Comparison of TLS implementations

From Wikipedia, the free encyclopedia
  (Redirected from Comparison of TLS Implementations)
Jump to: navigation, search

The Transport Layer Security (TLS) protocol provides the ability to secure communications across networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free and open source software.

All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.

Overview[edit]

Implementation Developed by Open source Software license Copyright owner Latest stable version / release date Origin
Botan Jack Lloyd Yes Simplified BSD License Jack Lloyd 1.10.8 (April 10, 2014; 5 months ago (2014-04-10)[1]) [±] US (Vermont)
cryptlib Peter Gutmann Yes Sleepycat License and commercial license Peter Gutmann 3.4.2 (December 17, 2012; 20 months ago (2012-12-17) [2]) [±] NZ
CyaSSL wolfSSL Yes GPLv2 and commercial license wolfSSL Inc. 3.2.0 (September 10, 2014; 9 days ago (2014-09-10)[3]) [±] US
GnuTLS GnuTLS project Yes LGPL Free Software Foundation 3.2.17 (August 24, 2014; 26 days ago (2014-08-24) [4]) [±]

3.1.26 (August 24, 2014; 26 days ago (2014-08-24) [5]) [±]

EU (Greece and Sweden)
MatrixSSL[6] PeerSec Networks Yes GPLv2 and commercial license PeerSec Networks 3.6.2 (September 5, 2014; 14 days ago (2014-09-05) [7]) [±] US
Network Security Services Mozilla, AOL, Red Hat, Sun, Oracle, Google and others Yes Mozilla Public License 2.0 NSS contributors 3.17 (August 19, 2014; 31 days ago (2014-08-19)[8]) [±] US
OpenSSL OpenSSL project Yes OpenSSL / SSLeay dual-license Eric Young, Tim Hudson, Sun, OpenSSL project, and others 1.0.1i (6 August 2014; 44 days ago (2014-08-06)[9]) [±]

1.0.0n (6 August 2014; 44 days ago (2014-08-06)[9]) [±]
0.9.8zb (6 August 2014; 44 days ago (2014-08-06)[9]) [±]

Australia/EU
LibreSSL OpenBSD Project Yes OpenSSL / SSLeay dual-license Eric Young, Tim Hudson, Sun, OpenSSL project, OpenBSD Project, and others 2.0.5 (August 8, 2014; 42 days ago (2014-08-08) [10]) [±]
PolarSSL Offspark Yes GPLv2 and commercial license Brainspark B.V. (brainspark.nl) 1.3.8 (July 11, 2014; 2 months ago (2014-07-11) [11]) [±]

1.2.11 (July 11, 2014; 2 months ago (2014-07-11) [11]) [±]

EU (Netherlands)
RSA BSAFE RSA Security No[12] Proprietary RSA Security ? US
SChannel Microsoft No Proprietary Microsoft Inc. Windows 8.1 / 2013-11-13 US
Secure Transport Apple Inc. Yes APSL 2.0 Apple Inc. 55471.14 (OS X 10.9.2) / 2014-02-25 US
SharkSSL Realtimelogic LLC[13] No Proprietary Realtimelogic LLC 2.1 / 2014-01-12 US
JSSE Oracle Yes GPLv2 and commercial license Oracle JDK 8 / 2014-03-18 US
Bouncy Castle The Legion of the Bouncy Castle Inc. Yes MIT License Legion of the Bouncy Castle Inc. 1.51 (Java) (July 27, 2014; 54 days ago (2014-07-27) [14]) [±]

1.7 (C#) (April 7, 2011; 3 years ago (2011-04-07) [15]) [±]

Australia
Implementation Developed by Open source Software license Copyright owner Latest stable version / release date Origin

Protocol support[edit]

Several versions of the TLS protocol exist. SSL 2.0 is a deprecated[16] protocol version with significant weaknesses. SSL 3.0 (1996) and TLS 1.0 (1999) are successors with two weaknesses in CBC-padding that were explained in 2001 by Serge Vaudenay.[17] TLS 1.1 (2006) fixed only one of the problems, by switching to random IVs for CBC block ciphers, whereas the more problematic use of mac-pad-encrypt instead of the secure pad-mac-encrypt was ignored and is still present in TLS 1.2 today. A workaround for SSL 3.0 and TLS 1.0, roughly equivalent to random IVs from TLS 1.1, was widely adopted by many implementations in late 2011,[18] so from a security perspective, all existing version of TLS 1.0, 1.1 and 1.2 provide equivalent strength in the base protocol and are suitable for 128-bit security according to NIST SP800-57 up to at least 2030. TLS 1.2 (2008) is the latest published version of the base protocol, introducing a means to identify the hash used for digital signatures. While permitting the use of stronger hash functions for digital signatures in the future (rsa,sha256/sha384/sha512) over the SSL 3.0 conservative choice (rsa,sha1+md5), the TLS 1.2 protocol change inadvertently and substantially weakened the default digital signatures and provides (rsa,sha1) and even (rsa,md5).[19]

Datagram Transport Layer Security (DTLS or Datagram TLS) 1.0 is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated. The revision DTLS 1.2 based on TLS 1.2 was published in January 2012[20]

Note that there are known vulnerabilities in SSL 2.0. With the exception of the predictable IVs (for which an easy workaround exists) all currently known vulnerabilities affect SSL 3.0 and all version of TLS 1.0/1.1/1.2 alike.[21]

Implementation SSL 2.0
(insecure)[22]
SSL 3.0[23] TLS 1.0[24] TLS 1.1[25] TLS 1.2[26] DTLS 1.0[27] DTLS 1.2[20]
Botan No[a] Yes Yes Yes Yes Beta Beta
cryptlib No Yes Yes Yes Yes No No
CyaSSL No Yes Yes Yes Yes Yes Yes
GnuTLS No[a] Yes Yes Yes Yes Yes Yes
MatrixSSL No[a] Yes Yes Yes Yes Yes Yes
NSS Disabled by default[a] Yes Yes Yes[28] Yes[29] Yes[28] Yes[30]
OpenSSL Yes Yes Yes Yes[31] Yes[31] Yes Beta[31]
LibreSSL No Yes Yes Yes[31] Yes[31] Yes Beta[31]
PolarSSL No[a] Yes Yes Yes Yes No No
SChannel XP/2003[32] Disabled by default in MSIE 7 Yes Enabled by default in MSIE 7 No No No No
SChannel Vista/2008[33] Disabled by default Yes Yes No No No No
SChannel 7/2008R2, 8/2012, 8.1/2012R2[34] Disabled by default Yes Yes Enabled by default in MSIE 11 Enabled by default in MSIE 11 Yes[35] Yes[35]
Secure Transport Not anymore[b] Yes Yes Yes[b] Yes[b] Yes[b] No
SharkSSL No Yes Yes Yes Yes No No
JSSE No[a] Yes Yes Yes Yes No No
Implementation SSL 2.0
(insecure)
SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 DTLS 1.0 DTLS 1.2
  1. ^ SSL 2.0 client hello is supported even though SSL 2.0 is not supported or is disabled because of the backward compatibilities.
  2. ^ Secure Transport: SSL 2.0 was discontinued in OS X 10.8. TLS 1.1, 1.2 and DTLS are available on iOS 5.0 and later, and OS X 10.8 and later.[36]

NSA Suite B Cryptography[edit]

Required components for NSA Suite B Cryptography (RFC 6460) are:

Per CNSSP-15, the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.

Implementation TLS 1.2 Suite B
Botan Yes
cryptlib Yes
CyaSSL Yes
GnuTLS Yes
NSS No[37]
MatrixSSL Yes
OpenSSL No
LibreSSL No
PolarSSL Yes
SChannel No
Secure Transport Unknown
SharkSSL Yes
JSSE Yes[38]
Implementation TLS 1.2 Suite B

Certifications[edit]

Implementation Certified version FIPS 140-2 Common Criteria
Botan
cryptlib
CyaSSL
GnuTLS
MatrixSSL Level 1
NSS Netscape Security Module 1, 1.01, NSS 3.2.2, 3.11.4, 3.12.4 Level 2
OpenSSL 1.0, 1.1.1, 1.1.2, 1.2, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5 Level 1
LibreSSL
PolarSSL
SChannel Windows CE, Embedded, XP, Vista, 7, 8, RT, Server 2003, Server 2008 R2, and Server 2012 Level 1
Secure Transport Mac OS X 10.6 Snow Leopard, Mac OS X 10.7 Lion, Mac OS X 10.8 Mountain Lion, OS X 10.9 Mavericks, iOS 6.0, iOS 7.0 Level 1
SharkSSL
JSSE
Implementation Certified version FIPS 140-2 Common Criteria

[39]

Key exchange algorithms (certificate-only)[edit]

This section lists the certificate verification functionality available in the various implementations.

Implementation RSA[26] RSA-EXPORT (insecure)[26] DHE-RSA (forward secrecy)[26] DHE-DSS (forward secrecy)[26] ECDH-ECDSA[40] ECDHE-ECDSA (forward secrecy)[40] ECDH-RSA[40] ECDHE-RSA (forward secrecy)[40] VKO GOST R 34.10-2001[41][42]
Botan Yes No Yes Yes No Yes No Yes No
cryptlib Yes No Yes Yes No Yes No No No
CyaSSL Yes No Yes No Yes Yes Yes Yes No
GnuTLS Yes Disabled by default Yes Yes No Yes No Yes No
MatrixSSL Yes No Yes No Yes Yes Yes Yes No
NSS Yes Disabled by default Client side only[43] Client side only[43] Yes Yes Yes Yes No[44][45]
OpenSSL Yes Yes Yes Yes Yes Yes Yes Yes Yes
LibreSSL Yes Yes Yes Yes Yes Yes Yes Yes Yes
PolarSSL Yes No Yes No Yes Yes Yes Yes No
SChannel XP/2003 Yes Yes No Max 1024 bit No No No No 3rd Party
SChannel Vista/2008, 7/2008R2, 8/2012 Yes disabled by default No Max 1024 bit No Yes No Yes 3rd Party
SChannel 8.1/2012R2 Yes disabled by default GCM only[46] Max 1024 bit No Yes No Yes 3rd Party
Secure Transport Yes No Yes Yes Yes Yes Yes Yes No
SharkSSL Yes No Yes No Yes Yes Yes Yes No
JSSE Yes Disabled by default Max 2048 bit Max 2048 bit Yes Yes Yes Yes No[47]
Implementation RSA RSA EXPORT (insecure) DHE-RSA (forward secrecy) DHE-DSS (forward secrecy) ECDH-ECDSA ECDHE-ECDSA (forward secrecy) ECDH-RSA ECDHE-RSA (forward secrecy) VKO GOST R 34.10-2001

Key exchange algorithms (alternative key-exchanges)[edit]

Implementation SRP[48] SRP-DSS[48] SRP-RSA[48] PSK-RSA[49] PSK[49] DHE-PSK (forward secrecy)[49] ECDHE-PSK (forward secrecy)[50] DH-ANON[26] (insecure) ECDH-ANON[40] (insecure)
Botan Yes Yes Yes No Yes Yes Yes Yes Yes
cryptlib No No No No Yes Yes No No No
CyaSSL No No No No Yes No No[51] No No
GnuTLS Yes Yes Yes Yes Yes Yes Yes Disabled by default Disabled by default
MatrixSSL No No No No Yes Yes No Yes No
NSS No[52] No[52] No[52] No[53] No[53] No[53] No[53] Disabled by default Disabled by default[54]
OpenSSL Yes Yes Yes No Yes No No Yes Yes
LibreSSL No[55] No[55] No[55] No Yes No No Yes Yes
PolarSSL No No No Yes Yes Yes Yes No No
SChannel No No No No No No No No No
Secure Transport No No No Partial[56] Partial[56] Partial[56] No Yes Yes
SharkSSL No No No No Yes No No No No
JSSE No No No No No No No Disabled by default in Java 8 Disabled by default in Java 8
Implementation SRP SRP-DSS SRP-RSA PSK-RSA PSK DHE-PSK (forward secrecy) ECDHE-PSK (forward secrecy) DH-ANON (insecure) ECDH-ANON (insecure)

Certificate verification methods[edit]

Implementation Application-defined PKIX path validation[26] CRL[57] OCSP[58] DANE (DNSSEC)[26] Trust on First Use (TOFU)
Botan Yes Yes Yes Yes No No
cryptlib Yes No No
CyaSSL Yes Yes Yes Yes No No
GnuTLS Yes Yes Yes Yes Yes Yes
MatrixSSL Yes Yes Yes No No No
NSS Yes Yes Yes Yes No[59] No
OpenSSL Yes Yes Yes No No
LibreSSL Yes Yes Yes No No
PolarSSL Yes Yes Yes No No
SChannel Yes Yes[60] Yes[60] No No
Secure Transport Yes Yes Yes Yes No No
SharkSSL Yes Yes No No No No
JSSE Yes Yes Yes Yes No No
Implementation Application-defined PKIX CRL OCSP DANE TOFU

Encryption algorithms[edit]

Implementation None Block cipher with mode of operation Stream cipher Other
NULL
(insecure)
3DES EDE CBC AES CBC AES GCM
[61]
AES CCM
[62]
CAMELLIA CBC
[63]
CAMELLIA GCM
[64]
SEED CBC
[65]
ARIA CBC
[66]
ARIA GCM
[66]
IDEA CBC DES CBC
(insecure)
DES-40 CBC
(EXPORT, insecure)
RC2-40 CBC
(EXPORT, insecure)
CHACHA20-POLY1305
[67][68]
RC4-128
(insecure)
RC4-40
(EXPORT, insecure)
GOST 28147-89
[41]
Botan Yes Yes Yes Yes Yes Yes Yes Yes No No No No No Disabled by Default No Yes No No
cryptlib Yes Yes Yes Yes No No No No No No No Disabled by default Disabled by default Disabled by default No Yes No No
CyaSSL Yes Yes Yes Yes Yes Yes No No No No No No No No Yes Yes No No
GnuTLS Yes Yes Yes Yes No Yes Yes No No No No No No No No Yes Disabled by default No
MatrixSSL Yes Yes Yes Yes No No No Yes No No Yes No No No No Yes No No
NSS Yes Yes Yes Yes[69] No Yes[70] No[71] Yes[72] No No Yes Disabled by default Disabled by default Disabled by default Partial[76] Lowest priority by default[77][78] Disabled by default No[44][45]
OpenSSL Yes Yes Yes Yes [31] No Yes No Yes No No Yes Yes Yes Yes Partial[79] Yes Yes Yes
LibreSSL Yes Yes Yes Yes [31] No Yes No Yes No No Yes Yes Yes Yes Yes Yes Yes Yes
PolarSSL Disabled by default at compile time Yes Yes Yes Yes [80] Yes Yes No No No No Disabled by default at compile time No No No Lowest priority by default [81] No No
SChannel XP/2003 Yes Yes 2003 only[82] No No No No No No No No yes yes Yes No Yes yes 3rd Party
SChannel Vista/2008 Yes Yes Yes No No No No No No No No Disabled by default Disabled by default Disabled by default No Yes Disabled by default 3rd Party
SChannel 8/2012 Yes Yes Yes ECDHE_ECDSA only No No No No No No No Disabled by default Disabled by default Disabled by default No Yes Disabled by default 3rd Party
SChannel 7/2008R2 Yes Yes Yes ECDHE_ECDSA only No No No No No No No Disabled by default Disabled by default Disabled by default No Disabled except as a fallback if no other enabled algorithm works Disabled by default 3rd Party
SChannel 8.1/2012R2 Yes Yes Yes except ECDHE_RSA[46] No No No No No No No Disabled by default Disabled by default Disabled by default No Disabled except as a fallback if no other enabled algorithm works Disabled by default 3rd Party
Secure Transport Yes Yes Yes Yes Yes No No No No No Yes Yes Disabled by default Disabled by default No Yes Disabled by default No
SharkSSL Yes Yes Yes Yes Yes No No No No No No Yes No No No Yes No No
JSSE Yes Yes Yes Yes No No No No No No No Disabled by default Disabled by default No No Yes Disabled by default [83] No[47]
Implementation NULL
(insecure)
3DES EDE CBC AES CBC AES GCM AES CCM CAMELLIA CBC CAMELLIA GCM SEED CBC ARIA CBC ARIA GCM IDEA CBC DES CBC
(insecure)
DES-40 CBC
(EXPORT, insecure)
RC2-40 CBC
(EXPORT, insecure)
CHACHA20-POLY1305 RC4-128
(insecure)
RC4-40
(EXPORT, insecure)
GOST28147-89
None Block cipher with mode of operation Stream cipher Other

Supported elliptic curves[edit]

This section lists the supported elliptic curves by each implementation.

Implementation Arbitrary prime curves[84] Arbitrary char2 curves sect163k1 (1) sect163r1 (2) sect163r2 (3) sect193r1 (4) sect193r2 (5) sect233k1 (6) sect233r1 (7) sect239k1 (8) sect283k1 (9) sect283r1 (10) sect409k1 (11) sect409r1 (12) sect571k1 (13) sect571r1 (14)
Botan No No No No No No No No No No No No No No No No
CyaSSL No No No No No No No No No No No No No No No No
GnuTLS No No No No No No No No No No No No No No No No
MatrixSSL No No No No No No No No No No No No No No No No
NSS No No Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
OpenSSL No No Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
LibreSSL No No Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
PolarSSL No No No No No No No No No No No No No No No No
SChannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2 No No No No No No No No No No No No No No No No
Secure Transport No No No No No No No No No No No No No No No No
SharkSSL No No No No No No No No No No No No No No No No
JSSE No No Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Implementation Arbitrary prime curves Arbitrary char2 curves sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1
Implementation secp160k1 (15) secp160r1 (16) secp160r2 (17) secp192k1 (18) secp192r1 prime192v1 (19) secp224k1 (20) secp224r1 (21) secp256k1 (22) secp256r1 prime256v1 (23) secp384r1 (24) secp521r1 (25) brainpoolP256r1 (26) brainpoolP384r1 (27) brainpoolP512r1 (28)
Botan Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
CyaSSL No Yes No No Yes No Yes No Yes Yes Yes No No No
GnuTLS No No No No Yes No Yes No Yes Yes Yes No No No
MatrixSSL No No No No Yes No Yes No Yes Yes Yes No No No
NSS Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes No[85] No[85] No[85]
OpenSSL Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes[86][87] Yes[86][87] Yes[86][87]
LibreSSL Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes[86][87] Yes[86][87] Yes[86][87]
PolarSSL No No No Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
SChannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2 No No No No No No No No Yes Yes Yes No No No
Secure Transport No No No No Yes No No No Yes No Yes No No No
SharkSSL No No No No Yes No Yes No Yes Yes Yes No No No
JSSE Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes No No No
Implementation secp160k1 secp160r1 secp160r2 secp192k1 secp192r1 prime192v1 secp224k1 secp224r1 secp256k1 secp256r1 prime256v1 secp384r1 secp521r1 brainpoolP256r1 brainpoolP384r1 brainpoolP512r1

Data integrity[edit]

Implementation HMAC-MD5 HMAC-SHA1 HMAC-SHA256/384 AEAD GOST28147-89-MAC[41] GOST 34.11-94[41]
Botan Yes Yes Yes Yes No No
cryptlib Yes Yes Yes Yes No No
CyaSSL Yes Yes Yes Yes No No
GnuTLS Yes Yes Yes Yes No No
MatrixSSL Yes Yes Yes Yes No No
NSS Yes Yes Yes Yes No[44][45] No[44][45]
OpenSSL Yes Yes Yes Yes Yes Yes
LibreSSL Yes Yes Yes Yes Yes Yes
PolarSSL Yes Yes Yes Yes No No
SChannel XP/2003, Vista/2008 Yes Yes XP SP3, 2003 SP2 via hotfix[88] No 3rd Party 3rd Party
SChannel 7/2008R2, 8/2012 Yes Yes Yes ECDHE_ECDSA only 3rd Party 3rd Party
SChannel 8.1/2012R2 Yes Yes Yes Except ECDHE_RSA[46] 3rd Party 3rd Party
Secure Transport Yes Yes Yes Yes No No
SharkSSL Yes Yes Yes Yes No No
JSSE Yes Yes Yes Yes No[47] No[47]
Implementation HMAC-MD5 HMAC-SHA1 HMAC-SHA256/384 AEAD GOST28147-89-MAC GOST 34.11-94

Compression[edit]

Note the CRIME security exploit takes advantage of TLS compression, so conservative implementations do not enable compression at the TLS level. HTTP compression is unrelated and unaffected by this exploit, but is exploited by the related BREACH attack.

Implementation DEFLATE[89]
(insecure)
Botan No
cryptlib No
CyaSSL Disabled by default
GnuTLS Disabled by default
MatrixSSL Disabled by default
NSS Disabled by default
OpenSSL Yes
LibreSSL No
PolarSSL Disabled by default
SChannel No
Secure Transport No
SharkSSL
JSSE No
Implementation DEFLATE

Extensions[edit]

In this section the extensions each implementation supports are listed. Note that the Secure Renegotiation extension is critical for HTTPS client security[citation needed]. TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.

Implementation Secure
Renegotiation[90]
Server Name
Indication[91]
ALPN[92] Certificate Status
Request
[91]
OpenPGP[93] Supplemental Data[94] Session Ticket[95] Keying Material Exporter[96] Maximum Fragment Length[91] Truncated HMAC[91]
Botan Yes Yes No No No No Yes Yes Yes No
cryptlib Yes Yes No No No Yes No No No[97] No
CyaSSL Yes Yes No No No No Yes No Yes Yes
GnuTLS Yes Yes Yes Yes Yes Yes Yes Yes Yes No
MatrixSSL Yes Yes No No No No Yes No Yes Yes
NSS Yes Yes Yes Yes No[98] No Yes Yes No No
OpenSSL Yes Yes Yes Yes No No? Yes Yes? No No
LibreSSL Yes Yes Yes Yes No No? Yes Yes? No No
PolarSSL Yes Yes Yes No No No Yes No Yes Yes
SChannel XP/2003 No No No No No Yes No No No No
SChannel Vista/2008 Yes Yes No No No Yes No No No No
SChannel 7/2008R2 Yes Yes No Yes No Yes No No No No
SChannel 8/2012 Yes Yes No Yes No Yes Client side only[99] No No No
SChannel 8.1/2012R2 Yes Yes Yes Yes No Yes Yes[99] No No No
Secure Transport Yes Yes Unknown No No Yes No No No No
SharkSSL Yes No No No No No No No No No
JSSE Yes Yes[38] Unknown No No No No No No No
Implementation Secure Renegotiation Server Name Indication ALPN Certificate Status Request OpenPGP Supplemental Data Session Ticket Keying Material Exporter Maximum Fragment Length Truncated HMAC

Assisted cryptography[edit]

This section lists the known ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or utilize system specific devices that allow access to underlying cryptographic hardware for acceleration or for data separation.

Implementation PKCS #11 device Intel AES-NI VIA PadLock STM32F2 Cavium NITROX Freescale CAU/mmCAU ARMv8-A Microchip PIC32MZ
Botan No Yes No No No No No No
cryptlib Yes No Yes No No No No No
CyaSSL No Yes No Yes Yes Yes No Yes
GnuTLS Yes Yes Yes No No No No No
MatrixSSL Yes Yes No No No No No No
NSS Yes[100] Yes[101] No[102] No No No No No
OpenSSL No Yes Yes No Yes No No No
LibreSSL No Yes Yes No Yes No No No
PolarSSL Yes Yes[103] Yes No No No No No
SChannel No Yes No No No No No No
Secure Transport No No No No No No Yes No
SharkSSL
JSSE Yes Yes[104] No No No No No No
Implementation PKCS #11 device Intel AES-NI VIA PadLock STM32F2 Cavium NITROX Freescale CAU/mmCAU ARMv8-A Microchip PIC32MZ

System-specific backends[edit]

This section lists the ability of an implementation to take advantage of the available operating system specific backends, or even the backends provided by another implementation.

Implementation /dev/crypto Windows CSP CommonCrypto OpenSSL engine
Botan No No No No
cryptlib No No No No
CyaSSL No Partial No No
GnuTLS Yes No No No
MatrixSSL No No Yes Yes
NSS No No No No
OpenSSL Yes No No Yes
LibreSSL Yes No No Yes
PolarSSL No No No No
SChannel No Yes No No
Secure Transport No No Yes No
SharkSSL
JSSE No Yes No No
Implementation /dev/crypto Windows CSP CommonCrypto OpenSSL engine

Cryptographic module/token support[edit]

Implementation TPM support Hardware token support Objects identified via
Botan No No
cryptlib No PKCS11 User-defined label
CyaSSL No No
GnuTLS Yes PKCS11 PKCS #11 URLs[105]
MatrixSSL No PKCS11
NSS No PKCS11
OpenSSL Yes PKCS11 (via 3rd party module) Custom method
LibreSSL Yes PKCS11 (via 3rd party module) Custom method
PolarSSL No PKCS11 (via libpkcs11-helper) or standard hooks Custom method
SChannel No Microsoft CryptoAPI UUID, User-defined label
Secure Transport
SharkSSL
JSSE No PKCS11 Java Cryptography Architecture/
Java Cryptography Extension
Implementation TPM support Hardware token support Objects identified via

Code size and dependencies[edit]

The size is given in kSLOC (1000 source lines of code).

Implementation Code size Dependencies Optional
dependencies
Botan 32 kSLOC C++11 sqlite, zlib (compression), bzip2 (compression), liblzma (compression)
CyaSSL 67 kSLOC None libc, zlib (compression)
GnuTLS 138 kSLOC libc
nettle
gmp
zlib (compression)
p11-kit (PKCS #11)
trousers (TPM)
MatrixSSL 22 kSLOC none zlib (compression)
MatrixSSL-open 18 kSLOC libc or newlib
NSS 400 kSLOC libc
libnspr4
libsoftokn3
libplc4
libplds4
zlib (compression)
OpenSSL 159 kSLOC libc zlib (compression)
PolarSSL 14 kSLOC libc libpkcs11-helper (PKCS #11)
zlib (compression)
JSSE 37 kSLOC

(Framework and Oracle provider)

Java
Implementation Code size Dependencies Optional
dependencies

Development environment[edit]

Implementation Namespace Build tools API manual Crypto back-end OpenSSL compatibility Layer[clarify]
Botan Botan::TLS Makefile Sphinx Included (monolithic) No
cryptlib crypt* makefile, MSVC project workspaces Programmers reference manual (PDF), architecture design manual (PDF) Included (monolithic) No
CyaSSL CyaSSL_*

SSL_*

Autoconf, automake, libtool, MSVC project workspaces, XCode projects, CodeWarrior projects, MPLAB X projects, Keil, IAR, Clang, GCC Manual and API Reference (HTML, PDF) Included (monolithic) Yes (about 10% of API)
GnuTLS gnutls_* Autoconf, automake, libtool Manual and API reference (HTML, PDF) External, libnettle Yes (limited)
MatrixSSL matrixSsl_*

ps*

Makefile, MSVC project workspaces, Xcode projects for Mac OS X and iOS API Reference (PDF), Integration Guide Included (pluggable) Yes (Subset: SSL_read, SSL_write, etc.)
NSS CERT_*

SEC_*
SECKEY_*
NSS_*
PK11_*
SSL_*
...

Makefile Manual (HTML) Included, PKCS#11 based[106] Yes (separate package called nss_compat_ossl[107])
OpenSSL SSL_*

SHA1_*
MD5_*
EVP_*
...

Makefile Man pages Included (monolithic) N/A
PolarSSL ssl_*

sha1_*
md5_*
x509parse_*
...

Makefile, CMake, MSVC project workspaces API Reference + High Level and Module Level Documentation (HTML) Included (monolithic) No
SharkSSL SharkSsl* Makefile (online) HTML Manual and API Reference Included (monolithic) No
JSSE javax.net.ssl Makefile API Reference (HTML) +

Java SE 7

Java Cryptography Architecture/
Java Cryptography Extension
No
Implementation Namespace Build tools API manual Crypto back-end OpenSSL compatibility layer

Portability concerns[edit]

Implementation Platform requirements Network requirements Thread safety Random seed Able to cross-compile No OS (bare metal) Supported operating systems
Botan C++11 None Thread-safe Platform-dependent Yes Most Windows and POSIX systems
cryptlib C89 POSIX send() and recv(). API to supply your own replacement Thread-safe Platform-dependent, including hardware sources Yes Yes AMX, BeOS, ChorusOS, DOS, eCOS, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, Palm OS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, OS X, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK
CyaSSL C89 POSIX send() and recv(). API to supply your own replacement. Thread-safe, needs mutex hooks if PThreads or WinThreads not available, can be turned off Random seed set through CTaoCrypt Yes Yes Win32/64, Linux, Mac OS X, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, OpenCL, NonStop, TRON/ITRON/µITRON, Micrium's µC OS, FreeRTOS, SafeRTOS, Freescale MQX, Nucleus, TinyOS, HP/UX, Keil RTX, TI-RTOS
GnuTLS C89 POSIX send() and recv(). API to supply your own replacement. Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available. Platform dependent Yes No Generally any POSIX platforms or Windows, commonly tested platforms include GNU/Linux, Win32/64, Mac OS X, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD.
MatrixSSL C89 None Thread-safe Platform dependent Yes Yes All
NSS C89, NSPR[108] NSPR[108] PR_Send() and PR_Recv(). API to supply your own replacement. Thread-safe Platform dependent[109] Yes (but cumbersome) No AIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, Mac OS X, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation
OpenSSL C89?  ? Needs mutex callbacks Set through native API Yes No Unix, DOS (with djgpp), Windows, OpenVMS, MacOS, NetWare
PolarSSL C89 POSIX read() and write(). API to supply your own replacement. Threading layer available (POSIX or own hooks) Random seed set through entropy pool Yes Yes Known to work on: Win32/64, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox, Android, SeggerOS
SharkSSL C89 None: Transport agnostic API Thread-safe: multiple ports Random seed set through entropy pool and/or HW Yes Yes INTEGRITY, MQX, SMX, ThreadX, VxWorks, SeggerOS, OSE, Android, Win 32/64, Linux 32/64, uCLinux, Mac OS X, OpenBSD, DD-WRT, OpenWrt
JSSE Java Java SE network components Thread-safe Depends on java.security.SecureRandom Yes Java based, platform-independent
Implementation Platform requirements Network requirements Thread safety Random seed Able to cross-compile No OS (bare metal) Supported operating systems

See also[edit]

  • SCTP — with DTLS support
  • DCCP — with DTLS support
  • SRTP — with DTLS support (DTLS-SRTP) and Secure Real-Time Transport Control Protocol (SRTCP)

References[edit]

  1. ^ "Version 1.10.8, 2014-04-10 — Botan". 2014-04-10. Retrieved 2014-06-16. 
  2. ^ "cryptlib 3.4.2 released". 2012-12-17. Retrieved 2014-06-16. 
  3. ^ "CyaSSL ChangeLog". 2014-09-10. Retrieved 2014-09-10. 
  4. ^ "GnuTLS". 2014-08-24. Retrieved 2014-09-09. 
  5. ^ "GnuTLS". 2014-08-24. Retrieved 2014-09-09. 
  6. ^ The features listed are for the closed source version
  7. ^ "MatrixSSL - News". 2014-09-05. Retrieved 2014-09-15. 
  8. ^ "NSS 3.17 release notes". Mozilla. 2014-08-19. Retrieved 2014-08-20. 
  9. ^ a b c "OpenSSL: News, Project Newsflash". Retrieved 6 August 2014. 
  10. ^ "LibreSSL 2.0.5 released". 2014-08-08. Retrieved 2014-08-08. 
  11. ^ a b "Download overview - PolarSSL". 2014-07-11. Retrieved 2014-07-13. 
  12. ^ "Nsssl - AOLserver Wiki". Retrieved 2014-07-04. 
  13. ^ "SharkSSL product description". Retrieved 2014-04-21. 
  14. ^ "Latest Java Releases - bouncycastle.org". 2014-07-27. Retrieved 2014-07-29. 
  15. ^ "The Legion of the Bouncy Castle C# Cryptography APIs". 2011-04-07. Retrieved 2014-06-16. 
  16. ^ RFC6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
  17. ^ "CBC-Padding: Security Flaws in SSL, IPsec, WTLS,...", Serge Vaudenay, 2001
  18. ^ Rizzo/Duong BEAST Countermeasures
  19. ^ TLSv1.2's Major Differences from TLSv1.1
  20. ^ a b RFC 6347
  21. ^ "Bard attack". CiteSeerX: 10.1.1.61.5887. 
  22. ^ SSLv2 is insecure
  23. ^ RFC 6101
  24. ^ RFC 2246
  25. ^ RFC 4346
  26. ^ a b c d e f g h RFC 5246
  27. ^ RFC 4347
  28. ^ a b "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Retrieved 2012-10-27. 
  29. ^ "NSS 3.15.1 release notes". Mozilla Developer Network. Mozilla. Retrieved 2013-08-10. 
  30. ^ "NSS 3.16.2 release notes". Mozilla Developer Network. Mozilla. 2014-06-30. Retrieved 2014-06-30. 
  31. ^ a b c d e f g h www.openssl.org/news/changelog.html
  32. ^ TLS cipher suites in Microsoft Windows XP and 2003
  33. ^ SChannel Cipher Suites in Microsoft Windows Vista
  34. ^ TLS Cipher Suites in SChannel for Windows 7, 2008R2, 8, 2012
  35. ^ a b "An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1". Microsoft. Retrieved 13 November 2012. 
  36. ^ "Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03. 
  37. ^ "Bug 663320 - (NSA-Suite-B-TLS) Implement RFC6460 (NSA Suite B profile for TLS)". Mozilla. Retrieved 2014-05-19. 
  38. ^ a b http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html
  39. ^ http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
  40. ^ a b c d e RFC 4492
  41. ^ RFC 4357
  42. ^ a b Mozilla.org. "Bug 102794 - Implement the server-side code of the DHE SSL ciphersuites.". Retrieved 19 November 2013. 
  43. ^ a b c d Mozilla.org. "Bug 518787 - Add GOST crypto algorithm support in NSS". Retrieved 2014-07-01. 
  44. ^ a b c d Mozilla.org. "Bug 608725 - Add Russian GOST cryptoalgorithms to NSS and Thunderbird". Retrieved 2014-07-01. 
  45. ^ a b c Update adds new TLS cipher suites and changes cipher suite priorities in Windows 8.1 and Windows Server 2012 R2
  46. ^ a b c d Extensions to support this functionality might be available.
  47. ^ a b c RFC 5054
  48. ^ a b c RFC 4279
  49. ^ RFC 5489
  50. ^ "RFC 5487 in CyaSSL TLS Library". 2014-06-25. Retrieved 2014-07-14. 
  51. ^ a b c "Bug 405155 - add support for TLS-SRP, rfc5054". Mozilla. Retrieved 2014-01-25. 
  52. ^ a b c d "Bug 306435 - Mozilla browsers should support the new IETF TLS-PSK protocol to help reduce phishing". Mozilla. Retrieved 2014-01-25. 
  53. ^ "Bug 236245 - Update ECC/TLS to conform to RFC 4492". Mozilla. Retrieved 2014-06-09. 
  54. ^ a b c "LibreSSL 2.0.4 released". Retrieved 2014-08-04. 
  55. ^ a b c As of iOS 7, PSK ciphers are enumerated in the headers but there are no APIs that use them.
  56. ^ RFC 3280
  57. ^ RFC 2560
  58. ^ "Bug 672600 - Use DNSSEC/DANE chain stapled into TLS handshake in certificate chain validation". Mozilla. Retrieved 2014-06-18. 
  59. ^ a b "How Certificate Revocation Works". Microsoft TechNet. Microsoft. March 16, 2012. Retrieved July 10, 2013. 
  60. ^ RFC 5288
  61. ^ RFC 6655
  62. ^ RFC 5932, RFC 6367
  63. ^ RFC 6367
  64. ^ RFC 4162
  65. ^ a b RFC 6209
  66. ^ draft-agl-tls-chacha20poly1305-04, draft-mavrogiannopoulos-chacha-tls-02
  67. ^ As of June 2014, only available on Google services
  68. ^ "NSS 3.15.2 release notes". Mozilla Developer Network. Mozilla. Retrieved 2013-09-26. 
  69. ^ "NSS 3.12 is released". Retrieved 2013-11-19. 
  70. ^ "Bug 940119 - libssl does not support any TLS_ECDHE_*_CAMELLIA_*_GCM cipher suites". Mozilla. Retrieved 2013-11-19. 
  71. ^ "NSS 3.12.3 Release Notes". Mozilla Developer Network. Mozilla. Retrieved 2014-07-01. 
  72. ^ a b "Issue 310768: Support ChaCha20+Poly1305 TLS cipher suites". Google. Retrieved 2013-12-01. 
  73. ^ "Chrome 32 promotes Chacha20/Poly1305 suite, SSL Client Test fails to process SSL/TLS handshake". Qualys. Retrieved 2013-12-01. 
  74. ^ "Bug 917571 - Support ChaCha20+Poly1305 cipher suites". Mozilla. Retrieved 2013-12-01. 
  75. ^ As of June 2014, only available on private version of NSS integrated into Chromium and derived browsers (Google Chrome and Opera).[73][74] Patch for NSS upstream has been submitted and under review.[75]
  76. ^ "NSS 3.15.3 Release Notes". Mozilla Developer Network. Mozilla. Retrieved 2014-07-13. 
  77. ^ "MFSA 2013-103: Miscellaneous Network Security Services (NSS) vulnerabilities". Mozilla. Mozilla. Retrieved 2014-07-13. 
  78. ^ As of June 2014, only available on private version of OpenSSL integrated into Chromium and derived browsers (Google Chrome and Opera).[73]
  79. ^ PolarSSL 1.3.8 release notes
  80. ^ PolarSSL RC4 deprecation plan
  81. ^ Hofix 984963: TLS AES cipher suites for Microsoft Windows 2003
  82. ^ http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
  83. ^ Negotiation of arbitrary curves has been shown to be insecure for certain curve sizes Mavrogiannopoulos, Nikos and Vercautern, Frederik and Velichkov, Vesselin and Preneel, Bart (2012). A cross-protocol attack on the TLS protocol. Proceedings of the 2012 ACM conference on Computer and communications security. pp. 62–72. ISBN 978-1-4503-1651-4. 
  84. ^ a b c "Bug 943639 - Support for Brainpool ECC Curve (rfc5639)". Mozilla. Retrieved 2014-01-25. 
  85. ^ a b c d e f "OpenSSL RT #2239: [PATCH] RFC 5639 support - resolved 2012-04-22". OpenSSL.org. Retrieved 2014-02-03. 
  86. ^ a b c d e f "openssl-1.0.2-stable prerelease tarballs available on OpenSSL's FTP server: files openssl-1.0.2-stable-SNAP-*.tar.gz". OpenSSL.org. Retrieved 2014-02-03. 
  87. ^ "SHA2 and Windows". Retrieved 2014-09-08. 
  88. ^ RFC 3749
  89. ^ RFC 5746
  90. ^ a b c d RFC 6066
  91. ^ RFC 7301
  92. ^ RFC 6091
  93. ^ RFC 4680
  94. ^ RFC 5077
  95. ^ RFC 5705
  96. ^ Present but disabled by default due to lack of use by any implementation.
  97. ^ "Bug 961416 - Support RFC6091 - Using OpenPGP Keys for Transport Layer Security Authentication (TLS1.2)". Mozilla. Retrieved 2014-06-18. 
  98. ^ a b "What's New in TLS/SSL (Schannel SSP)". Retrieved 2014-06-18. 
  99. ^ Normally NSS's libssl performs all operations via the PKCS#11 interface, either to hardware or software tokens
  100. ^ "Bug 706024 - AES-NI enhancements to NSS on Sandy Bridge systems". Retrieved 2013-09-28. 
  101. ^ "Bug 479744 - RFE : VIA Padlock ACE support (hardware RNG, AES, SHA1 and SHA256)". Retrieved 2014-04-11. 
  102. ^ "We've incorporated support for AES-NI in our AES and GCM modules". 2013-12-31. Retrieved 2014-01-07. 
  103. ^ http://stackoverflow.com/questions/14259671/java-ssl-provider-with-aes-ni-support
  104. ^ PKCS #11 URLs is a way to refer to objects stored in PKCS #11 tokens
  105. ^ On the fly replaceable/augmentable.
  106. ^ http://fedoraproject.org/wiki/Nss_compat_ossl
  107. ^ a b Netscape Portable Runtime (NSPR)
  108. ^ For Unix/Linux it uses /dev/urandom if available, for Windows it uses CAPI. For other platforms it gets data from clock, and tries to open system files. NSS has a set of platform dependent functions it uses to determine randomness.