Comparison of TLS implementations
The Transport Layer Security protocol provides the ability to secure communications across or inside networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.
All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.
Overview
| Implementation | Developed by | Open source | Software license | Copyright holder | Written in | Latest stable version, release date | Origin |
| Botan | Jack Lloyd | Jack Lloyd | C++ | US | |||
| BoringSSL | Eric Young, Tim Hudson, Sun, OpenSSL project, Google, and others | C, C++, Go, assembly | No stable releases | Australia/EU | |||
| Bouncy Castle | The Legion of the Bouncy Castle Inc. | Legion of the Bouncy Castle Inc. | Java, C# | Australia | |||
| BSAFE | Dell, formerly RSA Security | Dell | Java, C, assembly | SSL-J Micro Edition Suite | Australia | ||
| cryptlib | Peter Gutmann | and commercial license | Peter Gutmann | C | NZ | ||
| GnuTLS | GnuTLS project | Free Software Foundation | C | EU | |||
| Java Secure Socket Extension | Oracle | and commercial license | Oracle | Java | US | ||
| LibreSSL | OpenBSD Project | Eric Young, Tim Hudson, Sun, OpenSSL project, OpenBSD Project, and others | C, assembly | Canada | |||
| MatrixSSL | PeerSec Networks | and commercial license | PeerSec Networks | C | US | ||
| Mbed TLS | Arm | and commercial license | Arm Holdings | C | EU | ||
| Network Security Services | Mozilla, AOL, Red Hat, Sun, Oracle, Google and others | NSS contributors | C, assembly | US | |||
| OpenSSL | OpenSSL project | Eric Young, Tim Hudson, Sun, OpenSSL project, and others | C, assembly | Australia/EU | |||
| Rustls | Joe Birr-Pixton, Dirkjan Ochtman, Daniel McCarney, Josh Aas, and open source contributors | Open source contributors | Rust | United Kingdom | |||
| s2n | Amazon | and commercial license | Amazon.com, Inc. | C | Continuous | US | |
| Schannel | Microsoft | Microsoft Corporation | Windows 11, 2021-10-05 | US | |||
| Secure Transport | Apple Inc. | Apple Inc. | 57337.20.44, 2015-12-08 | US | |||
| wolfSSL | wolfSSL | and commercial license | wolfSSL Inc. | C, assembly | US | ||
| Erlang/OTP SSL application | Ericsson | Ericsson | Erlang | OTP-21, 2018-06-19 | Sweden | ||
| Implementation | Developed by | Open source | Software license | Copyright owner | Written in | Latest stable version, release date | Origin |
TLS/SSL protocol version support
Several versions of the TLS protocol exist. SSL 2.0 is a deprecated protocol version with significant weaknesses. SSL 3.0 and TLS 1.0 are successors with two weaknesses in CBC-padding that were explained in 2001 by Serge Vaudenay. TLS 1.1 fixed only one of the problems, by switching to random initialization vectors for CBC block ciphers, whereas the more problematic use of mac-pad-encrypt instead of the secure pad-mac-encrypt was addressed with RFC 7366. A workaround for SSL 3.0 and TLS 1.0, roughly equivalent to random IVs from TLS 1.1, was widely adopted by many implementations in late 2011. In 2014, the POODLE vulnerability of SSL 3.0 was discovered, which takes advantage of the known vulnerabilities in CBC, and an insecure fallback negotiation used in browsers.TLS 1.2 introduced a means to identify the hash used for digital signatures. While permitting the use of stronger hash functions for digital signatures in the future over the SSL 3.0 conservative choice, the TLS 1.2 protocol change inadvertently and substantially weakened the default digital signatures and provides and even.
Datagram Transport Layer Security 1.0 is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated. The revision DTLS 1.2 based on TLS 1.2 was published in January 2012.
TLS 1.3 specified in RFC 8446 includes major optimizations and security improvements. QUIC specified in RFC 9000 and DTLS 1.3 specified in RFC 9147 builds on TLS 1.3. The publishing of TLS 1.3 and DTLS 1.3 obsoleted TLS 1.2 and DTLS 1.2.
Note that there are known vulnerabilities in SSL 2.0 and SSL 3.0. In 2021, IETF published RFC 8996 also forbidding negotiation of TLS 1.0, TLS 1.1, and DTLS 1.0 due to known vulnerabilities. NIST SP 800-52 requires support of TLS 1.3 by January 2024. Support of TLS 1.3 means that two compliant nodes will never negotiate TLS 1.2.
| Implementation | SSL 2.0 | SSL 3.0 | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | DTLS 1.0 | DTLS 1.2 | DTLS 1.3 |
| Botan | |||||||||
| BoringSSL | |||||||||
| Bouncy Castle | |||||||||
| BSAFE SSL-J | |||||||||
| cryptlib | |||||||||
| GnuTLS | |||||||||
| JSSE | |||||||||
| LibreSSL | |||||||||
| MatrixSSL | |||||||||
| Mbed TLS | |||||||||
| NSS | |||||||||
| OpenSSL | |||||||||
| Rustls | |||||||||
| s2n | |||||||||
| Schannel XP, 2003 | |||||||||
| Schannel Vista | |||||||||
| Schannel 2008 | |||||||||
| Schannel 7, 2008R2 | |||||||||
| Schannel 8, 2012 | |||||||||
| Schannel 8.1, 2012R2, 10 RTM & v1511 | |||||||||
| Schannel 10 v1607 / 2016 | |||||||||
| Schannel 11 / 2022 | |||||||||
| Secure Transport OS X 10.2–10.7, iOS 1–4 | |||||||||
| Secure Transport OS X 10.8–10.10, iOS 5–8 | |||||||||
| Secure Transport OS X 10.11, iOS 9 | |||||||||
| Secure Transport OS X 10.13, iOS 11 | |||||||||
| wolfSSL | |||||||||
| Erlang/OTP SSL application | |||||||||
| Implementation | SSL 2.0 | SSL 3.0 | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | DTLS 1.0 | DTLS 1.2 | DTLS 1.3 |
NSA Suite B Cryptography
Required components for Suite B Cryptography">NSA Suite B Cryptography">Suite B Cryptography are:- Advanced Encryption Standard with key sizes of 128 and 256 bits. For traffic flow, AES should be used with either the Counter Mode for low bandwidth traffic or the Galois/Counter Mode mode of operation for high bandwidth traffic — symmetric encryption
- Elliptic Curve Digital Signature Algorithm — digital signatures
- Elliptic Curve Diffie–Hellman — key agreement
- Secure Hash Algorithm 2 — message digest
| Implementation | TLS 1.2 Suite B |
| Botan | |
| Bouncy Castle | |
| BSAFE | |
| cryptlib | |
| GnuTLS | |
| JSSE | |
| LibreSSL | |
| MatrixSSL | |
| Mbed TLS | |
| NSS | |
| OpenSSL | |
| Rustls | |
| S2n | |
| Schannel | |
| Secure Transport | |
| wolfSSL | |
| Implementation | TLS 1.2 Suite B |
Certifications
Note that certain certifications have received serious negative criticism from people who are actually involved in them.Key exchange algorithms (certificate-only)
This section lists the certificate verification functionality available in the various implementations.| Implementation | RSA | RSA-EXPORT | DHE-RSA | DHE-DSS | ECDH-ECDSA | ECDHE-ECDSA | ECDH-RSA | ECDHE-RSA | GOST R 34.10-94, 34.10-2001 |
| Botan | |||||||||
| BSAFE | |||||||||
| cryptlib | |||||||||
| GnuTLS | |||||||||
| JSSE | |||||||||
| LibreSSL | |||||||||
| MatrixSSL | |||||||||
| Mbed TLS | |||||||||
| NSS | |||||||||
| OpenSSL | |||||||||
| Rustls | |||||||||
| Schannel XP/2003 | |||||||||
| Schannel Vista/2008 | |||||||||
| Schannel 8/2012 | |||||||||
| Schannel 7/2008R2, 8.1/2012R2 | |||||||||
| Schannel 10 | |||||||||
| Secure Transport OS X 10.6 | |||||||||
| Secure Transport OS X 10.8-10.10 | |||||||||
| Secure Transport OS X 10.11 | |||||||||
| wolfSSL | |||||||||
| Erlang/OTP SSL application | |||||||||
| Implementation | RSA | RSA-EXPORT | DHE-RSA | DHE-DSS | ECDH-ECDSA | ECDHE-ECDSA | ECDH-RSA | ECDHE-RSA | GOST R 34.10-94, 34.10-2001 |
Encryption algorithms
; NotesObsolete algorithms
; NotesSupported elliptic curves
This section lists the supported elliptic curves by each implementation.Deprecated curves in RFC 8422
| Implementation | secp160k1 | secp160r1 | secp160r2 | secp192k1 | secp192r1 prime192v1 | secp224k1 | secp224r1 | secp256k1 | arbitrary prime curves | arbitrary char2 curves |
| Botan | ||||||||||
| BoringSSL | ||||||||||
| BSAFE | ||||||||||
| GnuTLS | ||||||||||
| JSSE | ||||||||||
| LibreSSL | ||||||||||
| MatrixSSL | ||||||||||
| Mbed TLS | ||||||||||
| NSS | ||||||||||
| OpenSSL | ||||||||||
| Rustls | ||||||||||
| Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | ||||||||||
| Secure Transport | ||||||||||
| wolfSSL | ||||||||||
| Erlang/OTP SSL application | ||||||||||
| Implementation | secp160k1 | secp160r1 | secp160r2 | secp192k1 | secp192r1 prime192v1 | secp224k1 | secp224r1 | secp256k1 | arbitrary prime curves | arbitrary char2 curves |
; Notes
Compression
Note the CRIME security exploit takes advantage of TLS compression, so conservative implementations do not enable compression at the TLS level. HTTP compression is unrelated and unaffected by this exploit, but is exploited by the related BREACH attack.| Implementation | DEFLATE |
| Botan | |
| BSAFE | |
| cryptlib | |
| GnuTLS | |
| JSSE | |
| LibreSSL | |
| MatrixSSL | |
| Mbed TLS | |
| NSS | |
| OpenSSL | |
| Rustls | |
| Schannel | |
| Secure Transport | |
| wolfSSL | |
| Erlang/OTP SSL application | |
| Implementation | DEFLATE |
Extensions
In this section the extensions each implementation supports are listed. Note that the Secure Renegotiation extension is critical for HTTPS client security. TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.| Implementation | Secure Renegotiation | Server Name Indication | ALPN | Certificate Status Request | OpenPGP | Supplemental Data | Session Ticket | Keying Material Exporter | Maximum Fragment Length | Encrypt-then-MAC | TLS Fallback SCSV | Extended Master Secret | ClientHello Padding | Raw Public Keys |
| Botan | ||||||||||||||
| BSAFE SSL-J | ||||||||||||||
| cryptlib | ||||||||||||||
| GnuTLS | ||||||||||||||
| JSSE | ||||||||||||||
| LibreSSL | ? | ? | ||||||||||||
| MatrixSSL | ||||||||||||||
| Mbed TLS | ||||||||||||||
| NSS | ||||||||||||||
| OpenSSL | ? | |||||||||||||
| Rustls | ||||||||||||||
| Schannel XP/2003 | ||||||||||||||
| Schannel Vista/2008 | ||||||||||||||
| Schannel 7/2008R2 | ||||||||||||||
| Schannel 8/2012 | ||||||||||||||
| Schannel 8.1/2012R2, 10 | ||||||||||||||
| Secure Transport | ||||||||||||||
| wolfSSL | ||||||||||||||
| Erlang/OTP SSL application | ||||||||||||||
| Implementation | Secure Renegotiation | Server Name Indication | ALPN | Certificate Status Request | OpenPGP | Supplemental Data | Session Ticket | Keying Material Exporter | Maximum Fragment Length | Encrypt-then-MAC | TLS Fallback SCSV | Extended Master Secret | ClientHello Padding | Raw Public Keys |
Assisted cryptography
This section lists the known ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or utilize system specific devices that allow access to underlying cryptographic hardware for acceleration or for data separation.| Implementation | PKCS #11 device | Intel AES-NI | VIA PadLock | ARMv8-A | Intel SHA | NXP CAAM | TPM 2.0 | NXP SE050 | Microchip ATECC | STMicro STSAFE | Maxim MAXQ |
| Botan | |||||||||||
| BSAFE SSL-J | |||||||||||
| cryptlib | |||||||||||
| Crypto++ | |||||||||||
| GnuTLS | |||||||||||
| JSSE | |||||||||||
| LibreSSL | |||||||||||
| MatrixSSL | |||||||||||
| Mbed TLS | |||||||||||
| NSS | |||||||||||
| OpenSSL | |||||||||||
| Rustls | |||||||||||
| Schannel | |||||||||||
| Secure Transport | |||||||||||
| wolfSSL | |||||||||||
| Implementation | PKCS #11 device | Intel AES-NI | VIA PadLock | ARMv8-A | Intel SHA | NXP CAAM | TPM 2.0 | NXP SE050 | Microchip ATECC | STMicro STSAFE | Maxim MAXQ |
System-specific backends
This section lists the ability of an implementation to take advantage of the available operating system specific backends, or even the backends provided by another implementation.| Implementation | /dev/crypto | af_alg | Windows CSP | CommonCrypto | OpenSSL engine |
| Botan | |||||
| BSAFE | |||||
| cryptlib | |||||
| GnuTLS | |||||
| JSSE | |||||
| LibreSSL | |||||
| MatrixSSL | |||||
| Mbed TLS | |||||
| NSS | |||||
| OpenSSL | |||||
| Rustls | |||||
| Schannel | |||||
| Secure Transport | |||||
| wolfSSL | |||||
| Erlang/OTP SSL application | |||||
| Implementation | /dev/crypto | af_alg | Windows CSP | CommonCrypto | OpenSSL engine |