfSSL
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{no}} | {{unknown}} |
Erlang/OTP SSL application
| {{yes}} | {{yes}} | {{yes}} | {{no}} | {{no}} | {{unknown}} |
class="sortbottom" |
Implementation
! Application-defined ! PKIX path validation ! CRL ! OCSP ! DANE (DNSSEC) ! CT |
Encryption algorithms
; Notes
{{Reflist|group="n"}}
= Obsolete algorithms =
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" | ||
rowspan="2"|Implementation | colspan="4"|Block cipher with mode of operation | colspan="2"|Stream cipher |
---|---|---|
IDEA CBC {{refn|group="n"|name="removal_from_tls1.2"|IDEA and DES have been removed from TLS 1.2.RFC 5469}}(insecure){{Cite web | url=https://sweet32.info |title = Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN}} ! DES-40 CBC ! RC2-40 CBC ! RC4-128 ! RC4-40 | ||
Botan
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | ||
BoringSSL
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|Disabled by default at compile time}} | {{yes|No}} | ||
BSAFE SSL-J
| {{yes|No}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{yes|No}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | ||
cryptlib
| {{yes|No}} | {{yes|Disabled by default at compile time}} | {{yes|No}} | {{yes|No}} | {{yes|Disabled by default at compile time}} | {{yes|No}} | ||
GnuTLS
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | ||
JSSE
| {{yes|No}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{yes|No}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} {{cite web|url=http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html|title=Java Cryptography Architecture Oracle Providers Documentation|website=docs.oracle.com}} | ||
LibreSSL
| {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | ||
MatrixSSL
| {{no|Yes}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|Disabled by default}} | {{yes|No}} | ||
Mbed TLS
| {{yes|No}} | {{yes|Disabled by default at compile time}} | {{yes|No}} | {{yes|No}} | {{yes|Disabled by default at compile time}} | {{yes|No}} | ||
NSS
| {{no|Yes}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{Partial|Lowest priority}}{{cite web|url=https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.15.3_release_notes|work=Mozilla Developer Network|title=NSS 3.15.3 release notes|publisher=Mozilla|accessdate=2014-07-13|archive-date=2014-06-05|archive-url=https://web.archive.org/web/20140605001016/https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.15.3_release_notes|url-status=dead}}{{cite web|url=https://www.mozilla.org/security/announce/2013/mfsa2013-103.html|work=Mozilla|title=MFSA 2013-103: Miscellaneous Network Security Services (NSS) vulnerabilities|accessdate=2014-07-13}} | {{yes|Disabled by default}} | ||
OpenSSL
| {{yes|Disabled by default}} | {{yes|Disabled by default}} | ||
Rustls
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | ||
Schannel XP/2003
| {{yes|No}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | ||
Schannel Vista/2008
| {{yes|No}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{no|Yes}} | {{yes|Disabled by default}} | ||
Schannel 7/2008R2
| {{yes|No}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{Partial|Lowest priority}} | {{yes|Disabled by default}} | ||
Schannel 8/2012
| {{yes|No}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{Partial|Only as fallback}} | {{yes|Disabled by default}} | ||
Schannel 8.1/2012R2
| {{yes|No}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | ||
Schannel 10
| {{yes|No}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | ||
Secure Transport OS X 10.6
| {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | ||
Secure Transport OS X 10.7
| {{no|Yes}} | {{unknown}} | {{unknown}} | {{unknown}} | {{no|Yes}} | {{unknown}} | ||
Secure Transport OS X 10.8-10.9
| {{no|Yes}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{no|Yes}} | {{yes|Disabled by default}} | ||
Secure Transport OS X 10.10-10.11
| {{no|Yes}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{Partial|Lowest priority}} | {{yes|Disabled by default}} | ||
Secure Transport macOS 10.12
| {{no|Yes}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | {{yes|Disabled by default}} | ||
wolfSSL
| {{yes|Disabled by default}}{{cite web|url=https://www.wolfssl.com/wolfSSL/Docs-wolfssl-changelog.html|title=wolfSSL (Formerly CyaSSL) Release 3.7.0 (10/26/2015)|date=2015-10-26|accessdate=2015-11-19}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|Disabled by default}} | {{yes|No}} | ||
Erlang/OTP SSL application
| {{yes |no}} | {{yes |Disabled by default}} | {{yes |no}} | {{yes|no}} | {{yes |Disabled by default}} | {{yes|no}} | ||
class="sortbottom" | ||
rowspan="2"|Implementation | colspan="4"|Block cipher with mode of operation | colspan="2"|Stream cipher |
IDEA CBC (insecure) ! DES-40 CBC ! RC2-40 CBC ! RC4-128 ! RC4-40 |
; Notes
{{Reflist|group="n"}}
Supported elliptic curves
This section lists the elliptic curves supported by each implementation.
= Defined curves in RFC 8446 (for TLS 1.3) and RFC 8422, 7027 (for TLS 1.2 and earlier) =
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" | |
applicable TLS version
! colspan="5"|TLS 1.3 and earlier | colspan="3"|TLS 1.2 and earlier |
---|---|
Implementation
! secp256r1 ! secp384r1 ! secp521r1 ! brainpoolP256r1 ! brainpoolP384r1 ! brainpoolP512r1 | |
Botan
| {{yes}} | {{yes}} | {{yes}} | {{no}} | |
BoringSSL
| {{yes}} | {{yes}} | {{okay|Yes}} (disabled by default) | {{yes}} | {{no}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | |
BSAFE
| {{yes}} | {{yes}} | {{yes}} | {{no}} | {{no}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | |
GnuTLS
| {{yes}} | {{yes}} | {{yes}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | |
JSSE
| {{yes}} | {{yes}} | {{yes}} | {{yes|Yes}} | {{yes|Yes}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | |
LibreSSL
| {{yes}} | {{yes}} | {{yes}} | {{no}} | |
MatrixSSL
| {{yes}} | {{yes}} | {{yes}} | {{partial|TLS 1.3 only}}{{cite web|url=https://github.com/matrixssl/matrixssl/blob/4-0-0-open/doc/CHANGES_v4.0.md|title=MatrixSSL 4.0 changelog|website=GitHub|accessdate=2018-09-18}} | {{no}} | {{yes}} | {{yes}} | {{yes}} | |
Mbed TLS
| {{yes}} | {{yes}} | {{yes}} | {{partial|Primitive only}}{{cite web|url=https://tls.mbed.org/tech-updates/releases/mbedtls-2.9.0-2.7.3-and-2.1.12-released|title=Mbed TLS 2.9.0, 2.7.3 and 2.1.12 released|access-date=2018-08-30}} | |
NSS
| {{yes}} | {{yes}} | {{yes}} | {{no}}{{cite web|url=https://bugzilla.mozilla.org/show_bug.cgi?id=1305243|title=Bug 1305243 - Support for X448 |publisher=Mozilla|accessdate=2022-08-04}}{{cite web|url=https://bugzilla.mozilla.org/show_bug.cgi?id=1597057|title=Bug 1597057 - Curve448 or named Ed448-Goldilocks support needed (both X448 key exchange and Ed448 signature algorithm ) |publisher=Mozilla|accessdate=2022-08-04}} | |
OpenSSL
| {{yes}} | {{yes}} | {{yes}} | {{yes}}{{cite web | url = https://www.openssl.org/news/cl110.txt | title = OpenSSL 1.1.0x Release Notes | date = 25 August 2016 | access-date = 18 May 2018 | archive-date = 18 May 2018 | archive-url = https://web.archive.org/web/20180518200620/https://www.openssl.org/news/cl110.txt | url-status = dead | url = https://github.com/openssl/openssl/issues/487 | title = OpenSSL GitHub Issue #487 Tracker | website = GitHub | date = 2 December 2015 | access-date = 18 May 2018 }} | {{yes}}{{cite web | url = https://www.openssl.org/news/cl111.txt | title = OpenSSL CHANGES | date = 1 May 2018 | access-date = 18 May 2018 | archive-url = https://web.archive.org/web/20180518200747/https://www.openssl.org/news/cl111.txt | archive-date = 18 May 2018 | url-status = dead | url = https://github.com/openssl/openssl/issues/5049 | title = OpenSSL GitHub Issue #5049 Tracker | website = GitHub | date = 9 January 2018 | access-date = 18 May 2018 }} | |
Rustls
| {{yes}} | {{yes}} | {{no}} | {{yes}} | {{no}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | |
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10
| {{yes}} | {{yes}} | {{yes}} | {{no}} | {{no}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | |
Secure Transport
| {{yes}} | {{yes}} | {{yes}} | {{no}} | {{no}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | |
wolfSSL
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | |
Erlang/OTP SSL application
| {{yes}} | {{yes}} | {{yes}} | {{no}} | {{no}} | {{yes}} | {{yes}} | {{yes}} | |
class="sortbottom" | |
Implementation
! secp256r1 ! secp384r1 ! secp521r1 ! X25519 ! X448 ! brainpoolP256r1 ! brainpoolP384r1 ! brainpoolP512r1 |
= Deprecated curves in RFC 8422 =
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" |
Implementation
! sect163k1 ! sect163r2 ! sect233k1 ! sect233r1 ! sect283k1 ! sect283r1 ! sect409k1 ! sect409r1 |
---|
Botan
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} |
BoringSSL
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} |
BSAFE
| {{no|Yes}} | {{yes|No}} | {{no|Yes}} | {{yes|No}} | {{yes|No}} | {{no|Yes}} | {{no|Yes}} | {{yes|No}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} |
GnuTLS
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} |
JSSE
| {{yes|Notes}}{{refn|group=lower-alpha|name="JSSEDisableEC"|These elliptic curves were "Disabled by Default" in current JDK families as part of JDK-8236730.{{cite web |title=Release Note: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default |url=https://bugs.openjdk.org/browse/JDK-8236730 |website=JDK Bug System (JBS) |access-date=25 December 2024}}}}{{refn|group=lower-alpha|name="JSSERemoveEC"|These elliptic curves were subsequently removed in JDK 16+ as part of JDK-8252601.{{cite web |title=Release Note: Removal of Legacy Elliptic Curves |url=https://bugs.openjdk.org/browse/JDK-8252601 |website=JDK Bug System (JBS) |access-date=25 December 2024}}}} |
LibreSSL
| {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} |
MatrixSSL
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} |
Mbed TLS
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} |
NSS
| {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} |
OpenSSL
| {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} |
Rustls
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} |
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} |
Secure Transport
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} |
wolfSSL
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} | {{okay|No}} |
Erlang/OTP SSL application
| {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} |
class="sortbottom" |
Implementation
! sect163k1 ! sect163r1 ! sect163r2 ! sect193r1 ! sect193r2 ! sect233k1 ! sect233r1 ! sect239k1 ! sect283k1 ! sect283r1 ! sect409k1 ! sect409r1 ! sect571k1 ! sect571r1 |
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" |
Implementation
! secp160k1 ! secp160r1 ! secp160r2 ! secp192k1 ! secp192r1 ! secp224k1 ! secp224r1 ! secp256k1 ! arbitrary prime curves ! arbitrary char2 curves |
---|
Botan
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{okay|No}} | {{yes|No}} | {{yes|No}} |
BoringSSL
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{no|Yes}} | {{okay|No}} | {{yes|No}} | {{yes|No}} |
BSAFE
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{no|Yes}} | {{yes|No}} | {{no|Yes}} | {{okay|No}} | {{yes|No}} | {{yes|No}} |
GnuTLS
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{no|Yes}} | {{yes|No}} | {{no|Yes}} | {{okay|No}} | {{yes|No}} | {{yes|No}} |
JSSE
| {{yes|No}} | {{yes|No}} |
LibreSSL
| {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{yes}} | {{yes|No}} | {{yes|No}} |
MatrixSSL
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{no|Yes}} | {{yes|No}} | {{no|Yes}} | {{okay|No}} | {{yes|No}} | {{yes|No}} |
Mbed TLS
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{yes}} | {{yes|No}} | {{yes|No}} |
NSS
| {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{yes}} | {{yes|No}} | {{yes|No}} |
OpenSSL
| {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{yes}} | {{yes|No}} | {{yes|No}} |
Rustls
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{okay|No}} | {{yes|No}} | {{yes|No}} |
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{okay|No}} | {{yes|No}} | {{yes|No}} |
Secure Transport
| {{yes|No}} | {{yes|No}} | {{yes|No}} | {{yes|No}} | {{no|Yes}} | {{yes|No}} | {{yes|No}} | {{okay|No}} | {{yes|No}} | {{yes|No}} |
wolfSSL
| {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{yes}} | {{yes|No}} | {{yes|No}} |
Erlang/OTP SSL application
| {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{no|Yes}} | {{yes}} | {{yes|No}} | {{yes|No}} |
class="sortbottom" |
Implementation
! secp160k1 ! secp160r1 ! secp160r2 ! secp192k1 ! secp192r1 ! secp224k1 ! secp224r1 ! secp256k1 ! arbitrary prime curves ! arbitrary char2 curves |
; Notes
{{Reflist|group=lower-alpha}}
Data integrity
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" |
Implementation
! HMAC-MD5 ! HMAC-SHA1 ! HMAC-SHA256/384 ! AEAD ! GOST 28147-89 IMIT ! GOST R 34.11-94 |
---|
Botan
| {{No Y}} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} | {{No Y}} | {{No Y}} |
BSAFE
| {{Yes N}} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} | {{No Y}} | {{No Y}} |
cryptlib
| {{Yes N}} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} | {{No Y}} | {{No Y}} |
GnuTLS
| {{Yes N}} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} | {{No Y}} | {{No Y}} |
JSSE
| {{yes|Disabled by Default}} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} | {{No Y}} | {{No Y}} |
LibreSSL
| {{Yes N}} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} |
MatrixSSL
| {{Yes N}} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} | {{No Y}} | {{No Y}} |
Mbed TLS
| {{Yes N}} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} | {{No Y}} | {{No Y}} |
NSS
| {{Yes N}} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} |
OpenSSL
| {{Yes N}} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} |
Rustls
| {{No Y}} | {{No Y}} | {{No Y}} | {{yes}} | {{No Y}} | {{No Y}} |
Schannel XP/2003, Vista/2008
| {{Yes N}} | {{okay|Yes}} | {{partial|XP SP3, 2003 SP2 via hotfix}} | {{no}} |
Schannel 7/2008R2, 8/2012, 8.1/2012R2
| {{Yes N}} | {{okay|Yes}} | {{okay|Yes}} |
Schannel 10
| {{Yes N}} | {{okay|Yes}} | {{okay|Yes}} |
Secure Transport
| {{Yes N}} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} | {{No Y}} | {{No Y}} |
wolfSSL
| {{Yes N}} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} | {{No Y}} | {{No Y}} |
Erlang/OTP SSL application
| {{Yes N}} | {{okay|Yes}} | {{okay|Yes}} | {{yes}} | {{No Y}} | {{No Y}} |
class="sortbottom"
! Implementation ! HMAC-MD5 ! HMAC-SHA1 ! HMAC-SHA256/384 ! AEAD ! GOST 28147-89 IMIT ! GOST R 34.11-94 |
Compression
Note that the CRIME security exploit takes advantage of TLS compression, so conservative implementations do not enable compression at the TLS level. HTTP compression is unrelated to and unaffected by this exploit, but is exploited by the related BREACH attack.
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" |
Implementation
! DEFLATE (RFC 3749) |
---|
Botan
| {{yes|No}} |
BSAFE
| {{yes|No}} |
cryptlib
| {{yes|No}} |
GnuTLS
| {{yes|Disabled by default}} |
JSSE
| {{yes|No}} |
LibreSSL |
MatrixSSL
| {{yes|Disabled by default}} |
Mbed TLS
| {{yes|Disabled by default}} |
NSS
| {{yes|Disabled by default}} |
OpenSSL
| {{Yes|Disabled by default}} |
Rustls
| {{yes|No}} |
Schannel
| {{yes|No}} |
Secure Transport
| {{yes|No}} |
wolfSSL
| {{yes|Disabled by default}} |
Erlang/OTP SSL application
| {{yes|No}} |
class="sortbottom"
! Implementation ! DEFLATE |
Extensions
This section lists the extensions each implementation supports. Note that the Secure Renegotiation extension is critical for HTTPS client security{{citation needed|date=August 2014}}. TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" |
Implementation
! Secure Renegotiation ! Server Name Indication ! ALPN ! Certificate Status Request ! OpenPGP ! Supplemental Data ! Session Ticket ! Keying Material Exporter ! Maximum Fragment Length ! Encrypt-then-MAC ! TLS Fallback SCSV ! Extended Master Secret ! ClientHello Padding ! Raw Public Keys |
---|
Botan
| {{yes}} | {{yes}} | {{no}} | {{no}} | {{no}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{no}} | {{unknown}} |
BSAFE SSL-J
| {{yes}} | {{yes}} | {{no}} | {{yes}} | {{no}} | {{no}} | {{no}} | {{no}} | {{yes}} | {{no}} | {{no}} | {{yes}} | {{no}} | {{no}} |
cryptlib
| {{yes}} | {{yes}} | {{no}} | {{no}} | {{no}} | {{yes}} | {{no}} | {{no}} | {{no}} (present, but disabled by default due to lack of use by any implementation) | {{yes}} | {{yes}} | {{yes}} | {{no}} | {{unknown}} |
GnuTLS
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{yes}} |
JSSE
| {{yes}} | {{yes}} | {{no}} | {{no}} | {{yes}} | {{no}} | {{yes}} | {{no}} | {{no}} | {{yes}} | {{no}} | {{no}} |
LibreSSL
| {{yes}} | {{yes}} | {{yes}} | {{no}} | {{no}}? | {{yes}} | {{yes}}? | {{no}} | {{no}} | {{partial|Server side only}}{{cite web| title = LibreSSL 2.1.4 released| url = https://marc.info/?l=openbsd-announce&m=142543818707898| date = 2015-03-04| accessdate = 2015-03-04}} | {{no}} | {{yes}} | {{no}} |
MatrixSSL
| {{yes}} | {{yes}} | {{no}} | {{no}} | {{yes}} | {{no}} | {{yes}} | {{no}} | {{no}} | {{unknown}} |
Mbed TLS
| {{yes}} | {{yes}} | {{no}} | {{no}} | {{no}} | {{yes}} | {{no}} | {{yes}} | {{no}} | {{no}} |
NSS
| {{yes}} | {{yes}} | {{yes}} | {{no}} | {{yes}} | {{yes}} | {{no}} | {{unknown}} |
OpenSSL
| {{yes}} | {{yes}} | {{yes}} | {{no}} | {{no}}? | {{yes}} | {{yes}} | {{yes}} | {{yes}} |
Rustls
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{no}} | {{no}} | {{yes}} | {{yes}} | {{no}} | {{no}} | {{no}} (rustls does not implement earlier versions that would warrant protection against insecure downgrade) | {{yes}} | {{no}} | {{unknown}} |
Schannel XP/2003
| {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{yes}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{unknown}} |
Schannel Vista/2008
| {{yes}} | {{yes}} | {{no}} | {{no}} | {{no}} | {{yes}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{unknown}} |
Schannel 7/2008R2
| {{yes}} | {{yes}} | {{no}} | {{yes}} | {{no}} | {{yes}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{unknown}} |
Schannel 8/2012
| {{yes}} | {{yes}} | {{no}} | {{yes}} | {{no}} | {{yes}} | {{partial|Client side only}}{{cite web|url=https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831771(v=ws.11)|title=What's New in TLS/SSL (Schannel SSP)|date=31 August 2016 |accessdate=2024-04-28}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{unknown}} |
Schannel 8.1/2012R2, 10
| {{yes}} | {{yes}} | {{yes}} | {{yes}} | {{no}} | {{yes}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{unknown}} |
Secure Transport
| {{yes}} | {{yes}} | {{unknown}} | {{no}} | {{no}} | {{yes}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{unknown}} |
wolfSSL
| {{yes}} | {{yes}} | {{yes}} | {{no}} | {{no}} | {{yes}} | {{no}} | {{yes}} | {{no}} | {{yes}} | {{no}} |
Erlang/OTP SSL application
| {{yes}} | {{yes}} | {{yes}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{no}} | {{yes}} | {{no}} | {{no}} | {{unknown}} |
class="sortbottom"
! Implementation ! Secure Renegotiation ! Server Name Indication ! ALPN ! Certificate Status Request ! OpenPGP ! Supplemental Data ! Session Ticket ! Keying Material Exporter ! Maximum Fragment Length ! Encrypt-then-MAC ! TLS Fallback SCSV ! Extended Master Secret ! ClientHello Padding ! Raw Public Keys |
Assisted cryptography
This section lists the known ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or to utilize system-specific devices that allow access to underlying cryptographic hardware for acceleration or for data separation.
{{Reflist|group=lower-alpha}}
System-specific backends
This section lists the ability of an implementation to take advantage of the available operating-system-specific backends, or even the backends provided by another implementation.
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" |
Implementation
! /dev/crypto ! af_alg ! Windows CSP ! CommonCrypto ! OpenSSL engine |
---|
Botan
| {{no}} | {{no}} | {{no}} | {{no}} | {{partial}} |
BSAFE
| {{no}} | {{no}} | {{no}} | {{no}} | {{no}} |
cryptlib
| {{no}} | {{no}} | {{no}} | {{no}} | {{no}} |
GnuTLS
| {{yes}} | {{yes}} | {{no}} | {{no}} | {{no}} |
JSSE
| {{no}} | {{no}} | {{yes}} | {{no}} | {{no}} |
LibreSSL
| {{no}} | {{no}} | {{no}} | {{no}} |
MatrixSSL
| {{no}} | {{no}} | {{no}} | {{yes}} | {{yes}} |
Mbed TLS
| {{no}} | {{no}} | {{no}} | {{no}} | {{no}} |
NSS
| {{no}} | {{no}} | {{no}} | {{no}} | {{no}} |
OpenSSL
| {{yes}} | {{yes}} | {{no}} | {{no}} | {{yes}} |
Rustls
| {{no}} | {{yes}} {{cite web|title=ktls integration for rustls|website=GitHub |accessdate=2024-08-29|url=https://github.com/rustls/ktls}} | {{no}} | {{no}} | {{no}} |
Schannel
| {{no}} | {{no}} | {{yes}} | {{no}} | {{no}} |
Secure Transport
| {{no}} | {{no}} | {{no}} | {{yes}} | {{no}} |
wolfSSL
| {{yes}} | {{yes}} | {{partial}} | {{no}} |
Erlang/OTP SSL application
| {{no}} | {{no}} | {{no}} | {{no}} | {{yes}} |
class="sortbottom"
! Implementation ! /dev/crypto ! af_alg ! Windows CSP ! CommonCrypto ! OpenSSL engine |
Cryptographic module/token support
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" |
Implementation
! TPM support ! Hardware token support ! Objects identified via |
---|
Botan
| {{yes|PKCS #11}} | |
BSAFE SSL-J
| {{no}} | {{no}} | |
cryptlib
| {{no}} | {{yes|PKCS #11}} | User-defined label |
GnuTLS
| {{yes}} | {{yes|PKCS #11}} | RFC 7512 PKCS #11 URLs{{cite IETF |rfc=7512 |title=The PKCS #11 URI Scheme}} |
JSSE
| {{no}} | {{yes|PKCS11 Java Cryptography Architecture, | |
LibreSSL
| {{yes}} | {{partial|PKCS #11 (via 3rd party module)}} | Custom method |
MatrixSSL
| {{no}} | {{yes|PKCS #11}} | |
Mbed TLS
| {{no}} | {{yes|PKCS #11 (via libpkcs11-helper) or standard hooks}} | Custom method |
NSS
| {{no}} | {{yes|PKCS #11}} | |
OpenSSL
| {{yes}} | {{partial|PKCS #11 (via 3rd party module)}}{{cite web|url=https://github.com/OpenSC/libp11|title=libp11: PKCS#11 wrapper library|date=19 January 2018|publisher=|via=GitHub}} |
Rustls
| {{no}} | {{yes|Microsoft CryptoAPI}} {{cite web|url=https://github.com/rustls/rustls-cng|title=Windows CNG bridge for rustls|website=GitHub |accessdate=2024-08-29}} | Custom method |
Schannel
| {{no}} | {{yes|Microsoft CryptoAPI}} | UUID, User-defined label |
Secure Transport
| | | |
wolfSSL
| {{yes}} | {{yes|PKCS #11}} | |
class="sortbottom"
! Implementation ! TPM support ! Hardware token support ! Objects identified via |
Code dependencies
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" |
Implementation
! Dependencies ! Optional dependencies |
---|
Botan
| C++20 | SQLite |
GnuTLS
| libc | zlib (compression) |
JSSE
| Java | |
MatrixSSL
| none | zlib (compression) |
MatrixSSL-open
| libc or newlib | |
Mbed TLS
| libc | libpkcs11-helper (PKCS #11) |
NSS
| libc | zlib (compression) |
Rustls
| rust {{mono|core}} library | rust {{mono|std}} library |
OpenSSL
| libc | zlib (compression) |
wolfSSL
| None | libc |
Erlang/OTP SSL application
| libcrypto (from OpenSSL), Erlang/OTP and its public_key, crypto and asn1 applications | Erlang/OTP -inets (http fetching of CRLs) |
class="sortbottom"
! Implementation ! Dependencies ! Optional dependencies |
Development environment
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" |
Implementation
! Namespace ! Build tools ! API manual ! Crypto back-end ! {{clarify span|OpenSSL compatibility Layer|date=November 2013}} |
---|
Botan
| Botan::TLS | Makefile | Sphinx | Included (pluggable) | {{no}} |
Bouncy Castle
| org.bouncycastle | Java Development Environment | Programmers reference manual (PDF) | Included (pluggable) | {{no}} |
BSAFE SSL-J
|com.rsa.asn1{{cref2|group=dev_env_footnotes|a}} com.rsa.certj{{cref2|group=dev_env_footnotes|b}} com.rsa.jcp{{cref2|group=dev_env_footnotes|c}} com.rsa.jsafe{{cref2|group=dev_env_footnotes|d}} com.rsa.ssl{{cref2|group=dev_env_footnotes|e}} com.rsa.jsse{{cref2|group=dev_env_footnotes|f}} | Javadoc, Developer's guide (HTML) | Included | {{no}} |
cryptlib
| crypt* | makefile, MSVC project workspaces | Programmers reference manual (PDF), architecture design manual (PDF) | Included (monolithic) | {{no}} |
GnuTLS
| gnutls_* | Autoconf, automake, libtool | Manual and API reference (HTML, PDF) | External, libnettle | {{yes}} (limited) |
JSSE
| javax.net.ssl sun.security.ssl | Makefile | API Reference (HTML) + {{Javadoc:SE-guide|security/jsse/JSSERefGuide.html|JSSE Reference Guide}} | Java Cryptography Architecture, | {{No}} |
MatrixSSL
| matrixSsl_* ps* | Makefile, MSVC project workspaces, Xcode projects for OS X and iOS | API Reference (PDF), Integration Guide | Included (pluggable) | {{yes}} (Subset: SSL_read, SSL_write, etc.) |
Mbed TLS
| mbedtls_ssl_* mbedtls_sha1_* mbedtls_md5_* mbedtls_x509* ... | Makefile, CMake, MSVC project workspaces, yotta | API Reference + High Level and Module Level Documentation (HTML) | Included (monolithic) | {{no}} |
NSS
| CERT_* SEC_* SECKEY_* NSS_* PK11_* SSL_* ... | Makefile | Manual (HTML) | Included, PKCS#11 based (on-the-fly replaceable/augmentable) | {{yes}} (separate package called nss_compat_ossl{{cite web|url=http://fedoraproject.org/wiki/Nss_compat_ossl|title=Nss compat ossl - Fedora Project Wiki|website=fedoraproject.org}}) |
OpenSSL
| SSL_* SHA1_* MD5_* EVP_* ... | Makefile | Man pages | Included (monolithic) | {{N/a}} |
Rustls
| {{code|rustls::}} | cargo | [https://docs.rs/rustls/0.23.12/rustls/ API reference] and [https://docs.rs/rustls/0.23.12/rustls/manual/ design manual] | Two options included (pluggable) | {{yes}}{{cite web|url=https://github.com/rustls/rustls-openssl-compat/|title=rustls-openssl compatibility layer|website=GitHub |accessdate=2024-08-29}} (subset) |
wolfSSL
| wolfSSL_* CyaSSL_* SSL_* | Autoconf, automake, libtool, MSVC project workspaces, XCode projects, CodeWarrior projects, MPLAB X projects, Keil, IAR, Clang, GCC, e2Studio | Manual and API Reference (HTML, PDF) | Included (monolithic) | {{yes}} (about 60% of API) |
class="sortbottom"
! Implementation ! Namespace ! Build tools ! API manual ! Crypto back-end ! OpenSSL compatibility layer |
{{cnote2 begin | liststyle=lower-alpha}}
{{cnote2 | group=dev_env_footnotes| a | ASN.1 manipulation classes}}
{{cnote2 | group=dev_env_footnotes| b | Cert-J proprietary API}}
{{cnote2 | group=dev_env_footnotes| c | Certificate Path manipulation classes}}
{{cnote2 | group=dev_env_footnotes| d | Crypto-J proprietary API, JCE, CMS and PKI API}}
{{cnote2 | group=dev_env_footnotes| e | SSLJ proprietary API}}
{{cnote2 | group=dev_env_footnotes| f | JSSE API}}
{{cnote2 end}}
Portability concerns
class="wikitable sortable sort-under" style="text-align: left; font-size: smaller" |
Implementation
! Platform requirements ! Network requirements ! Thread safety ! Random seed ! Able to cross-compile ! No OS (bare metal) ! Supported operating systems |
---|
Botan
| C++11 | None | {{yes|Thread-safe}} | Platform-dependent | {{yes}} | | Windows, Linux, macOS, Android, iOS, FreeBSD, OpenBSD, Solaris, AIX, HP-UX, QNX, BeOS, IncludeOS |
BSAFE SSL-J
| Java | Java SE network components | {{yes|Thread-safe}} | Depends on java.security.SecureRandom | {{yes}} | {{no}} | FreeBSD, Linux, macOS, Microsoft Windows, Android, AIX, Solaris |
cryptlib
| C89 | POSIX send() and recv(). API to supply your own replacement | {{yes|Thread-safe}} | Platform-dependent, including hardware sources | {{yes}} | {{yes}} | AMX, BeOS, ChorusOS, DOS, eCos, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, Palm OS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, macOS, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK |
GnuTLS
| C89 | POSIX send() and recv(). API to supply your own replacement. | {{partial|Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available.}} | Platform dependent | {{yes}} | {{no}} | Generally any POSIX platforms or Windows, commonly tested platforms include Linux, Win32/64, macOS, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD. |
JSSE
| Java | Java SE network components | {{yes|Thread-safe}} | Depends on java.security.SecureRandom | {{yes}} | | Java based, platform-independent |
MatrixSSL
| C89 | None | {{yes|Thread-safe}} | Platform dependent | {{yes}} | {{yes}} | All |
Mbed TLS
| C89 | POSIX read() and write(). API to supply your own replacement. | {{partial|Threading layer available (POSIX or own hooks)}} | Random seed set through entropy pool | {{yes}} | {{yes}} | Known to work on: Win32/64, Linux, macOS, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox, Android, eCos, SeggerOS, RISC OS |
NSS
| C89, NSPR{{cite web|url=https://www.mozilla.org/projects/nspr/|title=NSPR|website=Mozilla Developer Network}} | NSPR PR_Send() and PR_Recv(). API to supply your own replacement. | {{yes|Thread-safe}} | {{yes}} (but cumbersome) | {{no}} | AIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, macOS, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation |
Rustls
| None | {{yes|Thread-safe}} | Platform dependent | {{yes}} | {{yes}} | All supported by Rust (programming language) |
OpenSSL
| C89 | None | {{yes|Thread-safe}} | Platform dependent | {{yes}} | {{no}} | Unix-like, DOS (with djgpp), Windows, OpenVMS, NetWare, eCos |
wolfSSL
| C89 | POSIX send() and recv(). API to supply your own replacement. | {{yes|Thread-safe}} | Random seed set through wolfCrypt | {{yes}} | {{yes}} | Win32/64, Linux, macOS, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Yocto Project, OpenEmbedded, WinCE, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, NonStop, TRON/ITRON/μITRON, eCos, Micrium μC/OS-III, FreeRTOS, SafeRTOS, NXP/Freescale MQX, Nucleus, TinyOS, HP/UX, AIX, ARC MQX, Keil RTX, TI-RTOS, uTasker, embOS, INtime, Mbed, uT-Kernel, RIOT, CMSIS-RTOS, FROSTED, Green Hills INTEGRITY, TOPPERS, PetaLinux, Apache mynewt |
class="sortbottom"
! Implementation ! Platform requirements ! Network requirements ! Thread safety ! Random seed ! Able to cross-compile ! No OS (bare metal) ! Supported operating systems |
References
{{Reflist|30em}}