Comparison of TLS implementations: Difference between revisions
→Key exchange algorithms (alternative key-exchanges): mention that EC/DH-ANON is disabled by default
Revision as of 12:12, 6 May 2014
The Transport Layer Security (TLS) protocol provides the ability to secure communications across networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free and open source software.
All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.
Overview
Implementation | Developed by | Open source | Software license | Copyright owner | Latest stable version | Release date | Origin |
---|---|---|---|---|---|---|---|
Botan | Jack Lloyd | Yes | Simplified BSD License | Jack Lloyd | 1.11.5 | 2013-11-10 | US (Vermont) |
cryptlib | Peter Gutmann | Yes | Sleepycat License and commercial license | Peter Gutmann | 3.4.2 | 2012-12-17 | NZ |
CyaSSL | wolfSSL | Yes | GPLv2 and commercial license | wolfSSL Inc. | 3.0.0 | 2014-04-29 | US |
GnuTLS | GnuTLS project | Yes | LGPL | Free Software Foundation | 3.2.13 | 2014-04-07 | EU (Greece and Sweden) |
MatrixSSL | PeerSec Networks | Yes | GPLv2 and commercial license | PeerSec Networks | 3.6.1 | 2014-04-11 | US |
Network Security Services | | Yes | Mozilla Public License | NSS contributors | 3.16 | 2014-03-18 | US |
OpenSSL | OpenSSL project | Yes | OpenSSL / SSLeay dual-license | Eric Young, Tim Hudson, Sun, OpenSSL project, and others | 1.0.1g | 2014-04-07 | Australia/EU |
PolarSSL | Offspark | Yes | GPLv2 and commercial license | Brainspark B.V. (brainspark.nl) | 1.3.6 | 2014-04-11 | EU (Netherlands) |
SChannel | Microsoft | No | Proprietary | Microsoft Inc. | Windows 8.1 | 2013-11-13 | US |
Secure Transport | Apple Inc. | Yes | APSL 2.0 | Apple Inc. | 55471.14 (OS X 10.9.2) | 2014-02-25 | US |
SharkSSL | Realtimelogic LLC[1] | No | Proprietary | Realtimelogic LLC | 2.1 | 2014-01-12 | US |
JSSE | Oracle | Yes | GPLv2 and commercial license | Oracle | JDK 8 | 2014-03-18 (JDK 8) | US |
Bouncy Castle | The Legion of the Bouncy Castle Inc. | Yes | MIT License | Legion of the Bouncy Castle Inc. | Java 1.4-1.7 / C# | 2013-09-03 | Australia |
LibreSSL | OpenBSD | Yes | OpenSSL / SSLeay dual-license | Eric Young, Tim Hudson, Sun, OpenSSL project, and others | |||
Protocol support
Several versions of the TLS protocol exist. SSL 2.0 is a deprecated[2] protocol version with significant weaknesses. SSL 3.0 (1996) and TLS 1.0 (1999) are its successors and have two weaknesses in CBC padding that were explained in 2001 by Serge Vaudenay.[3] TLS 1.1 (2006) fixed only one of the two problems, by switching to random IVs for CBC block ciphers; the more problematic use of mac-pad-encrypt instead of the secure pad-mac-encrypt was ignored and is still present in TLS 1.2 today. A workaround for SSL 3.0 and TLS 1.0, roughly equivalent to the random IVs of TLS 1.1, was widely adopted by implementations in late 2011,[4] so from a security perspective all existing versions of TLS 1.0, 1.1 and 1.2 provide equivalent strength in the base protocol and are suitable for 128-bit security according to NIST SP 800-57 up to at least 2030. TLS 1.2 (2008) is the latest published version of the base protocol; it introduces a means to identify the hash used for digital signatures. While this permits stronger hash functions for digital signatures in the future (rsa,sha256/sha384/sha512) than the conservative SSL 3.0 choice (rsa,sha1+md5), the TLS 1.2 protocol change inadvertently and substantially weakened the default digital signatures, which now allow (rsa,sha1) and even (rsa,md5).[5]
Datagram Transport Layer Security (DTLS or Datagram TLS) 1.0 is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated. The revision DTLS 1.2, based on TLS 1.2, was published in January 2012.[6]
Note that there are known vulnerabilities in SSL 2.0. With the exception of the predictable IVs (for which an easy workaround exists), all currently known vulnerabilities affect SSL 3.0 and all versions of TLS 1.0/1.1/1.2 alike.[7]
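The CBC record construction described above, as an added Go example that is not code from the article or from any library it compares: the MAC is computed first, padding is appended, and the result is CBC-encrypted (mac-pad-encrypt); TLS 1.0 and TLS 1.1 differ only in whether the IV is chained from the previous record or drawn fresh and sent explicitly. The keys, the all-zero initial IV and the content type are constructed demo values, and the MAC is HMAC-SHA1.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// recordMAC is the TLS record MAC (HMAC-SHA1 here) over
// seq_num || type || version || length || fragment (RFC 2246 / RFC 4346).
func recordMAC(macKey []byte, seq uint64, ctype byte, ver [2]byte, fragment []byte) []byte {
	var hdr [13]byte
	binary.BigEndian.PutUint64(hdr[0:8], seq)
	hdr[8], hdr[9], hdr[10] = ctype, ver[0], ver[1]
	binary.BigEndian.PutUint16(hdr[11:13], uint16(len(fragment)))
	h := hmac.New(sha1.New, macKey)
	h.Write(hdr[:])
	h.Write(fragment)
	return h.Sum(nil)
}

// macPad is the "mac-pad" half of mac-pad-encrypt: the MAC follows the fragment,
// then padLen+1 bytes of value padLen fill the last block, so the MAC sits under the padding.
func macPad(macKey []byte, seq uint64, ctype byte, ver [2]byte, fragment []byte) []byte {
	buf := append(append([]byte{}, fragment...), recordMAC(macKey, seq, ctype, ver, fragment)...)
	padLen := aes.BlockSize - 1 - len(buf)%aes.BlockSize
	for i := 0; i <= padLen; i++ {
		buf = append(buf, byte(padLen))
	}
	return buf
}

// conn is one write direction of a CBC-protected connection (constructed demo state).
type conn struct {
	block   cipher.Block
	macKey  []byte
	ver     [2]byte // {3,1} = TLS 1.0, {3,2} = TLS 1.1
	seq     uint64
	chainIV []byte // TLS 1.0 only: starts as the 16-byte initial IV, then the previous record's last block
}

// sealRecord performs mac-pad-encrypt. The versions differ only in the IV: TLS 1.0 chains
// it from the previous record (so whoever saw that record knows the next IV), TLS 1.1
// draws a fresh random IV per record and transmits it explicitly in front of the ciphertext.
func (c *conn) sealRecord(ctype byte, fragment []byte) []byte {
	padded := macPad(c.macKey, c.seq, ctype, c.ver, fragment)
	c.seq++
	out := make([]byte, len(padded))
	if c.ver == [2]byte{3, 1} {
		cipher.NewCBCEncrypter(c.block, c.chainIV).CryptBlocks(out, padded)
		c.chainIV = out[len(out)-aes.BlockSize:]
		return out
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(c.block, iv).CryptBlocks(out, padded)
	return append(iv, out...)
}

// openRecord reverses mac-pad-encrypt for one record whose IV is passed separately
// (TLS 1.1's explicit IV or TLS 1.0's chained IV). The padding must be parsed before the
// MAC can be found; a careful receiver still runs the MAC check when the padding is
// malformed and reports a single bad_record_mac outcome for both failures.
func openRecord(block cipher.Block, macKey, iv []byte, seq uint64, ctype byte, ver [2]byte, ct []byte) ([]byte, bool) {
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, false
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-1])
	padOK := padLen+1+sha1.Size <= len(plain)
	if !padOK {
		padLen = 0 // assume minimal padding so the MAC check still executes
	}
	for _, b := range plain[len(plain)-1-padLen : len(plain)-1] {
		padOK = padOK && int(b) == padLen
	}
	body := plain[:len(plain)-1-padLen]
	fragment, mac := body[:len(body)-sha1.Size], body[len(body)-sha1.Size:]
	macOK := hmac.Equal(mac, recordMAC(macKey, seq, ctype, ver, fragment))
	if !macOK || !padOK {
		return nil, false
	}
	return fragment, true
}

func main() {
	block, _ := aes.NewCipher(make([]byte, 16)) // constructed all-zero demo key; a 16-byte key never fails
	c := &conn{block: block, macKey: make([]byte, 20), ver: [2]byte{3, 1}, chainIV: make([]byte, aes.BlockSize)}
	r1 := c.sealRecord(23, []byte("GET /a HTTP/1.1"))
	fmt.Printf("TLS 1.0 next IV:  %x\nlast block of r1: %x\n", c.chainIV, r1[len(r1)-aes.BlockSize:])
}
```

Running it prints the same 16 bytes twice: under TLS 1.0 the IV of the next record is the last ciphertext block of the record just sent, which is exactly what the explicit IV of TLS 1.1 removes.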
Implementation | SSL 2.0 (insecure)[8] | SSL 3.0[9] | TLS 1.0[10] | TLS 1.1[11] | TLS 1.2[12] | DTLS 1.0[13] | DTLS 1.2[6] |
---|---|---|---|---|---|---|---|
Botan | No[14] | Yes | Yes | Yes | Yes | Beta | Beta |
cryptlib | No | Yes | Yes | Yes | Yes | No | No |
CyaSSL | No | Yes | Yes | Yes | Yes | Yes | Yes |
GnuTLS | No[14] | Yes | Yes | Yes | Yes | Yes | Yes |
MatrixSSL | No[14] | Yes | Yes | Yes | Yes | Yes | Yes |
NSS | Disabled by default | Yes | Yes | Yes[15] | Yes[16] | Beta[15][17] | No[17][18] |
OpenSSL | Yes | Yes | Yes | Yes[19] | Yes[19] | Yes | Beta[19] |
PolarSSL | No | Yes | Yes | Yes | Yes | No | No |
SChannel XP/2003[20] | Disabled by MSIE 7 | Yes | Enabled by MSIE 7 | No | No | No | No |
SChannel Vista/2008[21] | Disabled by default | Yes | Yes | No | No | No | No |
SChannel Win7/2008R2[22] | Disabled by default | Yes | Yes | Yes | Yes | Yes[23] | Yes[23] |
SChannel Win8/2012 | Disabled by default | Yes | Yes | Yes | Yes | Yes | Yes |
Secure Transport | Not anymore[a] | Yes | Yes | Yes[a] | Yes[a] | Yes[a] | No |
SharkSSL | No | Yes | Yes | Yes | Yes | No | No |
JSSE | No[14] | Yes | Yes | Yes | Yes | No | No |
NSA Suite B Cryptography
Required components for NSA Suite B Cryptography (RFC 6460) are:
- Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits. For traffic flow, AES should be used with either the Counter Mode (CTR) for low bandwidth traffic or the Galois/Counter Mode (GCM) mode of operation for high bandwidth traffic (see Block cipher modes of operation) — symmetric encryption
- Elliptic Curve Digital Signature Algorithm (ECDSA) — digital signatures
- Elliptic Curve Diffie–Hellman (ECDH) — key agreement
- Secure Hash Algorithm 2 (SHA-256 and SHA-384) — message digest
Per CNSSP-15, the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.
Implementation | TLS 1.2 Suite B [RFC 6460] |
---|---|
Botan | Yes |
cryptlib | Yes |
CyaSSL | Yes |
GnuTLS | Yes |
NSS | No[25] |
MatrixSSL | Yes |
OpenSSL | No |
PolarSSL | Yes |
SChannel | No |
Secure Transport | Unknown |
SharkSSL | Yes |
JSSE | Yes[26] |
Certifications
Implementation | Certified version | FIPS 140-2 | Common Criteria |
---|---|---|---|
Botan | |||
cryptlib | |||
CyaSSL | |||
GnuTLS | |||
MatrixSSL | Level 1 | ||
NSS | 3.11.4, 3.12.4 | Level 2 | |
OpenSSL | 1.0, 1.1.1, 1.1.2, 1.2, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5 | Level 1 | |
PolarSSL | |||
SChannel | Windows CE, Embedded, XP, Vista, 7, 8, RT, Server 2003, Server 2008 R2, and Server 2012 | Level 1 | |
Secure Transport | Mac OS X 10.6 Snow Leopard, Mac OS X 10.7 Lion, Mac OS X 10.8 Mountain Lion, OS X 10.9 Mavericks, iOS 6.0, iOS 7.0 | Level 1 | |
SharkSSL | |||
JSSE | |||
Key exchange algorithms (certificate-only)
This section lists the certificate verification functionality available in the various implementations.
Implementation | RSA[12] | RSA-EXPORT (insecure)[12] | DHE-RSA (forward secrecy)[12] | DHE-DSS (forward secrecy)[12] | ECDH-ECDSA[28] | ECDHE-ECDSA (forward secrecy)[28] | ECDH-RSA[28] | ECDHE-RSA (forward secrecy)[28] | VKO GOST R 34.10-2001[29][30] |
---|---|---|---|---|---|---|---|---|---|
Botan | Yes | No | Yes | Yes | No | Yes | No | Yes | No |
cryptlib | Yes | No | Yes | Yes | No | Yes | No | No | No |
CyaSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
GnuTLS | Yes | Disabled by default | Yes | Yes | No | Yes | No | Yes | No |
MatrixSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
NSS | Yes | Disabled by default | Partial[31][32] | Partial[31][32] | Yes | Yes | Yes | Yes | No |
OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
PolarSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
SChannel XP/2003 | Yes | Yes | No | max.1024 | No | No | No | No | 3rd Party |
SChannel Vista/2008 | Yes | Disabled by default | No | max.1024 | No | Yes | No | Yes | 3rd Party |
SChannel 7/2008R2 | Yes | Disabled by default | No | max.1024 | No | Yes | No | Yes | 3rd Party |
SChannel 8/2012 | Yes | Disabled by default | No | max.1024 | No | Yes | No | Yes | 3rd Party |
Secure Transport | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No |
SharkSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
JSSE | Yes | Disabled by default | max.2048 | max.2048 | Yes | Yes | Yes | Yes | No[33] |
Certificate verification methods
Implementation | Application-defined | PKIX path validation[12] | CRL[34] | OCSP[35] | DANE (DNSSEC)[12] | Trust on First Use (TOFU) |
---|---|---|---|---|---|---|
Botan | Yes | Yes | Yes | Yes | No | No |
cryptlib | Yes | No | No | |||
CyaSSL | Yes | Yes | Yes | Yes | No | No |
GnuTLS | Yes | Yes | Yes | Yes | Yes | Yes |
MatrixSSL | Yes | Yes | Yes | No | No | No |
NSS | Yes | Yes | Yes | Yes | No | No |
OpenSSL | Yes | Yes | Yes | No | No | |
PolarSSL | Yes | Yes | Yes | No | No | |
SChannel | Yes | Yes[36] | Yes[36] | No | No | |
Secure Transport | Yes | Yes | Yes | Yes | No | No |
SharkSSL | ||||||
JSSE | Yes | Yes | Yes | Yes | No | No |
Key exchange algorithms (alternative key-exchanges)
Implementation | DH-ANON[12] (insecure) | SRP[37] | SRP-DSS[37] | SRP-RSA[37] | PSK-RSA[38] | PSK[38] | DHE-PSK[38] | ECDHE-PSK[39] | ECDH-ANON[28] (insecure) |
---|---|---|---|---|---|---|---|---|---|
Botan | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes |
cryptlib | No | No | No | No | No | Yes | Yes | No | No |
CyaSSL | No | No | No | No | No | Yes | No | No | No |
GnuTLS | Disabled by default | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Disabled by default |
MatrixSSL | Yes | No | No | No | No | Yes | Yes | No | No |
NSS | Yes | No[40] | No[40] | No[40] | No[41] | No[41] | No[41] | No[41] | Yes |
OpenSSL | Yes | Yes | Yes | Yes | No | Yes | No | No | Yes |
PolarSSL | No | No | No | No | Yes | Yes | Yes | Yes | No |
SChannel | No | No | No | No | No | No | No | No | No |
Secure Transport | Yes | No | No | No | Partial[42] | Partial[42] | Partial[42] | No | Yes |
SharkSSL | |||||||||
JSSE | Disabled by default in Java 8 | No | No | No | No | No | No | No | Disabled by default in Java 8 |
Encryption algorithms
Implementation | 3DES-CBC | AES-CBC | AES-GCM[43] | AES-CCM[44] | CAMELLIA-CBC[45] | CAMELLIA-GCM[46] | SEED-CBC[47] | DES-CBC (insecure) | RC4-128 (insecure) | RC4-40 (insecure) | CHACHA20-POLY1305[48][49] | GOST28147-89[29] |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Botan | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | No | No | No |
cryptlib | Yes | Yes | Yes | No | No | No | No | No | Yes | No | No | No |
CyaSSL | Yes | Yes | Yes | Yes | Yes | No | No | No | Yes | No | No | No |
GnuTLS | Yes | Yes | Yes | No | Yes | Yes | No | No | Yes | Disabled by default | No | No |
MatrixSSL | Yes | Yes | Yes | No | No | No | Yes | No | Yes | No | No | No |
NSS | Yes | Yes | Yes[50] | No | Yes[51][52] | No[53] | Yes[54] | Disabled by default | Yes | Disabled by default | Partial[58] | No |
OpenSSL | Yes | Yes | Yes [19] | No | Yes | No | Yes | Yes | Yes | Yes | Partial[59] | Yes |
PolarSSL | Yes | Yes | Yes | No | Yes | Yes | No | Disabled by default | Yes | No | No | No |
SChannel XP/2003 | Yes | 2003 only[60] | No | No | No | No | No | Yes | Yes | Yes | No | 3rd Party |
SChannel Vista/2008 | Yes | Yes | No | No | No | No | No | Disabled by default | Yes | Disabled by default | No | 3rd Party |
SChannel 7/2008R2 | Yes | Yes | ECDHE_ECDSA only[61] | No | No | No | No | Disabled by default | Disabled by IE11 except as a fallback if no other enabled algorithm works | Disabled by default | No | 3rd Party |
SChannel 8/2012 | Yes | Yes | ECDHE_ECDSA only[61] | No | No | No | No | Disabled by default | Yes | Disabled by default | No | 3rd Party |
SChannel 8.1/2012 R2 | Yes | Yes | ECDHE_ECDSA only[61] | No | No | No | No | Disabled by default | Disabled except as a fallback if no other enabled algorithm works | Disabled by default | No | 3rd Party |
Secure Transport | Yes | Yes | Yes | Yes | No | No | No | Yes | Yes | Yes | No | No |
SharkSSL | Yes | Yes | Yes | Yes | No | No | No | Yes | Yes | No | No | No |
JSSE | Yes | Yes | Yes | No | No | No | No | Disabled by default | Yes | Disabled by default[62] | No | No[33] |
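A way to check what an OpenSSL-based build actually enables, as an added Go example that is not part of the article: it parses `openssl ciphers -v` output and flags the properties the two preceding tables mark as insecure (anonymous DH/ECDH key exchange, export grades, RC4-128, RC4-40, single DES), plus NULL encryption. The listing embedded here is constructed in that output format for the example and is not captured from any listed implementation.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// suite holds one `openssl ciphers -v` line such as
// "ADH-AES128-SHA  SSLv3 Kx=DH  Au=None  Enc=AES(128)  Mac=SHA1".
type suite struct {
	Name, Proto, Kx, Au, Enc, Mac string
	Export                        bool // trailing "export" marker on 40/56-bit suites
}

var fieldRe = regexp.MustCompile(`(\w+)=(\S+)`)

// parseSuite parses one `openssl ciphers -v` line; ok is false for lines that
// do not carry all of the Kx=/Au=/Enc=/Mac= fields.
func parseSuite(line string) (suite, bool) {
	f := strings.Fields(line)
	if len(f) < 6 {
		return suite{}, false
	}
	s := suite{Name: f[0], Proto: f[1], Export: f[len(f)-1] == "export"}
	fields := map[string]*string{"Kx": &s.Kx, "Au": &s.Au, "Enc": &s.Enc, "Mac": &s.Mac}
	for _, m := range fieldRe.FindAllStringSubmatch(line, -1) {
		if p, known := fields[m[1]]; known {
			*p = m[2]
		}
	}
	return s, s.Kx != "" && s.Au != "" && s.Enc != "" && s.Mac != ""
}

// findings lists the article's "(insecure)" properties a suite has; an empty
// result means none of them applies.
func findings(s suite) []string {
	var out []string
	if s.Au == "None" { // DH-ANON / ECDH-ANON: no server authentication at all
		out = append(out, "anonymous key exchange")
	}
	if s.Export || strings.HasSuffix(s.Kx, "(512)") {
		out = append(out, "export-grade key exchange")
	}
	switch {
	case strings.HasPrefix(s.Enc, "RC4(40)"):
		out = append(out, "RC4-40")
	case strings.HasPrefix(s.Enc, "RC4("):
		out = append(out, "RC4-128")
	case strings.HasPrefix(s.Enc, "DES("): // "3DES(168)" does not match this prefix
		out = append(out, "single DES")
	case s.Enc == "None":
		out = append(out, "NULL encryption")
	}
	return out
}

// audit parses a whole `openssl ciphers -v` listing and returns, keyed by suite
// name, the insecure properties of every suite that has any.
func audit(listing string) map[string][]string {
	report := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(listing))
	for sc.Scan() {
		if s, ok := parseSuite(sc.Text()); ok {
			if f := findings(s); len(f) > 0 {
				report[s.Name] = f
			}
		}
	}
	return report
}

// sampleListing is constructed in `openssl ciphers -v` output format for this
// example; it is not the output of any particular library build.
const sampleListing = `ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
`

func main() {
	report := audit(sampleListing)
	names := make([]string, 0, len(report))
	for n := range report {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic output
	for _, n := range names {
		fmt.Printf("%-24s %s\n", n, strings.Join(report[n], "; "))
	}
}
```

Feed the real `openssl ciphers -v` output of the build under review into audit() in place of sampleListing; an empty report for the default cipher string is what a conservative configuration should produce.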
Supported elliptic curves
This section lists the elliptic curves supported by each implementation.
Implementation | Arbitrary curves | Arbitrary char2 curves | sect163k1 (1) | sect163r1 (2) | sect163r2 (3) | sect193r1 (4) | sect193r2 (5) | sect233k1 (6) | sect233r1 (7) | sect239k1 (8) | sect283k1 (9) | sect283r1 (10) | sect409k1 (11) | sect409r1 (12) | sect571k1 (13) | sect571r1 (14) |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Botan | No | No | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
CyaSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
GnuTLS | No | No | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
MatrixSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
NSS | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
PolarSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
Secure Transport | No | No | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
SharkSSL | ||||||||||||||||
JSSE | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Implementation | secp160k1 (15) | secp160r1 (16) | secp160r2 (17) | secp192k1 (18) | secp192r1 prime192v1 (19) | secp224k1 (20) | secp224r1 (21) | secp256k1 (22) | secp256r1 prime256v1 (23) | secp384r1 (24) | secp521r1 (25) | brainpoolP256r1 (26) | brainpoolP384r1 (27) | brainpoolP512r1 (28) |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Botan | No | Yes | No | No | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
CyaSSL | No | Yes | No | No | Yes | No | Yes | No | Yes | Yes | Yes | No | No | No |
GnuTLS | No | No | No | No | Yes | No | Yes | No | Yes | Yes | Yes | No | No | No |
MatrixSSL | No | No | No | No | Yes | No | Yes | No | Yes | Yes | Yes | No | No | No |
NSS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No[63] | No[63] | No[63] |
OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes[64][65] | Yes[64][65] | Yes[64][65] |
PolarSSL | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Secure Transport | No | No | No | No | Yes | No | No | No | Yes | No | Yes | No | No | No |
SharkSSL | ||||||||||||||
JSSE | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No |
Assisted cryptography
This section lists the known ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or utilize system specific devices that allow access to underlying cryptographic hardware for acceleration or for data separation.
Implementation | PKCS #11 device | Intel AES-NI | VIA PadLock | STM32F2 | Cavium NITROX | Freescale CAU/mmCAU | ARMv8-A | Microchip PIC32MZ |
---|---|---|---|---|---|---|---|---|
Botan | No | Yes | No | No | No | No | No | No |
cryptlib | Yes | No | Yes | No | No | No | No | No |
CyaSSL | No | Yes | No | Yes | Yes | Yes | No | Yes |
GnuTLS | Yes | Yes | Yes | No | No | No | No | No |
MatrixSSL | Yes | Yes | No | No | No | No | No | No |
NSS | Yes[66] | Yes[67] | No[68] | No | No | No | No | No |
OpenSSL | No | Yes | Yes | No | Yes | No | No | No |
PolarSSL | Yes | Yes[69] | Yes | No | No | No | No | No |
SChannel | No | Yes | No | No | No | No | No | No |
Secure Transport | No | No | No | No | No | No | Yes | No |
SharkSSL | ||||||||
JSSE | Yes | Yes[70] | No | No | No | No | No | No |
System-specific backends
This section lists the ability of an implementation to take advantage of the available operating system specific backends, or even the backends provided by another implementation.
Implementation | /dev/crypto | Windows CSP | CommonCrypto | OpenSSL engine |
---|---|---|---|---|
Botan | No | No | No | No |
cryptlib | No | No | No | No |
CyaSSL | No | Partial | No | No |
GnuTLS | Yes | No | No | No |
MatrixSSL | No | No | Yes | Yes |
NSS | No | No | No | No |
OpenSSL | Yes | No | No | Yes |
PolarSSL | No | No | No | No |
SChannel | No | Yes | No | No |
Secure Transport | No | No | Yes | No |
SharkSSL | ||||
JSSE | No | Yes | No | No |
MAC functions
Implementation | AEAD | HMAC-MD5 | HMAC-SHA-1 | HMAC-SHA-256 | GOST28147-89-MAC[29] | GOST 34.11-94[29] |
---|---|---|---|---|---|---|
Botan | Yes | Yes | Yes | Yes | No | No |
cryptlib | Yes | Yes | Yes | Yes | No | No |
CyaSSL | Yes | Yes | Yes | Yes | No | No |
GnuTLS | Yes | Yes | Yes | Yes | No | No |
MatrixSSL | Yes | Yes | Yes | Yes | No | No |
NSS | Yes | Yes | Yes | Yes | No | No |
OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes |
PolarSSL | Yes | Yes | Yes | Yes | No | No |
SChannel XP/2003 | No | Yes | Yes | No | 3rd Party | 3rd Party |
SChannel Vista/2008 | No | Yes | Yes | No | 3rd Party | 3rd Party |
SChannel 7/2008R2 | ECDHE_ECDSA only | Yes | Yes | Yes | 3rd Party | 3rd Party |
SChannel 8/2012 | ECDHE_ECDSA only | Yes | Yes | Yes | 3rd Party | 3rd Party |
Secure Transport | Yes | Yes | Yes | Yes | No | No |
SharkSSL | Yes | Yes | Yes | Yes | No | No |
JSSE | Yes | Yes | Yes | Yes | No[33] | No[33] |
Compression
Note that the CRIME attack takes advantage of TLS compression, so conservative implementations do not enable compression at the TLS level. HTTP compression is unrelated and unaffected by CRIME, but it is exploited by the related BREACH attack.
Implementation | DEFLATE[71] (insecure) |
---|---|
Botan | No |
cryptlib | No |
CyaSSL | Disabled by default |
GnuTLS | Disabled by default |
MatrixSSL | Disabled by default |
NSS | Disabled by default |
OpenSSL | Yes |
PolarSSL | Disabled by default |
SChannel | No |
Secure Transport | No |
SharkSSL | |
JSSE | No |
Cryptographic module/token support
Implementation | TPM support | Hardware token support | Objects identified via |
---|---|---|---|
Botan | No | No | |
cryptlib | No | PKCS11 | User-defined label |
CyaSSL | No | No | |
GnuTLS | Yes | PKCS11 | PKCS #11 URLs[72] |
MatrixSSL | No | PKCS11 | |
NSS | No | PKCS11 | |
OpenSSL | Yes | PKCS11 (via external module) | Custom method |
PolarSSL | No | PKCS11 (via libpkcs11-helper) or standard hooks | Custom method |
SChannel | No | Microsoft CryptoAPI | UUID, User-defined label |
Secure Transport | |||
SharkSSL | |||
JSSE | No | PKCS11, Java Cryptography Architecture / Java Cryptography Extension | |
Extensions
This section lists the extensions each implementation supports. Note that the Secure Renegotiation extension is critical for HTTPS client security: TLS clients that do not implement it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.
Implementation | Secure Renegotiation[73] | Server Name Indication[74] | Application Layer Protocol Negotiation[75] | Certificate Status Request[74] | OpenPGP[76] | Supplemental Data[77] | Session Ticket[78] | Keying Material Exporter[79] | Maximum Fragment Length[74] | Truncated HMAC[74] |
---|---|---|---|---|---|---|---|---|---|---|
Botan | Yes | Yes | Unknown | No | No | No | Yes | Yes | Yes | No |
cryptlib | Yes | Yes | Unknown | No | No | Yes | No | No | No[80] | No |
CyaSSL | No | Yes | Unknown | No | No | No | Yes | No | Yes | Yes |
GnuTLS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
MatrixSSL | Yes | Yes | Unknown | No | No | No | Yes | No | Yes | Yes |
NSS | Yes | Yes | Yes | Yes | No | No | Yes | Yes | No | No |
OpenSSL | Yes | Yes | Yes | Yes | No | No? | Yes | Yes? | No | No |
PolarSSL | Yes | Yes | Unknown | No | No | No | Yes | No | Yes | Yes |
SChannel | Yes | Yes | Yes | Yes | No | Yes | No[81] | No | No | No |
Secure Transport | Yes | Yes | Unknown | No | No | Yes | No | No | No | No |
SharkSSL | ||||||||||
JSSE | Yes | Yes[26] | Unknown | No | No | No | No | No | No | No |
Code size and dependencies
The size is given in kSLOC (1000 source lines of code).
Implementation | Code size | Dependencies | Optional dependencies |
---|---|---|---|
Botan | 32 kSLOC | C++11 | sqlite, zlib (compression), bzip2 (compression), liblzma (compression) |
CyaSSL | 67 kSLOC | None | libc, zlib (compression) |
GnuTLS | 138 kSLOC | libc, nettle, gmp | zlib (compression), p11-kit (PKCS #11), trousers (TPM) |
MatrixSSL | 22 kSLOC | none | zlib (compression) |
MatrixSSL-open | 18 kSLOC | libc or newlib | |
NSS | 400 kSLOC | libc, libnspr4, libsoftokn3, libplc4, libplds4 | zlib (compression) |
OpenSSL | 159 kSLOC | libc | zlib (compression) |
PolarSSL | 14 kSLOC | libc | libpkcs11-helper (PKCS #11), zlib (compression) |
JSSE | 37 kSLOC (Framework and Oracle provider) | Java | |
Development environment
Implementation | Namespace | Build tools | API manual | Crypto back-end | OpenSSL compatibility layer |
---|---|---|---|---|---|
Botan | Botan::TLS | Makefile | Sphinx | Included (monolithic) | No |
cryptlib | crypt* | makefile, MSVC project workspaces | Programmers reference manual (PDF), architecture design manual (PDF) | Included (monolithic) | No |
CyaSSL | CyaSSL_*, SSL_* | Autoconf, automake, libtool, MSVC project workspaces, XCode projects, CodeWarrior projects, MPLAB X projects, Keil, IAR, Clang, GCC | Manual and API Reference (HTML, PDF) | Included (monolithic) | Yes (about 10% of API) |
GnuTLS | gnutls_* | Autoconf, automake, libtool | Manual and API reference (HTML, PDF) | External, libnettle | Yes (limited) |
MatrixSSL | matrixSsl_*, ps* | Makefile, MSVC project workspaces, Xcode projects for Mac OS X and iOS | API Reference (PDF), Integration Guide | Included (pluggable) | Yes (Subset: SSL_read, SSL_write, etc.) |
NSS | CERT_*, SEC_* | Makefile | Manual (HTML) | Included, PKCS#11 based[82] | Yes (separate package called nss_compat_ossl[83]) |
OpenSSL | SSL_*, SHA1_* | Makefile | Man pages | Included (monolithic) | — |
PolarSSL | ssl_*, sha1_* | Makefile, CMake, MSVC project workspaces | API Reference + High Level and Module Level Documentation (HTML) | Included (monolithic) | No |
JSSE | javax.net.ssl | Makefile | API Reference (HTML) | Java Cryptography Architecture / Java Cryptography Extension | No |
Portability concerns
Implementation | Platform requirements | Network requirements | Thread safety | Random seed | Able to cross-compile | No OS (bare metal) | Supported operating systems |
---|---|---|---|---|---|---|---|
Botan | C++11 | None | Thread-safe | Platform-dependent | Yes | | Most Windows and POSIX systems |
cryptlib | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe | Platform-dependent, including hardware sources | Yes | | AMX, BeOS, ChorusOS, DOS, eCOS, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, Palm OS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, OS X, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK |
CyaSSL | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe, needs mutex hooks if PThreads or WinThreads not available, can be turned off | Random seed set through CTaoCrypt | Yes | Yes | Win32/64, Linux, Mac OS X, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, OpenCL, NonStop, TRON/ITRON/µITRON, Micrium's µC OS, FreeRTOS, SafeRTOS, Freescale MQX, Nucleus, TinyOS, HP/UX, Keil RTX |
GnuTLS | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available. | Platform dependent | Yes | | Generally any POSIX platform or Windows; commonly tested platforms include GNU/Linux, Win32/64, Mac OS X, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD. |
MatrixSSL | C89 | None | Thread-safe | Platform dependent | Yes | Yes | All |
NSS | C89, NSPR[84] | NSPR[84] PR_Send() and PR_Recv(). API to supply your own replacement. | Thread-safe | Platform dependent[85] | Yes (but cumbersome) | | AIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, Mac OS X, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation |
OpenSSL | C89? | ? | Needs mutex callbacks | Set through native API | | | Unix, DOS (with djgpp), Windows, OpenVMS, MacOS, NetWare |
PolarSSL | C89 | POSIX read() and write(). API to supply your own replacement. | Threading layer available (POSIX or own hooks) | Random seed set through entropy pool | Yes | Yes | Known to work on: Win32/64, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox, Android, SeggerOS |
JSSE | Java | Java SE network components | Thread-safe | Depends on java.security.SecureRandom | Yes | | Java based, platform-independent |
See also
- SCTP — with DTLS support
- DCCP — with DTLS support
- SRTP — with DTLS support (DTLS-SRTP) and Secure Real-Time Transport Control Protocol (SRTCP)
References
- ^ "SharkSSL product description". Retrieved 2014-04-21.
- ^ RFC6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
- ^ "CBC-Padding: Security Flaws in SSL, IPsec, WTLS,...", Serge Vaudenay, 2001
- ^ Rizzo/Duong BEAST Countermeasures
- ^ TLSv1.2's Major Differences from TLSv1.1
- ^ a b RFC 6347
- ^ "Bard attack". CiteSeerx: 10.1.1.61.5887.
- ^ SSLv2 is insecure
- ^ RFC 6101
- ^ RFC 2246
- ^ RFC 4346
- ^ a b c d e f g h RFC 5246
- ^ RFC 4347
- ^ a b c d SSLv2 client hello is supported
- ^ a b "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Retrieved 2012-10-27.
- ^ "NSS 3.15.1 release notes". Mozilla Developer Network. Mozilla. Retrieved 2013-08-10.
- ^ a b "Bug 681065 - (dtls) Implement DTLS (Datagram TLS) in libssl". Mozilla. Retrieved 2013-11-18.
- ^ "Bug 959864 - Support DTLS 1.2". Mozilla. Retrieved 2014-01-25.
- ^ a b c d www.openssl.org/news/changelog.html
- ^ TLS cipher suites in Microsoft Windows XP and 2003
- ^ SChannel Cipher Suites in Microsoft Windows Vista
- ^ TLS Cipher Suites in SChannel for Windows 7, 2008R2, 8, 2012
- ^ a b "An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1". Microsoft. Retrieved 13 November 2012.
- ^ "Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
- ^ "Bug 663320 - (NSA-Suite-B-TLS) Implement RFC5430 (NSA Suite B profile for TLS)". Mozilla. Retrieved 2014-01-25.
- ^ a b http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html
- ^ http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
- ^ a b c d e RFC 4492
- ^ a b c d draft-chudov-cryptopro-cptls-04
- ^ RFC 4357
- ^ a b Client side only
- ^ a b Mozilla.org. "Bug 102794 - Implement the server-side code of the DHE SSL ciphersuites". Retrieved 19 November 2013.
- ^ a b c d Extensions to support this functionality might be available.
- ^ RFC 3280
- ^ RFC 2560
- ^ a b "How Certificate Revocation Works". Microsoft TechNet. Microsoft. March 16, 2012. Retrieved July 10, 2013.
- ^ a b c RFC 5054
- ^ a b c RFC 4279
- ^ RFC 5489
- ^ a b c "Bug 405155 - add support for TLS-SRP, rfc5054". Mozilla. Retrieved 2014-01-25.
- ^ a b c d "Bug 306435 - Mozilla browsers should support the new IETF TLS-PSK protocol to help reduce phishing". Mozilla. Retrieved 2014-01-25.
- ^ a b c As of iOS 7, PSK ciphers are enumerated in the headers but there are no APIs that use them.
- ^ RFC 5288
- ^ RFC 6655
- ^ RFC 5932
- ^ RFC 6367
- ^ RFC 4162
- ^ draft-agl-tls-chacha20poly1305-04
- ^ As of December 2013, only available on Google services
- ^ "NSS 3.15.2 release notes". Mozilla Developer Network. Mozilla. Retrieved 2013-09-26.
- ^ "Bug 361025 - Support for Camellia Cipher Suites to TLS RFC4132". Mozilla. Retrieved 2013-11-19.
- ^ "NSS 3.12 is released". Retrieved 2013-11-19.
- ^ "Bug 940119 - libssl does not support any TLS_ECDHE_*_CAMELLIA_*_GCM cipher suites". Mozilla. Retrieved 2013-11-19.
- ^ "Bug 453234 - Support for SEED Cipher Suites to TLS RFC4010". Mozilla. Retrieved 2013-12-01.
- ^ a b "Issue 310768: Support ChaCha20+Poly1305 TLS cipher suites". Google. Retrieved 2013-12-01.
- ^ "Chrome 32 promotes Chacha20/Poly1305 suite, SSL Client Test fails to process SSL/TLS handshake". Qualys. Retrieved 2013-12-01.
- ^ "Bug 917571 - Support ChaCha20+Poly1305 cipher suites". Mozilla. Retrieved 2013-12-01.
- ^ As of December 2013, only available in the private version of NSS integrated into Chromium (implementation is still ongoing).[55][56] A patch for NSS upstream has been submitted and is under review.[57]
- ^ As of December 2013, only available in the private version of OpenSSL integrated into Chromium (implementation is still ongoing).[55]
- ^ Hotfix 984963: TLS AES cipher suites for Microsoft Windows 2003
- ^ a b c Support is erratic; in many cases SChannel will simply drop the connection if a suite with this algorithm is specified.
- ^ http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
- ^ a b c "Bug 943639 - Support for Brainpool ECC Curve (rfc5639)". Mozilla. Retrieved 2014-01-25.
- ^ a b c "OpenSSL RT #2239: [PATCH] RFC 5639 support - resolved 2012-04-22". OpenSSL.org. Retrieved 2014-02-03.
- ^ a b c "openssl-1.0.2-stable prerelease tarballs available on OpenSSL's FTP server: files openssl-1.0.2-stable-SNAP-*.tar.gz". OpenSSL.org. Retrieved 2014-02-03.
- ^ Normally NSS's libssl performs all operations via the PKCS#11 interface, either to hardware or software tokens
- ^ "Bug 706024 - AES-NI enhancements to NSS on Sandy Bridge systems". Retrieved 2013-09-28.
- ^ "Bug 479744 - RFE : VIA Padlock ACE support (hardware RNG, AES, SHA1 and SHA256)". Retrieved 2014-04-11.
- ^ "We've incorporated support for AES-NI in our AES and GCM modules". 2013-12-31. Retrieved 2014-01-07.
- ^ http://stackoverflow.com/questions/14259671/java-ssl-provider-with-aes-ni-support
- ^ RFC 3749
- ^ PKCS #11 URLs is a way to refer to objects stored in PKCS #11 tokens
- ^ RFC 5746
- ^ a b c d RFC 6066
- ^ draft-ietf-tls-applayerprotoneg
- ^ RFC 6091
- ^ RFC 4680
- ^ RFC 5077
- ^ RFC 5705
- ^ Present but disabled by default due to lack of use by any implementation.
- ^ Supported in Windows 8.1 Preview and Windows Server 2012 R2 Preview; see What's New in TLS/SSL (Schannel SSP)
- ^ On the fly replaceable/augmentable.
- ^ http://fedoraproject.org/wiki/Nss_compat_ossl
- ^ a b Netscape Portable Runtime (NSPR)
- ^ For Unix/Linux it uses /dev/urandom if available, for Windows it uses CAPI. For other platforms it gets data from clock, and tries to open system files. NSS has a set of platform dependent functions it uses to determine randomness.