Comparison_of_TLS_implementations

Comparison of TLS implementations

Add article description

The Transport Layer Security (TLS) protocol provides the ability to secure communications across or inside networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.

This article is about TLS libraries comparison. For cryptographic libraries comparison, see Comparison of cryptography libraries.

"Secure Transport" redirects here. For the transportation of valuables, see Armoured car (valuables).

This article uses bare URLs, which are uninformative and vulnerable to link rot. (September 2022)

All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.

Overview

More information Implementation, Developed by ...

Implementation

Developed by

Open source

Software license

Written in

Latest stable version, release date

Origin

Botan

Jack Lloyd

Yes

Simplified BSD License

Jack Lloyd

C++

3.2.0 (October 9, 2023; 6 months ago (2023-10-09)^[1]) [±]

US (Vermont)

BoringSSL

Google

Yes

OpenSSL-SSLeay dual-license, ISC license

Eric Young, Tim Hudson, Sun, OpenSSL project, Google, and others

C, C++, Go, assembly

Australia/EU

Bouncy Castle

The Legion of the Bouncy Castle Inc.

Yes

MIT License

Legion of the Bouncy Castle Inc.

Java, C#

Java	1.77 / November 13, 2023; 5 months ago (2023-11-13)^[2]
Java LTS	BC-LJA 2.73.5 / March 1, 2024; 53 days ago (2024-03-01)^[3]
Java FIPS	BC-FJA 1.0.2.4 / September 28, 2023; 6 months ago (2023-09-28)^[4]
C#	2.3.0 / February 5, 2024; 2 months ago (2024-02-05)^[5]
C# FIPS	BC-FNA 1.0.2 / February 28, 2023; 13 months ago (2023-02-28)^[6]

Australia

BSAFE

Dell, formerly RSA Security

Proprietary

Dell

Java, C, assembly

SSL-J 6.5.1 (July 10, 2023; 9 months ago (2023-07-10)^[7]) [±]

SSL-J 7.2 (December 20, 2023; 4 months ago (2023-12-20)^[8]) [±]
Micro Edition Suite 4.6.2 (May 2, 2023; 11 months ago (2023-05-02)^[9]) [±]
Micro Edition Suite 5.0.2.1 (September 18, 2023; 7 months ago (2023-09-18)^[10]) [±]

Australia

cryptlib

Peter Gutmann

Yes

Sleepycat License and commercial license

Peter Gutmann

3.4.5 (2019; 5 years ago (2019)^[11]) [±]

GnuTLS

GnuTLS project

Yes

LGPL-2.1-or-later

Free Software Foundation

3.8.5^[12]

2024-04-04

EU (Greece and Sweden)

Java Secure Socket Extension (JSSE)

Oracle

Yes

GNU GPLv2 and commercial license

Oracle

Java

22.0.1 (April 19, 2024; 4 days ago (2024-04-19)) [±]

21.0.0 LTS (September 19, 2023; 7 months ago (2023-09-19)) [±]
17.0.6 LTS (February 18, 2023; 14 months ago (2023-02-18)) [±]
11.0.17 LTS (October 18, 2022; 18 months ago (2022-10-18)^[13]) [±]
8u401 LTS (January 16, 2024; 3 months ago (2024-01-16)^[14]) [±]

LibreSSL

OpenBSD Project

Yes

Apache-1.0, BSD-4-Clause, ISC, and public domain

Eric Young, Tim Hudson, Sun, OpenSSL project, OpenBSD Project, and others

C, assembly

3.9.1^[15]

2024-03-27

Canada

MatrixSSL^[16]

PeerSec Networks

Yes

GNU GPLv2+ and commercial license

PeerSec Networks

4.2.2 (September 11, 2019; 4 years ago (2019-09-11) ^[17]) [±]

Mbed TLS (previously PolarSSL)

Arm

Yes

Apache License 2.0, GNU GPLv2+ and commercial license

Arm Holdings

3.6.0^[18]

(28 March 2024; 26 days ago (28 March 2024)) [±]

EU (Netherlands)

Network Security Services (NSS)

Mozilla, AOL, Red Hat, Sun, Oracle, Google and others

Yes

MPL 2.0

NSS contributors

C, assembly

Standard	3.84 / October 12, 2022; 18 months ago (2022-10-12)^[19]
Extended Support Release	3.79.1 / August 18, 2022; 20 months ago (2022-08-18)^[19]

OpenSSL

OpenSSL project

Yes

Apache-2.0^{[lower-alpha 1]}

Eric Young, Tim Hudson, Sun, OpenSSL project, and others

C, assembly

3.3.0^[20]

2024-04-09

Australia/EU

s2n

Amazon

Yes

Apache License 2.0, GNU GPLv2+ and commercial license

Amazon, Inc.

Continuous

Schannel

Microsoft

Proprietary

Microsoft Inc.

Windows 11, 2021-10-05

Secure Transport

Apple Inc.

Yes

APSL 2.0

Apple Inc.

57337.20.44 (OS X 10.11.2), 2015-12-08

wolfSSL (previously CyaSSL)

wolfSSL^[21]

Yes

GNU GPLv2+ and commercial license

wolfSSL Inc.^[22]

C, assembly

5.6.4 (October 30, 2023; 5 months ago (2023-10-30)^[23]) [±]

Erlang/OTP SSL application

Ericsson

Yes

Apache License 2.0

Ericsson

Erlang

OTP-21, 2018-06-19

Sweden

Implementation

Developed by

Open source

Software license

Written in

Latest stable version, release date

Origin

Apache-2.0 for OpenSSL 3.0 and later releases. OpenSSL-SSLeay dual-license for any release before OpenSSL 3.0.

TLS/SSL protocol version support

Several versions of the TLS protocol exist. SSL 2.0 is a deprecated^[24] protocol version with significant weaknesses. SSL 3.0 (1996) and TLS 1.0 (1999) are successors with two weaknesses in CBC-padding that were explained in 2001 by Serge Vaudenay.^[25] TLS 1.1 (2006) fixed only one of the problems, by switching to random initialization vectors (IV) for CBC block ciphers, whereas the more problematic use of mac-pad-encrypt instead of the secure pad-mac-encrypt was addressed with RFC 7366.^[26] A workaround for SSL 3.0 and TLS 1.0, roughly equivalent to random IVs from TLS 1.1, was widely adopted by many implementations in late 2011.^[27] In 2014, the POODLE vulnerability of SSL 3.0 was discovered, which takes advantage of the known vulnerabilities in CBC, and an insecure fallback negotiation used in browsers.^[28]

TLS 1.2 (2008) introduced a means to identify the hash used for digital signatures. While permitting the use of stronger hash functions for digital signatures in the future (rsa,sha256/sha384/sha512) over the SSL 3.0 conservative choice (rsa,sha1+md5), the TLS 1.2 protocol change inadvertently and substantially weakened the default digital signatures and provides (rsa,sha1) and even (rsa,md5).^[29]

Datagram Transport Layer Security (DTLS or Datagram TLS) 1.0 is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated. The revision DTLS 1.2 based on TLS 1.2 was published in January 2012.^[30]

TLS 1.3 (2018) specified in RFC 8446 includes major optimizations and security improvements. QUIC (2021) specified in RFC 9000 and DTLS 1.3 (2022) specified in RFC 9147 builds on TLS 1.3. The publishing of TLS 1.3 and DTLS 1.3 obsoleted TLS 1.2 and DTLS 1.2.

Note that there are known vulnerabilities in SSL 2.0 and SSL 3.0. In 2021, IETF published RFC 8996 also forbidding negotiation of TLS 1.0, TLS 1.1, and DTLS 1.0 due to known vulnerabilities. NIST SP 800-52 requires support of TLS 1.3 by January 2024. Support of TLS 1.3 means that two compliant nodes will never negotiate TLS 1.2.

More information Implementation, SSL 2.0 (insecure) ...

Implementation	SSL 2.0 (insecure)^[31]	SSL 3.0 (insecure)^[32]	TLS 1.0 (deprecated)^[33]	TLS 1.1 (deprecated)^[34]	TLS 1.2^[35]	TLS 1.3	DTLS 1.0 (deprecated)^[36]	DTLS 1.2^[30]
Botan	No	No^[37]	No	No	Yes	Yes	No	Yes
BoringSSL			Yes	Yes	Yes	Yes	Yes	Yes
Bouncy Castle	No	No	Yes	Yes	Yes	Yes (draft version)	Yes	Yes
BSAFE SSL-J^[38]	No	Disabled by default	No^{[lower-alpha 1]}	No^{[lower-alpha 1]}	Yes	Yes	No	No
cryptlib	No	Disabled by default at compile time	Yes	Yes	Yes		No	No
GnuTLS	No^{[lower-alpha 2]}	Disabled by default^[39]	Yes	Yes	Yes	Yes^[40]	Yes	Yes
JSSE	No^{[lower-alpha 2]}	Disabled by default^[41]	Disabled by default^[42]	Disabled by default^[42]	Yes	Yes	Yes	Yes
LibreSSL	No^[43]	No^[44]	Yes	Yes	Yes	Yes	Yes	Yes^[45]
MatrixSSL	No	Disabled by default at compile time^[46]	Yes	Yes	Yes	Yes	Yes	Yes
Mbed TLS	No	No^[47]	No^[47]	No^[47]	Yes	Yes (experimental)	Yes^[48]	Yes^[48]
NSS	No^{[lower-alpha 3]}	Disabled by default^[49]	Yes	Yes^[50]	Yes^[51]	Yes^[52]	Yes^[50]	Yes^[53]
OpenSSL	No^[54]	Disabled by default	Yes	Yes^[55]	Yes^[55]	Yes	Yes	Yes^[56]
s2n^[57]	No	Disabled by default	Yes	Yes	Yes	Yes	No	No
Schannel XP, 2003^[58]	Disabled by default in MSIE 7	Enabled by default	Enabled by default in MSIE 7	No	No	No	No	No
Schannel Vista^[59]	Disabled by default	Enabled by default	Yes	No	No	No	No	No
Schannel 2008^[59]	Disabled by default	Enabled by default	Yes	Disabled by default (KB4019276)	Disabled by default (KB4019276)	No	No	No
Schannel 7, 2008R2^[60]	Disabled by default	Disabled by default in MSIE 11	Yes	Enabled by default in MSIE 11	Enabled by default in MSIE 11	No	Yes^[61]	No^[61]
Schannel 8, 2012^[60]	Disabled by default	Enabled by default	Yes	Disabled by default	Disabled by default	No	Yes	No
Schannel 8.1, 2012R2, 10 v1507 & v1511^[60]	Disabled by default	Disabled by default in MSIE 11	Yes	Yes	Yes	No	Yes	No
Schannel 10 v1607 / 2016^[62]	No	Disabled by default	Yes	Yes	Yes	No	Yes	Yes
Schannel 11 / 2022^[63]	No	Disabled by default	Yes	Yes	Yes	Yes	Yes	Yes
Secure Transport OS X 10.2-10.7, iOS 1-4	Yes	Yes	Yes	No	No		No	No
Secure Transport OS X 10.8-10.10, iOS 5-8	No^{[lower-alpha 4]}	Yes	Yes	Yes^{[lower-alpha 4]}	Yes^{[lower-alpha 4]}		Yes^{[lower-alpha 4]}	No
Secure Transport OS X 10.11, iOS 9	No	No^{[lower-alpha 4]}	Yes	Yes	Yes		Yes	Unknown
Secure Transport OS X 10.13, iOS 11	No	No^{[lower-alpha 4]}	Yes	Yes	Yes	Yes (draft version)^[64]	Yes	Unknown
wolfSSL	No	Disabled by default^[65]	Disabled by default^[66]	Yes	Yes	Yes	Yes	Yes
Erlang/OTP SSL application^[67]	No ^{[lower-alpha 5]}	No ^{[lower-alpha 6]}	Disabled by default ^{[lower-alpha 5]}	Disabled by default ^{[lower-alpha 5]}	Yes	Partially ^{[lower-alpha 7]}	Disabled by default ^{[lower-alpha 5]}	Yes
Implementation	SSL 2.0 (insecure)^[31]	SSL 3.0 (insecure)^[32]	TLS 1.0 (deprecated)^[33]	TLS 1.1 (deprecated)^[34]	TLS 1.2^[35]	TLS 1.3	DTLS 1.0 (deprecated)^[36]	DTLS 1.2^[30]

As of SSL-J 7.0, support for TLS 1.0 and 1.1 has been removed
SSL 2.0 client hello is supported for backward compatibility reasons even though SSL 2.0 is not supported.
Server-side implementation of the SSL/TLS protocol still supports processing of received v2-compatible client hello messages."NSS 3.24 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2016-08-26. Retrieved 2016-06-19.
Secure Transport: SSL 2.0 was discontinued in OS X 10.8. SSL 3.0 was discontinued in OS X 10.11 and iOS 9.TLS 1.1, 1.2 and DTLS are available on iOS 5.0 and later, and OS X 10.9 and later."Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
Since OTP 22
Since OTP 23
"Erlang OTP SSL application TLS 1.3 compliance table".

NSA Suite B Cryptography

Required components for NSA Suite B Cryptography (RFC 6460) are:

Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits. For traffic flow, AES should be used with either the Counter Mode (CTR) for low bandwidth traffic or the Galois/Counter Mode (GCM) mode of operation for high bandwidth traffic (see Block cipher modes of operation) — symmetric encryption
Elliptic Curve Digital Signature Algorithm (ECDSA) — digital signatures
Elliptic Curve Diffie–Hellman (ECDH) — key agreement
Secure Hash Algorithm 2 (SHA-256 and SHA-384) — message digest

Per CNSSP-15, the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.

More information Implementation, TLS 1.2 Suite B ...

Implementation	TLS 1.2 Suite B
Botan	Yes
Bouncy Castle	Yes
BSAFE	Yes^[38]
cryptlib	Yes
GnuTLS	Yes
JSSE	Yes^[68]
LibreSSL	Yes
MatrixSSL	Yes
Mbed TLS	Yes
NSS	No^[69]
OpenSSL	Yes^[56]
S2n
Schannel	Yes^[70]
Secure Transport	No
wolfSSL	Yes
Implementation	TLS 1.2 Suite B

Certifications

Note that certain certifications have received serious negative criticism from people who are actually involved in them.^[71]

More information Implementation, Embedded FIPS Solution ...

Implementation	FIPS 140-1, FIPS 140-2^[72]		Embedded FIPS Solution
Implementation	Level 1	Level 2^{[disputed – discuss]}	Embedded FIPS Solution
Botan^[73]
Bouncy Castle	BC-FJA 1.0.0 (#2768) BC-FJA 1.0.1 (#3152)
BSAFE SSL-J^[74]	Crypto-J 6.0 (1785, 1786) Crypto-J 6.1 / 6.1.1.0.1 (2057, 2058) Crypto-J 6.2 / 6.2.1.1 (2468, 2469) Crypto-J 6.2.4 (3172, 3184) Crypto-J 6.2.5 (#3819, #3820)
cryptlib^[75]
GnuTLS^[76]	Red Hat Enterprise Linux GnuTLS Cryptographic Module (#2780)
JSSE
LibreSSL^[43]	no support
MatrixSSL^[77]	SafeZone FIPS Cryptographic Module: 1.1 (#2389)
Mbed TLS^[78]
NSS^[79]	Network Security Services: 3.2.2 (#247) Network Security Services Cryptographic Module: 3.11.4 (#815), 3.12.4 (#1278), 3.12.9.1 (#1837)	Netscape Security Module: 1 (#7^{[notes 1]}), 1.01 (#47^{[notes 2]}) Network Security Services: 3.2.2 (#248^{[notes 3]}) Network Security Services Cryptographic Module: 3.11.4 (#814^{[notes 4]}), 3.12.4 (#1279, #1280^{[notes 5]})
OpenSSL^[80]	OpenSSL FIPS Object Module: 1.0 (#624), 1.1.1 (#733), 1.1.2 (#918), 1.2, 1.2.1, 1.2.2, 1.2.3 or 1.2.4 (#1051) 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7 or 2.0.8 (#1747)
Schannel^[81]	Cryptographic modules in Windows NT 4.0, 95, 95, 2000, XP, Server 2003, CE 5, CE 6, Mobile 6.x, Vista, Server 2008, 7, Server 2008 R2, 8, Server 2012, RT, Surface, Phone 8 See details on Microsoft FIPS 140 Validated Cryptographic Modules
Secure Transport	Apple FIPS Cryptographic Module: 1.0 (OS X 10.6, #1514), 1.1 (OS X 10.7, #1701) Apple OS X CoreCrypto Module; CoreCrypto Kernel Module: 3.0 (OS X 10.8, #1964, #1956), 4.0 (OS X 10.9, #2015, #2016) Apple iOS CoreCrypto Module; CoreCrypto Kernel Module: 3.0 (iOS 6, #1963, #1944), 4.0 (iOS 7, #2020, #2021)
wolfSSL^[82]	wolfCrypt FIPS Module: 4.0 (#3389) See details on NIST certificate for validated Operating Environments wolfCrypt FIPS Module: 3.6.0 (#2425) See details on NIST certificate for validated Operating Environments		Yes
Implementation	Level 1	Level 2	Embedded FIPS Solution
Implementation	FIPS 140-1, FIPS 140-2		Embedded FIPS Solution

[N 1]
with Sun Sparc 5 w/ Sun Solaris v 2.4SE (ITSEC-rated)
[N 2]
with Sun Ultra-5 w/ Sun Trusted Solaris version 2.5.1 (ITSEC-rated)
[N 3]
with Solaris v8.0 with AdminSuite 3.0.1 as specified in UK IT SEC CC Report No. P148 EAL4 on a SUN SPARC Ultra-1
[N 4]
with these platforms; Red Hat Enterprise Linux Version 4 Update 1 AS on IBM xSeries 336 with Intel Xeon CPU, Trusted Solaris 8 4/01 on Sun Blade 2500 Workstation with UltraSPARC IIIi CPU
[N 5]
with these platforms; Red Hat Enterprise Linux v5 running on an IBM System x3550, Red Hat Enterprise Linux v5 running on an HP ProLiant DL145, Sun Solaris 10 5/08 running on a Sun SunBlade 2000 workstation, Sun Solaris 10 5/08 running on a Sun W2100z workstation

Key exchange algorithms (certificate-only)

This section lists the certificate verification functionality available in the various implementations.

More information Implementation, RSA ...

Implementation	RSA^[35]	RSA-EXPORT (insecure)^[35]	DHE-RSA (forward secrecy)^[35]	DHE-DSS (forward secrecy)^[35]	ECDH-ECDSA^[83]	ECDHE-ECDSA (forward secrecy)^[83]	ECDH-RSA^[83]	ECDHE-RSA (forward secrecy)^[83]	GOST R 34.10-94, 34.10-2001^[84]
Botan	Disabled by default	No	Yes	Disabled by default	No	Yes	No	Yes	No
BSAFE	Yes	No	Yes	Yes	Yes	Yes	Yes	Yes	No
cryptlib	Yes	No	Yes	Yes	No	Yes	No	No	No
GnuTLS	Yes	No	Yes	Disabled by default^[39]	No	Yes	No	Yes	No
JSSE	Yes	Disabled by default	Yes	Yes	Yes	Yes	Yes	Yes	No
LibreSSL	Yes	No^[43]	Yes	Yes	No	Yes	No	Yes	Yes^[85]
MatrixSSL	Yes	No	Yes	No	Yes	Yes	Yes	Yes	No
Mbed TLS	Yes	No	Yes	No	Yes	Yes	Yes	Yes	No
NSS	Yes	Disabled by default	Yes^[86]	Yes	Yes	Yes	Yes	Yes	No^[87]^[88]
OpenSSL	Yes	No^[54]	Yes	Disabled by default^[54]	No	Yes	No	Yes	Yes^[89]
Schannel XP/2003	Yes	Yes	No	XP: Max 1024 bits 2003: 1024 bits only	No	No	No	No	No^[90]
Schannel Vista/2008	Yes	Disabled by default	No	1024 bits by default^[91]	No	Yes	No	except AES_GCM	No^[90]
Schannel 8/2012	Yes	Disabled by default	AES_GCM only^[92]^[93]^[94]	1024 bits by default^[91]	No	Yes	No	except AES_GCM	No^[90]
Schannel 7/2008R2, 8.1/2012R2	Yes	Disabled by default	Yes	2048 bits by default^[91]	No	Yes	No	except AES_GCM	No^[90]
Schannel 10	Yes	Disabled by default	Yes	2048 bits by default^[91]	No	Yes	No	Yes	No^[90]
Secure Transport OS X 10.6	Yes	Yes	except AES_GCM	Yes	Yes	except AES_GCM	yes	except AES_GCM	No
Secure Transport OS X 10.8-10.10	Yes	No	except AES_GCM	No	Yes	except AES_GCM	Yes	except AES_GCM	No
Secure Transport OS X 10.11	Yes	No	Yes	No	No	Yes	No	Yes	No
wolfSSL	Yes	No	Yes	No	Yes	Yes	Yes	Yes	No
Erlang/OTP SSL application	Yes	No	Yes	Yes	Yes	Yes	Yes	Yes	No
Implementation	RSA^[35]	RSA-EXPORT (insecure)^[35]	DHE-RSA (forward secrecy)^[35]	DHE-DSS (forward secrecy)^[35]	ECDH-ECDSA^[83]	ECDHE-ECDSA (forward secrecy)^[83]	ECDH-RSA^[83]	ECDHE-RSA (forward secrecy)^[83]	GOST R 34.10-94, 34.10-2001^[84]

Key exchange algorithms (alternative key-exchanges)

More information Implementation, SRP ...

Implementation	SRP^[95]	SRP-DSS^[95]	SRP-RSA^[95]	PSK-RSA^[96]	PSK^[96]	DHE-PSK (forward secrecy)^[96]	ECDHE-PSK (forward secrecy)^[97]	KRB5^[98]	DH-ANON^[35] (insecure)	ECDH-ANON^[83] (insecure)
Botan	No	No	No	No	Yes	No	Yes	No	No	No
BSAFE SSL-J	No	No	No	No	Yes^[99]	No	No	No	Disabled by default	Disabled by default
cryptlib	No	No	No	No	Yes	Yes	No	Unknown	No	No
GnuTLS	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	Disabled by default	Disabled by default
JSSE	No	No	No	No	No	No	No	No	Disabled by default	Disabled by default
LibreSSL	No^[100]	No^[100]	No^[100]	No	No	No	No	No	Yes	Yes
MatrixSSL	No	No	No	Yes	Yes	Yes	No	No	Disabled by default	No
Mbed TLS	No	No	No	Yes	Yes	Yes	Yes	No	No	No
NSS	No^[101]	No^[101]	No^[101]	No^[102]	No^[102]	No^[102]	No^[102]	No	Client side only, disabled by default^[103]	Disabled by default^[104]
OpenSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes^[105]	Disabled by default^[106]	Disabled by default^[106]
Schannel	No	No	No	No	No	No	No	Yes	No	No
Secure Transport	No	No	No	No	No	No	No	Unknown	Yes	Yes
wolfSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes^[107]	Yes	No	No
Erlang/OTP SSL application	Disabled by default	Disabled by default	Disabled by default	Disabled by default	Disabled by default	Disabled by default	No	No	Disabled by default	Disabled by default
Implementation	SRP^[95]	SRP-DSS^[95]	SRP-RSA^[95]	PSK-RSA^[96]	PSK^[96]	DHE-PSK (forward secrecy)^[96]	ECDHE-PSK (forward secrecy)^[97]	KRB5^[98]	DH-ANON^[35] (insecure)	ECDH-ANON^[83] (insecure)

Certificate verification methods

More information Implementation, Application-defined ...

Implementation	Application-defined	PKIX path validation^[108]	CRL^[109]	OCSP^[110]	DANE (DNSSEC)^[111]	Trust on First Use (TOFU)	CT^[112]
Botan	Yes	Yes	Yes	Yes	No	No	Unknown
Bouncy Castle	Yes	Yes	Yes	Yes	Yes	No	Unknown
BSAFE	Yes	Yes	Yes	Yes	No	No	Unknown
cryptlib	Yes	Yes	Yes	Yes	No	No	Unknown
GnuTLS	Yes	Yes	Yes	Yes	Yes	Yes	Unknown
JSSE	Yes	Yes	Yes	Yes	No	No	No
LibreSSL	Yes	Yes	Yes	Yes	No	No	Unknown
MatrixSSL	Yes	Yes	Yes	Yes^[113]	No	No	Unknown
Mbed TLS	Yes	Yes	Yes	No^[114]	No	No	Unknown
NSS	Yes	Yes	Yes	Yes	No^[115]	No	Unknown
OpenSSL	Yes	Yes	Yes	Yes	Yes	No	Yes
s2n			No ^[116]	Unknown ^[117]			Unknown ^[118]
Schannel	Unknown	Yes	Yes^[119]	Yes^[119]	No	No	Unknown
Secure Transport	Yes	Yes	Yes	Yes	No	No	Unknown
wolfSSL	Yes	Yes	Yes	Yes	No	No	Unknown
Erlang/OTP SSL application	Yes	Yes	Yes	No	No	No	Unknown
Implementation	Application-defined	PKIX path validation	CRL	OCSP	DANE (DNSSEC)	Trust on First Use (TOFU)	CT

Encryption algorithms

More information Implementation, Block cipher with mode of operation ...

Implementation	Block cipher with mode of operation										Stream cipher	None
Implementation	AES GCM ^[120]	AES CCM ^[121]	AES CBC	Camellia GCM ^[122]	Camellia CBC ^[123]	ARIA GCM ^[124]	ARIA CBC ^[124]	SEED CBC ^[125]	3DES EDE CBC (insecure)^[126]	GOST 28147-89 CNT (proposed) ^[84]^{[n 1]}	ChaCha20-Poly1305 ^[127]	Null (insecure) ^{[n 2]}
Botan	Yes	Yes	Yes	Yes	Yes	No	No	Disabled by default	Disabled by default	No	Yes^[128]	Not implemented
BoringSSL	Yes	No	Yes	No	No	No	No	No	Yes	No	Yes
BSAFE SSL-J	Yes	Yes	Yes	No	No	No	No	No	Disabled by default	No	No	Disabled by default
cryptlib	Yes	No	Yes	No	No	No	No	No	Yes	No	No	Not implemented
GnuTLS	Yes	Yes^[39]	Yes	Yes	Yes	No	No	No	Disabled by default^[129]	No	Yes^[130]	Disabled by default
JSSE	Yes	No	Yes	No	No	No	No	No	Disabled by default^[131]	No	Yes (JDK 12+)^[132]	Disabled by default
LibreSSL	Yes^[43]	No	Yes	No	Yes^[85]	No	No	No^[43]	Yes	Yes^[85]	Yes^[43]	Disabled by default
MatrixSSL	Yes	No	Yes	No	No	No	No	Yes	Disabled by default	No	Yes^[133]	Disabled by default
Mbed TLS	Yes	Yes ^[134]	Yes	Yes	Yes	Yes^[135]	Yes^[135]	No	No^[47]	No	Yes^[136]	Disabled by default at compile time
NSS	Yes^[137]	No	Yes	No^[138]^{[n 3]}	Yes^[139]	No	No	Yes^[140]	Yes	No^[87]^[88]	Yes^[141]	Disabled by default
OpenSSL	Yes^[142]	Disabled by default^[54]	Yes	No	Disabled by default^[54]	Disabled by default^[143]	No	Disabled by default^[54]	Disabled by default^[54]	Yes^[89]	Yes^[54]	Disabled by default
Schannel XP/2003	No	No	2003 only^[144]	No	No	No	No	No	Yes	No^[90]	No	Disabled by default
Schannel Vista/2008, 2008R2, 2012	No	No	Yes	No	No	No	No	No	Yes	No^[90]	No	Disabled by default
Schannel 7, 8, 8.1/2012R2	Yes except ECDHE_RSA ^[92]^[93]	No	Yes	No	No	No	No	No	Yes	No^[90]	No	Disabled by default
Schannel 10^[145]	Yes	No	Yes	No	No	No	No	No	Yes	No^[90]	No	Disabled by default
Secure Transport OS X 10.6 - 10.10	No	No	Yes	No	No	No	No	No	Yes	No	No	Disabled by default
Secure Transport OS X 10.11	Yes	No	Yes	No	No	No	No	No	Yes	No	No	Disabled by default
wolfSSL	Yes	Yes	Yes	No	No	No	No	No	Yes	No	Yes	Disabled by default
Erlang/OTP SSL application	Yes	No	Yes	No	No	No	No	No	Disabled by default	No	Experimental	Disable by default
Implementation	Block cipher with mode of operation										Stream cipher	None
Implementation	AES GCM ^[120]	AES CCM ^[121]	AES CBC	Camellia GCM ^[122]	Camellia CBC ^[123]	ARIA GCM ^[124]	ARIA CBC ^[124]	SEED CBC ^[125]	3DES EDE CBC (insecure)^[126]	GOST 28147-89 CNT (proposed) ^[84]^{[n 1]}	ChaCha20-Poly1305 ^[127]	Null (insecure) ^{[n 2]}

Notes

[n 1]
This algorithm is not defined yet as TLS cipher suites in RFCs, is proposed in drafts.
[n 2]
authentication only, no encryption
[n 3]
This algorithm is implemented in an NSS fork used by Pale Moon.

Obsolete algorithms

More information Implementation, Block cipher with mode of operation ...

Implementation	Block cipher with mode of operation				Stream cipher
Implementation	IDEA CBC ^{[n 1]}(insecure)^[147]	DES CBC (insecure) ^{[n 1]}	DES-40 CBC (EXPORT, insecure) ^{[n 2]}	RC2-40 CBC (EXPORT, insecure) ^{[n 2]}	RC4-128 (insecure) ^{[n 3]}	RC4-40 (EXPORT, insecure) ^{[n 4]}^{[n 2]}
Botan	No	No	No	No	No^[148]	No
BoringSSL	No	No	No	No	Disabled by default at compile time	No
BSAFE SSL-J	No	Disabled by default	Disabled by default	No	Disabled by default	Disabled by default
cryptlib	No	Disabled by default at compile time	No	No	Disabled by default at compile time	No
GnuTLS	No	No	No	No	Disabled by default^[39]	No
JSSE	No	Disabled by default	Disabled by default	No	Disabled by default	Disabled by default ^[149]
LibreSSL	Yes	Yes	No^[43]	No^[43]	Yes	No^[43]
MatrixSSL	Yes	No	No	No	Disabled by default	No
Mbed TLS	No	Disabled by default at compile time	No	No	Disabled by default at compile time^[48]	No
NSS	Yes	Disabled by default	Disabled by default	Disabled by default	Lowest priority^[150]^[151]	Disabled by default
OpenSSL	Disabled by default^[54]	Disabled by default	No^[54]	No^[54]	Disabled by default	No^[54]
Schannel XP/2003	No	Yes	Yes	Yes	Yes	Yes
Schannel Vista/2008	No	Disabled by default	Disabled by default	Disabled by default	Yes	Disabled by default
Schannel 7/2008R2	No	Disabled by default	Disabled by default	Disabled by default	Lowest priority will be disabled soon^[152]	Disabled by default
Schannel 8/2012	No	Disabled by default	Disabled by default	Disabled by default	Only as fallback	Disabled by default
Schannel 8.1/2012R2	No	Disabled by default	Disabled by default	Disabled by default	Disabled by default^[152]	Disabled by default
Schannel 10^[145]	No	Disabled by default	Disabled by default	Disabled by default	Disabled by default^[152]	Disabled by default
Secure Transport OS X 10.6	Yes	Yes	Yes	Yes	Yes	Yes
Secure Transport OS X 10.7	Yes	Unknown	Unknown	Unknown	Yes	Unknown
Secure Transport OS X 10.8-10.9	Yes	Disabled by default	Disabled by default	Disabled by default	Yes	Disabled by default
Secure Transport OS X 10.10-10.11	Yes	Disabled by default	Disabled by default	Disabled by default	Lowest priority	Disabled by default
Secure Transport macOS 10.12	Yes	Disabled by default	Disabled by default	Disabled by default	Disabled by default	Disabled by default
wolfSSL	Disabled by default^[153]	No	No	No	Disabled by default	No
Erlang/OTP SSL application	no	Disabled by default	no	no	Disabled by default	no
Implementation	Block cipher with mode of operation				Stream cipher
Implementation	IDEA CBC ^{[n 1]}(insecure)^[147]	DES CBC (insecure) ^{[n 1]}	DES-40 CBC (EXPORT, insecure) ^{[n 2]}	RC2-40 CBC (EXPORT, insecure) ^{[n 2]}	RC4-128 (insecure) ^{[n 3]}	RC4-40 (EXPORT, insecure) ^{[n 4]}^{[n 2]}

Notes

[n 1]
IDEA and DES have been removed from TLS 1.2.^[146]
[n 2]
40 bits strength of cipher suites were designed to operate at reduced key lengths in order to comply with US regulations about the export of cryptographic software containing certain strong encryption algorithms (see Export of cryptography from the United States). These weak suites are forbidden in TLS 1.1 and later.
[n 3]
The RC4 attacks weaken or break RC4 used in SSL/TLS. Use of RC4 is prohibited by RFC 7465.
[n 4]
The RC4 attacks weaken or break RC4 used in SSL/TLS.

Supported elliptic curves

This section lists the supported elliptic curves by each implementation.

Defined curves in RFC 8446 (for TLS 1.3) and RFC 8422, 7027 (for TLS 1.2 and earlier)

More information applicable TLS version, TLS 1.3 and earlier ...

applicable TLS version	TLS 1.3 and earlier					TLS 1.2 and earlier
Implementation	secp256r1 prime256v1 NIST P-256 (0x0017,^[154] 23^[155])	secp384r1 NIST P-384 (0x0018,^[154] 24^[155])	secp521r1 NIST P-521 (0x0019,^[154] 25^[155])	X25519 (0x001D,^[154] 29^[155])	X448 (0x001E,^[154] 30^[155])	brainpoolP256r1 (26)^[156]	brainpoolP384r1 (27)^[156]	brainpoolP512r1 (28)^[156]
Botan	Yes	Yes	Yes	Yes^[128]	No	Yes^[157]	Yes^[157]	Yes^[157]
BoringSSL	Yes	Yes	Yes (disabled by default)	Yes	No	No	No	No
BSAFE	Yes	Yes	Yes	No	No	No	No	No
GnuTLS	Yes	Yes	Yes	Yes^[158]	Yes^[159]	No	No	No
JSSE	Yes	Yes	Yes	Yes x25519: JDK 13+^[160] Ed25519:JDK 15+^[161]	Yes x448: JDK 13+^[160] Ed448: JDK 15+^[161]	No	No	No
LibreSSL	Yes	Yes	Yes	Yes^[162]	No	Yes^[43]	Yes^[43]	Yes^[43]
MatrixSSL	Yes	Yes	Yes	TLS 1.3 only^[163]	No	Yes	Yes	Yes
Mbed TLS	Yes	Yes	Yes	Primitive only^[164]	Primitive only^[165]	Yes^[166]	Yes^[166]	Yes^[166]
NSS	Yes	Yes	Yes	Yes^[167]	No^[168]^[169]	No^[170]	No^[170]	No^[170]
OpenSSL	Yes	Yes	Yes	Yes^[171]^[172]	Yes^[173]^[174]	Yes^[56]	Yes^[56]	Yes^[56]
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10	Yes	Yes	Yes	No	No	No	No	No
Secure Transport	Yes	Yes	Yes	No	No	No	No	No
wolfSSL	Yes	Yes	Yes	Yes^[175]	Yes^[176]	Yes	Yes	Yes
Erlang/OTP SSL application	Yes	Yes	Yes	No	No	Yes	Yes	Yes
Implementation	secp256r1 prime256v1 NIST P-256 (0x0017, 23)	secp384r1 NIST P-384 (0x0018, 24)	secp521r1 NIST P-521 (0x0019, 25)	X25519 (0x001D, 29)	X448 (0x001E, 30)	brainpoolP256r1 (26)	brainpoolP384r1 (27)	brainpoolP512r1 (28)

Proposed curves

More information Implementation, M221Curve2213 ...

Implementation	M221 Curve2213 ^[177]	E222 ^[177]	Curve1174 ^[177]	E382 ^[177]	M383 ^[177]	Curve383187 ^[177]	Curve41417 Curve3617 ^[177]	M511 Curve511187 ^[177]	E521 ^[177]
Botan	No	No	No	No	No	No	No	No	No
BoringSSL	No	No	No	No	No	No	No	No	No
BSAFE	No	No	No	No	No	No	No	No	No
GnuTLS	No	No	No	No	No	No	No	No	No
JSSE	No	No	No	No	No	No	No	No	No
LibreSSL	No	No	No	No	No	No	No	No	No
MatrixSSL	No	No	No	No	No	No	No	No	No
Mbed TLS	No	No	No	No	No	No	No	No	No
NSS	No	No	No	No	No	No	No	No	No
OpenSSL	No	No	No	No	No	No	No	No	No
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10	No	No	No	No	No	No	No	No	No
Secure Transport	No	No	No	No	No	No	No	No	No
wolfSSL	No	No	No	No	No	No	No	No	No
Erlang/OTP SSL application	No	No	No	No	No	No	No	No	No
Implementation	M221 Curve2213	E222	Curve1174	E382	M383	Curve383187	Curve41417 Curve3617	M511 Curve511187	E521

Deprecated curves in RFC 8422

More information Implementation, sect163k1NIST K-163 (1) ...

Implementation	sect163k1 NIST K-163 (1)^[83]	sect163r1 (2)^[83]	sect163r2 NIST B-163 (3)^[83]	sect193r1 (4)^[83]	sect193r2 (5)^[83]	sect233k1 NIST K-233 (6)^[83]	sect233r1 NIST B-233 (7)^[83]	sect239k1 (8)^[83]	sect283k1 NIST K-283 (9)^[83]	sect283r1 NIST B-283 (10)^[83]	sect409k1 NIST K-409 (11)^[83]	sect409r1 NIST B-409 (12)^[83]	sect571k1 NIST K-571 (13)^[83]	sect571r1 NIST B-571 (14)^[83]
Botan	No	No	No	No	No	No	No	No	No	No	No	No	No	No
BoringSSL	No	No	No	No	No	No	No	No	No	No	No	No	No	No
BSAFE	Yes	No	Yes	No	No	Yes	Yes	No	Yes	Yes	Yes	Yes	Yes	Yes
GnuTLS	No	No	No	No	No	No	No	No	No	No	No	No	No	No
JSSE	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}
LibreSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
MatrixSSL	No	No	No	No	No	No	No	No	No	No	No	No	No	No
Mbed TLS	No	No	No	No	No	No	No	No	No	No	No	No	No	No
NSS	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
OpenSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10	No	No	No	No	No	No	No	No	No	No	No	No	No	No
Secure Transport	No	No	No	No	No	No	No	No	No	No	No	No	No	No
wolfSSL	No	No	No	No	No	No	No	No	No	No	No	No	No	No
Erlang/OTP SSL application	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Implementation	sect163k1 NIST K-163 (1)	sect163r1 (2)	sect163r2 NIST B-163 (3)	sect193r1 (4)	sect193r2 (5)	sect233k1 NIST K-233 (6)	sect233r1 NIST B-233 (7)	sect239k1 (8)	sect283k1 NIST K-283 (9)	sect283r1 NIST B-283 (10)	sect409k1 NIST K-409 (11)	sect409r1 NIST B-409 (12)	sect571k1 NIST K-571 (13)	sect571r1 NIST B-571 (14)

More information Implementation, secp160k1 (15) ...

Implementation	secp160k1 (15)^[83]	secp160r1 (16)^[83]	secp160r2 (17)^[83]	secp192k1 (18)^[83]	secp192r1 prime192v1 NIST P-192 (19)^[83]	secp224k1 (20)^[83]	secp224r1 NIST P-244 (21)^[83]	secp256k1 (22)^[83]	arbitrary prime curves (0xFF01)^[83]^[180]	arbitrary char2 curves (0xFF02)^[83]^[180]
Botan	No	No	No	No	No	No	No	No	No	No
BoringSSL	No	No	No	No	No	No	Yes	No	No	No
BSAFE	No	No	No	No	Yes	No	Yes	No	No	No
GnuTLS	No	No	No	No	Yes	No	Yes	No	No	No
JSSE	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	Notes^{[lower-alpha 1]}^{[lower-alpha 2]}	No	No
LibreSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
MatrixSSL	No	No	No	No	Yes	No	Yes	No	No	No
Mbed TLS	No	No	No	Yes	Yes	Yes	Yes	Yes	No	No
NSS	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
OpenSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10	No	No	No	No	No	No	No	No	No	No
Secure Transport	No	No	No	No	Yes	No	No	No	No	No
wolfSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
Erlang/OTP SSL application	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
Implementation	secp160k1 (15)	secp160r1 (16)	secp160r2 (17)	secp192k1 (18)	secp192r1 prime192v1 NIST P-192 (19)	secp224k1 (20)	secp224r1 NIST P-244 (21)	secp256k1 (22)	arbitrary prime curves (0xFF01)	arbitrary char2 curves (0xFF02)

Notes

These elliptic curves were "Disabled by Default" in current JDK families as part of JDK-8236730.^[178]
These elliptic curves were subsequently removed in JDK 16+ as part of JDK-8252601.^[179]

Data integrity

More information Implementation, HMAC-MD5 ...

Implementation	HMAC-MD5	HMAC-SHA1	HMAC-SHA256/384	AEAD	GOST 28147-89 IMIT^[84]	GOST R 34.11-94^[84]
Botan	No	Yes	Yes	Yes	No	No
BSAFE	Yes	Yes	Yes	Yes	No	No
cryptlib	Yes	Yes	Yes	Yes	No	No
GnuTLS	Yes	Yes	Yes	Yes	No	No
JSSE	Disabled by Default	Yes	Yes	Yes	No	No
LibreSSL	Yes	Yes	Yes	Yes	Yes^[85]	Yes^[85]
MatrixSSL	Yes	Yes	Yes	Yes	No	No
Mbed TLS	Yes	Yes	Yes	Yes	No	No
NSS	Yes	Yes	Yes	Yes	No^[87]^[88]	No^[87]^[88]
OpenSSL	Yes	Yes	Yes	Yes	Yes^[89]	Yes^[89]
Schannel XP/2003, Vista/2008	Yes	Yes	XP SP3, 2003 SP2 via hotfix^[181]	No	No^[90]	No^[90]
Schannel 7/2008R2, 8/2012, 8.1/2012R2	Yes	Yes	Yes	except ECDHE_RSA^[92]^[93]^[94]	No^[90]	No^[90]
Schannel 10	Yes	Yes	Yes	Yes^[145]	No^[90]	No^[90]
Secure Transport	Yes	Yes	Yes	Yes	No	No
wolfSSL	Yes	Yes	Yes	Yes	No	No
Erlang/OTP SSL application	Yes	Yes	Yes	Yes	No	No
Implementation	HMAC-MD5	HMAC-SHA1	HMAC-SHA256/384	AEAD	GOST 28147-89 IMIT	GOST R 34.11-94

Compression

Note the CRIME security exploit takes advantage of TLS compression, so conservative implementations do not enable compression at the TLS level. HTTP compression is unrelated and unaffected by this exploit, but is exploited by the related BREACH attack.

More information Implementation, DEFLATE (insecure) ...

Implementation	DEFLATE^[182] (insecure)
Botan	No
BSAFE^[38]	No
cryptlib	No
GnuTLS	Disabled by default
JSSE	No
LibreSSL	No^[43]
MatrixSSL	Disabled by default
Mbed TLS	Disabled by default
NSS	Disabled by default
OpenSSL	Disabled by default
Schannel	No
Secure Transport	No
wolfSSL	Disabled by default
Erlang/OTP SSL application	No
Implementation	DEFLATE

Extensions

In this section the extensions each implementation supports are listed. Note that the Secure Renegotiation extension is critical for HTTPS client security ^{[citation needed]}. TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.

More information Implementation, Secure Renegotiation ...

Implementation	Secure Renegotiation ^[183]	Server Name Indication ^[184]	ALPN ^[185]	Certificate Status Request ^[184]	OpenPGP ^[186]	Supplemental Data ^[187]	Session Ticket ^[188]	Keying Material Exporter ^[189]	Maximum Fragment Length ^[184]	Truncated HMAC ^[184]	Encrypt-then-MAC ^[190]	TLS Fallback SCSV ^[191]	Extended Master Secret ^[192]	ClientHello Padding ^[193]	Raw Public Keys ^[194]
Botan	Yes	Yes	Yes^[195]	No	No	No	Yes	Yes	Yes	No	Yes	Yes^[196]	Yes^[197]	No	Unknown
BSAFE SSL-J	Yes	Yes	No	Yes	No	No	No	No	Yes	No	No	No	Yes	No	No
cryptlib	Yes	Yes	No	No	No	Yes	No	No	No^[198]	No	Yes	Yes	Yes	No	Unknown
GnuTLS	Yes	Yes	Yes^[199]	Yes	No^[200]	Yes	Yes	Yes	Yes	No	Yes^[39]	Yes^[201]	Yes^[39]	Yes^[202]	Yes^[203]
JSSE	Yes	Yes^[68]	Yes^[68]	Yes	No	No	Yes	No	Yes	No	No	No	Yes	No	No
LibreSSL	Yes	Yes	Yes^[204]	Yes	No	No?	Yes	Yes?	No	No	No	Server side only^[205]	No	Yes	No
MatrixSSL	Yes	Yes	Yes^[206]	Yes^[133]	No	No	Yes	No	Yes	Yes	No	Yes^[133]	Yes^[133]	No	Unknown
Mbed TLS	Yes	Yes	Yes^[207]	No	No	No	Yes	No	Yes	Disabled by default^[48]	Yes^[208]	Yes^[208]	Yes^[208]	No	No
NSS	Yes	Yes	Yes^[209]	Yes	No^[210]	No	Yes	Yes	No	No	No^[211]	Yes^[212]	Yes^[213]	Yes^[209]	Unknown
OpenSSL	Yes	Yes	Yes^[56]	Yes	No	No?	Yes	Yes	Yes	No	Yes	Yes^[214]	Yes^[54]	Yes^[215]	Yes^[216]
Schannel XP/2003	No	No	No	No	No	Yes	No	No	No	No	No	No	No	No	Unknown
Schannel Vista/2008	Yes	Yes	No	No	No	Yes	No	No	No	No	No	No	Yes^[217]	No	Unknown
Schannel 7/2008R2	Yes	Yes	No	Yes	No	Yes	No	No	No	No	No	No	Yes^[217]	No	Unknown
Schannel 8/2012	Yes	Yes	No	Yes	No	Yes	Client side only^[218]	No	No	No	No	No	Yes^[217]	No	Unknown
Schannel 8.1/2012R2, 10	Yes	Yes	Yes	Yes	No	Yes	Yes^[218]	No	No	No	No	No	Yes^[217]	No	Unknown
Secure Transport	Yes	Yes	Unknown	No	No	Yes	No	No	No	No	No	No	No	No	Unknown
wolfSSL	Yes	Yes	Yes^[153]	Yes	No	No	Yes	No	Yes	Yes	Yes^[219]	No	Yes	No	Unknown
Erlang/OTP SSL application	Yes	Yes	Yes	No	No	No	No	No	No	No	No	Yes	No	No	Unknown
Implementation	Secure Renegotiation	Server Name Indication	ALPN	Certificate Status Request	OpenPGP	Supplemental Data	Session Ticket	Keying Material Exporter	Maximum Fragment Length	Truncated HMAC	Encrypt-then-MAC	TLS Fallback SCSV	Extended Master Secret	ClientHello Padding	Raw Public Keys

Assisted cryptography

This section lists the known ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or utilize system specific devices that allow access to underlying cryptographic hardware for acceleration or for data separation.

More information Implementation, PKCS #11 device ...

Implementation	PKCS #11 device	Intel AES-NI	VIA PadLock	ARMv8-A	Intel SGX	Intel QAT	Intel SHA	NXP CAAM
Botan	Yes^[220]	Yes	No	Yes	No	No		No
BSAFE SSL-J ^{[lower-alpha 1]}^{[lower-alpha 2]}	Yes	Yes	No	Yes	No	No	Yes	No
cryptlib	Yes	Yes	Yes	No		No
Crypto++		Yes				No	Yes
GnuTLS	Yes	Yes	Yes	Yes^[223]	No	No	Yes
JSSE	Yes	Yes^[224]	No	No		No		No
LibreSSL	No	Yes	Yes	No		No
MatrixSSL	Yes	Yes	No	Yes		No		No
Mbed TLS	Yes	Yes^[225]	Yes	No		No		No
NSS	Yes^[226]	Yes^[227]	No^[228]	No		No		No
OpenSSL	Yes^[229]	Yes	Yes	Yes^[230]		No	Yes	Partial
Schannel	No	Yes	No	No		No		No
Secure Transport	No	Yes^[231]^[232]	No	Yes		No		No
wolfSSL	Yes	Yes	No	Yes	Yes	Yes^[233]		Yes^[234]
Implementation	PKCS #11 device	Intel AES-NI	VIA PadLock	ARMv8-A	Intel SGX	Intel QAT	Intel SHA	NXP CAAM

Pure Java implementations relies on JVM processor optimization capabilities, such as OpenJDK support for AES-NI^[221]
BSAFE SSL-J can be configured to run in native mode, using BSAFE Crypto-C Micro Edition to benefit from processor optimization.^[222]

System-specific backends

This section lists the ability of an implementation to take advantage of the available operating system specific backends, or even the backends provided by another implementation.

More information Implementation, /dev/crypto ...

Implementation	/dev/crypto	af_alg	Windows CSP	CommonCrypto	OpenSSL engine
Botan	No	No	No	No	Partial
BSAFE	No	No	No	No	No
cryptlib	No	No	No	No	No
GnuTLS	Yes	Yes	No	No	No
JSSE	No	No	Yes	No	No
LibreSSL	No	No	No	No	No^[235]
MatrixSSL	No	No	No	Yes	Yes
Mbed TLS	No	No	No	No	No
NSS	No	No	No	No	No
OpenSSL	Yes	Yes	No	No	Yes
Schannel	No	No	Yes	No	No
Secure Transport	No	No	No	Yes	No
wolfSSL	Yes	Yes	Partial	No	Yes^[236]
Erlang/OTP SSL application	No	No	No	No	Yes
Implementation	/dev/crypto	af_alg	Windows CSP	CommonCrypto	OpenSSL engine

Cryptographic module/token support

More information Implementation, TPM support ...

Implementation	TPM support	Hardware token support	Objects identified via
Botan	Partial^[197]	PKCS #11
BSAFE SSL-J	No	No
cryptlib	No	PKCS #11	User-defined label
GnuTLS	Yes	PKCS #11	RFC 7512 PKCS #11 URLs^[237]
JSSE	No	PKCS11 Java Cryptography Architecture, Java Cryptography Extension
LibreSSL	Yes	PKCS #11 (via 3rd party module)	Custom method
MatrixSSL	No	PKCS #11
Mbed TLS	No	PKCS #11 (via libpkcs11-helper) or standard hooks	Custom method
NSS	No	PKCS #11
OpenSSL	Yes	PKCS #11 (via 3rd party module)^[238]	RFC 7512 PKCS #11 URLs^[237]
Schannel	No	Microsoft CryptoAPI	UUID, User-defined label
Secure Transport
wolfSSL	Yes	PKCS #11
Implementation	TPM support	Hardware token support	Objects identified via

Code dependencies

More information Implementation, Dependencies ...

Implementation	Dependencies	Optional dependencies
Botan	C++20	SQLite zlib (compression) bzip2 (compression) liblzma (compression) boost trousers (TPM)
GnuTLS	libc nettle gmp	zlib (compression) p11-kit (PKCS #11) trousers (TPM) libunbound (DANE)
JSSE	Java
MatrixSSL	none	zlib (compression)
MatrixSSL-open	libc or newlib
Mbed TLS	libc	libpkcs11-helper (PKCS #11) zlib (compression)
NSS	libc libnspr4 libsoftokn3 libplc4 libplds4	zlib (compression)
OpenSSL	libc	zlib (compression) brotli (compression) zstd (compression)
wolfSSL	None	libc zlib (compression)
Erlang/OTP SSL application	libcrypto (from OpenSSL), Erlang/OTP and its public_key, crypto and asn1 applications	Erlang/OTP -inets (http fetching of CRLs)
Implementation	Dependencies	Optional dependencies

Development environment

More information Implementation, Namespace ...

Implementation	Namespace	Build tools	API manual	Crypto back-end	OpenSSL compatibility Layer^[clarify]
Botan	Botan::TLS	Makefile	Sphinx	Included (pluggable)	No
Bouncy Castle	org.bouncycastle	Java Development Environment	Programmers reference manual (PDF)	Included (pluggable)	No
BSAFE SSL-J	com.rsa.asn1^[a] com.rsa.certj^[b] com.rsa.jcp^[c] com.rsa.jsafe^[d] com.rsa.ssl^[e] com.rsa.jsse^[f]	Java classloader	Javadoc, Developer's guide (HTML)	Included	No
cryptlib	crypt*	makefile, MSVC project workspaces	Programmers reference manual (PDF), architecture design manual (PDF)	Included (monolithic)	No
GnuTLS	gnutls_*	Autoconf, automake, libtool	Manual and API reference (HTML, PDF)	External, libnettle	Yes (limited)
JSSE	javax.net.ssl sun.security.ssl	Makefile	API Reference (HTML) + JSSE Reference Guide	Java Cryptography Architecture, Java Cryptography Extension	No
MatrixSSL	matrixSsl_* ps*	Makefile, MSVC project workspaces, Xcode projects for OS X and iOS	API Reference (PDF), Integration Guide	Included (pluggable)	Yes (Subset: SSL_read, SSL_write, etc.)
Mbed TLS	mbedtls_ssl_* mbedtls_sha1_* mbedtls_md5_* mbedtls_x509* ...	Makefile, CMake, MSVC project workspaces, yotta	API Reference + High Level and Module Level Documentation (HTML)	Included (monolithic)	No
NSS	CERT_* SEC_* SECKEY_* NSS_* PK11_* SSL_* ...	Makefile	Manual (HTML)	Included, PKCS#11 based^[239]	Yes (separate package called nss_compat_ossl^[240])
OpenSSL	SSL_* SHA1_* MD5_* EVP_* ...	Makefile	Man pages	Included (monolithic)	—
wolfSSL	wolfSSL_* CyaSSL_* SSL_*	Autoconf, automake, libtool, MSVC project workspaces, XCode projects, CodeWarrior projects, MPLAB X projects, Keil, IAR, Clang, GCC, e2Studio	Manual and API Reference (HTML, PDF)	Included (monolithic)	Yes (about 60% of API)
Implementation	Namespace	Build tools	API manual	Crypto back-end	OpenSSL compatibility layer

^
ASN.1 manipulation classes
^
Cert-J proprietary API
^
Certificate Path manipulation classes
^
Crypto-J proprietary API, JCE, CMS and PKI
^
SSLJ proprietary API
^
JSSE API

Portability concerns

More information Implementation, Platform requirements ...

Implementation	Platform requirements	Network requirements	Thread safety	Random seed	Able to cross-compile	No OS (bare metal)	Supported operating systems
Botan	C++11	None	Thread-safe	Platform-dependent	Yes		Windows, Linux, macOS, Android, iOS, FreeBSD, OpenBSD, Solaris, AIX, HP-UX, QNX, BeOS, IncludeOS
BSAFE SSL-J	Java	Java SE network components	Thread-safe	Depends on java.security.SecureRandom	Yes	No	FreeBSD, Linux, macOS, Microsoft Windows, Android, AIX, Solaris
cryptlib	C89	POSIX send() and recv(). API to supply your own replacement	Thread-safe	Platform-dependent, including hardware sources	Yes	Yes	AMX, BeOS, ChorusOS, DOS, eCos, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, Palm OS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, macOS, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK
GnuTLS	C89	POSIX send() and recv(). API to supply your own replacement.	Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available.	Platform dependent	Yes	No	Generally any POSIX platforms or Windows, commonly tested platforms include Linux, Win32/64, macOS, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD.
JSSE	Java	Java SE network components	Thread-safe	Depends on java.security.SecureRandom	Yes		Java based, platform-independent
MatrixSSL	C89	None	Thread-safe	Platform dependent	Yes	Yes	All
Mbed TLS	C89	POSIX read() and write(). API to supply your own replacement.	Threading layer available (POSIX or own hooks)	Random seed set through entropy pool	Yes	Yes	Known to work on: Win32/64, Linux, macOS, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox, Android, eCos, SeggerOS, RISC OS
NSS	C89, NSPR^[241]	NSPR^[241] PR_Send() and PR_Recv(). API to supply your own replacement.	Thread-safe	Platform dependent^[242]	Yes (but cumbersome)	No	AIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, macOS, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation
OpenSSL	C89	None	Thread-safe	Platform dependent	Yes	No	Unix-like, DOS (with djgpp), Windows, OpenVMS, NetWare, eCos
wolfSSL	C89	POSIX send() and recv(). API to supply your own replacement.	Thread-safe	Random seed set through wolfCrypt	Yes	Yes	Win32/64, Linux, macOS, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Yocto Project, OpenEmbedded, WinCE, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, NonStop, TRON/ITRON/µITRON, eCos, Micrium µC/OS-III, FreeRTOS, SafeRTOS, NXP/Freescale MQX, Nucleus, TinyOS, HP/UX, AIX, ARC MQX, Keil RTX, TI-RTOS, uTasker, embOS, INtime, Mbed, uT-Kernel, RIOT, CMSIS-RTOS, FROSTED, Green Hills INTEGRITY, TOPPERS, PetaLinux, Apache mynewt
Implementation	Platform requirements	Network requirements	Thread safety	Random seed	Able to cross-compile	No OS (bare metal)	Supported operating systems

References

[1]
"Botan: Release Notes". Retrieved 2023-10-09.
[2]
"Release Notes - bouncycastle.org". 2023-11-13. Retrieved 2023-11-18.
[3]
"Java LTS Resources - bouncycastle.org". 2024-03-01. Retrieved 2024-03-31.
[4]
"Java FIPS Resources - bouncycastle.org". 2023-09-28. Retrieved 2022-09-29.
[5]
"The Legion of the Bouncy Castle C# Cryptography APIs". 2024-02-05. Retrieved 2024-02-06.
[6]
"C# .NET FIPS Resources - bouncycastle.org". 2023-02-28. Retrieved 2023-02-28.
[7]
"Dell BSAFE SSL-J 6.5.1 Release Advisory". Dell.
[8]
"Dell BSAFE SSL-J 7.2 Release Advisory". Dell.
[9]
"Dell BSAFE Micro Edition Suite 4.6.2 Release Advisory".
[10]
"Dell BSAFE Micro Edition Suite 5.0.2.1 Release Advisory".
[11]
Gutmann, Peter (2019). "Downloading". cryptlib. University of Auckland School of Computer Science. Retrieved 2019-08-07.
[12]
"gnutls 3.8.5".
[13]
"JDK Releases". Oracle Corporation. Retrieved 2022-12-09.
[14]
"JDK Releases". Oracle Corporation. Retrieved 2024-01-17.
[15]
Brent Cook (28 March 2024). "LibreSSL 3.8.4 and 3.9.1 released". Retrieved 28 March 2024.
[16]
The features listed are for the closed source version
[17]
"MatrixSSL 4.2.2 Open release". 2019-09-11. Retrieved 2020-03-20.
[18]
"Release 3.6.0". 28 March 2024. Retrieved 23 April 2024.
[19]
"NSS:Release versions". Mozilla Wiki. Retrieved 7 November 2022.
[20]
"OpenSSL version 3.3.0 published". 9 April 2024. Retrieved 11 April 2024.
[21]
"wolfSSL product description". Retrieved 2016-05-03.
[22]
"wolfSSL Embedded SSL/TLS". Retrieved 2016-05-03.
[23]
"wolfSSL ChangeLog". 2023-10-31. Retrieved 2023-10-31.
[24]
Prohibiting Secure Sockets Layer (SSL) Version 2.0. doi:10.17487/RFC6176. RFC 6176.
[25]
Vaudenay, Serge (2001). "CBC-Padding: Security Flaws in SSL, IPsec, WTLS,..." (PDF).
[26]
Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security. doi:10.17487/RFC7366. RFC 7366.
[27]
"Rizzo/Duong BEAST Countermeasures". Archived from the original on 2016-03-11.
[28]
Möller, Bodo; Duong, Thai; Kotowicz, Krzysztof (September 2014). "This POODLE Bites: Exploiting The SSL 3.0 Fallback" (PDF). Retrieved 15 October 2014.
[29]
"TLSv1.2's Major Differences from TLSv1.1". The Transport Layer Security (TLS) Protocol Version 1.2. sec. 1.2. doi:10.17487/RFC5246. RFC 5246.
[30]
RFC 6347
[31]
Elgamal, Taher; Hickman, Kipp E. B. (19 April 1995). The SSL Protocol. I-D draft-hickman-netscape-ssl-00.
[32]
RFC 6101
[33]
RFC 2246
[34]
RFC 4346
[35]
RFC 5246
[36]
RFC 4347
[37]
"Version 1.11.13, 2015-01-11 — Botan". 2015-01-11. Archived from the original on 2015-01-09. Retrieved 2015-01-16.
[38]
"RSA BSAFE Technical Specification Comparison Tables" (PDF). Archived from the original (PDF) on 2015-09-24. Retrieved 2015-01-09.
[39]
"[gnutls-devel] GnuTLS 3.4.0 released". 2015-04-08. Retrieved 2015-04-16.
[40]
"[gnutls-devel] GnuTLS 3.6.3". 2018-07-16. Retrieved 2018-09-16.
[41]
"Java™ SE Development Kit 8, Update 31 Release Notes". Retrieved 2024-01-14.
[42]
"Release Note: Disable TLS 1.0 and 1.1". Retrieved 2024-01-14.
[43]
"OpenBSD 5.6 Released". 2014-11-01. Retrieved 2015-01-20.
[44]
"LibreSSL 2.3.0 Released". 2015-09-23. Retrieved 2015-09-24.
[45]
"LibreSSL 3.3.3 Released". 2021-05-04. Retrieved 2021-05-04.
[46]
"MatrixSSL - News". Archived from the original on 2015-02-14. Retrieved 2014-11-09.
[47]
"Mbed TLS 3.0.0 branch released". GitHub. 2021-07-07. Retrieved 2021-08-13.
[48]
"mbed TLS 2.0.0 released". 2015-07-10. Retrieved 2015-07-14.
[49]
"NSS 3.19 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2015-06-05. Retrieved 2015-05-06.
[50]
"NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2013-01-17. Retrieved 2012-10-27.
[51]
"NSS 3.15.1 release notes". Mozilla Developer Network. Mozilla. Retrieved 2013-08-10.
[52]
"NSS 3.39 release notes". Mozilla Developer Network. Mozilla. 2018-08-31. Archived from the original on 2021-12-07. Retrieved 2018-09-15.
[53]
"NSS 3.16.2 release notes". Mozilla Developer Network. Mozilla. 2014-06-30. Archived from the original on 2021-12-07. Retrieved 2014-06-30.
[54]
"OpenSSL 1.1.0 Series Release Notes". www.openssl.org. Archived from the original on 2018-03-17. Retrieved 2016-09-03.
[55]
"Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]". 2012-03-14. Archived from the original on December 5, 2014. Retrieved 2015-01-20.
[56]
"Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]". Archived from the original on September 4, 2014. Retrieved 2015-01-22.
[57]
"S2N Readme". GitHub. 2019-12-21.
[58]
"TLS Cipher Suites (Windows)". msdn.microsoft.com. 14 July 2023.
[59]
"TLS Cipher Suites in Windows Vista (Windows)". msdn.microsoft.com. 25 October 2021.
[60]
"Cipher Suites in TLS/SSL (Schannel SSP) (Windows)". msdn.microsoft.com. 14 July 2023.
[61]
"An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1". Microsoft. Retrieved 13 November 2012.
[62]
"Protocols in TLS/SSL (Schannel SSP)". Microsoft. 2022-05-25. Retrieved 2023-11-18.
[63]
"Protocols in TLS/SSL (Schannel SSP)". 25 May 2022. Retrieved 6 November 2022.
[64]
"@badger: the 1.3 stuff is apparently in iOS 11 and macOS 10.13". 2018-03-09. Retrieved 2018-03-09.
[65]
"[wolfssl] wolfSSL 3.6.6 Released". 2015-08-20. Retrieved 2015-08-24.
[66]
"[wolfssl] wolfSSL 3.13.0 Released". 2017-12-21. Retrieved 2022-01-17.
[67]
"Erlang -- Standards Compliance".
[68]
"Security Enhancements in JDK 8". docs.oracle.com.
[69]
"Bug 663320 - (NSA-Suite-B-TLS) Implement RFC6460 (NSA Suite B profile for TLS)". Mozilla. Retrieved 2014-05-19.
[70]
"Introducing Compliance to Suite B Cryptography". 18 September 2012.
[71]
"Speeds and Feeds › Secure or Compliant, Pick One". Archived from the original on December 27, 2013.
[72]
"Search - Cryptographic Module Validation Program - CSRC". csrc.nist.gov. Archived from the original on 2014-12-26. Retrieved 2014-03-18.
[73]
""Is botan FIPS 140 certified?" Frequently Asked Questions — Botan". Archived from the original on 2014-11-29. Retrieved 2014-11-16.
[74]
"Search - Cryptographic Module Validation Program - CSRC". csrc.nist.gov. 11 October 2016.
[75]
"cryptlib". 11 October 2013. Archived from the original on 11 October 2013.
[76]
"B.5 Certification". GnuTLS 3.7.7. Retrieved 26 September 2022.
[77]
"Matrix SSL Toolkit" (PDF).
[78]
"Is mbed TLS FIPS certified? - Mbed TLS documentation". Mbed TLS documentation.
[79]
"FIPS Validation - MozillaWiki". wiki.mozilla.org.
[80]
"OpenSSL and FIPS 140-2". Archived from the original on 2013-05-28. Retrieved 2014-11-15.
[81]
"Microsoft FIPS 140 Validated Cryptographic Modules".
[82]
"wolfCrypt FIPS 140-2 Information - wolfSSL Embedded SSL/TLS Library".
[83]
RFC 4492
[84]
GOST 28147-89 Cipher Suites for Transport Layer Security (TLS). I-D draft-chudov-cryptopro-cptls-04.
[85]
"LibreSSL 2.1.2 released". 2014-12-09. Retrieved 2015-01-20.
[86]
"NSS 3.20 release notes". Mozilla. 2015-08-19. Archived from the original on 2021-12-07. Retrieved 2015-08-20.
[87]
Mozilla.org. "Bug 518787 - Add GOST crypto algorithm support in NSS". Retrieved 2014-07-01.
[88]
Mozilla.org. "Bug 608725 - Add Russian GOST cryptoalgorithms to NSS and Thunderbird". Retrieved 2014-07-01.
[89]
"OpenSSL: CVS Web Interface". Archived from the original on 2013-04-15. Retrieved 2014-11-12.
[90]
Extensions to support GOST in Schannel might be available.^{[citation needed]}
[91]
"Microsoft Security Advisory 3174644". 14 October 2022.
[92]
"Microsoft Security Bulletin MS14-066 - Critical (Section Update FAQ)". Microsoft. November 11, 2014. Retrieved 11 November 2014.
[93]
Thomlinson, Matt (November 11, 2014). "Hundreds of Millions of Microsoft Customers Now Benefit from Best-in-Class Encryption". Microsoft Security. Retrieved 11 November 2014.
[94]
"Update adds new TLS cipher suites and changes cipher suite priorities in Windows 8.1 and Windows Server 2012 R2". support.microsoft.com.
[95]
RFC 5054
[96]
RFC 4279
[97]
RFC 5489
[98]
RFC 2712
[99]
"RSA BSAFE SSL-J 6.2.4 Release Notes". 2018-09-05. Archived from the original on 2018-09-10.
[100]
"LibreSSL 2.0.4 released". Retrieved 2014-08-04.
[101]
"Bug 405155 - add support for TLS-SRP, rfc5054". Mozilla. Retrieved 2014-01-25.
[102]
"Bug 306435 - Mozilla browsers should support the new IETF TLS-PSK protocol to help reduce phishing". Mozilla. Retrieved 2014-01-25.
[103]
"Bug 1170510 - Implement NSS server side support for DH_anon". Mozilla. Retrieved 2015-06-03.
[104]
"Bug 236245 - Update ECC/TLS to conform to RFC 4492". Mozilla. Retrieved 2014-06-09.
[105]
"Changes between 0.9.6h and 0.9.7 [31 Dec 2002]". Retrieved 2016-01-29.
[106]
"Changes between 0.9.8n and 1.0.0 [29 Mar 2010]". Retrieved 2016-01-29.
[107]
"wolfSSL (Formerly CyaSSL) Release 3.9.0 (03/18/2016)". 2016-03-18. Retrieved 2016-04-05.
[108]
RFC 5280
[109]
RFC 3280
[110]
RFC 2560
[111]
RFC 6698, RFC 7218
[112]
Laurie, B.; Langley, A.; Kasper, E. (June 2013). Certificate Transparency. IETF. doi:10.17487/RFC6962. ISSN 2070-1721. RFC 6962. Retrieved 2020-08-31.
[113]
"MatrixSSL 3.8.3". Archived from the original on 2017-01-19. Retrieved 2017-01-18.
[114]
"mbed TLS 2.0 defaults implement best practices". Retrieved 2017-01-18.
[115]
"Bug 672600 - Use DNSSEC/DANE chain stapled into TLS handshake in certificate chain validation". Mozilla. Retrieved 2014-06-18.
[116]
"CRL Validation · Issue #3499 · aws/s2n-tls". GitHub. Retrieved 2022-11-01.
[117]
"OCSP digest support for SHA-256 · Issue #2854 · aws/s2n-tls · GitHub". GitHub. Retrieved 2022-11-01.
[118]
"[RFC 6962] s2n Client can Validate Signed Certificate Timestamp TLS Extension · Issue #457 · aws/s2n-tls · GitHub". GitHub. Retrieved 2022-11-01.
[119]
"How Certificate Revocation Works". Microsoft TechNet. Microsoft. March 16, 2012. Retrieved July 10, 2013.
[120]
RFC 5288, RFC 5289
[121]
RFC 6655, RFC 7251
[122]
RFC 6367
[123]
RFC 5932, RFC 6367
[124]
RFC 6209
[125]
RFC 4162
[126]
"Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN". sweet32.info.
[127]
RFC 7905
[128]
"Version 1.11.12, 2015-01-02 — Botan". 2015-01-02. Retrieved 2015-01-09.
[129]
"gnutls 3.6.0". 2017-09-21. Retrieved 2018-01-07.
[130]
"gnutls 3.4.12". 2016-05-20. Archived from the original on 2016-10-13. Retrieved 2016-05-29.
[131]
"Java SE DevelopmentK Kit 10 - 10.0.1 Release Notes". 2018-04-17. Retrieved 2024-01-14.
[132]
"JDK 12 Release Notes". Retrieved 2024-01-14.
[133]
"Changes in 3.8.3". GitHub. Retrieved 2016-06-19.^{[permanent dead link]}
[134]
"PolarSSL 1.3.8 release notes". Archived from the original on 2014-07-14.
[135]
"Mbed TLS 2.11.0, 2.7.4 and 2.1.13 released". Retrieved 2018-08-30.
[136]
"Mbed TLS 2.12.0, 2.7.5 and 2.1.14 released". Retrieved 2018-08-30.
[137]
"NSS 3.25 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2021-12-07. Retrieved 2016-07-01.
[138]
"Bug 940119 - libssl does not support any TLS_ECDHE_*_CAMELLIA_*_GCM cipher suites". Mozilla. Retrieved 2013-11-19.
[139]
"NSS 3.12 is released". Retrieved 2013-11-19.
[140]
"NSS 3.12.3 Release Notes". Mozilla Developer Network. Mozilla. Archived from the original on 2023-04-02. Retrieved 2023-04-01.
[141]
"NSS 3.23 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2021-04-14. Retrieved 2016-03-09.
[142]
"openssl/CHANGES at OpenSSL_1_0_1-stable · openssl/openssl". GitHub. Retrieved 2015-01-20.
[143]
"/news/openssl-1.1.1-notes.doc". www.openssl.org.
[144]
"Cipher Suites in TLS/SSL (Schannel SSP) - Win32 apps". docs.microsoft.com. 14 July 2023.
[145]
"Qualys SSL Labs - Projects / User Agent Capabilities: IE 11 / Win 10 Preview". dev.ssllabs.com.
[146]
RFC 5469
[147]
"Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN".
[148]
"Version 1.11.15, 2015-03-08 — Botan". 2015-03-08. Retrieved 2015-03-11.
[149]
"Java Cryptography Architecture Oracle Providers Documentation". docs.oracle.com.
[150]
"NSS 3.15.3 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2014-06-05. Retrieved 2014-07-13.
[151]
"MFSA 2013-103: Miscellaneous Network Security Services (NSS) vulnerabilities". Mozilla. Retrieved 2014-07-13.
[152]
"RC4 is now disabled in Microsoft Edge and Internet Explorer 11 - Microsoft Edge Dev BlogMicrosoft Edge Dev Blog". blogs.windows.com. 2016-08-09.
[153]
"wolfSSL (Formerly CyaSSL) Release 3.7.0 (10/26/2015)". 2015-10-26. Retrieved 2015-11-19.
[154]
RFC 8446
[155]
RFC 8422
[156]
RFC 7027
[157]
"Version 1.11.5, 2013-11-10 — Botan". 2013-11-10. Retrieved 2015-01-23.
[158]
"An overview of the new features in GnuTLS 3.5.0". 2016-05-02. Retrieved 2016-12-09.
[159]
"gnutls 3.6.12". 2020-02-01. Retrieved 2021-08-31.
[160]
"JDK 13 Early-Access Release Notes". Archived from the original on 2020-04-01. Retrieved 2019-06-20.
[161]
"JEP 339: Edwards-Curve Digital Signature Algorithm (EdDSA)". Retrieved 2024-01-14.
[162]
"LibreSSL 2.5.1 release notes". OpenBSD. 2017-01-31. Retrieved 2017-02-23.
[163]
"MatrixSSL 4.0 changelog". GitHub. Retrieved 2018-09-18.
[164]
"PolarSSL 1.3.3 released". 2013-12-31. Archived from the original on 2014-01-07. Retrieved 2015-01-23.
[165]
"Mbed TLS 2.9.0, 2.7.3 and 2.1.12 released". Retrieved 2018-08-30.
[166]
"PolarSSL 1.3.1 released". 2013-10-15. Archived from the original on 2015-01-23. Retrieved 2015-01-23.
[167]
"Bug 957105 - Add support for curve25519 Key Exchange and UMAC MAC support for TLS". Mozilla. Retrieved 2017-02-23.
[168]
"Bug 1305243 - Support for X448". Mozilla. Retrieved 2022-08-04.
[169]
"Bug 1597057 - Curve448 or named Ed448-Goldilocks support needed (both X448 key exchange and Ed448 signature algorithm )". Mozilla. Retrieved 2022-08-04.
[170]
"Bug 943639 - Support for Brainpool ECC Curve (rfc5639)". Mozilla. Retrieved 2014-01-25.
[171]
"OpenSSL 1.1.0x Release Notes". 25 August 2016. Archived from the original on 18 May 2018. Retrieved 18 May 2018.
[172]
"OpenSSL GitHub Issue #487 Tracker". GitHub. 2 December 2015. Retrieved 18 May 2018.
[173]
"OpenSSL 1.1.1x Release Notes". 1 May 2018. Retrieved 18 May 2018.
[174]
"OpenSSL GitHub Issue #5049 Tracker". GitHub. 9 January 2018. Retrieved 18 May 2018.
[175]
"wolfSSL (Formerly CyaSSL) Release 3.4.6 (03/30/2015)". 2015-03-30. Retrieved 2015-11-19.
[176]
"wolfSSL Release 4.4.0 (04/22/2020)". 2020-04-22. Retrieved 2022-10-18.
[177]
Simon, Josefsson; Manuel, Pégourié-Gonnard. Additional Elliptic Curves for Transport Layer Security (TLS) Key Agreement. I-D draft-josefsson-tls-additional-curves.
[178]
"Release Note: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default. (Java 7u281, 8u271, 11.0.9, 14)". JDK Bug System (JBS). Retrieved 6 January 2022.
[179]
"Release Note: Removal of Legacy Elliptic Curves (Java 16)". JDK Bug System (JBS). Retrieved 6 January 2022.
[180]
Negotiation of arbitrary curves has been shown to be insecure for certain curve sizes Mavrogiannopoulos, Nikos and Vercautern, Frederik and Velichkov, Vesselin and Preneel, Bart (2012). "A cross-protocol attack on the TLS protocol" (PDF). Proceedings of the 2012 ACM conference on Computer and communications security. Association for Computing Machinery. pp. 62–72. doi:10.1145/2382196.2382206. ISBN 978-1-4503-1651-4.{{cite conference}}: CS1 maint: multiple names: authors list (link)
[181]
"SHA2 and Windows". Retrieved 2014-09-08.
[182]
RFC 3749
[183]
RFC 5746
[184]
RFC 6066
[185]
RFC 7301
[186]
RFC 6091
[187]
RFC 4680
[188]
RFC 5077
[189]
RFC 5705
[190]
RFC 7366
[191]
RFC 7507
[192]
RFC 7627
[193]
RFC 7685
[194]
RFC 7250
[195]
"Version 1.11.16, 2015-03-29 — Botan". 2016-03-29. Retrieved 2016-09-08.
[196]
"Version 1.11.10, 2014-12-10 — Botan". 2014-12-10. Retrieved 2014-12-14.
[197]
"Version 1.11.26, 2016-01-04 — Botan". 2016-01-04. Retrieved 2016-02-25.
[198]
Present, but disabled by default due to lack of use by any implementation.
[199]
"gnutls 3.2.0". Archived from the original on 2016-01-31. Retrieved 2015-01-26.
[200]
Mavrogiannopoulos, Nikos (August 21, 2017). "[gnutls-help] GnuTLS 3.6.0 released".
[201]
"gnutls 3.4.4". Archived from the original on 2017-07-17. Retrieved 2015-08-25.
[202]
"%DUMBFW priority keyword". Retrieved 2017-04-30.
[203]
"gnutls 3.6.6". 2019-01-25. Retrieved 2019-09-01.
[204]
"LibreSSL 2.1.3 released". 2015-01-22. Retrieved 2015-01-22.
[205]
"LibreSSL 2.1.4 released". 2015-03-04. Retrieved 2015-03-04.
[206]
"MatrixSSL - News". 2014-12-04. Archived from the original on 2015-02-14. Retrieved 2015-01-26.
[207]
"Download overview - PolarSSL". 2014-04-11. Archived from the original on 2015-02-09. Retrieved 2015-01-26.
[208]
"mbed TLS 1.3.10 released". 2015-02-08. Archived from the original on 2015-02-09. Retrieved 2015-02-09.
[209]
"NSS 3.15.5 release notes". Mozilla Developer Network. Mozilla. Archived from the original on January 26, 2015. Retrieved 2015-01-26.
[210]
"Bug 961416 - Support RFC6091 - Using OpenPGP Keys for Transport Layer Security Authentication (TLS1.2)". Mozilla. Retrieved 2014-06-18.
[211]
"Bug 972145 - Implement the encrypt-then-MAC TLS extension". Mozilla. Retrieved 2014-11-06.
[212]
"NSS 3.17.1 release notes". Archived from the original on 2019-04-19. Retrieved 2014-10-17.
[213]
"NSS 3.21 release notes". Archived from the original on 2021-12-07. Retrieved 2015-11-14.
[214]
"OpenSSL Security Advisory [15 Oct 2014]". 2014-10-15.
[215]
"Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]". 2014-04-07. Archived from the original on 2015-01-20. Retrieved 2015-02-10.
[216]
"OpenSSL Announces Final Release of OpenSSL 3.2.0". 2023-11-23.
[217]
"Microsoft Security Bulletin MS15-121". Retrieved 2017-11-29.
[218]
"What's New in TLS/SSL (Schannel SSP)". Retrieved 2014-06-18.
[219]
"wolfSSL Version 4.2.0 is Now Available!". 22 October 2019. Retrieved 2021-08-13.
[220]
"Version 1.11.31, 2015-08-30 — Botan". 2016-08-30. Retrieved 2016-09-08.
[221]
"JEP 164: Leverage CPU Instructions for AES Cryptography". openjdk.java.net.
[222]
"RSA SecurID PASSCODE Request". sso.rsasecurity.com.
[223]
Mavrogiannopoulos, Nikos (October 9, 2016). "[gnutls-devel] gnutls 3.5.5".
[224]
"Java SSL provider with AES-NI support". stackoverflow.com.
[225]
"PolarSSL 1.3.3 released". 2013-12-31. Archived from the original on 2014-01-07. Retrieved 2014-01-07. We've incorporated support for AES-NI in our AES and GCM modules.
[226]
Normally NSS's libssl performs all operations via the PKCS#11 interface, either to hardware or software tokens
[227]
"Bug 706024 - AES-NI enhancements to NSS on Sandy Bridge systems". Retrieved 2013-09-28.
[228]
"Bug 479744 - RFE : VIA Padlock ACE support (hardware RNG, AES, SHA1 and SHA256)". Retrieved 2014-04-11.
[229]
https://habrahabr.ru/post/134725/, http://forum.rutoken.ru/topic/1639/, https://dev.rutoken.ru/pages/viewpage.action?pageId=18055184 (in Russian)
[230]
"git.openssl.org Git - openssl.git/commitdiff". git.openssl.org.
[231]
https://opensource.apple.com/source/Security/Security-55179.13/sec/Security/SecECKey.c
[232]
"Crypto Officer Role Guide for FIPS 140-2 Compliance OS X Mountain Lion v10.8" (PDF). Apple Inc. 2013.
[233]
"wolfSSL Asynchronous Intel QuickAssist Support - wolfSSL". 18 January 2017.
[234]
"CAAM support in wolfSSL". 10 March 2020.
[235]
"LibreSSL 2.2.1 Released". 2015-07-08. Retrieved 2016-01-30.
[236]
"wolfProvider". 2021-11-10. Retrieved 2022-01-17.
[237]
The PKCS #11 URI Scheme. doi:10.17487/RFC7512. RFC 7512.
[238]
"libp11: PKCS#11 wrapper library". 19 January 2018 – via GitHub.
[239]
On the fly replaceable/augmentable.
[240]
"Nss compat ossl - Fedora Project Wiki". fedoraproject.org.
[241]
"NSPR". Mozilla Developer Network.
[242]
For Unix/Linux it uses /dev/urandom if available, for Windows it uses CAPI. For other platforms it gets data from clock, and tries to open system files. NSS has a set of platform dependent functions it uses to determine randomness.

Share this article:

This article uses material from the Wikipedia article Comparison_of_TLS_implementations, and is written by contributors. Text is available under a CC BY-SA 4.0 International License; additional terms may apply. Images, videos and audio are available under their respective licenses.

Comparison_of_TLS_implementations

Overview

TLS/SSL protocol version support

NSA Suite B Cryptography

Certifications

Key exchange algorithms (certificate-only)

Key exchange algorithms (alternative key-exchanges)

Certificate verification methods

Encryption algorithms

Obsolete algorithms

Supported elliptic curves

Defined curves in RFC 8446 (for TLS 1.3) and RFC 8422, 7027 (for TLS 1.2 and earlier)

Proposed curves

Deprecated curves in RFC 8422

Data integrity

Compression

Extensions

Assisted cryptography

System-specific backends

Cryptographic module/token support

Code dependencies

Development environment

Portability concerns

See also

References

Share this article: