Comparison of TLS implementations
The Transport Layer Security (TLS) protocol provides the ability to secure communications across networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.
All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.
Overview
Implementation | Developed by | Open source | Software license | Copyright owner | Written in | Latest stable version, release date | Origin |
---|---|---|---|---|---|---|---|
Botan | Jack Lloyd | Yes | Simplified BSD License | Jack Lloyd | C++ | 1.11.29 (March 20, 2016[1]) [±] |
US (Vermont) |
Bouncy Castle | The Legion of the Bouncy Castle Inc. | Yes | MIT License | Legion of the Bouncy Castle Inc. | Java, C# | 1.54 (Java) (December 30, 2015 [3]) [±] |
Australia |
cryptlib | Peter Gutmann | Yes | Sleepycat License and commercial license | Peter Gutmann | C | 3.4.3 (March 25, 2016 [5]) [±] | NZ |
GnuTLS | GnuTLS project | Yes | GNU LGPLv2.1+ | Free Software Foundation | C | 3.4.10 (March 3, 2016 [6]) [±] |
EU (Greece and Sweden) |
Java Secure Socket Extension (JSSE) | Oracle | Yes | GNU GPLv2 and commercial license | Oracle | Java | JDK 8, 2014-03-18 | US |
LibreSSL | OpenBSD Project | Yes | Apache License 1.0, 4-clause BSD License, ISC License, and some are public domain | Eric Young, Tim Hudson, Sun, OpenSSL project, OpenBSD Project, and others | C, assembly | 2.3.4 (May 3, 2016[7]) [±] |
Canada |
MatrixSSL[8] | PeerSec Networks | Yes | GNU GPLv2+ and commercial license | PeerSec Networks | C | 3.7.2b (July 13, 2015 [9]) [±] | US |
mbed TLS (previously PolarSSL) | ARM | Yes | Apache License 2.0, GNU GPLv2+ and commercial license | ARM Holdings | C | 2.2.1 (January 4, 2016 [10]) [±] 2.1.4 (January 4, 2016 [10]) [±] |
EU (Netherlands) |
Network Security Services (NSS) | Mozilla, AOL, Red Hat, Sun, Oracle, Google and others | Yes | MPL 2.0 | NSS contributors | C, assembly | 3.23 (March 8, 2016[11]) [±] 3.22.3 (March 14, 2016[12]) [±] |
US |
OpenSSL | OpenSSL project | Yes | OpenSSL-SSLeay dual-license | Eric Young, Tim Hudson, Sun, OpenSSL project, and others | C, assembly | 1.0.2h (May 3, 2016[15]) [±] |
Australia/EU |
RSA BSAFE | RSA Security | No[16] | Proprietary | RSA, The Security Division of EMC | MES: 4.0[17] SSL-J: 6.1.4[17] |
Australia | |
SChannel | Microsoft | No | Proprietary | Microsoft Inc. | Windows 10, 2015-07-29 | US | |
Secure Transport | Apple Inc. | Yes | APSL 2.0 | Apple Inc. | 57337.20.44 (OS X 10.11.2), 2015-12-08 | US | |
SharkSSL | Realtimelogic LLC[18] | No | Proprietary | Realtimelogic LLC | C, assembly | 3839 March 2016 | US |
TLSe | Eduard Suica | Yes | Public domain | Eduard Suica | C | 0.9, 2016-04-02 | EU (Romania) |
wolfSSL (previously CyaSSL) | wolfSSL[19] | Yes | GNU GPLv2+ and commercial license | wolfSSL Inc.[20] | C | 3.9.0 (March 18, 2016[21]) [±] | US |
Implementation | Developed by | Open source | Software license | Copyright owner | Written in | Latest stable version, release date | Origin |
Protocol support
Several versions of the TLS protocol exist. SSL 2.0 is a deprecated[22] protocol version with significant weaknesses. SSL 3.0 (1996) and TLS 1.0 (1999) are successors with two weaknesses in CBC-padding that were explained in 2001 by Serge Vaudenay.[23] TLS 1.1 (2006) fixed only one of the problems, by switching to random IVs for CBC block ciphers, whereas the more problematic use of mac-pad-encrypt instead of the secure pad-mac-encrypt was addressed with RFC7366.[24] A workaround for SSL 3.0 and TLS 1.0, roughly equivalent to random IVs from TLS 1.1, was widely adopted by many implementations in late 2011,[25] so from a security perspective, all existing version of TLS 1.0, 1.1 and 1.2 provide equivalent strength in the base protocol and are suitable for 128-bit security according to NIST SP800-57 up to at least 2030. In 2014, the POODLE vulnerability of SSL 3.0 was discovered, which takes advantage the known vulnerabilities in CBC, and an insecure fallback negotiation used in browsers.[26]
TLS 1.2 (2008) is the latest published version of the base protocol, introducing a means to identify the hash used for digital signatures. While permitting the use of stronger hash functions for digital signatures in the future (rsa,sha256/sha384/sha512) over the SSL 3.0 conservative choice (rsa,sha1+md5), the TLS 1.2 protocol change inadvertently and substantially weakened the default digital signatures and provides (rsa,sha1) and even (rsa,md5).[27]
Datagram Transport Layer Security (DTLS or Datagram TLS) 1.0 is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated. The revision DTLS 1.2 based on TLS 1.2 was published in January 2012[28]
Note that there are known vulnerabilities in SSL 2.0 and SSL 3.0. With the exception of the predictable IVs (for which an easy workaround exists) all currently known vulnerabilities affect all version of TLS 1.0/1.1/1.2 alike.[29]
Implementation | SSL 2.0 (insecure)[30] | SSL 3.0 (insecure)[31] | TLS 1.0[32] | TLS 1.1[33] | TLS 1.2[34] | TLS 1.3 (Draft)[35][36] |
DTLS 1.0[37] | DTLS 1.2[28] |
---|---|---|---|---|---|---|---|---|
Botan | No | No[38] | Yes | Yes | Yes | Yes | Yes | |
cryptlib | No | Disabled by default at compile time | Yes | Yes | Yes | No | No | |
GnuTLS | No[a] | Disabled by default[39] | Yes | Yes | Yes | Yes | Yes | |
JSSE | No[a] | Disabled by default[b] | Yes | Yes | Yes | No | No | |
LibreSSL | No[40] | No[41] | Yes | Yes | Yes | Yes | No | |
MatrixSSL | No[a] | Disabled by default at compile time[42] | Yes | Yes | Yes | Yes | Yes | |
mbed TLS | No | Disabled by default[43] | Yes | Yes | Yes | Yes[43] | Yes[43] | |
NSS | Disabled by default[a] | Disabled by default[44] | Yes | Yes[45] | Yes[46] | Yes[45] | Yes[47] | |
OpenSSL | Disabled by default[48] | Enabled by default | Yes | Yes[49] | Yes[49] | Yes | Yes[50] | |
RSA BSAFE[51] | No | Yes | Yes | Yes | Yes | No | No | |
SChannel XP, 2003[52] | Disabled by default in MSIE 7 | Enabled by default | Enabled by default in MSIE 7 | No | No | No | No | |
SChannel Vista, 2008[53] | Disabled by default | Enabled by default | Yes | No | No | No | No | |
SChannel 7, 2008R2[54] | Disabled by default | Disabled by default in MSIE 11 | Yes | Enabled by default in MSIE 11 | Enabled by default in MSIE 11 | Yes[55] | No[55] | |
SChannel 8, 2012[54] | Disabled by default | Enabled by default | Yes | Disabled by default | Disabled by default | Yes | No | |
SChannel 8.1, 2012R2, 10[54] | Disabled by default | Disabled by default in MSIE 11 | Yes | Yes | Yes | Yes | No | |
Secure Transport OS X 10.2-10.8, iOS 1-4 | Yes | Yes | Yes | No | No | No | No | |
Secure Transport OS X 10.9-10.10, iOS 5-8 | No[c] | Yes | Yes | Yes[c] | Yes[c] | Yes[c] | No | |
Secure Transport OS X 10.11, iOS 9 | No[c] | No[c] | Yes | Yes[c] | Yes[c] | Yes[c] | Unknown | |
SharkSSL | No | Disabled by default | Yes | Yes | Yes | No | No | |
TLSe | No | No | Yes | Yes | Yes | No | No | |
wolfSSL | No | Disabled by default[56] | Yes | Yes | Yes | Yes | Yes | |
Implementation | SSL 2.0 (insecure) | SSL 3.0 (insecure) | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 (Draft) |
DTLS 1.0 | DTLS 1.2 |
- ^ SSL 2.0 client hello is supported even though SSL 2.0 is not supported or is disabled because of the backward compatibilities.
- ^ SSL 3.0 support has been disabled by default as of Java 8 update 31.[57]
- ^ Secure Transport: SSL 2.0 was discontinued in OS X 10.8. SSL 3.0 was discontinued in OS X 10.11 and iOS 9.TLS 1.1, 1.2 and DTLS are available on iOS 5.0 and later, and OS X 10.8 and later.[58]
NSA Suite B Cryptography
Required components for NSA Suite B Cryptography (RFC 6460) are:
- Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits. For traffic flow, AES should be used with either the Counter Mode (CTR) for low bandwidth traffic or the Galois/Counter Mode (GCM) mode of operation for high bandwidth traffic (see Block cipher modes of operation) — symmetric encryption
- Elliptic Curve Digital Signature Algorithm (ECDSA) — digital signatures
- Elliptic Curve Diffie–Hellman (ECDH) — key agreement
- Secure Hash Algorithm 2 (SHA-256 and SHA-384) — message digest
Per CNSSP-15, the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.
Implementation | TLS 1.2 Suite B |
---|---|
Botan | Yes |
cryptlib | Yes |
GnuTLS | Yes |
JSSE | Yes[60] |
LibreSSL | Yes |
MatrixSSL | Yes |
mbed TLS | Yes |
NSS | No[61] |
OpenSSL | Yes[50] |
RSA BSAFE | Yes[51] |
SChannel | Yes[62] |
Secure Transport | No |
SharkSSL | Yes |
TLSe | Yes |
wolfSSL | Yes |
Implementation | TLS 1.2 Suite B |
Certifications
Note that certain certifications have received serious negative criticism from people who are actually involved in them.[63]
Implementation | FIPS 140-1, FIPS 140-2[64] | Common Criteria | |
---|---|---|---|
Level 1 | Level 2 | ||
Botan[65] | |||
cryptlib[66] | |||
GnuTLS[67] | no support | ||
JSSE | |||
LibreSSL[40] | no support | ||
MatrixSSL[68] | SafeZone FIPS Cryptographic Module: 1.1 (#2389) | ||
mbed TLS[69] | |||
NSS[70] | Network Security Services: 3.2.2 (#247) Network Security Services Cryptographic Module: 3.11.4 (#815), 3.12.4 (#1278), 3.12.9.1 (#1837) |
Netscape Security Module: 1 (#7[notes 1]), 1.01 (#47[notes 2]) Network Security Services: 3.2.2 (#248[notes 3]) Network Security Services Cryptographic Module: 3.11.4 (#814[notes 4]), 3.12.4 (#1279, #1280[notes 5]) |
|
OpenSSL[71] | OpenSSL FIPS Object Module: 1.0 (#624), 1.1.1 (#733), 1.1.2 (#918), 1.2, 1.2.1, 1.2.2, 1.2.3 or 1.2.4 (#1051) 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7 or 2.0.8 (#1747) |
||
RSA BSAFE[72] | Crypto-C ME 3.0.0.1, 4.0.1, 4.1 (#2294, #2300) Crypto-J 6.1 (#2057, #2058) |
||
SChannel[73] | Cryptographic modules in Windows NT 4.0, 95, 95, 2000, XP, Server 2003, CE 5, CE 6, Mobile 6.x, Vista, Server 2008, 7, Server 2008 R2, 8, Server 2012, RT, Surface, Phone 8 See details on Microsoft FIPS 140 Validated Cryptographic Modules |
||
Secure Transport | Apple FIPS Cryptographic Module: 1.0 (OS X 10.6, #1514), 1.1 (OS X 10.7, #1701) Apple OS X CoreCrypto Module; CoreCrypto Kernel Module: 3.0 (OS X 10.8, #1964, #1956), 4.0 (OS X 10.9, #2015, #2016) Apple iOS CoreCrypto Module; CoreCrypto Kernel Module: 3.0 (iOS 6, #1963, #1944), 4.0 (iOS 7 , #2020, #2021) |
||
SharkSSL | |||
TLSe | |||
wolfSSL[74] | wolfCrypt FIPS Module: 3.6.0 (#2425) | ||
Implementation | Level 1 | Level 2 | Common Criteria |
FIPS 140-1, FIPS 140-2 |
- ↑ with Sun Sparc 5 w/ Sun Solaris v 2.4SE (ITSEC-rated)
- ↑ with Sun Ultra-5 w/ Sun Trusted Solaris version 2.5.1 (ITSEC-rated)
- ↑ with Solaris v8.0 with AdminSuite 3.0.1 as specified in UK IT SEC CC Report No. P148 EAL4 on a SUN SPARC Ultra-1
- ↑ with these platforms; Red Hat Enterprise Linux Version 4 Update 1 AS on IBM xSeries 336 with Intel Xeon CPU, Trusted Solaris 8 4/01 on Sun Blade 2500 Workstation with UltraSPARC IIIi CPU
- ↑ with these platforms; Red Hat Enterprise Linux v5 running on an IBM System x3550, Red Hat Enterprise Linux v5 running on an HP ProLiant DL145, Sun Solaris 10 5/08 running on a Sun SunBlade 2000 workstation, Sun Solaris 10 5/08 running on a Sun W2100z workstation
Key exchange algorithms (certificate-only)
This section lists the certificate verification functionality available in the various implementations.
Implementation | RSA[34] | RSA-EXPORT (insecure)[34] | DHE-RSA (forward secrecy)[34] | DHE-DSS (forward secrecy)[34] | ECDH-ECDSA[75] | ECDHE-ECDSA (forward secrecy)[75] | ECDH-RSA[75] | ECDHE-RSA (forward secrecy)[75] | GOST R 34.10-94, 34.10-2001[76] |
---|---|---|---|---|---|---|---|---|---|
Botan | Yes | No | Yes | Yes | No | Yes | No | Yes | Yes[77] |
cryptlib | Yes | No | Yes | Yes | No | Yes | No | No | No |
GnuTLS | Yes | No | Yes | No[39] | No | Yes | No | Yes | No |
JSSE | Yes | Disabled by default | Max 2048 bit | Max 2048 bit | Yes | Yes | Yes | Yes | No[78] |
LibreSSL | Yes | No[40] | Yes | Yes | Yes | Yes | Yes | Yes | Yes[79] |
MatrixSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
mbed TLS | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
NSS | Yes | Disabled by default | Yes[80] | Yes | Yes | Yes | Yes | Yes | No[81][82] |
OpenSSL | Yes | Disabled by default[83] | Yes | Yes | Yes | Yes | Yes | Yes | Yes[84] |
RSA BSAFE[51] | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No |
SChannel XP/2003 | Yes | Yes | No | XP: Max 1024 bits 2003: 1024 bits only |
No | No | No | No | No[85] |
SChannel Vista/2008, 2008R2, 2012 | Yes | Disabled by default | No | 1024 bits only | No | Yes | No | except AES_GCM | No[85] |
SChannel 7, 8, 8.1/2012R2 | Yes | Disabled by default | AES_GCM only Client: 1024-4096bits(or more?) Server: 1024bits only[86][87][88] |
1024 bits only | No | Yes | No | except AES_GCM | No[85] |
SChannel 10 | Yes | Disabled by default | AES_GCM only Client: 1024-4096bits(or more?) Server: 2048bits only |
1024 bits only | No | Yes | No | Yes | No[85] |
Secure Transport OS X 10.6 | Yes | Yes | except AES_GCM | Yes | Yes | except AES_GCM | Yes | except AES_GCM | No |
Secure Transport OS X 10.8-10.10 | Yes | No | except AES_GCM | No | Yes | except AES_GCM | Yes | except AES_GCM | No |
Secure Transport OS X 10.11 | Yes | No | Yes | No | No | Yes | No | Yes | No |
SharkSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
TLSe | Yes | No | Yes | No | No | Yes | No | Yes | No |
wolfSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
Implementation | RSA | RSA EXPORT (insecure) | DHE-RSA (forward secrecy) | DHE-DSS (forward secrecy) | ECDH-ECDSA | ECDHE-ECDSA (forward secrecy) | ECDH-RSA | ECDHE-RSA (forward secrecy) | GOST R 34.10-94, 34.10-2001 |
Key exchange algorithms (alternative key-exchanges)
Implementation | SRP[89] | SRP-DSS[89] | SRP-RSA[89] | PSK-RSA[90] | PSK[90] | DHE-PSK (forward secrecy)[90] | ECDHE-PSK (forward secrecy)[91] | KRB5[92] | DH-ANON[34] (insecure) | ECDH-ANON[75] (insecure) |
---|---|---|---|---|---|---|---|---|---|---|
Botan | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
cryptlib | No | No | No | No | Yes | Yes | No | Unknown | No | No |
GnuTLS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Disabled by default | Disabled by default |
JSSE | No | No | No | No | No | No | No | Unknown | Disabled by default in Java 8 | Disabled by default in Java 8 |
LibreSSL | No[93] | No[93] | No[93] | No | No | No | No | No | Yes | Yes |
MatrixSSL | No | No | No | Yes | Yes | Yes | No | No | Disabled by default | No |
mbed TLS | No | No | No | Yes | Yes | Yes | Yes | No | No | No |
NSS | No[94] | No[94] | No[94] | No[95] | No[95] | No[95] | No[95] | No | Client side only, disabled by default[96] | Disabled by default[97] |
OpenSSL | Yes | Yes | Yes | No | Yes | No | No | Yes[98] | Disabled by default[48] | Disabled by default[48] |
RSA BSAFE[51] | No | No | No | No | No | No | No | Unknown | Yes | Yes |
SChannel | No | No | No | No | No | No | No | Yes | No | No |
Secure Transport | No | No | No | No | No | No | No | Unknown | Yes | Yes |
SharkSSL | No | No | No | No | Yes | No | No | Unknown | No | No |
TLSe | No | No | No | No | No | No | No | No | No | No |
wolfSSL | No | No | No | No | Yes | No | Yes[99] | No | No | No |
Implementation | SRP | SRP-DSS | SRP-RSA | PSK-RSA | PSK | DHE-PSK (forward secrecy) | ECDHE-PSK (forward secrecy) | KRB5 | DH-ANON (insecure) | ECDH-ANON (insecure) |
Certificate verification methods
Implementation | Application-defined | PKIX path validation[100] | CRL[101] | OCSP[102] | DANE (DNSSEC)[103] | Trust on First Use (TOFU) |
---|---|---|---|---|---|---|
Botan | Yes | Yes | Yes | Yes | No | No |
cryptlib | Yes | Yes | Unknown | Unknown | No | No |
GnuTLS | Yes | Yes | Yes | Yes | Yes | Yes |
JSSE | Yes | Yes | Yes | Yes | No | No |
LibreSSL | Yes | Yes | Yes | Yes | No | No |
MatrixSSL | Yes | Yes | Yes | No | No | No |
mbed TLS | Yes | Yes | Yes | Unknown | No | No |
NSS | Yes | Yes | Yes | Yes | No[104] | No |
OpenSSL | Yes | Yes | Yes | Yes | No | No |
RSA BSAFE[51] | Yes | Yes | Yes | Yes | No | No |
SChannel | Unknown | Yes | Yes[105] | Yes[105] | No | No |
Secure Transport | Yes | Yes | Yes | Yes | No | No |
SharkSSL | Yes | Yes | No | No | No | No |
TLSe | Yes | Yes | No | No | No | No |
wolfSSL | Yes | Yes | Yes | Yes | No | No |
Implementation | Application-defined | PKIX | CRL | OCSP | DANE | TOFU |
Encryption algorithms
Implementation | Block cipher with mode of operation | Stream cipher | None | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
AES GCM [106] |
AES CCM [107] |
AES CBC | Camellia GCM [108] |
Camellia CBC [109] |
ARIA GCM [110] |
ARIA CBC [110] |
SEED CBC [111] |
3DES EDE CBC | GOST 28147-89 CNT (proposed) [76][n 1] |
ChaCha20-Poly1305 (proposed) [112][n 1] |
Null (insecure) [n 2] | |
Botan | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes | Yes[113] | Yes[114] | Disabled by default |
cryptlib | Yes | No | Yes | No | No | No | No | No | Yes | No | No | Disabled by default |
GnuTLS | Yes | Yes[39] | Yes | Yes | Yes | No | No | No | Yes | No | Disabled by default[39] | Disabled by default |
JSSE | Yes | No | Yes | No | No | No | No | No | Yes | No[78] | No | Disabled by default |
LibreSSL | Yes[40] | No | Yes | No | Yes[79] | No | No | No[40] | Yes | Yes[79] | Yes[40] | Disabled by default |
MatrixSSL | Yes | No | Yes | No | No | No | No | Yes | Disabled by default | No | No | Disabled by default |
mbed TLS | Yes | Yes [115] | Yes | Yes | Yes | No | No | No | Yes | No | No | Disabled by default at compile time |
NSS | 128 bit only[116][117] | No | Yes | No[118][n 3] | Yes[119] | No | No | Yes[120] | Yes | No[81][82] | Yes[121] | Disabled by default |
OpenSSL | Yes[122] | No | Yes | No | Yes | No | No | Yes | Yes | Yes[84] | Beta[123] | Disabled by default |
RSA BSAFE MES[51] | Yes | Yes | Yes | No | No | No | No | No | Yes | No | No | Disabled by default |
RSA BSAFE SSL-J[51] | Yes | No | Yes | No | No | No | No | No | Yes | No | No | Disabled by default |
SChannel XP/2003 | No | No | 2003 only[125] | No | No | No | No | No | Yes | No[85] | No | Disabled by default |
SChannel Vista/2008, 2008R2, 2012 | No | No | Yes | No | No | No | No | No | Yes | No[85] | No | Disabled by default |
SChannel 7, 8, 8.1/2012R2 | Yes except ECDHE_RSA [86][87] |
No | Yes | No | No | No | No | No | Yes | No[85] | No | Disabled by default |
Schannel 10[126] | Yes | No | Yes | No | No | No | No | No | Yes | No[85] | No | Disabled by default |
Secure Transport OS X 10.6 - 10.10 | No | No | Yes | No | No | No | No | No | Yes | No | No | Disabled by default |
Secure Transport OS X 10.11 | Yes | No | Yes | No | No | No | No | No | Yes | No | No | Disabled by default |
SharkSSL | Yes | Yes | Yes | No | No | No | No | No | Yes | No | Yes | Disabled by default |
TLSe | Yes | No | Yes | No | No | No | No | No | No | No | No | No |
wolfSSL | Yes | Yes | Yes | No | Yes | No | No | No | Yes | No | Yes | Disabled by default |
Implementation | AES GCM | AES CCM | AES CBC | Camellia GCM | Camellia CBC | ARIA GCM | ARIA CBC | SEED CBC | 3DES EDE CBC | GOST 28147-89 CNT (proposed) |
ChaCha20-Poly1305 (proposed) |
Null (insecure) |
Block cipher with mode of operation | Stream cipher | None |
- Notes
Obsolete algorithms
Implementation | Block cipher with mode of operation | Stream cipher | ||||
---|---|---|---|---|---|---|
IDEA CBC [n 1] |
DES CBC (insecure) [n 1] |
DES-40 CBC (EXPORT, insecure) [n 2] |
RC2-40 CBC (EXPORT, insecure) [n 2] |
RC4-128 (insecure) [n 3] |
RC4-40 (EXPORT, insecure) [n 4][n 2] | |
Botan | No | No | No | Disabled by default | No[128] | No |
cryptlib | No | Disabled by default at compile time | No | No | Disabled by default at compile time | No |
GnuTLS | No | No | No | No | Disabled by default[39] | No |
JSSE | No | Disabled by default | Disabled by default | No | Yes | Disabled by default [129] |
LibreSSL | Yes | Yes | No[40] | No[40] | Yes | No[40] |
MatrixSSL | Yes | No | No | No | Disabled by default | No |
mbed TLS | No | Disabled by default at compile time | No | No | Disabled by default at complile time[43] | No |
NSS | Yes | Disabled by default | Disabled by default | Disabled by default | Lowest priority[130][131] | Disabled by default |
OpenSSL | Yes | Yes | Disabled by default[83] | Disabled by default[83] | Yes | Disabled by default[83] |
RSA BSAFE MES[51] | No | No | No | No | Yes | No |
RSA BSAFE SSL-J[51] | No | Yes | Yes | No | Yes | Yes |
SChannel XP/2003 | No | Yes | Yes | Yes | Yes | Yes |
SChannel Vista/2008 | No | Disabled by default | Disabled by default | Disabled by default | Yes | Disabled by default |
SChannel 7/2008R2, 8/2012 | No | Disabled by default | Disabled by default | Disabled by default | Lowest priority[87][n 5] | Disabled by default |
SChannel 8.1/2012R2 | No | Disabled by default | Disabled by default | Disabled by default | Only as fallback[n 6][133][134] | Disabled by default |
Schannel 10[126] | No | Disabled by default | Disabled by default | Disabled by default | Only as fallback[n 6] | Disabled by default |
Secure Transport OS X 10.6 | Yes | Yes | Yes | Yes | Yes | Yes |
Secure Transport OS X 10.7 | Yes | Unknown | Unknown | Unknown | Yes | Unknown |
Secure Transport OS X 10.8-10.9 | Yes | Disabled by default | Disabled by default | Disabled by default | Yes | Disabled by default |
Secure Transport OS X 10.10-10.11 | Yes | Disabled by default | Disabled by default | Disabled by default | Lowest priority | Disabled by default |
SharkSSL | No | Disabled by default | No | No | Disabled by default | No |
TLSe | No | No | No | No | No | No |
wolfSSL | Yes[135] | No | No | No | Disabled by default | No |
Implementation | IDEA CBC | DES CBC (insecure) |
DES-40 CBC (EXPORT, insecure) |
RC2-40 CBC (EXPORT, insecure) |
RC4-128 (insecure) |
RC4-40 (EXPORT, insecure) |
Block cipher with mode of operation | Stream cipher |
- Notes
- 1 2 IDEA and DES have been removed from TLS 1.2.[127]
- 1 2 3 40 bits strength of cipher suites were designed to operate at reduced key lengths in order to comply with US regulations about the export of cryptographic software containing certain strong encryption algorithms (see Export of cryptography from the United States). These weak suites are forbidden in TLS 1.1 and later.
- ↑ The RC4 attacks weaken or break RC4 used in SSL/TLS. Use of RC4 is prohibited by RFC 7465.
- ↑ The RC4 attacks weaken or break RC4 used in SSL/TLS.
- ↑ RC4 can be disabled except as a fallback (Only when no cipher suites with other than RC4 is available, cipher suites with RC4 will be used as a fallback.)[132]
- 1 2 Only when no cipher suites with other than RC4 is available, cipher suites with RC4 will be used as a fallback.
Supported elliptic curves
This section lists the supported elliptic curves by each implementation.
Implementation | sect163k1 NIST K-163 (1)[75] |
sect163r1 (2)[75] |
sect163r2 NIST B-163 (3)[75] |
sect193r1 (4)[75] |
sect193r2 (5)[75] |
sect233k1 NIST K-233 (6)[75] |
sect233r1 NIST B-233 (7)[75] |
sect239k1 (8)[75] |
sect283k1 NIST K-283 (9)[75] |
sect283r1 NIST B-283 (10)[75] |
sect409k1 NIST K-409 (11)[75] |
sect409r1 NIST B-409 (12)[75] |
sect571k1 NIST K-571 (13)[75] |
sect571r1 NIST B-571 (14)[75] |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Botan | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
GnuTLS | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
JSSE | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
LibreSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
MatrixSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
mbed TLS | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
NSS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
RSA BSAFE[51] | Yes | No | Yes | No | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
SChannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
Secure Transport | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
SharkSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
TLSe | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
wolfSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
Implementation | sect163k1 NIST K-163 (1) |
sect163r1 (2) |
sect163r2 NIST B-163 (3) |
sect193r1 (4) |
sect193r2 (5) |
sect233k1 NIST K-233 (6) |
sect233r1 NIST B-233 (7) |
sect239k1 (8) |
sect283k1 NIST K-283 (9) |
sect283r1 NIST B-283 (10) |
sect409k1 NIST K-409 (11) |
sect409r1 NIST B-409 (12) |
sect571k1 NIST K-571 (13) |
sect571r1 NIST B-571 (14) |
Implementation | secp160k1 (15)[75] |
secp160r1 (16)[75] |
secp160r2 (17)[75] |
secp192k1 (18)[75] |
secp192r1 prime192v1 NIST P-192 (19)[75] |
secp224k1 (20)[75] |
secp224r1 NIST P-244 (21)[75] |
secp256k1 (22)[75] |
secp256r1 prime256v1 NIST P-256 (23)[75] |
secp384r1 NIST P-384 (24)[75] |
secp521r1 NIST P-521 (25)[75] |
arbitrary prime curves (0xFF01)[75][136] |
arbitrary char2 curves (0xFF02)[75][136] |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Botan | No | No | No | No | No | No | No | No | Yes | Yes | Yes | No | No |
GnuTLS | No | No | No | No | Yes | No | Yes | No | Yes | Yes | Yes | No | No |
JSSE | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
LibreSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
MatrixSSL | No | No | No | No | Yes | No | Yes | No | Yes | Yes | Yes | No | No |
mbed TLS | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
NSS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
RSA BSAFE[51] | No | No | No | No | Yes | No | Yes | No | Yes | Yes | Yes | No | No |
SChannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | No | No | No | No | No | No | No | No | Yes | Yes | Yes | No | No |
Secure Transport | No | No | No | No | Yes | No | No | No | Yes | No | Yes | No | No |
SharkSSL | No | No | No | No | Yes | No | Yes | No | Yes | Yes | Yes | No | No |
TLSe | No | No | No | No | No | No | Yes | No | Yes | Yes | Disabled | No | No |
wolfSSL | No | Yes | No | No | Yes | No | Yes | No | Yes | Yes | Yes | No | No |
Implementation | secp160k1 (15) |
secp160r1 (16) |
secp160r2 (17) |
secp192k1 (18) |
secp192r1 prime192v1 NIST P-192 (19) |
secp224k1 (20) |
secp224r1 NIST P-224 (21) |
secp256k1 (22) |
secp256r1 prime256v1 NIST P-256 (23) |
secp384r1 NIST P-384 (24) |
secp521r1 NIST P-521 (25) |
arbitrary prime curves (0xFF01) |
arbitrary char2 curves (0xFF02) |
Implementation | brainpoolP256r1 (26)[137] |
brainpoolP384r1 (27)[137] |
brainpoolP512r1 (28)[137] |
Curve25519 [138] |
Curve448 Ed448-Goldilocks [138] |
M221 Curve2213 [139] |
E222 [139] |
Curve1174 [139] |
E382 [139] |
M383 [139] |
Curve383187 [139] |
Curve41417 Curve3617 [139] |
M511 Curve511187 [139] |
E521 [139] |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Botan | Yes[140] | Yes[140] | Yes[140] | Yes[114] | No | No | No | No | No | No | No | No | No | No |
GnuTLS | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
JSSE | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
LibreSSL | Yes[40] | Yes[40] | Yes[40] | No | No | No | No | No | No | No | No | No | No | No |
MatrixSSL | Yes | Yes | Yes | No | No | No | No | No | No | No | No | No | No | No |
mbed TLS | Yes[141] | Yes[141] | Yes[141] | Yes[142] | No | No | No | No | No | No | No | No | No | No |
NSS | No[143] | No[143] | No[143] | No[144] | No | No | No | No | No | No | No | No | No | No |
OpenSSL | Yes[50] | Yes[50] | Yes[50] | No | No | No | No | No | No | No | No | No | No | No |
RSA BSAFE[51] | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
SChannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
Secure Transport | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
SharkSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
TLSe | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
wolfSSL | No | No | No | Yes[145] | No | No | No | No | No | No | No | No | No | No |
Implementation | brainpoolP256r1 (26) |
brainpoolP384r1 (27) |
brainpoolP512r1 (28) |
Curve25519 | Curve448 Ed448-Goldilocks |
M221 Curve2213 |
E222 | Curve1174 | E382 | M383 | Curve383187 | Curve41417 Curve3617 |
M511 Curve511187 |
E521 |
Data integrity
Implementation | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA256/384 | AEAD | GOST 28147-89 IMIT[76] | GOST R 34.11-94[76] |
---|---|---|---|---|---|---|
Botan | Yes | Yes | Yes | Yes | Yes[113] | Yes[146] |
cryptlib | Yes | Yes | Yes | Yes | No | No |
GnuTLS | Yes | Yes | Yes | Yes | No | No |
JSSE | Yes | Yes | Yes | Yes | No[78] | No[78] |
LibreSSL | Yes | Yes | Yes | Yes | Yes[79] | Yes[79] |
MatrixSSL | Yes | Yes | Yes | Yes | No | No |
mbed TLS | Yes | Yes | Yes | Yes | No | No |
NSS | Yes | Yes | Yes | Yes | No[81][82] | No[81][82] |
OpenSSL | Yes | Yes | Yes | Yes | Yes[84] | Yes[84] |
RSA BSAFE[51] | Yes | Yes | Yes | Yes | No | No |
SChannel XP/2003, Vista/2008 | Yes | Yes | XP SP3, 2003 SP2 via hotfix[147] | No | No[85] | No[85] |
SChannel 7/2008R2, 8/2012, 8.1/2012R2 | Yes | Yes | Yes | except ECDHE_RSA[86][87][88] | No[85] | No[85] |
SChannel 10 | Yes | Yes | Yes | Yes[126] | No[85] | No[85] |
Secure Transport | Yes | Yes | Yes | No | No | No |
SharkSSL | Yes | Yes | Yes | Yes | No | No |
TLSe | Yes | Yes | Yes | Yes | No | No |
wolfSSL | Yes | Yes | Yes | Yes | No | No |
Implementation | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA256/384 | AEAD | GOST 28147-89 IMIT | GOST R 34.11-94 |
Compression
Note the CRIME security exploit takes advantage of TLS compression, so conservative implementations do not enable compression at the TLS level. HTTP compression is unrelated and unaffected by this exploit, but is exploited by the related BREACH attack.
Implementation | DEFLATE[148] (insecure) |
---|---|
Botan | No |
cryptlib | No |
GnuTLS | Disabled by default |
JSSE | No |
LibreSSL | No[40] |
MatrixSSL | Disabled by default |
mbed TLS | Disabled by default |
NSS | Disabled by default |
OpenSSL | Disabled by default |
RSA BSAFE[51] | No |
SChannel | No |
Secure Transport | No |
SharkSSL | No |
TLSe | No |
wolfSSL | Disabled by default |
Implementation | DEFLATE |
Extensions
In this section the extensions each implementation supports are listed. Note that the Secure Renegotiation extension is critical for HTTPS client security . TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.
Implementation | Secure Renegotiation [149] |
Server Name Indication [150] |
ALPN [151] |
Certificate Status Request [150] |
OpenPGP [152] |
Supplemental Data [153] |
Session Ticket [154] |
Keying Material Exporter [155] |
Maximum Fragment Length [150] |
Truncated HMAC [150] |
Encrypt-then-MAC [156] |
TLS Fallback SCSV [157] |
Extended Master Secret [158] |
TLS Padding [159] |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Botan | Yes | Yes | No | No | No | No | Yes | Yes | Yes | No | No | Yes[160] | Yes[161] | No |
cryptlib | Yes | Yes | No | No | No | Yes | No | No | No[162] | No | Yes | Yes | Yes | No |
GnuTLS | Yes | Yes | Yes[163] | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes[39] | Yes[164] | Yes[39] | No |
JSSE | Yes | Yes[60] | Unknown | No | No | No | No | No | No | No | No | No | No | No |
LibreSSL | Yes | Yes | Yes[165] | Yes | No | No? | Yes | Yes? | No | No | No | Server side only[166] | No | Yes |
MatrixSSL | Yes | Yes | Yes[167] | No | No | No | Yes | No | Yes | Yes | No | No | No | No |
mbed TLS | Yes | Yes | Yes[168] | No | No | No | Yes | No | Yes | Disabled by default[43] | Yes[169] | Yes[169] | Yes[169] | No |
NSS | Yes | Yes | Yes[170] | Yes | No[171] | No | Yes | Yes | No | No | No[172] | Yes[173] | Yes[174] | Yes[170] |
OpenSSL | Yes | Yes | Yes[50] | Yes | No | No? | Yes | Yes? | No | No | No | Yes[175] | No | Yes[176] |
RSA BSAFE MES[51] | Yes | Yes | No | Yes | No | No | Yes | No | Yes | Yes | No | No | No | No |
RSA BSAFE SSL-J[51] | Yes | Yes | No | No | No | No | No | No | Yes | Yes | No | No | No | No |
SChannel XP/2003 | No | No | No | No | No | Yes | No | No | No | No | No | No | No | No |
SChannel Vista/2008 | Yes | Yes | No | No | No | Yes | No | No | No | No | No | No | No | No |
SChannel 7/2008R2 | Yes | Yes | No | Yes | No | Yes | No | No | No | No | No | No | No | No |
SChannel 8/2012 | Yes | Yes | No | Yes | No | Yes | Client side only[177] | No | No | No | No | No | No | No |
SChannel 8.1/2012R2, 10 | Yes | Yes | Yes | Yes | No | Yes | Yes[177] | No | No | No | No | No | No | No |
Secure Transport | Yes | Yes | Unknown | No | No | Yes | No | No | No | No | No | No | No | No |
SharkSSL | Yes | No | No | No | No | No | No | No | No | No | No | No | No | No |
TLSe | Yes | Yes | No | No | No | No | No | No | No | No | No | Yes | No | No |
wolfSSL | Yes | Yes | Yes[135] | No | No | No | Yes | No | Yes | Yes | No | No | No | No |
Implementation | Secure Renegotiation | Server Name Indication | ALPN | Certificate Status Request | OpenPGP | Supplemental Data | Session Ticket | Keying Material Exporter | Maximum Fragment Length | Truncated HMAC | Encrypt-then-MAC | TLS Fallback SCSV | Extended Master Secret | TLS Padding |
Assisted cryptography
This section lists the known ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or utilize system specific devices that allow access to underlying cryptographic hardware for acceleration or for data separation.
Implementation | PKCS #11 device | Intel AES-NI | VIA PadLock | STM32F2 | Cavium NITROX | Cavium OCTEON | Freescale CAU/mmCAU | ARMv8-A | Microchip PIC32MZ | Intel IPP | TI TM4C12x |
---|---|---|---|---|---|---|---|---|---|---|---|
Botan | No | Yes | No | No | No | No | No | No | No | No | No |
cryptlib | Yes | Yes | Yes | No | No | No | No | No | No | No | No |
GnuTLS | Yes | Yes | Yes | No | No | No | No | No | No | No | No |
JSSE | Yes | Yes[178] | No | No | No | No | No | No | No | No | No |
LibreSSL | No | Yes | Yes | No | Yes | No | No | No | No | No | No |
MatrixSSL | Yes | Yes | No | No | No | No | No | Yes | No | No | No |
mbed TLS | Yes | Yes[179] | Yes | No | No | No | No | No | No | No | No |
NSS | Yes[180] | Yes[181] | No[182] | No | No | No | No | No | No | No | No |
OpenSSL | No | Yes | Yes | No | Yes | No | No | Yes[183] | No | No | No |
RSA BSAFE[51] | Yes | Yes | No | No | No | No | No | No | No | No | No |
SChannel | No | Yes | No | No | No | No | No | No | No | No | No |
Secure Transport | No | Yes[184][185] | No | No | No | No | No | Yes | No | No | No |
SharkSSL | No | No | No | Yes | No | No | Yes | No | No | No | No |
TLSe | No | No | No | No | No | No | No | No | No | No | No |
wolfSSL | No | Yes | No | Yes | Yes | Yes[186] | Yes | No | Yes | Yes | Yes |
Implementation | PKCS #11 device | Intel AES-NI | VIA PadLock | STM32F2 | Cavium NITROX | Cavium OCTEON | Freescale CAU/mmCAU | ARMv8-A | Microchip PIC32MZ | Intel IPP | TI TM4C12x |
System-specific backends
This section lists the ability of an implementation to take advantage of the available operating system specific backends, or even the backends provided by another implementation.
Implementation | /dev/crypto | Windows CSP | CommonCrypto | OpenSSL engine |
---|---|---|---|---|
Botan | No | No | No | No |
cryptlib | No | No | No | No |
GnuTLS | Yes | No | No | No |
JSSE | No | Yes | No | No |
LibreSSL | Yes | No | No | No[187] |
MatrixSSL | No | No | Yes | Yes |
mbed TLS | No | No | No | No |
NSS | No | No | No | No |
OpenSSL | Yes | No | No | Yes |
RSA BSAFE[51] | No | No | No | No |
SChannel | No | Yes | No | No |
Secure Transport | No | No | Yes | No |
SharkSSL | No | No | No | No |
TLSe | No | No | No | No |
wolfSSL | No | Partial | No | No |
Implementation | /dev/crypto | Windows CSP | CommonCrypto | OpenSSL engine |
Cryptographic module/token support
Implementation | TPM support | Hardware token support | Objects identified via |
---|---|---|---|
Botan | No | No | |
cryptlib | No | PKCS11 | User-defined label |
GnuTLS | Yes | PKCS11 | RFC7512 PKCS #11 URLs[188] |
JSSE | No | PKCS11 Java Cryptography Architecture, Java Cryptography Extension |
|
LibreSSL | Yes | PKCS11 (via 3rd party module) | Custom method |
MatrixSSL | No | PKCS11 | |
mbed TLS | No | PKCS11 (via libpkcs11-helper) or standard hooks | Custom method |
NSS | No | PKCS11 | |
OpenSSL | Yes | PKCS11 (via 3rd party module) | Custom method |
RSA BSAFE MES[51] | No | PKCS11 (via 3rd party module) | User-defined label |
RSA BSAFE SSL-J[51] | No | No | |
SChannel | No | Microsoft CryptoAPI | UUID, User-defined label |
Secure Transport | |||
SharkSSL | No | No | |
TLSe | No | No | |
wolfSSL | No | No | |
Implementation | TPM support | Hardware token support | Objects identified via |
Code dependencies
Implementation | Dependencies | Optional dependencies |
---|---|---|
Botan | C++11 | sqlite, zlib (compression), bzip2 (compression), liblzma (compression) |
GnuTLS | libc nettle gmp |
zlib (compression) p11-kit (PKCS #11) trousers (TPM) |
JSSE | Java | |
MatrixSSL | none | zlib (compression) |
MatrixSSL-open | libc or newlib | |
mbed TLS | libc | libpkcs11-helper (PKCS #11) zlib (compression) |
NSS | libc libnspr4 libsoftokn3 libplc4 libplds4 |
zlib (compression) |
OpenSSL | libc | zlib (compression) |
SharkSSL | None | |
TLSe | none | tomcrypt |
wolfSSL | None | libc, zlib (compression) |
Implementation | Dependencies | Optional dependencies |
Development environment
Implementation | Namespace | Build tools | API manual | Crypto back-end | OpenSSL compatibility Layer |
---|---|---|---|---|---|
Botan | Botan::TLS | Makefile | Sphinx | Included (monolithic) | No |
cryptlib | crypt* | makefile, MSVC project workspaces | Programmers reference manual (PDF), architecture design manual (PDF) | Included (monolithic) | No |
GnuTLS | gnutls_* | Autoconf, automake, libtool | Manual and API reference (HTML, PDF) | External, libnettle | Yes (limited) |
JSSE | javax.net.ssl | Makefile | API Reference (HTML) + | Java Cryptography Architecture, Java Cryptography Extension |
No |
MatrixSSL | matrixSsl_* ps* |
Makefile, MSVC project workspaces, Xcode projects for OS X and iOS | API Reference (PDF), Integration Guide | Included (pluggable) | Yes (Subset: SSL_read, SSL_write, etc.) |
mbed TLS | ssl_* sha1_* |
Makefile, CMake, MSVC project workspaces | API Reference + High Level and Module Level Documentation (HTML) | Included (monolithic) | No |
NSS | CERT_* SEC_* |
Makefile | Manual (HTML) | Included, PKCS#11 based[189] | Yes (separate package called nss_compat_ossl[190]) |
OpenSSL | SSL_* SHA1_* |
Makefile | Man pages | Included (monolithic) | N/A |
SharkSSL | SharkSsl* | Makefile | (online) HTML Manual and API Reference | Included (monolithic) | No |
TLSe | tls_* SSL_* |
Single C file | Work in progress | Included or tomcrypt | Yes (Subset: SSL_read, SSL_write, etc.) |
wolfSSL | CyaSSL_* SSL_* |
Autoconf, automake, libtool, MSVC project workspaces, XCode projects, CodeWarrior projects, MPLAB X projects, Keil, IAR, Clang, GCC | Manual and API Reference (HTML, PDF) | Included (monolithic) | Yes (about 10% of API) |
Implementation | Namespace | Build tools | API manual | Crypto back-end | OpenSSL compatibility layer |
Portability concerns
Implementation | Platform requirements | Network requirements | Thread safety | Random seed | Able to cross-compile | No OS (bare metal) | Supported operating systems |
---|---|---|---|---|---|---|---|
Botan | C++11 | None | Thread-safe | Platform-dependent | Yes | Most Windows and POSIX systems | |
cryptlib | C89 | POSIX send() and recv(). API to supply your own replacement | Thread-safe | Platform-dependent, including hardware sources | Yes | Yes | AMX, BeOS, ChorusOS, DOS, eCos, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, Palm OS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, OS X, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK |
GnuTLS | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available. | Platform dependent | Yes | No | Generally any POSIX platforms or Windows, commonly tested platforms include GNU/Linux, Win32/64, OS X, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD. |
JSSE | Java | Java SE network components | Thread-safe | Depends on java.security.SecureRandom | Yes | Java based, platform-independent | |
MatrixSSL | C89 | None | Thread-safe | Platform dependent | Yes | Yes | All |
mbed TLS | C89 | POSIX read() and write(). API to supply your own replacement. | Threading layer available (POSIX or own hooks) | Random seed set through entropy pool | Yes | Yes | Known to work on: Win32/64, Linux, OS X, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox, Android, SeggerOS |
NSS | C89, NSPR[191] | NSPR[191] PR_Send() and PR_Recv(). API to supply your own replacement. | Thread-safe | Platform dependent[192] | Yes (but cumbersome) | No | AIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, OS X, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation |
OpenSSL | C89? | ? | Needs mutex callbacks | Set through native API | Yes | No | Unix, DOS (with djgpp), Windows, OpenVMS, MacOS, NetWare, eCos |
SharkSSL | C89 | None: Transport agnostic API | Thread-safe: multiple ports | Random seed set through entropy pool and/or HW | Yes | Yes | INTEGRITY, MQX, SMX, ThreadX, VxWorks, SeggerOS, OSE, Android, Win 32/64, Linux 32/64, uCLinux, OS X, OpenBSD, DD-WRT, OpenWrt |
TLSe | C89 | None | Thread-safe | Platform-independent | Yes | Linux, BSD, Windows, OS X | |
wolfSSL | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe, needs mutex hooks if PThreads or WinThreads not available, can be turned off | Random seed set through wolfCrypt | Yes | Yes | Win32/64, Linux, OS X, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, OpenCL, NonStop, TRON/ITRON/µITRON, Micrium's µC OS, FreeRTOS, SafeRTOS, Freescale MQX, Nucleus, TinyOS, HP/UX, Keil RTX, TI-RTOS |
Implementation | Platform requirements | Network requirements | Thread safety | Random seed | Able to cross-compile | No OS (bare metal) | Supported operating systems |
See also
- SCTP — with DTLS support
- DCCP — with DTLS support
- SRTP — with DTLS support (DTLS-SRTP) and Secure Real-Time Transport Control Protocol (SRTCP)
References
- ↑ "Version 1.11.29, 2016-03-20". 2016-03-20. Retrieved 2016-04-05.
- ↑ "Version 1.10.12, 2016-02-03". 2016-02-03. Retrieved 2016-02-25.
- ↑ "Latest Java Releases - bouncycastle.org". 2015-12-30. Retrieved 2015-01-08.
- ↑ "The Legion of the Bouncy Castle C# Cryptography APIs". 2015-12-28. Retrieved 2015-12-29.
- ↑ "cryptlib 3.4.3 released". 2016-03-25. Retrieved 2016-04-05.
- 1 2 "GnuTLS". 2016-03-10. Retrieved 2016-03-16.
- 1 2 "LibreSSL: Releases". 2016-05-03. Retrieved 2016-05-05.
- ↑ The features listed are for the closed source version
- ↑ "MatrixSSL - News". 2015-07-13. Retrieved 2015-07-14.
- 1 2 3 4 "mbed TLS 2.2.1, 2.1.4, 1.3.16 and PolarSSL 1.2.19 released". 2016-01-04. Retrieved 2016-01-25.
- ↑ "NSS 3.23 release notes". Mozilla. 2016-03-08. Retrieved 2016-03-09.
- ↑ "NSS 3.22.3 release notes". Mozilla. 2016-03-14. Retrieved 2016-03-15.
- ↑ "NSS 3.21.1 release notes". Mozilla. 2016-03-08. Retrieved 2016-03-09.
- ↑ "NSS 3.19.2.4 release notes". Mozilla. 2016-03-21. Retrieved 2016-03-22.
- 1 2 "OpenSSL: Newslog". Retrieved 2016-05-03.
- ↑ "Nsssl - AOLserver Wiki". Retrieved 2014-07-04.
- 1 2 "RSA BSAFE - EMC". Retrieved 2015-01-09.
- ↑ "SharkSSL product description". Retrieved 2014-04-21.
- ↑ "wolfSSL product description". Retrieved 2016-05-03.
- ↑ "wolfSSL Embedded SSL/TLS". Retrieved 2016-05-03.
- ↑ "wolfSSL ChangeLog". 2016-03-18. Retrieved 2016-04-04.
- ↑ RFC6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
- ↑ "CBC-Padding: Security Flaws in SSL, IPsec, WTLS,...", Serge Vaudenay, 2001
- ↑ RFC7366: Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security
- ↑ Rizzo/Duong BEAST Countermeasures
- ↑ Möller, Bodo; Duong, Thai; Kotowicz, Krzysztof (September 2014). "This POODLE Bites: Exploiting The SSL 3.0 Fallback" (PDF). Retrieved 15 October 2014.
- ↑ TLSv1.2's Major Differences from TLSv1.1
- 1 2 RFC 6347
- ↑ "Bard attack". CiteSeerX: 10
.1 ..1 .61 .5887 - ↑ The SSL Protocol <draft-hickman-netscape-ssl-00.txt>
- ↑ RFC 6101
- ↑ RFC 2246
- ↑ RFC 4346
- 1 2 3 4 5 6 RFC 5246
- ↑ draft-ietf-tls-tls13-11 - The Transport Layer Security (TLS) Protocol Version 1.3
- ↑ draft-ietf-tls-tls13-latest
- ↑ RFC 4347
- ↑ "Version 1.11.13, 2015-01-11 — Botan". 2015-01-11. Retrieved 2015-01-16.
- 1 2 3 4 5 6 7 "[gnutls-devel] GnuTLS 3.4.0 released". 2015-04-08. Retrieved 2015-04-16.
- 1 2 3 4 5 6 7 8 9 10 11 12 13 "OpenBSD 5.6 Released". 2014-11-01. Retrieved 2015-01-20.
- ↑ "LibreSSL 2.3.0 Released". 2015-09-23. Retrieved 2015-09-24.
- ↑ "MatrixSSL - News". Retrieved 2014-11-09.
- 1 2 3 4 5 "mbed TLS 2.0.0 released". 2015-07-10. Retrieved 2015-07-14.
- ↑ "NSS 3.19 release notes". Mozilla Developer Network. Mozilla. Retrieved 2015-05-06.
- 1 2 "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Retrieved 2012-10-27.
- ↑ "NSS 3.15.1 release notes". Mozilla Developer Network. Mozilla. Retrieved 2013-08-10.
- ↑ "NSS 3.16.2 release notes". Mozilla Developer Network. Mozilla. 2014-06-30. Retrieved 2014-06-30.
- 1 2 3 "Changes between 0.9.8n and 1.0.0 [29 Mar 2010]". Retrieved 2016-01-29.
- 1 2 "Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]". 2012-03-14. Archived from the original on December 5, 2014. Retrieved 2015-01-20.
- 1 2 3 4 5 6 "Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]". Archived from the original on September 4, 2014. Retrieved 2015-01-22.
- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 "RSA BSAFE Technical Specification Comparison Tables" (PDF).
- ↑ TLS cipher suites in Microsoft Windows XP and 2003
- ↑ SChannel Cipher Suites in Microsoft Windows Vista
- 1 2 3 TLS Cipher Suites in SChannel for Windows 7, 2008R2, 8, 2012
- 1 2 "An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1". Microsoft. Retrieved 13 November 2012.
- ↑ "[wolfssl] wolfSSL 3.6.6 Released". 2015-08-20. Retrieved 2015-08-24.
- ↑ "Java™ SE Development Kit 8, Update 31 Release Notes". Retrieved 2015-01-22.
- ↑ "Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
- ↑ https://dev.ssllabs.com/ssltest/clients.html
- 1 2 http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html
- ↑ "Bug 663320 - (NSA-Suite-B-TLS) Implement RFC6460 (NSA Suite B profile for TLS)". Mozilla. Retrieved 2014-05-19.
- ↑ http://technet.microsoft.com/en-us/library/dd566200(v=ws.10).aspx
- ↑ "Secure or Compliant, Pick One" Steve Marquess blog
- ↑ http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
- ↑ "Is botan FIPS 140 certified?" Frequently Asked Questions — Botan
- ↑ "What about FIPS 140 certification?" cryptlib FAQ
- ↑ "As such we are not actively pursuing this kind of certification." GnuTLS 3.3.10 B.5 Certification
- ↑ Matrix SSL Toolkit
- ↑ Is PolarSSL FIPS certified?
- ↑ FIPS Validation - MozillaWiki
- ↑ OpenSSL and FIPS 140-2
- ↑ Validated 140-1 and 140-2 Cryptographic Modules
- ↑ Microsoft FIPS 140 Validated Cryptographic Modules
- ↑ wolfSSL - wolfCrypt FIPS 140-2 Validation
- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 RFC 4492
- 1 2 3 4 draft-chudov-cryptopro-cptls-04 - GOST 28147-89 Cipher Suites for Transport Layer Security (TLS)
- ↑ "Version 1.9.4, 2010-03-09 — Botan". 2010-03-09. Retrieved 2015-01-23.
- 1 2 3 4 Extensions to support JSSE in SChannel might be available.
- 1 2 3 4 5 "LibreSSL 2.1.2 released". 2014-12-09. Retrieved 2015-01-20.
- ↑ "NSS 3.20 release notes". Mozilla. 2015-08-19. Retrieved 2015-08-20.
- 1 2 3 4 Mozilla.org. "Bug 518787 - Add GOST crypto algorithm support in NSS". Retrieved 2014-07-01.
- 1 2 3 4 Mozilla.org. "Bug 608725 - Add Russian GOST cryptoalgorithms to NSS and Thunderbird". Retrieved 2014-07-01.
- 1 2 3 4 "Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015]". Retrieved 2015-06-17.
- 1 2 3 4 openssl/engines/ccgost/README.gost
- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Extensions to support GOST in SChannel might be available.
- 1 2 3 "Microsoft Security Bulletin MS14-066 - Critical (Section Update FAQ)". Microsoft. November 11, 2014. Retrieved 11 November 2014.
- 1 2 3 4 Thomlinson, Matt (November 11, 2014). "Hundreds of Millions of Microsoft Customers Now Benefit from Best-in-Class Encryption". Microsoft Security. Retrieved 11 November 2014.
- 1 2 Update adds new TLS cipher suites and changes cipher suite priorities in Windows 8.1 and Windows Server 2012 R2
- 1 2 3 RFC 5054
- 1 2 3 RFC 4279
- ↑ RFC 5489
- ↑ RFC 2712
- 1 2 3 "LibreSSL 2.0.4 released". Retrieved 2014-08-04.
- 1 2 3 "Bug 405155 - add support for TLS-SRP, rfc5054". Mozilla. Retrieved 2014-01-25.
- 1 2 3 4 "Bug 306435 - Mozilla browsers should support the new IETF TLS-PSK protocol to help reduce phishing". Mozilla. Retrieved 2014-01-25.
- ↑ "Bug 1170510 - Implement NSS server side support for DH_anon". Mozilla. Retrieved 2015-06-03.
- ↑ "Bug 236245 - Update ECC/TLS to conform to RFC 4492". Mozilla. Retrieved 2014-06-09.
- ↑ "Changes between 0.9.6h and 0.9.7 [31 Dec 2002]". Retrieved 2016-01-29.
- ↑ "wolfSSL (Formerly CyaSSL) Release 3.9.0 (03/18/2016)". 2016-03-18. Retrieved 2016-04-05.
- ↑ RFC 5280
- ↑ RFC 3280
- ↑ RFC 2560
- ↑ RFC 6698, RFC 7218
- ↑ "Bug 672600 - Use DNSSEC/DANE chain stapled into TLS handshake in certificate chain validation". Mozilla. Retrieved 2014-06-18.
- 1 2 "How Certificate Revocation Works". Microsoft TechNet. Microsoft. March 16, 2012. Retrieved July 10, 2013.
- ↑ RFC 5288, RFC 5289
- ↑ RFC 6655, RFC 7251
- ↑ RFC 6367
- ↑ RFC 5932, RFC 6367
- 1 2 RFC 6209
- ↑ RFC 4162
- ↑ draft-ietf-tls-chacha20-poly1305 The ChaCha20-Poly1305 AEAD Cipher for Transport Layer Security
- 1 2 "Version 0.7.1, 2001-05-16 — Botan". 2001-05-16. Retrieved 2015-01-23.
- 1 2 "Version 1.11.12, 2015-01-02 — Botan". 2015-01-02. Retrieved 2015-01-09.
- ↑ PolarSSL 1.3.8 release notes
- ↑ "NSS 3.15.2 release notes". Mozilla Developer Network. Mozilla. Retrieved 2013-09-26.
- ↑ "Bug 973755 - Implement AES-256 GCM cipher suites". Mozilla Developer Network. Mozilla. Retrieved 2015-12-04.
- ↑ "Bug 940119 - libssl does not support any TLS_ECDHE_*_CAMELLIA_*_GCM cipher suites". Mozilla. Retrieved 2013-11-19.
- ↑ "NSS 3.12 is released". Retrieved 2013-11-19.
- ↑ "NSS 3.12.3 Release Notes". Mozilla Developer Network. Mozilla. Retrieved 2014-07-01.
- ↑ "NSS 3.23 release notes". Mozilla Developer Network. Mozilla. Retrieved 2016-03-09.
- ↑ "openssl/CHANGES at OpenSSL_1_0_1-stable · openssl/openssl". Retrieved 2015-01-20.
- ↑ Implemented in 1.1.0 Alpha[124]
- ↑ Changes between 1.0.2g and 1.1.0
- ↑ Hofix 984963: TLS AES cipher suites for Microsoft Windows 2003
- 1 2 3 https://dev.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%2010%20Preview
- ↑ RFC 5469
- ↑ "Version 1.11.15, 2015-03-08 — Botan". 2015-03-08. Retrieved 2015-03-11.
- ↑ http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
- ↑ "NSS 3.15.3 release notes". Mozilla Developer Network. Mozilla. Retrieved 2014-07-13.
- ↑ "MFSA 2013-103: Miscellaneous Network Security Services (NSS) vulnerabilities". Mozilla. Mozilla. Retrieved 2014-07-13.
- ↑ Microsoft security advisory: Update for disabling RC4
- ↑ "Release Notes: Important Issues in Windows 8.1 Preview". Microsoft. 2013-06-24. Retrieved 2014-11-04.
- ↑ "W8.1(IE11) vs RC4 | Qualys Community". Retrieved 2014-11-04.
- 1 2 "wolfSSL (Formerly CyaSSL) Release 3.7.0 (10/26/2015)". 2015-10-26. Retrieved 2015-11-19.
- 1 2 Negotiation of arbitrary curves has been shown to be insecure for certain curve sizes Mavrogiannopoulos, Nikos and Vercautern, Frederik and Velichkov, Vesselin and Preneel, Bart (2012). A cross-protocol attack on the TLS protocol. Proceedings of the 2012 ACM conference on Computer and communications security (PDF). pp. 62–72. ISBN 978-1-4503-1651-4.
- 1 2 3 RFC 7027
- 1 2 Curve25519 for ephemeral key exchange in Transport Layer Security (TLS): draft-ietf-tls-curve25519
- 1 2 3 4 5 6 7 8 9 Additional Elliptic Curves for Transport Layer Security (TLS) Key Agreement: draft-josefsson-tls-additional-curves
- 1 2 3 "Version 1.11.5, 2013-11-10 — Botan". 2013-11-10. Retrieved 2015-01-23.
- 1 2 3 "PolarSSL 1.3.1 released". 2013-10-15. Retrieved 2015-01-23.
- ↑ "PolarSSL 1.3.3 released". 2013-12-31. Retrieved 2015-01-23.
- 1 2 3 "Bug 943639 - Support for Brainpool ECC Curve (rfc5639)". Mozilla. Retrieved 2014-01-25.
- ↑ "Bug 957105 - Add support for curve25519 Key Exchange and UMAC MAC support for TLS". Mozilla. Retrieved 2015-01-23.
- ↑ "wolfSSL (Formerly CyaSSL) Release 3.4.6 (03/30/2015)". 2015-03-30. Retrieved 2015-11-19.
- ↑ "Supported Algorithms — Botan". Retrieved 2015-01-23.
- ↑ "SHA2 and Windows". Retrieved 2014-09-08.
- ↑ RFC 3749
- ↑ RFC 5746
- 1 2 3 4 RFC 6066
- ↑ RFC 7301
- ↑ RFC 6091
- ↑ RFC 4680
- ↑ RFC 5077
- ↑ RFC 5705
- ↑ RFC 7366
- ↑ RFC 7507
- ↑ RFC 7627
- ↑ RFC 7685
- ↑ "Version 1.11.10, 2014-12-10 — Botan". 2014-12-10. Retrieved 2014-12-14.
- ↑ "Version 1.11.26, 2016-01-04 — Botan". 2016-01-04. Retrieved 2016-02-25.
- ↑ Present, but disabled by default due to lack of use by any implementation.
- ↑ "gnutls 3.2.0". Retrieved 2015-01-26.
- ↑ "gnutls 3.4.4". Retrieved 2015-08-25.
- ↑ "LibreSSL 2.1.3 released". 2015-01-22. Retrieved 2015-01-22.
- ↑ "LibreSSL 2.1.4 released". 2015-03-04. Retrieved 2015-03-04.
- ↑ "MatrixSSL - News". 2014-12-04. Retrieved 2015-01-26.
- ↑ "Download overview - PolarSSL". 2014-04-11. Retrieved 2015-01-26.
- 1 2 3 "mbed TLS 1.3.10 released". 2015-02-08. Retrieved 2015-02-09.
- 1 2 "NSS 3.15.5 release notes". Mozilla Developer Network. Mozilla. Retrieved 2015-01-26.
- ↑ "Bug 961416 - Support RFC6091 - Using OpenPGP Keys for Transport Layer Security Authentication (TLS1.2)". Mozilla. Retrieved 2014-06-18.
- ↑ "Bug 972145 - Implement the encrypt-then-MAC TLS extension". Mozilla. Retrieved 2014-11-06.
- ↑ "NSS 3.17.1 release notes". Retrieved 2014-10-17.
- ↑ "NSS 3.21 release notes". Retrieved 2015-11-14.
- ↑ http://www.openssl.org/news/secadv_20141015.txt
- ↑ "Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]". 2014-04-07. Retrieved 2015-02-10.
- 1 2 "What's New in TLS/SSL (Schannel SSP)". Retrieved 2014-06-18.
- ↑ http://stackoverflow.com/questions/14259671/java-ssl-provider-with-aes-ni-support
- ↑ "We've incorporated support for AES-NI in our AES and GCM modules". 2013-12-31. Retrieved 2014-01-07.
- ↑ Normally NSS's libssl performs all operations via the PKCS#11 interface, either to hardware or software tokens
- ↑ "Bug 706024 - AES-NI enhancements to NSS on Sandy Bridge systems". Retrieved 2013-09-28.
- ↑ "Bug 479744 - RFE : VIA Padlock ACE support (hardware RNG, AES, SHA1 and SHA256)". Retrieved 2014-04-11.
- ↑ http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddacb8f27ba4c8a8d51c306c150e1a8703b008f2
- ↑ http://www.opensource.apple.com/source/Security/Security-55179.13/sec/Security/SecECKey.c
- ↑ http://km.support.apple.com/library/APPLE/APPLECARE_ALLGEOS/HT5396/Crypto_Officer_Role_Guide_for_FIPS_140-2_Compliance_OS_X_Mountain_Lion_v10.8.pdf
- ↑ Sirius and wolfSSL on OCTEON https://www.sirius-networks.com/en/products/sirius-wolfssl-on-octeon.php?item=1
- ↑ "LibreSSL 2.2.1 Released". 2015-07-08. Retrieved 2016-01-30.
- ↑ RFC 7512
- ↑ On the fly replaceable/augmentable.
- ↑ http://fedoraproject.org/wiki/Nss_compat_ossl
- 1 2 Netscape Portable Runtime (NSPR)
- ↑ For Unix/Linux it uses /dev/urandom if available, for Windows it uses CAPI. For other platforms it gets data from clock, and tries to open system files. NSS has a set of platform dependent functions it uses to determine randomness.