Comparison of TLS implementations

From Wikipedia, the free encyclopedia

The Transport Layer Security (TLS) protocol provides the ability to secure communications across networks. This comparison of TLS implementations covers several of the most notable libraries; several of them are free and open source software.

All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.

Overview

| Implementation | Developed by | Open source | Software license | Copyright owner | Written in | Latest stable version / release date | Origin |
|---|---|---|---|---|---|---|---|
| Botan | Jack Lloyd | Yes | Simplified BSD License | Jack Lloyd | C++ | 1.11.16 (March 29, 2015)[1] | US (Vermont) |
| Bouncy Castle | The Legion of the Bouncy Castle Inc. | Yes | MIT License | Legion of the Bouncy Castle Inc. | Java / C# | 1.52 (Java) (March 1, 2015)[2]; 1.7 (C#) (April 7, 2011)[3] | Australia |
| cryptlib | Peter Gutmann | Yes | Sleepycat License and commercial license | Peter Gutmann | C | 3.4.2 (December 17, 2012)[4] | NZ |
| GnuTLS | GnuTLS project | Yes | GNU LGPLv2.1+ | Free Software Foundation | C | 3.4.0 (April 8, 2015)[5]; 3.3.14 (March 30, 2015)[5] | EU (Greece and Sweden) |
| Java Secure Socket Extension (JSSE) | Oracle | Yes | GNU GPLv2 and commercial license | Oracle | Java | JDK 8 / 2014-03-18 | US |
| LibreSSL | OpenBSD Project | Yes | Apache License 1.0, 4-clause BSD License, ISC License, and some are public domain | Eric Young, Tim Hudson, Sun, OpenSSL project, OpenBSD Project, and others | C, assembly | 2.1.6 (March 19, 2015)[6] | Canada |
| MatrixSSL[7] | PeerSec Networks | Yes | GNU GPLv2+ and commercial license | PeerSec Networks | C | 3.7.2 (April 14, 2015)[8] | US |
| mbed TLS (previously PolarSSL) | Offspark | Yes | GNU GPLv2+ and commercial license | Brainspark B.V. (brainspark.nl) | C | 1.3.10 (February 8, 2015)[9]; 1.2.13 (February 16, 2015)[10] | EU (Netherlands) |
| Network Security Services (NSS) | Mozilla, AOL, Red Hat, Sun, Oracle, Google and others | Yes | MPL 2.0 | NSS contributors | C, assembly | 3.18 (March 19, 2015)[11]; 3.16.2.3 (October 27, 2014)[12] | US |
| OpenSSL | OpenSSL project | Yes | OpenSSL / SSLeay dual-license | Eric Young, Tim Hudson, Sun, OpenSSL project, and others | C, assembly | 1.0.2a (March 19, 2015)[13]; 1.0.1m (March 19, 2015)[13]; 1.0.0r (March 19, 2015)[13]; 0.9.8zf (March 19, 2015)[13] | Australia/EU |
| RSA BSAFE | RSA Security | No[14] | Proprietary | RSA, The Security Division of EMC | | MES: 4.0[15]; SSL-J: 6.1.4[15] | Australia |
| SChannel | Microsoft | No | Proprietary | Microsoft Inc. | | Windows 8.1 / 2013-11-13 | US |
| Secure Transport | Apple Inc. | Yes | APSL 2.0 | Apple Inc. | | 55471.14 (OS X 10.9.2) / 2014-02-25 | US |
| SharkSSL | Realtimelogic LLC[16] | No | Proprietary | Realtimelogic LLC | | 2.1 / 2014-01-12 | US |
| wolfSSL (previously CyaSSL) | wolfSSL | Yes | GNU GPLv2+ and commercial license | wolfSSL Inc. | C | 3.4.6 (March 30, 2015)[17] | US |

Protocol support

Several versions of the TLS protocol exist. SSL 2.0 is a deprecated[18] protocol version with significant weaknesses. SSL 3.0 (1996) and TLS 1.0 (1999) are successors with two weaknesses in CBC padding that were explained in 2001 by Serge Vaudenay.[19] TLS 1.1 (2006) fixed only one of the problems, by switching to random IVs for CBC block ciphers, whereas the more problematic use of mac-pad-encrypt instead of the secure pad-mac-encrypt was ignored and is still present in TLS 1.2 today. A workaround for SSL 3.0 and TLS 1.0, roughly equivalent to the random IVs of TLS 1.1, was widely adopted by many implementations in late 2011,[20] so from a security perspective all existing versions of TLS 1.0, 1.1 and 1.2 provide equivalent strength in the base protocol and are suitable for 128-bit security according to NIST SP800-57 up to at least 2030. In 2014, the POODLE vulnerability in SSL 3.0 was discovered, which makes SSL 3.0 insecure; no workaround exists other than abandoning SSL 3.0 completely.[21]

TLS 1.2 (2008) is the latest published version of the base protocol, introducing a means to identify the hash used for digital signatures. While permitting the use of stronger hash functions for digital signatures in the future (rsa,sha256/sha384/sha512) over the conservative SSL 3.0 choice (rsa,sha1+md5), the TLS 1.2 protocol change inadvertently and substantially weakened the default digital signatures and provides (rsa,sha1) and even (rsa,md5).[22]

Datagram Transport Layer Security (DTLS or Datagram TLS) 1.0 is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated. The revision DTLS 1.2, based on TLS 1.2, was published in January 2012.[23]

Note that there are known vulnerabilities in SSL 2.0 and SSL 3.0. With the exception of the predictable IVs (for which an easy workaround exists), all currently known vulnerabilities affect all versions of TLS 1.0/1.1/1.2 alike.[24]
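The paragraph above says that TLS up to 1.2 still MACs, then pads, then encrypts, and that random IVs fixed only the other Vaudenay problem. The following added example (not from Wikipedia or from any of the libraries compared here) shows concretely what the remaining problem is and why the Encrypt-then-MAC extension listed later in this article (RFC 7366) removes it. It uses a constructed 16-byte Feistel cipher built from SHA-256 in place of AES, because the Python standard library has no block cipher; the record format, padding rule and the two orderings of MAC and encryption follow TLS, while the key values and message are constructed. Every byte of a sealed record is flipped in turn and the distinct receiver errors are collected: the TLS ordering yields two distinguishable failures (bad padding versus bad MAC), whereas encrypt-then-MAC rejects every tampered record before any decryption takes place, with a single uniform error.

```python
import hashlib
import hmac
import os

BLOCK = 16   # toy cipher block size; matches AES, so the TLS padding rule is the same
TAG = 32     # HMAC-SHA256 tag length

# Constructed keys and message (assumption: any values would do).
ENC_KEY = b"\x01" * 16
MAC_KEY = b"\x02" * 32
MESSAGE = b"GET / HTTP/1.1"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    """Round function of the constructed Feistel cipher (stands in for AES)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def toy_block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out += _xor(toy_block_decrypt(key, blk), prev)
        prev = blk
    return out


def tls_pad(data):
    """TLS CBC padding: n+1 trailing bytes, each equal to n."""
    n = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([n]) * (n + 1)


def tls_unpad(data):
    n = data[-1]
    if n + 1 > len(data) or any(b != n for b in data[-(n + 1):]):
        raise ValueError("bad padding")
    return data[:-(n + 1)]


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


# --- TLS default ordering: MAC, pad, encrypt (random per-record IV as in TLS 1.1+) ---
def mte_seal(enc_key, mac_key, plaintext):
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(enc_key, iv, tls_pad(plaintext + _mac(mac_key, plaintext)))


def mte_open(enc_key, mac_key, record):
    iv, body = record[:BLOCK], record[BLOCK:]
    data = tls_unpad(cbc_decrypt(enc_key, iv, body))   # first failure mode: padding
    msg, tag = data[:-TAG], data[-TAG:]
    if not hmac.compare_digest(tag, _mac(mac_key, msg)):
        raise ValueError("bad mac")                      # second failure mode: MAC
    return msg


# --- RFC 7366 ordering: pad, encrypt, then MAC over IV and ciphertext ---
def etm_seal(enc_key, mac_key, plaintext):
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(enc_key, iv, tls_pad(plaintext))
    return body + _mac(mac_key, body)


def etm_open(enc_key, mac_key, record):
    body, tag = record[:-TAG], record[-TAG:]
    if not hmac.compare_digest(tag, _mac(mac_key, body)):
        raise ValueError("bad mac")       # the only failure mode; nothing is decrypted
    return tls_unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))


def failure_modes(open_fn, enc_key, mac_key, record):
    """Flip one bit in every byte of the record and collect the distinct receiver errors."""
    seen = set()
    for pos in range(len(record)):
        tampered = bytearray(record)
        tampered[pos] ^= 0x80
        try:
            open_fn(enc_key, mac_key, bytes(tampered))
            seen.add("accepted")
        except ValueError as exc:
            seen.add(str(exc))
    return seen


if __name__ == "__main__":
    print("mac-then-encrypt:", failure_modes(mte_open, ENC_KEY, MAC_KEY, mte_seal(ENC_KEY, MAC_KEY, MESSAGE)))
    print("encrypt-then-mac:", failure_modes(etm_open, ENC_KEY, MAC_KEY, etm_seal(ENC_KEY, MAC_KEY, MESSAGE)))
```

Real implementations that keep the TLS ordering have to make the two failure paths indistinguishable in both error code and timing, which is the hard part the article refers to; with the extension negotiated, the receiver only ever touches the padding of records whose MAC already verified.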

| Implementation | SSL 2.0 (insecure)[25] | SSL 3.0 (insecure)[26] | TLS 1.0[27] | TLS 1.1[28] | TLS 1.2[29] | DTLS 1.0[30] | DTLS 1.2[23] |
|---|---|---|---|---|---|---|---|
| Botan | No | No[31] | Yes | Yes | Yes | Yes | Yes |
| cryptlib | No | Enabled by default | Yes | Yes | Yes | No | No |
| GnuTLS | No[a] | Disabled by default[32] | Yes | Yes | Yes | Yes | Yes |
| JSSE | No[a] | Disabled by default[b] | Yes | Yes | Yes | No | No |
| LibreSSL | No[33] | Disabled by default[34] | Yes | Yes | Yes | Yes | No |
| MatrixSSL | No[a] | Disabled by default at compile time[35] | Yes | Yes | Yes | Yes | Yes |
| mbed TLS | No[a] | Enabled by default | Yes | Yes | Yes | Beta[36] | Beta[36] |
| NSS | Disabled by default[a] | Enabled by default[37] | Yes | Yes[38] | Yes[39] | Yes[38] | Yes[40] |
| OpenSSL | Enabled by default | Enabled by default | Yes | Yes[41] | Yes[41] | Yes | Yes[42] |
| RSA BSAFE[43] | No | Yes | Yes | Yes | Yes | No | No |
| SChannel XP / 2003[44] | Disabled by default in MSIE 7 | Enabled by default | Enabled by default in MSIE 7 | No | No | No | No |
| SChannel Vista / 2008[45] | Disabled by default | Enabled by default | Yes | No | No | No | No |
| SChannel 7 / 2008R2[46] | Disabled by default | Disabled by default in MSIE 11 | Yes | Enabled by default in MSIE 11 | Enabled by default in MSIE 11 | Yes[47] | Yes[47] |
| SChannel 8 / 2012[46] | Disabled by default | Enabled by default | Yes | Disabled by default | Disabled by default | Yes | Yes |
| SChannel 8.1 / 2012R2, 10 Technical Preview[46] | Disabled by default | Disabled by default in MSIE 11 | Yes | Yes | Yes | Yes | Yes |
| Secure Transport OS X 10.2-10.7 / iOS 1-4 | Yes | Yes | Yes | No | No | No | No |
| Secure Transport OS X 10.8-10.10 / iOS 5-8 | No[c] | Yes | Yes | Yes[c] | Yes[c] | Yes[c] | No |
| SharkSSL | No | Enabled by default | Yes | Yes | Yes | No | No |
| wolfSSL | No | Enabled by default | Yes | Yes | Yes | Yes | Yes |

  a. ^ The SSL 2.0 client hello is accepted for backward compatibility even though SSL 2.0 itself is not supported or is disabled.
  b. ^ SSL 3.0 support has been disabled by default as of Java 8 update 31.[48]
  c. ^ Secure Transport: SSL 2.0 was discontinued in OS X 10.8. TLS 1.1, 1.2 and DTLS are available on iOS 5.0 and later, and OS X 10.8 and later.[49]

NSA Suite B Cryptography

Required components for NSA Suite B Cryptography (RFC 6460) are:

Per CNSSP-15, the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.

| Implementation | TLS 1.2 Suite B |
|---|---|
| Botan | Yes |
| cryptlib | Yes |
| GnuTLS | Yes |
| JSSE | Yes[50] |
| LibreSSL | No |
| MatrixSSL | Yes |
| mbed TLS | Yes |
| NSS | No[51] |
| OpenSSL | Yes[42] |
| RSA BSAFE | Yes[43] |
| SChannel | Yes[52] |
| Secure Transport | No |
| SharkSSL | Yes |
| wolfSSL | Yes |

Certifications

Note that certain certifications have received serious negative criticism from people who are actually involved in them.[53]

| Implementation | FIPS 140-1, FIPS 140-2[54] (Level 1 / Level 2[disputed]) | Common Criteria |
|---|---|---|
| Botan[55] | | |
| cryptlib[56] | | |
| GnuTLS[57] | no support | |
| JSSE | | |
| LibreSSL[33] | no support | |
| MatrixSSL[58] | SafeZone FIPS Cryptographic Module: 1.0.3 and 1.0.3A (#1931) | |
| mbed TLS[59] | | |
| NSS[60] | Level 1: Network Security Services: 3.2.2 (#247); Network Security Services Cryptographic Module: 3.11.4 (#815), 3.12.4 (#1278), 3.12.9.1 (#1837). Level 2: Netscape Security Module: 1 (#7[notes 1]), 1.01 (#47[notes 2]); Network Security Services: 3.2.2 (#248[notes 3]); Network Security Services Cryptographic Module: 3.11.4 (#814[notes 4]), 3.12.4 (#1279, #1280[notes 5]) | |
| OpenSSL[61] | OpenSSL FIPS Object Module: 1.0 (#624), 1.1.1 (#733), 1.1.2 (#918), 1.2, 1.2.1, 1.2.2, 1.2.3 or 1.2.4 (#1051); 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7 or 2.0.8 (#1747) | |
| RSA BSAFE[62] | Crypto-C ME 3.0.0.1, 4.0.1, 4.1 (#2294, #2300); Crypto-J 6.1 (#2057, #2058) | |
| SChannel[63] | Cryptographic modules in Windows NT 4.0, 95, 95, 2000, XP, Server 2003, CE 5, CE 6, Mobile 6.x, Vista, Server 2008, 7, Server 2008 R2, 8, Server 2012, RT, Surface, Phone 8. See details on Microsoft FIPS 140 Validated Cryptographic Modules | |
| Secure Transport | Apple FIPS Cryptographic Module: 1.0 (OS X 10.6, #1514), 1.1 (OS X 10.7, #1701); Apple OS X CoreCrypto Module / CoreCrypto Kernel Module: 3.0 (OS X 10.8, #1964, #1956), 4.0 (OS X 10.9, #2015, #2016); Apple iOS CoreCrypto Module / CoreCrypto Kernel Module: 3.0 (iOS 6, #1963, #1944), 4.0 (iOS 7, #2020, #2021) | |
| SharkSSL | | |
| wolfSSL[64] | (expected in 1Q2015) | |

  1. ^ with Sun Sparc 5 w/ Sun Solaris v 2.4SE (ITSEC-rated)
  2. ^ with Sun Ultra-5 w/ Sun Trusted Solaris version 2.5.1 (ITSEC-rated)
  3. ^ with Solaris v8.0 with AdminSuite 3.0.1 as specified in UK IT SEC CC Report No. P148 EAL4 on a SUN SPARC Ultra-1
  4. ^ with these platforms: Red Hat Enterprise Linux Version 4 Update 1 AS on IBM xSeries 336 with Intel Xeon CPU, Trusted Solaris 8 4/01 on Sun Blade 2500 Workstation with UltraSPARC IIIi CPU
  5. ^ with these platforms: Red Hat Enterprise Linux v5 running on an IBM System x3550, Red Hat Enterprise Linux v5 running on an HP ProLiant DL145, Sun Solaris 10 5/08 running on a Sun SunBlade 2000 workstation, Sun Solaris 10 5/08 running on a Sun W2100z workstation

Key exchange algorithms (certificate-only)

This section lists the certificate verification functionality available in the various implementations.

| Implementation | RSA[29] | RSA-EXPORT (insecure)[29] | DHE-RSA (forward secrecy)[29] | DHE-DSS (forward secrecy)[29] | ECDH-ECDSA[65] | ECDHE-ECDSA (forward secrecy)[65] | ECDH-RSA[65] | ECDHE-RSA (forward secrecy)[65] | GOST R 34.10-94 / 34.10-2001[66] |
|---|---|---|---|---|---|---|---|---|---|
| Botan | Yes | No | Yes | Yes | No | Yes | No | Yes | Yes[67] |
| cryptlib | Yes | No | Yes | Yes | No | Yes | No | No | No |
| GnuTLS | Yes | No | Yes | No[32] | No | Yes | No | Yes | No |
| JSSE | Yes | Disabled by default | Max 2048 bit | Max 2048 bit | Yes | Yes | Yes | Yes | No[68] |
| LibreSSL | Yes | No[33] | Yes | Yes | Yes | Yes | Yes | Yes | Yes[69] |
| MatrixSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
| mbed TLS | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
| NSS | Yes | Disabled by default | Client side only[70] | Client side only[70] | Yes | Yes | Yes | Yes | No[71][72] |
| OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes[73] |
| RSA BSAFE[43] | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No |
| SChannel XP/2003 | Yes | Yes | No | Max 1024 bit | No | No | No | No | No[74] |
| SChannel Vista/2008, 2008R2, 2012 | Yes | Disabled by default | No | Max 1024 bit | No | Yes | No | Yes except AES_GCM | No[74] |
| SChannel 7, 8, 8.1/2012R2 | Yes | Disabled by default | AES_GCM only, 1024 bits only[75][76][77] | Max 1024 bit | No | Yes | No | Yes except AES_GCM | No[74] |
| SChannel 10 Technical Preview | Yes | Disabled by default | AES_GCM only, 1024 bits only | Max 1024 bit | No | Yes | No | Yes | No[74] |
| Secure Transport | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No |
| SharkSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
| wolfSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |

Key exchange algorithms (alternative key-exchanges)

| Implementation | SRP[78] | SRP-DSS[78] | SRP-RSA[78] | PSK-RSA[79] | PSK[79] | DHE-PSK (forward secrecy)[79] | ECDHE-PSK (forward secrecy)[80] | KRB5[81] | DH-ANON (insecure)[29] | ECDH-ANON (insecure)[65] |
|---|---|---|---|---|---|---|---|---|---|---|
| Botan | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| cryptlib | No | No | No | No | Yes | Yes | No | Unknown | No | No |
| GnuTLS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Disabled by default | Disabled by default |
| JSSE | No | No | No | No | No | No | No | Unknown | Disabled by default in Java 8 | Disabled by default in Java 8 |
| LibreSSL | No[82] | No[82] | No[82] | No | No | No | No | No | Yes | Yes |
| MatrixSSL | No | No | No | Yes | Yes | Yes | No | No | Yes | No |
| mbed TLS | No | No | No | Yes | Yes | Yes | Yes | No | No | No |
| NSS | No[83] | No[83] | No[83] | No[84] | No[84] | No[84] | No[84] | No | Disabled by default | Disabled by default[85] |
| OpenSSL | Yes | Yes | Yes | No | Yes | No | No | No | Yes | Yes |
| RSA BSAFE[43] | No | No | No | No | No | No | No | Unknown | Yes | Yes |
| SChannel | No | No | No | No | No | No | No | Yes | No | No |
| Secure Transport | No | No | No | No | No | No | No | Unknown | Yes | Yes |
| SharkSSL | No | No | No | No | Yes | No | No | Unknown | No | No |
| wolfSSL | No | No | No | No | Yes | No | No[86] | No | No | No |

Certificate verification methods

| Implementation | Application-defined | PKIX path validation[29] | CRL[87] | OCSP[88] | DANE (DNSSEC)[89] | Trust on First Use (TOFU) |
|---|---|---|---|---|---|---|
| Botan | Yes | Yes | Yes | Yes | No | No |
| cryptlib | Unknown | Yes | Unknown | Unknown | No | No |
| GnuTLS | Yes | Yes | Yes | Yes | Yes | Yes |
| JSSE | Yes | Yes | Yes | Yes | No | No |
| LibreSSL | Yes | Yes | Yes | Yes | No | No |
| MatrixSSL | Yes | Yes | Yes | No | No | No |
| mbed TLS | Yes | Yes | Yes | Unknown | No | No |
| NSS | Yes | Yes | Yes | Yes | No[90] | No |
| OpenSSL | Yes | Yes | Yes | Yes | No | No |
| RSA BSAFE[43] | Yes | Yes | Yes | Yes | No | No |
| SChannel | Unknown | Yes | Yes[91] | Yes[91] | No | No |
| Secure Transport | Yes | Yes | Yes | Yes | No | No |
| SharkSSL | Yes | Yes | No | No | No | No |
| wolfSSL | Yes | Yes | Yes | Yes | No | No |

Encryption algorithms

Columns AES GCM through GOST 28147-89 CNT are block ciphers with their mode of operation; ChaCha20-Poly1305 is a stream cipher; Null is no encryption.

| Implementation | AES GCM[92] | AES CCM[93] | AES CBC | Camellia GCM[94] | Camellia CBC[95] | ARIA GCM[96] | ARIA CBC[96] | SEED CBC[97] | 3DES EDE CBC | GOST 28147-89 CNT (proposed)[66][n 1] | ChaCha20-Poly1305 (proposed)[98][n 1] | Null (insecure)[n 2] |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Botan | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes | Yes[99] | Yes[100] | Disabled by default |
| cryptlib | Yes | No | Yes | No | No | No | No | No | Yes | No | No | Disabled by default |
| GnuTLS | Yes | Yes[32] | Yes | Yes | Yes | No | No | No | Yes | No | Disabled by default[32] | Disabled by default |
| JSSE | Yes | No | Yes | No | No | No | No | No | Yes | No[68] | No | Disabled by default |
| LibreSSL | Yes[33] | No | Yes | No | Yes[69] | No | No | No[33] | Yes | Yes[69] | Yes[33] | Disabled by default |
| MatrixSSL | Yes | No | Yes | No | No | No | No | Yes | Disabled by default | No | No | Disabled by default |
| mbed TLS | Yes | Yes[101] | Yes | Yes | Yes | No | No | No | Yes | No | No | Disabled by default at compile time |
| NSS | Yes[102] | No | Yes | No[103] | Yes[104] | No | No | Yes[105] | Yes | No[71][72] | No[109] | Disabled by default |
| OpenSSL | Yes[110] | No | Yes | No | Yes | No | No | Yes | Yes | Yes[73] | No[111] | Disabled by default |
| RSA BSAFE MES[43] | Yes | Yes | Yes | No | No | No | No | No | Yes | No | No | Disabled by default |
| RSA BSAFE SSL-J[43] | Yes | No | Yes | No | No | No | No | No | Yes | No | No | Disabled by default |
| SChannel XP/2003 | No | No | 2003 only[112] | No | No | No | No | No | Yes | No[74] | No | Disabled by default |
| SChannel Vista/2008, 2008R2, 2012 | No | No | Yes | No | No | No | No | No | Yes | No[74] | No | Disabled by default |
| SChannel 7, 8, 8.1/2012R2 | Yes except ECDHE_RSA[75][76] | No | Yes | No | No | No | No | No | Yes | No[74] | No | Disabled by default |
| SChannel 10 Technical Preview[113] | Yes | No | Yes | No | No | No | No | No | Yes | No[74] | No | Disabled by default |
| Secure Transport | Yes | Yes | Yes | No | No | No | No | No | Yes | No | No | Disabled by default |
| SharkSSL | Yes | Yes | Yes | No | No | No | No | No | Yes | No | Yes | Disabled by default |
| wolfSSL | Yes | Yes | Yes | No | Yes | No | No | No | Yes | No | Yes | Disabled by default |

Notes
  1. ^ a b These algorithms are not yet defined as TLS cipher suites in RFCs; they are proposed in drafts.
  2. ^ authentication only, no encryption

Obsolete algorithms

Columns IDEA CBC through RC2-40 CBC are block ciphers with their mode of operation; RC4-128 and RC4-40 are stream ciphers.

| Implementation | IDEA CBC[n 1] | DES CBC (insecure)[n 1] | DES-40 CBC (EXPORT, insecure)[n 2] | RC2-40 CBC (EXPORT, insecure)[n 2] | RC4-128 (insecure)[n 3] | RC4-40 (EXPORT, insecure)[n 3][n 2] |
|---|---|---|---|---|---|---|
| Botan | No | No | No | Disabled by default | No[115] | No |
| cryptlib | No | Disabled by default | Disabled by default | Disabled by default | Yes | No |
| GnuTLS | No | No | No | No | Disabled by default[32] | No |
| JSSE | No | Disabled by default | Disabled by default | No | Yes | Disabled by default[116] |
| LibreSSL | Yes | Yes | No[33] | No[33] | Yes | No[33] |
| MatrixSSL | Yes | No | No | No | Disabled by default | No |
| mbed TLS | No | Disabled by default at compile time | No | No | Lowest priority[117] | No |
| NSS | Yes | Disabled by default | Disabled by default | Disabled by default | Lowest priority[118][119] | Disabled by default |
| OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes |
| RSA BSAFE MES[43] | No | No | No | No | Yes | No |
| RSA BSAFE SSL-J[43] | No | Yes | Yes | No | Yes | Yes |
| SChannel XP/2003 | No | Yes | Yes | Yes | Yes | Yes |
| SChannel Vista/2008 | No | Disabled by default | Disabled by default | Disabled by default | Yes | Disabled by default |
| SChannel 7/2008R2, 8/2012 | No | Disabled by default | Disabled by default | Disabled by default | Lowest priority[76][n 4] | Disabled by default |
| SChannel 8.1/2012R2 | No | Disabled by default | Disabled by default | Disabled by default | Disabled except as a fallback[n 5][121][122] | Disabled by default |
| SChannel 10 Technical Preview[113] | No | Disabled by default | Disabled by default | Disabled by default | Disabled except as a fallback[n 5] | Disabled by default |
| Secure Transport | Yes | Yes | Disabled by default | Disabled by default | Yes | Disabled by default |
| SharkSSL | No | Disabled by default | No | No | Disabled by default | No |
| wolfSSL | No | No | No | No | Disabled by default | No |

Notes
  1. ^ a b IDEA and DES have been removed from TLS 1.2.[114]
  2. ^ a b c The 40-bit cipher suites were designed to operate at reduced key lengths in order to comply with US regulations about the export of cryptographic software containing certain strong encryption algorithms (see Export of cryptography from the United States). These weak suites are forbidden in TLS 1.1 and later.
  3. ^ a b The RC4 attacks weaken or break RC4 as used in SSL/TLS. Use of RC4 is prohibited by RFC 7465.
  4. ^ RC4 can be disabled except as a fallback: only when no cipher suite other than an RC4 suite is available are RC4 cipher suites used.[120]
  5. ^ a b Only when no cipher suite other than an RC4 suite is available are RC4 cipher suites used as a fallback.

Supported elliptic curves

This section lists the elliptic curves supported by each implementation, with the TLS named-curve identifier in parentheses.

| Implementation | sect163k1 / NIST K-163 (1)[65] | sect163r1 (2)[65] | sect163r2 / NIST B-163 (3)[65] | sect193r1 (4)[65] | sect193r2 (5)[65] | sect233k1 / NIST K-233 (6)[65] | sect233r1 / NIST B-233 (7)[65] | sect239k1 (8)[65] | sect283k1 / NIST K-283 (9)[65] | sect283r1 / NIST B-283 (10)[65] | sect409k1 / NIST K-409 (11)[65] | sect409r1 / NIST B-409 (12)[65] | sect571k1 / NIST K-571 (13)[65] | sect571r1 / NIST B-571 (14)[65] |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Botan | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| GnuTLS | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| JSSE | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| LibreSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MatrixSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| mbed TLS | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| NSS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| RSA BSAFE[43] | Yes | No | Yes | No | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
| SChannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 Technical Preview | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| Secure Transport | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| SharkSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| wolfSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| Implementation | secp160k1 (15)[65] | secp160r1 (16)[65] | secp160r2 (17)[65] | secp192k1 (18)[65] | secp192r1 / prime192v1 / NIST P-192 (19)[65] | secp224k1 (20)[65] | secp224r1 / NIST P-224 (21)[65] | secp256k1 (22)[65] | secp256r1 / prime256v1 / NIST P-256 (23)[65] | secp384r1 / NIST P-384 (24)[65] | secp521r1 / NIST P-521 (25)[65] | arbitrary prime curves (0xFF01)[65][123] | arbitrary char2 curves (0xFF02)[65][123] |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Botan | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| GnuTLS | No | No | No | No | Yes | No | Yes | No | Yes | Yes | Yes | No | No |
| JSSE | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| LibreSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| MatrixSSL | No | No | No | No | Yes | No | Yes | No | Yes | Yes | Yes | No | No |
| mbed TLS | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| NSS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| RSA BSAFE[43] | No | No | No | No | Yes | No | Yes | No | Yes | Yes | Yes | No | No |
| SChannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 Technical Preview | No | No | No | No | No | No | No | No | Yes | Yes | Yes | No | No |
| Secure Transport | No | No | No | No | Yes | No | No | No | Yes | No | Yes | No | No |
| SharkSSL | No | No | No | No | Yes | No | Yes | No | Yes | Yes | Yes | No | No |
| wolfSSL | No | Yes | No | No | Yes | No | Yes | No | Yes | Yes | Yes | No | No |
| Implementation | brainpoolP256r1 (26)[124] | brainpoolP384r1 (27)[124] | brainpoolP512r1 (28)[124] | Curve25519[125] | M221 / Curve2213[126] | E222[126] | Curve1174[126] | E382[126] | M383[126] | Curve383187[126] | Curve41417 / Curve3617[126] | Ed448-Goldilocks[126] | M511 / Curve511187[126] | E521[126] |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Botan | Yes[127] | Yes[127] | Yes[127] | Yes[100] | No | No | No | No | No | No | No | No | No | No |
| GnuTLS | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| JSSE | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| LibreSSL | Yes[33] | Yes[33] | Yes[33] | No | No | No | No | No | No | No | No | No | No | No |
| MatrixSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| mbed TLS | Yes[128] | Yes[128] | Yes[128] | Yes[129] | No | No | No | No | No | No | No | No | No | No |
| NSS | No[130] | No[130] | No[130] | No[131] | No | No | No | No | No | No | No | No | No | No |
| OpenSSL | Yes[42] | Yes[42] | Yes[42] | No | No | No | No | No | No | No | No | No | No | No |
| RSA BSAFE[43] | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| SChannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 Technical Preview | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| Secure Transport | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| SharkSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| wolfSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No |

Data integrity

| Implementation | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA256/384 | AEAD | GOST 28147-89 IMIT[66] | GOST R 34.11-94[66] |
|---|---|---|---|---|---|---|
| Botan | Yes | Yes | Yes | Yes | Yes[99] | Yes[132] |
| cryptlib | Yes | Yes | Yes | Yes | No | No |
| GnuTLS | Yes | Yes | Yes | Yes | No | No |
| JSSE | Yes | Yes | Yes | Yes | No[68] | No[68] |
| LibreSSL | Yes | Yes | Yes | Yes | Yes[69] | Yes[69] |
| MatrixSSL | Yes | Yes | Yes | Yes | No | No |
| mbed TLS | Yes | Yes | Yes | Yes | No | No |
| NSS | Yes | Yes | Yes | Yes | No[71][72] | No[71][72] |
| OpenSSL | Yes | Yes | Yes | Yes | Yes[73] | Yes[73] |
| RSA BSAFE[43] | Yes | Yes | Yes | Yes | No | No |
| SChannel XP/2003, Vista/2008 | Yes | Yes | XP SP3, 2003 SP2 via hotfix[133] | No | No[74] | No[74] |
| SChannel 7/2008R2, 8/2012, 8.1/2012R2 | Yes | Yes | Yes | Yes except ECDHE_RSA[75][76][77] | No[74] | No[74] |
| SChannel 10 Technical Preview | Yes | Yes | Yes | Yes[113] | No[74] | No[74] |
| Secure Transport | Yes | Yes | Yes | No | No | No |
| SharkSSL | Yes | Yes | Yes | Yes | No | No |
| wolfSSL | Yes | Yes | Yes | Yes | No | No |

Compression

Note that the CRIME attack exploits TLS-level compression, so conservative implementations do not enable compression at the TLS level. HTTP compression is unrelated and unaffected by this exploit, but it is exploited by the related BREACH attack.

| Implementation | DEFLATE (insecure)[134] |
|---|---|
| Botan | No |
| cryptlib | No |
| GnuTLS | Disabled by default |
| JSSE | No |
| LibreSSL | No[33] |
| MatrixSSL | Disabled by default |
| mbed TLS | Disabled by default |
| NSS | Disabled by default |
| OpenSSL | Yes |
| RSA BSAFE[43] | No |
| SChannel | No |
| Secure Transport | No |
| SharkSSL | No |
| wolfSSL | Disabled by default |
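Several of the tables mark features as "enabled by default" that the prose recommends against: SSL 3.0 in the protocol-support table, TLS-level DEFLATE here, and the RC4, export and anonymous suites in the cipher tables. Whether a library enables something by default only matters if the application does not override it, so the following added example (not from Wikipedia or from any of the libraries compared here) shows how an application built on Python's `ssl` module, which wraps OpenSSL, pins those choices explicitly and then audits any context for the same properties. The cipher-list string and the list of weak-suite name fragments are the author's assumptions about what to forbid, not values from the page; the example needs Python 3.7 or later for `minimum_version`.

```python
import ssl

# Constructed cipher preference: forward-secret AEAD suites only. The exclusions
# name the families the obsolete-algorithm and key-exchange tables flag as
# insecure (anonymous, NULL, export, RC4, DES/3DES, MD5).
SAFE_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!3DES:!MD5"

# Substrings of OpenSSL suite names that should never appear in an enabled suite
# (assumption: this list is illustrative, not exhaustive).
WEAK_SUITE_MARKERS = ("RC4", "NULL", "EXP", "DES", "MD5", "ADH", "AECDH")


def hardened_client_context():
    """Client context that cannot negotiate the features the tables mark insecure."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies peer and hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuses SSL 2.0/3.0, TLS 1.0/1.1
    ctx.options |= ssl.OP_NO_COMPRESSION            # never negotiate TLS DEFLATE (CRIME)
    ctx.set_ciphers(SAFE_CIPHERS)
    return ctx


def audit_context(ctx):
    """Return a list of findings for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows protocol versions below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled (CRIME)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in WEAK_SUITE_MARKERS):
            findings.append("weak cipher suite enabled: " + name)
    return findings


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("findings:", audit_context(ctx) or "none")
    print("enabled suites:", [s["name"] for s in ctx.get_ciphers()])
```

The audit reads back what OpenSSL actually enabled (`get_ciphers()`) rather than trusting the string that was passed in, which is the check that catches a build whose defaults differ from the table entry for the library version it wraps.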

Extensions

This section lists the extensions each implementation supports. Note that the Secure Renegotiation extension is critical for HTTPS client security[citation needed]: TLS clients that do not implement it are vulnerable to attack, irrespective of whether the client itself implements TLS renegotiation.

| Implementation | Secure Renegotiation[135] | Server Name Indication[136] | ALPN[137] | Certificate Status Request[136] | OpenPGP[138] | Supplemental Data[139] | Session Ticket[140] | Keying Material Exporter[141] | Maximum Fragment Length[136] | Truncated HMAC[136] | Encrypt-then-MAC[142] | TLS Fallback SCSV[143] | Extended Master Secret[144] | TLS Padding[145] |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Botan | Yes | Yes | No | No | No | No | Yes | Yes | Yes | No | No | Yes[146] | No | No |
| cryptlib | Yes | Yes | No | No | No | Yes | No | No | No[147] | No | No | No | No | No |
| GnuTLS | Yes | Yes | Yes[148] | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes[32] | No | Yes[32] | No |
| JSSE | Yes | Yes[50] | Unknown | No | No | No | No | No | No | No | No | No | No | No |
| LibreSSL | Yes | Yes | Yes[149] | Yes | No | No? | Yes | Yes? | No | No | No | Server side only[150] | No | Yes |
| MatrixSSL | Yes | Yes | Yes[151] | No | No | No | Yes | No | Yes | Yes | No | No | No | No |
| mbed TLS | Yes | Yes | Yes[152] | No | No | No | Yes | No | Yes | Yes | Yes[153] | Yes[153] | Yes[153] | No |
| NSS | Yes | Yes | Yes[154] | Yes | No[155] | No | Yes | Yes | No | No | No[156] | Yes[157] | No | Yes[154] |
| OpenSSL | Yes | Yes | Yes[42] | Yes | No | No? | Yes | Yes? | No | No | No | Yes[158] | No | Yes[159] |
| RSA BSAFE MES[43] | Yes | Yes | No | Yes | No | No | Yes | No | Yes | Yes | No | No | No | No |
| RSA BSAFE SSL-J[43] | Yes | Yes | No | No | No | No | No | No | Yes | Yes | No | No | No | No |
| SChannel XP/2003 | No | No | No | No | No | Yes | No | No | No | No | No | No | No | No |
| SChannel Vista/2008 | Yes | Yes | No | No | No | Yes | No | No | No | No | No | No | No | No |
| SChannel 7/2008R2 | Yes | Yes | No | Yes | No | Yes | No | No | No | No | No | No | No | No |
| SChannel 8/2012 | Yes | Yes | No | Yes | No | Yes | Client side only[160] | No | No | No | No | No | No | No |
| SChannel 8.1/2012R2, 10 Technical Preview | Yes | Yes | Yes | Yes | No | Yes | Yes[160] | No | No | No | No | No | No | No |
| Secure Transport | Yes | Yes | Unknown | No | No | Yes | No | No | No | No | No | No | No | No |
| SharkSSL | Yes | No | No | No | No | No | No | No | No | No | No | No | No | No |
| wolfSSL | Yes | Yes | No | No | No | No | Yes | No | Yes | Yes | No | No | No | No |

Assisted cryptography

This section lists the known ability of an implementation to take advantage of CPU instruction sets that accelerate encryption, or to use system-specific devices that give access to underlying cryptographic hardware for acceleration or for data separation.

| Implementation | PKCS #11 device | Intel AES-NI | VIA PadLock | STM32F2 | Cavium NITROX | Freescale CAU/mmCAU | ARMv8-A | Microchip PIC32MZ |
|---|---|---|---|---|---|---|---|---|
| Botan | No | Yes | No | No | No | No | No | No |
| cryptlib | Yes | No | Yes | No | No | No | No | No |
| GnuTLS | Yes | Yes | Yes | No | No | No | No | No |
| JSSE | Yes | Yes[161] | No | No | No | No | No | No |
| LibreSSL | No | Yes | Yes | No | Yes | No | No | No |
| MatrixSSL | Yes | Yes | No | No | No | No | No | No |
| mbed TLS | Yes | Yes[162] | Yes | No | No | No | No | No |
| NSS | Yes[163] | Yes[164] | No[165] | No | No | No | No | No |
| OpenSSL | No | Yes | Yes | No | Yes | No | Yes[166] | No |
| RSA BSAFE[43] | Yes | Yes | No | No | No | No | No | No |
| SChannel | No | Yes | No | No | No | No | No | No |
| Secure Transport | No | Yes[167][168] | No | No | No | No | Yes | No |
| SharkSSL | No | No | No | Yes | No | Yes | No | No |
| wolfSSL | No | Yes | No | Yes | Yes | Yes | No | Yes |

System-specific backends

This section lists the ability of an implementation to take advantage of the available operating-system-specific backends, or even of the backends provided by another implementation.

| Implementation | /dev/crypto | Windows CSP | CommonCrypto | OpenSSL engine |
|---|---|---|---|---|
| Botan | No | No | No | No |
| cryptlib | No | No | No | No |
| GnuTLS | Yes | No | No | No |
| JSSE | No | Yes | No | No |
| LibreSSL | Yes | No | No | Yes |
| MatrixSSL | No | No | Yes | Yes |
| mbed TLS | No | No | No | No |
| NSS | No | No | No | No |
| OpenSSL | Yes | No | No | Yes |
| RSA BSAFE[43] | No | No | No | No |
| SChannel | No | Yes | No | No |
| Secure Transport | No | No | Yes | No |
| SharkSSL | No | No | No | No |
| wolfSSL | No | Partial | No | No |

Cryptographic module/token support

| Implementation | TPM support | Hardware token support | Objects identified via |
|---|---|---|---|
| Botan | No | No | |
| cryptlib | No | PKCS11 | User-defined label |
| GnuTLS | Yes | PKCS11 | PKCS #11 URLs[169] |
| JSSE | No | PKCS11 | Java Cryptography Architecture / Java Cryptography Extension |
| LibreSSL | Yes | PKCS11 (via 3rd party module) | Custom method |
| MatrixSSL | No | PKCS11 | |
| mbed TLS | No | PKCS11 (via libpkcs11-helper) or standard hooks | Custom method |
| NSS | No | PKCS11 | |
| OpenSSL | Yes | PKCS11 (via 3rd party module) | Custom method |
| RSA BSAFE MES[43] | No | PKCS11 (via 3rd party module) | User-defined label |
| RSA BSAFE SSL-J[43] | No | No | |
| SChannel | No | Microsoft CryptoAPI | UUID, User-defined label |
| Secure Transport | | | |
| SharkSSL | No | No | |
| wolfSSL | No | No | |

Code dependencies

| Implementation | Dependencies | Optional dependencies |
|---|---|---|
| Botan | C++11 | sqlite, zlib (compression), bzip2 (compression), liblzma (compression) |
| GnuTLS | libc, nettle, gmp | zlib (compression), p11-kit (PKCS #11), trousers (TPM) |
| JSSE | Java | |
| MatrixSSL | none | zlib (compression) |
| MatrixSSL-open | libc or newlib | |
| mbed TLS | libc | libpkcs11-helper (PKCS #11), zlib (compression) |
| NSS | libc, libnspr4, libsoftokn3, libplc4, libplds4 | zlib (compression) |
| OpenSSL | libc | zlib (compression) |
| SharkSSL | None | |
| wolfSSL | None | libc, zlib (compression) |

Development environment

| Implementation | Namespace | Build tools | API manual | Crypto back-end | OpenSSL compatibility layer[clarify] |
|---|---|---|---|---|---|
| Botan | Botan::TLS | Makefile | Sphinx | Included (monolithic) | No |
| cryptlib | crypt* | makefile, MSVC project workspaces | Programmers reference manual (PDF), architecture design manual (PDF) | Included (monolithic) | No |
| GnuTLS | gnutls_* | Autoconf, automake, libtool | Manual and API reference (HTML, PDF) | External, libnettle | Yes (limited) |
| JSSE | javax.net.ssl | Makefile | API Reference (HTML) + Java SE 8 | Java Cryptography Architecture / Java Cryptography Extension | No |
| MatrixSSL | matrixSsl_*, ps* | Makefile, MSVC project workspaces, Xcode projects for Mac OS X and iOS | API Reference (PDF), Integration Guide | Included (pluggable) | Yes (subset: SSL_read, SSL_write, etc.) |
| mbed TLS | ssl_*, sha1_*, md5_*, x509parse_*, ... | Makefile, CMake, MSVC project workspaces | API Reference + High Level and Module Level Documentation (HTML) | Included (monolithic) | No |
| NSS | CERT_*, SEC_*, SECKEY_*, NSS_*, PK11_*, SSL_*, ... | Makefile | Manual (HTML) | Included, PKCS#11 based[170] | Yes (separate package called nss_compat_ossl[171]) |
| OpenSSL | SSL_*, SHA1_*, MD5_*, EVP_*, ... | Makefile | Man pages | Included (monolithic) | N/A |
| SharkSSL | SharkSsl* | Makefile | (online) HTML Manual and API Reference | Included (monolithic) | No |
| wolfSSL | CyaSSL_*, SSL_* | Autoconf, automake, libtool, MSVC project workspaces, XCode projects, CodeWarrior projects, MPLAB X projects, Keil, IAR, Clang, GCC | Manual and API Reference (HTML, PDF) | Included (monolithic) | Yes (about 10% of API) |

Portability concerns

Columns: Platform requirements, Network requirements, Thread safety, Random seed, Able to cross-compile, No OS (bare metal), Supported operating systems.

Botan
  Platform requirements: C++11
  Network requirements: None
  Thread safety: Thread-safe
  Random seed: Platform-dependent
  Able to cross-compile: Yes
  No OS (bare metal): (not stated)
  Supported operating systems: Most Windows and POSIX systems

cryptlib
  Platform requirements: C89
  Network requirements: POSIX send() and recv(). API to supply your own replacement.
  Thread safety: Thread-safe
  Random seed: Platform-dependent, including hardware sources
  Able to cross-compile: Yes
  No OS (bare metal): Yes
  Supported operating systems: AMX, BeOS, ChorusOS, DOS, eCOS, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, Palm OS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, OS X, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK

GnuTLS
  Platform requirements: C89
  Network requirements: POSIX send() and recv(). API to supply your own replacement.
  Thread safety: Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available.
  Random seed: Platform dependent
  Able to cross-compile: Yes
  No OS (bare metal): No
  Supported operating systems: Generally any POSIX platforms or Windows; commonly tested platforms include GNU/Linux, Win32/64, Mac OS X, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD.

JSSE
  Platform requirements: Java
  Network requirements: Java SE network components
  Thread safety: Thread-safe
  Random seed: Depends on java.security.SecureRandom
  Able to cross-compile: Yes
  No OS (bare metal): (not stated)
  Supported operating systems: Java based, platform-independent

MatrixSSL
  Platform requirements: C89
  Network requirements: None
  Thread safety: Thread-safe
  Random seed: Platform dependent
  Able to cross-compile: Yes
  No OS (bare metal): Yes
  Supported operating systems: All

mbed TLS
  Platform requirements: C89
  Network requirements: POSIX read() and write(). API to supply your own replacement.
  Thread safety: Threading layer available (POSIX or own hooks)
  Random seed: Random seed set through entropy pool
  Able to cross-compile: Yes
  No OS (bare metal): Yes
  Supported operating systems: Known to work on: Win32/64, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox, Android, SeggerOS

NSS
  Platform requirements: C89, NSPR[172]
  Network requirements: NSPR[172] PR_Send() and PR_Recv(). API to supply your own replacement.
  Thread safety: Thread-safe
  Random seed: Platform dependent[173]
  Able to cross-compile: Yes (but cumbersome)
  No OS (bare metal): No
  Supported operating systems: AIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, Mac OS X, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation

OpenSSL
  Platform requirements: C89?
  Network requirements: ?
  Thread safety: Needs mutex callbacks
  Random seed: Set through native API
  Able to cross-compile: Yes
  No OS (bare metal): No
  Supported operating systems: Unix, DOS (with djgpp), Windows, OpenVMS, MacOS, NetWare

SharkSSL
  Platform requirements: C89
  Network requirements: None: Transport agnostic API
  Thread safety: Thread-safe: multiple ports
  Random seed: Random seed set through entropy pool and/or HW
  Able to cross-compile: Yes
  No OS (bare metal): Yes
  Supported operating systems: INTEGRITY, MQX, SMX, ThreadX, VxWorks, SeggerOS, OSE, Android, Win 32/64, Linux 32/64, uCLinux, Mac OS X, OpenBSD, DD-WRT, OpenWrt

wolfSSL
  Platform requirements: C89
  Network requirements: POSIX send() and recv(). API to supply your own replacement.
  Thread safety: Thread-safe, needs mutex hooks if PThreads or WinThreads not available, can be turned off
  Random seed: Random seed set through CTaoCrypt
  Able to cross-compile: Yes
  No OS (bare metal): Yes
  Supported operating systems: Win32/64, Linux, Mac OS X, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, OpenCL, NonStop, TRON/ITRON/µITRON, Micrium's µC OS, FreeRTOS, SafeRTOS, Freescale MQX, Nucleus, TinyOS, HP/UX, Keil RTX, TI-RTOS

See also

  • SCTP — with DTLS support
  • DCCP — with DTLS support
  • SRTP — with DTLS support (DTLS-SRTP) and Secure Real-Time Transport Control Protocol (SRTCP)

References

  1. "Version 1.11.16, 2015-03-29 — Botan". 2015-03-29. Retrieved 2015-04-01.
  2. "Latest Java Releases - bouncycastle.org". 2015-03-01. Retrieved 2015-03-02.
  3. "The Legion of the Bouncy Castle C# Cryptography APIs". 2011-04-07. Retrieved 2014-06-16.
  4. "cryptlib 3.4.2 released". 2012-12-17. Retrieved 2014-06-16.
  5. "GnuTLS". 2015-04-08. Retrieved 2015-04-15.
  6. "LibreSSL 2.1.6 released". 2015-03-19. Retrieved 2015-03-22.
  7. The features listed are for the closed source version.
  8. "MatrixSSL - News". 2015-04-14. Retrieved 2015-04-16.
  9. "Download - mbed TLS (Previously PolarSSL)". 2015-02-08. Retrieved 2015-02-09.
  10. "Download archive - mbed TLS (Previously PolarSSL)". 2015-02-16. Retrieved 2014-02-19.
  11. "NSS 3.18 release notes". Mozilla. 2015-03-19. Retrieved 2015-03-20.
  12. "NSS 3.16.2.3 release notes". Mozilla. 2014-10-27. Retrieved 2014-10-27.
  13. "OpenSSL: News, Project Newsflash". Retrieved March 20, 2015.
  14. "Nsssl - AOLserver Wiki". Retrieved 2014-07-04.
  15. "RSA BSAFE - EMC". Retrieved 2015-01-09.
  16. "SharkSSL product description". Retrieved 2014-04-21.
  17. "wolfSSL ChangeLog". 2015-03-30. Retrieved 2015-03-31.
  18. RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
  19. "CBC-Padding: Security Flaws in SSL, IPsec, WTLS,...", Serge Vaudenay, 2001
  20. Rizzo/Duong BEAST Countermeasures
  21. Möller, Bodo; Duong, Thai; Kotowicz, Krzysztof (September 2014). "This POODLE Bites: Exploiting The SSL 3.0 Fallback". Retrieved 15 October 2014.
  22. TLSv1.2's Major Differences from TLSv1.1
  23. RFC 6347
  24. "Bard attack". CiteSeerX: 10.1.1.61.5887.
  25. The SSL Protocol <draft-hickman-netscape-ssl-00.txt>
  26. RFC 6101
  27. RFC 2246
  28. RFC 4346
  29. RFC 5246
  30. RFC 4347
  31. "Version 1.11.13, 2015-01-11 — Botan". 2015-01-11. Retrieved 2015-01-16.
  32. "[gnutls-devel] GnuTLS 3.4.0 released". 2015-04-08. Retrieved 2015-04-16.
  33. "OpenBSD 5.6 Released". 2014-11-01. Retrieved 2015-01-20.
  34. "LibreSSL 2.1.1 released". 2014-10-16. Retrieved 2014-10-17.
  35. "MatrixSSL - News". Retrieved 2014-11-09.
  36. "mbed TLS 1.4 DTLS preview release". 2015-02-16. Retrieved 2015-03-01.
  37. "Bug 1140029 - Disable SSL 3 in the default NSS configuration". Mozilla. Retrieved 2015-03-09.
  38. "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Retrieved 2012-10-27.
  39. "NSS 3.15.1 release notes". Mozilla Developer Network. Mozilla. Retrieved 2013-08-10.
  40. "NSS 3.16.2 release notes". Mozilla Developer Network. Mozilla. 2014-06-30. Retrieved 2014-06-30.
  41. "Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]". 2012-03-14. Retrieved 2015-01-20.
  42. "Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]". Retrieved 2015-01-22.
  43. "RSA BSAFE Technical Specification Comparison Tables".
  44. TLS cipher suites in Microsoft Windows XP and 2003
  45. SChannel Cipher Suites in Microsoft Windows Vista
  46. TLS Cipher Suites in SChannel for Windows 7, 2008R2, 8, 2012
  47. "An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1". Microsoft. Retrieved 13 November 2012.
  48. "Java™ SE Development Kit 8, Update 31 Release Notes". Retrieved 2015-01-22.
  49. "Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
  50. http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html
  51. "Bug 663320 - (NSA-Suite-B-TLS) Implement RFC6460 (NSA Suite B profile for TLS)". Mozilla. Retrieved 2014-05-19.
  52. http://technet.microsoft.com/en-us/library/dd566200(v=ws.10).aspx
  53. "Secure or Compliant, Pick One". Steve Marquess blog.
  54. http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
  55. "Is botan FIPS 140 certified?" Frequently Asked Questions — Botan
  56. "What about FIPS 140 certification?" cryptlib FAQ
  57. "As such we are not actively pursuing this kind of certification." GnuTLS 3.3.10 B.5 Certification
  58. Matrix SSL Toolkit
  59. Is PolarSSL FIPS certified?
  60. FIPS Validation - MozillaWiki
  61. OpenSSL and FIPS 140-2
  62. Validated 140-1 and 140-2 Cryptographic Modules
  63. Microsoft FIPS 140 Validated Cryptographic Modules
  64. wolfSSL - wolfCrypt FIPS 140-2 Validation
  65. RFC 4492
  66. "Version 1.9.4, 2010-03-09 — Botan". 2010-03-09. Retrieved 2015-01-23.
  67. Extensions to support JSSE in SChannel might be available.[citation needed]
  68. "LibreSSL 2.1.2 released". 2014-12-09. Retrieved 2015-01-20.
  69. Mozilla.org. "Bug 102794 - Implement the server-side code of the DHE SSL ciphersuites". Retrieved 19 November 2013.
  70. Mozilla.org. "Bug 518787 - Add GOST crypto algorithm support in NSS". Retrieved 2014-07-01.
  71. Mozilla.org. "Bug 608725 - Add Russian GOST cryptoalgorithms to NSS and Thunderbird". Retrieved 2014-07-01.
  72. openssl/engines/ccgost/README.gost
  73. Extensions to support GOST in SChannel might be available.[citation needed]
  74. "Microsoft Security Bulletin MS14-066 - Critical (Section Update FAQ)". Microsoft. November 11, 2014. Retrieved 11 November 2014.
  75. Thomlinson, Matt (November 11, 2014). "Hundreds of Millions of Microsoft Customers Now Benefit from Best-in-Class Encryption". Microsoft Security. Retrieved 11 November 2014.
  76. Update adds new TLS cipher suites and changes cipher suite priorities in Windows 8.1 and Windows Server 2012 R2
  77. RFC 5054
  78. RFC 4279
  79. RFC 5489
  80. RFC 2712
  81. "LibreSSL 2.0.4 released". Retrieved 2014-08-04.
  82. "Bug 405155 - add support for TLS-SRP, rfc5054". Mozilla. Retrieved 2014-01-25.
  83. "Bug 306435 - Mozilla browsers should support the new IETF TLS-PSK protocol to help reduce phishing". Mozilla. Retrieved 2014-01-25.
  84. "Bug 236245 - Update ECC/TLS to conform to RFC 4492". Mozilla. Retrieved 2014-06-09.
  85. "RFC 5487 in CyaSSL TLS Library". 2014-06-25. Retrieved 2014-07-14.
  86. RFC 3280
  87. RFC 2560
  88. RFC 6698, RFC 7218
  89. "Bug 672600 - Use DNSSEC/DANE chain stapled into TLS handshake in certificate chain validation". Mozilla. Retrieved 2014-06-18.
  90. "How Certificate Revocation Works". Microsoft TechNet. Microsoft. March 16, 2012. Retrieved July 10, 2013.
  91. RFC 5288, RFC 5289
  92. RFC 6655, RFC 7251
  93. RFC 6367
  94. RFC 5932, RFC 6367
  95. RFC 6209
  96. RFC 4162
  97. draft-agl-tls-chacha20poly1305-04 - ChaCha20 and Poly1305 based Cipher Suites for TLS; draft-mavrogiannopoulos-chacha-tls-04 - The ChaCha Stream Cipher for Transport Layer Security
  98. "Version 0.7.1, 2001-05-16 — Botan". 2001-05-16. Retrieved 2015-01-23.
  99. "Version 1.11.12, 2015-01-02 — Botan". 2015-01-02. Retrieved 2015-01-09.
  100. PolarSSL 1.3.8 release notes
  101. "NSS 3.15.2 release notes". Mozilla Developer Network. Mozilla. Retrieved 2013-09-26.
  102. "Bug 940119 - libssl does not support any TLS_ECDHE_*_CAMELLIA_*_GCM cipher suites". Mozilla. Retrieved 2013-11-19.
  103. "NSS 3.12 is released". Retrieved 2013-11-19.
  104. "NSS 3.12.3 Release Notes". Mozilla Developer Network. Mozilla. Retrieved 2014-07-01.
  105. "Issue 310768: Support ChaCha20+Poly1305 TLS cipher suites". Google. Retrieved 2013-12-01.
  106. "Chrome 32 promotes Chacha20/Poly1305 suite, SSL Client Test fails to process SSL/TLS handshake". Qualys. Retrieved 2013-12-01.
  107. "Bug 917571 - Support ChaCha20+Poly1305 cipher suites". Mozilla. Retrieved 2013-12-01.
  108. As of November 2014, only available in the private version of NSS integrated into Chromium and derived browsers (Google Chrome and Opera).[106][107] A patch for NSS upstream has been submitted and is under review.[108]
  109. "openssl/CHANGES at OpenSSL_1_0_1-stable · openssl/openssl". Retrieved 2015-01-20.
  110. As of November 2014, only available in the private version of OpenSSL integrated into Chromium and derived browsers (Google Chrome and Opera).[106]
  111. Hotfix 984963: TLS AES cipher suites for Microsoft Windows 2003
  112. https://dev.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%2010%20Preview
  113. RFC 5469
  114. "Version 1.11.15, 2015-03-08 — Botan". 2015-03-08. Retrieved 2015-03-11.
  115. http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
  116. PolarSSL RC4 deprecation plan
  117. "NSS 3.15.3 release notes". Mozilla Developer Network. Mozilla. Retrieved 2014-07-13.
  118. "MFSA 2013-103: Miscellaneous Network Security Services (NSS) vulnerabilities". Mozilla. Retrieved 2014-07-13.
  119. Microsoft security advisory: Update for disabling RC4
  120. "Release Notes: Important Issues in Windows 8.1 Preview". Microsoft. 2013-06-24. Retrieved 2014-11-04.
  121. "W8.1(IE11) vs RC4 | Qualys Community". Retrieved 2014-11-04.
  122. Negotiation of arbitrary curves has been shown to be insecure for certain curve sizes. Mavrogiannopoulos, Nikos; Vercauteren, Frederik; Velichkov, Vesselin; Preneel, Bart (2012). "A cross-protocol attack on the TLS protocol". Proceedings of the 2012 ACM conference on Computer and communications security. pp. 62–72. ISBN 978-1-4503-1651-4.
  123. RFC 7027
  124. Curve25519 for ephemeral key exchange in Transport Layer Security (TLS): draft-josefsson-tls-curve25519
  125. Additional Elliptic Curves for Transport Layer Security (TLS) Key Agreement: draft-josefsson-tls-additional-curves
  126. "Version 1.11.5, 2013-11-10 — Botan". 2013-11-10. Retrieved 2015-01-23.
  127. "PolarSSL 1.3.1 released". 2013-10-15. Retrieved 2015-01-23.
  128. "PolarSSL 1.3.3 released". 2013-12-31. Retrieved 2015-01-23.
  129. "Bug 943639 - Support for Brainpool ECC Curve (rfc5639)". Mozilla. Retrieved 2014-01-25.
  130. "Bug 957105 - Add support for curve25519 Key Exchange and UMAC MAC support for TLS". Mozilla. Retrieved 2015-01-23.
  131. "Supported Algorithms — Botan". Retrieved 2015-01-23.
  132. "SHA2 and Windows". Retrieved 2014-09-08.
  133. RFC 3749
  134. RFC 5746
  135. RFC 6066
  136. RFC 7301
  137. RFC 6091
  138. RFC 4680
  139. RFC 5077
  140. RFC 5705
  141. RFC 7366
  142. draft-ietf-tls-downgrade-scsv-05 - TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks
  143. draft-ietf-tls-session-hash-04 - Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension
  144. draft-ietf-tls-padding-01 - A TLS padding extension
  145. "Version 1.11.10, 2014-12-10 — Botan". 2014-12-10. Retrieved 2014-12-14.
  146. Present but disabled by default due to lack of use by any implementation.
  147. "gnutls 3.2.0". Retrieved 2015-01-26.
  148. "LibreSSL 2.1.3 released". 2015-01-22. Retrieved 2015-01-22.
  149. "LibreSSL 2.1.4 released". 2015-03-04. Retrieved 2015-03-04.
  150. "MatrixSSL - News". 2014-12-04. Retrieved 2015-01-26.
  151. "Download overview - PolarSSL". 2014-04-11. Retrieved 2015-01-26.
  152. "mbed TLS 1.3.10 released". 2015-02-08. Retrieved 2015-02-09.
  153. "NSS 3.15.5 release notes". Mozilla Developer Network. Mozilla. Retrieved 2015-01-26.
  154. "Bug 961416 - Support RFC6091 - Using OpenPGP Keys for Transport Layer Security Authentication (TLS1.2)". Mozilla. Retrieved 2014-06-18.
  155. "Bug 972145 - Implement the encrypt-then-MAC TLS extension". Mozilla. Retrieved 2014-11-06.
  156. "NSS 3.17.1 release notes". Retrieved 2014-10-17.
  157. http://www.openssl.org/news/secadv_20141015.txt
  158. "Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]". 2014-04-07. Retrieved 2015-02-10.
  159. "What's New in TLS/SSL (Schannel SSP)". Retrieved 2014-06-18.
  160. http://stackoverflow.com/questions/14259671/java-ssl-provider-with-aes-ni-support
  161. "We've incorporated support for AES-NI in our AES and GCM modules". 2013-12-31. Retrieved 2014-01-07.
  162. Normally NSS's libssl performs all operations via the PKCS#11 interface, either to hardware or software tokens.
  163. "Bug 706024 - AES-NI enhancements to NSS on Sandy Bridge systems". Retrieved 2013-09-28.
  164. "Bug 479744 - RFE : VIA Padlock ACE support (hardware RNG, AES, SHA1 and SHA256)". Retrieved 2014-04-11.
  165. http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddacb8f27ba4c8a8d51c306c150e1a8703b008f2
  166. http://www.opensource.apple.com/source/Security/Security-55179.13/sec/Security/SecECKey.c
  167. http://km.support.apple.com/library/APPLE/APPLECARE_ALLGEOS/HT5396/Crypto_Officer_Role_Guide_for_FIPS_140-2_Compliance_OS_X_Mountain_Lion_v10.8.pdf
  168. PKCS #11 URLs
  169. On the fly replaceable/augmentable.
  170. http://fedoraproject.org/wiki/Nss_compat_ossl
  171. Netscape Portable Runtime (NSPR)
  172. For Unix/Linux it uses /dev/urandom if available; for Windows it uses CAPI. For other platforms it gets data from the clock and tries to open system files. NSS has a set of platform-dependent functions it uses to determine randomness.