Comparison of TLS implementations: Difference between revisions

The Transport Layer Security (TLS) protocol provides the ability to secure communications across networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free and open source software.

All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.

Overview

Implementation	Developed by	Open source	Software license	Copyright owner	Latest stable version	Release date	Origin
Botan	Jack Lloyd	Yes	Simplified BSD License	Jack Lloyd	1.11.5	2013-11-10	US (Vermont)
cryptlib	Peter Gutmann	Yes	Sleepycat License and commercial license	Peter Gutmann	3.4.2	2012-12-17	NZ
CyaSSL	wolfSSL	Yes	GPLv2 and commercial license	wolfSSL Inc.	3.0.0	2014-04-29	US
GnuTLS	GnuTLS project	Yes	LGPL	Free Software Foundation	3.2.13	2014-04-07	EU (Greece and Sweden)
MatrixSSL	PeerSec Networks	Yes	GPLv2 and commercial license	PeerSec Networks	3.6.1	2014-04-11	US
Network Security Services		Yes	Mozilla Public License	NSS contributors	3.16	2014-03-18	US
OpenSSL	OpenSSL project	Yes	OpenSSL / SSLeay dual-license	Eric Young, Tim Hudson, Sun, OpenSSL project, and others	1.0.1g	2014-04-07	Australia/EU
PolarSSL	Offspark	Yes	GPLv2 and commercial license	Brainspark B.V. (brainspark.nl)	1.3.6	2014-04-11	EU (Netherlands)
SChannel	Microsoft	No	Proprietary	Microsoft Inc.	Windows 8.1	2013-11-13	US
Secure Transport	Apple Inc.	Yes	APSL 2.0	Apple Inc.	55471.14 (OS X 10.9.2)	2014-02-25	US
SharkSSL	Realtimelogic LLC[1]	No	Proprietary	Realtimelogic LLC	2.1	2014-01-12	US
JSSE	Oracle	Yes	GPLv2 and commercial license	Oracle	JDK 8	2014-03-18 (JDK 8)	US
Bouncy Castle	The Legion of the Bouncy Castle Inc.	Yes	MIT License	Legion of the Bouncy Castle Inc.	Java 1.4-1.7 / C#	2013-09-03	Australia
LibreSSL	OpenBSD	Yes	OpenSSL / SSLeay dual-license	Eric Young, Tim Hudson, Sun, OpenSSL project, and others
Implementation	Developed by	Open source	Software license	Copyright owner	Latest stable version	Release date	Origin

Protocol support

Several versions of the TLS protocol exist. SSL 2.0 is a deprecated^[2] protocol version with significant weaknesses. SSL 3.0 (1996) and TLS 1.0 (1999) are successors with two weaknesses in CBC-padding that were explained in 2001 by Serge Vaudenay.^[3] TLS 1.1 (2006) fixed only one of the problems, by switching to random IVs for CBC block ciphers, whereas the more problematic use of mac-pad-encrypt instead of the secure pad-mac-encrypt was ignored and is still present in TLSv1.2 today. A workaround for SSLv3 and TLSv1.0, roughly equivalent to random IVs from TLSv1.1, was widely adopted by many implementations in late 2011,^[4] so from a security perspective, all existing version of TLS v1.0, v1.1 and v1.2 provide equivalent strength in the base protocol and are suitable for 128-bit security according to NIST SP800-57 up to at least 2030. TLSv1.2 (2008) is the latest published version of the base protocol, introducing a means to identify the hash used for digital signatures. While permitting the use of stronger hash functions for digital signatures in the future (rsa,sha256/sha384/sha512) over the SSLv3 conservative choice (rsa,sha1+md5), the TLSv1.2 protocol change inadvertently and substantially weakened the default digital signatures and provides (rsa,sha1) and even (rsa,md5).^[5]

Datagram Transport Layer Security (DTLS or Datagram TLS) 1.0 is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated. The revision DTLSv1.2 based on TLSv1.2 was published in January 2012^[6]

Note that there are known vulnerabilities in SSL 2.0. With the exception of the predictable IVs (for which an easy workaround exists) all currently known vulnerabilities affect SSLv3 and all version of TLSv1.0/v1.1/v1.2 alike.^[7]

Implementation	SSL 2.0 (insecure)[8]	SSL 3.0[9]	TLS 1.0[10]	TLS 1.1[11]	TLS 1.2[12]	DTLS 1.0[13]	DTLS 1.2[6]
Botan	No[14]	Yes	Yes	Yes	Yes	Beta	Beta
cryptlib	No	Yes	Yes	Yes	Yes	No	No
CyaSSL	No	Yes	Yes	Yes	Yes	Yes	Yes
GnuTLS	No[14]	Yes	Yes	Yes	Yes	Yes	Yes
MatrixSSL	No[14]	Yes	Yes	Yes	Yes	Yes	Yes
NSS	Disabled by default	Yes	Yes	Yes[15]	Yes[16]	Beta[15][17]	No[17][18]
OpenSSL	Yes	Yes	Yes	Yes[19]	Yes[19]	Yes	Beta[19]
PolarSSL	No	Yes	Yes	Yes	Yes	No	No
SChannel XP/2003[20]	Disabled by MSIE 7	Yes	Enabled by MSIE 7	No	No	No	No
SChannel Vista/2008[21]	Disabled by default	Yes	Yes	No	No	No	No
SChannel Win7/2008R2[22]	Disabled by default	Yes	Yes	Yes	Yes	Yes[23]	Yes[23]
SChannel Win8/2012	Disabled by default	Yes	Yes	Yes	Yes	Yes	Yes
Secure Transport	Not anymore[a]	Yes	Yes	Yes[a]	Yes[a]	Yes[a]	No
SharkSSL	No	Yes	Yes	Yes	Yes	No	No
JSSE	No[14]	Yes	Yes	Yes	Yes	No	No
Implementation	SSL 2.0	SSL 3.0	TLS 1.0	TLS 1.1	TLS 1.2	DTLS 1.0	DTLS 1.2

1. Secure Transport: SSL 2.0 was discontinued in OS X 10.8. TLS 1.1, 1.2 and DTLS are available on iOS 5.0 and later, and OS X 10.8 and later.^[24]

NSA Suite B Cryptography

Required components for NSA Suite B Cryptography (RFC 6460) are:

• Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits. For traffic flow, AES should be used with either the Counter Mode (CTR) for low bandwidth traffic or the Galois/Counter Mode (GCM) mode of operation for high bandwidth traffic (see Block cipher modes of operation) — symmetric encryption
• Elliptic Curve Digital Signature Algorithm (ECDSA) — digital signatures
• Elliptic Curve Diffie–Hellman (ECDH) — key agreement
• Secure Hash Algorithm 2 (SHA-256 and SHA-384) — message digest

Per CNSSP-15, the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.

Implementation	TLS 1.2 Suite B [RFC 6460]
Botan	Yes
cryptlib	Yes
CyaSSL	Yes
GnuTLS	Yes
NSS	No[25]
MatrixSSL	Yes
OpenSSL	No
PolarSSL	Yes
SChannel	No
Secure Transport	Un­known
SharkSSL	Yes
JSSE	Yes[26]
Implementation	TLS 1.2 Suite B [RFC 6460]

Certifications

Implementation	Certified version	FIPS 140-2	Common Criteria
Botan
cryptlib
CyaSSL
GnuTLS
MatrixSSL		Level 1
NSS	3.11.4, 3.12.4	Level 2
OpenSSL	1.0, 1.1.1, 1.1.2, 1.2, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5	Level 1
PolarSSL
SChannel	Windows CE, Embedded, XP, Vista, 7, 8, RT, Server 2003, Server 2008 R2, and Server 2012	Level 1
Secure Transport	Mac OS X 10.6 Snow Leopard, Mac OS X 10.7 Lion, Mac OS X 10.8 Mountain Lion, OS X 10.9 Mavericks, iOS 6.0, iOS 7.0	Level 1
SharkSSL
JSSE
Implementation	Certified version	FIPS 140-2	Common Criteria

^[27]

Key exchange algorithms (certificate-only)

This section lists the certificate verification functionality available in the various implementations.

Implementation	RSA[12]	RSA-EXPORT (insecure)[12]	DHE-RSA (forward secrecy)[12]	DHE-DSS (forward secrecy)[12]	ECDH-ECDSA[28]	ECDHE-ECDSA (forward secrecy)[28]	ECDH-RSA[28]	ECDHE-RSA (forward secrecy)[28]	VKO GOST R 34.10-2001[29][30]
Botan	Yes	No	Yes	Yes	No	Yes	No	Yes	No
cryptlib	Yes	No	Yes	Yes	No	Yes	No	No	No
CyaSSL	Yes	No	Yes	No	Yes	Yes	Yes	Yes	No
GnuTLS	Yes	Disabled by default	Yes	Yes	No	Yes	No	Yes	No
MatrixSSL	Yes	No	Yes	No	Yes	Yes	Yes	Yes	No
NSS	Yes	Disabled by default	Partial[31][32]	Partial[31][32]	Yes	Yes	Yes	Yes	No
OpenSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
PolarSSL	Yes	No	Yes	No	Yes	Yes	Yes	Yes	No
SChannel XP/2003	Yes	Yes	No	max.1024	No	No	No	No	3rd Party
SChannel Vista/2008	Yes	disabled by default	No	max.1024	No	Yes	No	Yes	3rd Party
SChannel 7/2008R2	Yes	disabled by default	No	max.1024	No	Yes	No	Yes	3rd Party
SChannel 8/2012	Yes	disabled by default	No	max.1024	No	Yes	No	Yes	3rd Party
Secure Transport	Yes	No	Yes	Yes	Yes	Yes	Yes	Yes	No
SharkSSL	Yes	No	Yes	No	Yes	Yes	Yes	Yes	No
JSSE	Yes	Disabled by default	max.2048	max.2048	Yes	Yes	Yes	Yes	No[33]
Implementation	RSA	RSA EXPORT	DHE-RSA	DHE-DSS	ECDH-ECDSA	ECDHE-ECDSA	ECDH-RSA	ECDHE-RSA	VKO GOST R 34.10-2001

Certificate verification methods

Implementation	Application-defined	PKIX path validation[12]	CRL[34]	OCSP[35]	DANE (DNSSEC)[12]	Trust on First Use (TOFU)
Botan	Yes	Yes	Yes	Yes	No	No
cryptlib		Yes			No	No
CyaSSL	Yes	Yes	Yes	Yes	No	No
GnuTLS	Yes	Yes	Yes	Yes	Yes	Yes
MatrixSSL	Yes	Yes	Yes	No	No	No
NSS	Yes	Yes	Yes	Yes	No	No
OpenSSL		Yes	Yes	Yes	No	No
PolarSSL	Yes	Yes	Yes		No	No
SChannel		Yes	Yes[36]	Yes[36]	No	No
Secure Transport	Yes	Yes	Yes	Yes	No	No
SharkSSL
JSSE	Yes	Yes	Yes	Yes	No	No
Implementation	Application-defined	PKIX	CRL	OCSP	DANE	TOFU

Key exchange algorithms (alternative key-exchanges)

Implementation	DH-ANON[12] (insecure)	SRP[37]	SRP-DSS[37]	SRP-RSA[37]	PSK-RSA[38]	PSK[38]	DHE-PSK[38]	ECDHE-PSK[39]	ECDH-ANON[28] (insecure)
Botan	Yes	Yes	Yes	Yes	No	Yes	Yes	Yes	Yes
cryptlib	No	No	No	No	No	Yes	Yes	No	No
CyaSSL	No	No	No	No	No	Yes	No	No	No
GnuTLS	Disabled by default	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Disabled by default
MatrixSSL	Yes	No	No	No	No	Yes	Yes	No	No
NSS	Yes	No[40]	No[40]	No[40]	No[41]	No[41]	No[41]	No[41]	Yes
OpenSSL	Yes	Yes	Yes	Yes	No	Yes	No	No	Yes
PolarSSL	No	No	No	No	Yes	Yes	Yes	Yes	No
SChannel	No	No	No	No	No	No	No	No	No
Secure Transport	Yes	No	No	No	Partial[42]	Partial[42]	Partial[42]	No	Yes
SharkSSL
JSSE	Disabled by default in Java 8	No	No	No	No	No	No	No	Disabled by default in Java 8
Implementation	DH-ANON (insecure)	SRP	SRP-DSS	SRP-RSA	PSK-RSA	PSK	DHE-PSK	ECDHE-PSK	ECDH-ANON (insecure)

Encryption algorithms

Implementation	3DES-CBC	AES-CBC	AES-GCM[43]	AES-CCM[44]	CAMELLIA-CBC[45]	CAMELLIA-GCM[46]	SEED-CBC[47]	DES-CBC (insecure)	RC4-128 (insecure)	RC4-40 (insecure)	CHACHA20-POLY1305[48][49]	GOST28147-89[29]
Botan	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	Yes	No	No	No
cryptlib	Yes	Yes	Yes	No	No	No	No	No	Yes	No	No	No
CyaSSL	Yes	Yes	Yes	Yes	Yes	No	No	No	Yes	No	No	No
GnuTLS	Yes	Yes	Yes	No	Yes	Yes	No	No	Yes	Disabled by default	No	No
MatrixSSL	Yes	Yes	Yes	No	No	No	Yes	No	Yes	No	No	No
NSS	Yes	Yes	Yes[50]	No	Yes[51][52]	No[53]	Yes[54]	Disabled by default	Yes	Disabled by default	Partial[58]	No
OpenSSL	Yes	Yes	Yes [19]	No	Yes	No	Yes	Yes	Yes	Yes	Partial[59]	Yes
PolarSSL	Yes	Yes	Yes	No	Yes	Yes	No	Disabled by default	Yes	No	No	No
SChannel XP/2003	Yes	2003 only[60]	No	No	No	No	No	yes	Yes	yes	No	3rd Party
SChannel Vista/2008	Yes	Yes	No	No	No	No	No	Disabled by default	Yes	Disabled by default	No	3rd Party
SChannel 7/2008R2	Yes	Yes	ECHDE_ECDSA only[61]	No	No	No	No	Disabled by default	Disabled by IE11 except as a fallback if no other enabled algorithm works	Disabled by default	No	3rd Party
SChannel 8/2012	Yes	Yes	ECDHE_ECDSA only[61]	No	No	No	No	Disabled by default	Yes	Disabled by default	No	3rd Party
SChannel 8.1/2012 R2	Yes	Yes	ECDHE_ECDSA only[61]	No	No	No	No	Disabled by default	Disabled except as a fallback if no other enabled algorithm works	Disabled by default	No	3rd Party
Secure Transport	Yes	Yes	Yes	Yes	No	No	No	Yes	Yes	Yes	No	No
SharkSSL	Yes	Yes	Yes	Yes	No	No	No	Yes	Yes	No	No	No
JSSE	Yes	Yes	Yes	No	No	No	No	Disabled by default	Yes	Disabled by default [62]	No	No[33]
Implementation	3DES-CBC	AES-CBC	AES-GCM	AES-CCM	CAMELLIA-CBC	CAMELLIA-GCM	SEED-CBC	DES-CBC (insecure)	RC4-128 (insecure)	RC4-40 (insecure)	CHACHA20-POLY1305	GOST28147-89

Supported elliptic curves

This section lists the supported elliptic curves by each implementation.

Implementation	Arbitrary curves	Arbitrary char2 curves	sect163k1 (1)	sect163r1 (2)	sect163r2 (3)	sect193r1 (4)	sect193r2 (5)	sect233k1 (6)	sect233r1 (7)	sect239k1 (8)	sect283k1 (9)	sect283r1 (10)	sect409k1 (11)	sect409r1 (12)	sect571k1 (13)	sect571r1 (14)
Botan	No	No	No	No	No	No	No	No	No	No	No	No	No	No	No	No
CyaSSL	No	No	No	No	No	No	No	No	No	No	No	No	No	No	No	No
GnuTLS	No	No	No	No	No	No	No	No	No	No	No	No	No	No	No	No
MatrixSSL	No	No	No	No	No	No	No	No	No	No	No	No	No	No	No	No
NSS	No	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
OpenSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
PolarSSL	No	No	No	No	No	No	No	No	No	No	No	No	No	No	No	No
Secure Transport	No	No	No	No	No	No	No	No	No	No	No	No	No	No	No	No
SharkSSL
JSSE	No	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Implementation	Arbitrary curves	Arbitrary char2 curves	sect163k1	sect163r1	sect163r2	sect193r1	sect193r2	sect233k1	sect233r1	sect239k1	sect283k1	sect283r1	sect409k1	sect409r1	sect571k1	sect571r1

Implementation	secp160k1 (15)	secp160r1 (16)	secp160r2 (17)	secp192k1 (18)	secp192r1 prime192v1 (19)	secp224k1 (20)	secp224r1 (21)	secp256k1 (22)	secp256r1 prime256v1 (23)	secp384r1 (24)	secp521r1 (25)	brainpoolP256r1 (26)	brainpoolP384r1 (27)	brainpoolP512r1 (28)
Botan	No	Yes	No	No	Yes	No	Yes	No	Yes	Yes	Yes	Yes	Yes	Yes
CyaSSL	No	Yes	No	No	Yes	No	Yes	No	Yes	Yes	Yes	No	No	No
GnuTLS	No	No	No	No	Yes	No	Yes	No	Yes	Yes	Yes	No	No	No
MatrixSSL	No	No	No	No	Yes	No	Yes	No	Yes	Yes	Yes	No	No	No
NSS	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No[63]	No[63]	No[63]
OpenSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes[64][65]	Yes[64][65]	Yes[64][65]
PolarSSL	No	No	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Secure Transport	No	No	No	No	Yes	No	No	No	Yes	No	Yes	No	No	No
SharkSSL
JSSE	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No
Implementation	secp160k1	secp160r1	secp160r2	secp192k1	secp192r1 prime192v1	secp224k1	secp224r1	secp256k1	secp256r1 prime256v1	secp384r1	secp521r1	brainpoolP256r1	brainpoolP384r1	brainpoolP512r1

Assisted cryptography

This section lists the known ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or utilize system specific devices that allow access to underlying cryptographic hardware for acceleration or for data separation.

Implementation	PKCS #11 device	Intel AES-NI	VIA PadLock	STM32F2	Cavium NITROX	Freescale CAU/mmCAU	ARMv8-A	Microchip PIC32MZ
Botan	No	Yes	No	No	No	No	No	No
cryptlib	Yes	No	Yes	No	No	No	No	No
CyaSSL	No	Yes	No	Yes	Yes	Yes	No	Yes
GnuTLS	Yes	Yes	Yes	No	No	No	No	No
MatrixSSL	Yes	Yes	No	No	No	No	No	No
NSS	Yes[66]	Yes[67]	No[68]	No	No	No	No	No
OpenSSL	No	Yes	Yes	No	Yes	No	No	No
PolarSSL	Yes	Yes[69]	Yes	No	No	No	No	No
SChannel	No	Yes	No	No	No	No	No	No
Secure Transport	No	No	No	No	No	No	Yes	No
SharkSSL
JSSE	Yes	Yes[70]	No	No	No	No	No	No
Implementation	PKCS #11 device	Intel AES-NI	VIA PadLock	STM32F2	Cavium NITROX	Freescale CAU/mmCAU	ARMv8-A	Microchip PIC32MZ

System-specific backends

This section lists the ability of an implementation to take advantage of the available operating system specific backends, or even the backends provided by another implementation.

Implementation	/dev/crypto	Windows CSP	CommonCrypto	OpenSSL engine
Botan	No	No	No	No
cryptlib	No	No	No	No
CyaSSL	No	Partial	No	No
GnuTLS	Yes	No	No	No
MatrixSSL	No	No	Yes	Yes
NSS	No	No	No	No
OpenSSL	Yes	No	No	Yes
PolarSSL	No	No	No	No
SChannel	No	Yes	No	No
Secure Transport	No	No	Yes	No
SharkSSL
JSSE	No	Yes	No	No
Implementation	/dev/crypto	Windows CSP	CommonCrypto	OpenSSL engine

MAC functions

Implementation	AEAD	HMAC-MD5	HMAC-SHA-1	HMAC-SHA-256	GOST28147-89-MAC[29]	GOST 34.11-94[29]
Botan	Yes	Yes	Yes	Yes	No	No
cryptlib	Yes	Yes	Yes	Yes	No	No
CyaSSL	Yes	Yes	Yes	Yes	No	No
GnuTLS	Yes	Yes	Yes	Yes	No	No
MatrixSSL	Yes	Yes	Yes	Yes	No	No
NSS	Yes	Yes	Yes	Yes	No	No
OpenSSL	Yes	Yes	Yes	Yes	Yes	Yes
PolarSSL	Yes	Yes	Yes	Yes	No	No
SChannel XP/2003	No	Yes	Yes	No	3rd Party	3rd Party
SChannel Vista/2008	No	Yes	Yes	No	3rd Party	3rd Party
SChannel 7/2008R2	ECDHE_ECDSA only	Yes	Yes	Yes	3rd Party	3rd Party
SChannel 8/2012	ECDHE_ECDSA only	Yes	Yes	Yes	3rd Party	3rd Party
Secure Transport	Yes	Yes	Yes	Yes	No	No
SharkSSL	Yes	Yes	Yes	Yes	No	No
JSSE	Yes	Yes	Yes	Yes	No[33]	No[33]
Implementation	AEAD	HMAC-MD5	HMAC-SHA-1	HMAC-SHA-256	GOST28147-89-MAC	GOST 34.11-94

Compression

Note the CRIME security exploit takes advantage of TLS compression, so conservative implementations do not enable compression at the TLS level. HTTP compression is unrelated and unaffected by this exploit, but is exploited by the related BREACH attack.

Implementation	DEFLATE[71] (insecure)
Botan	No
cryptlib	No
CyaSSL	Disabled by default
GnuTLS	Disabled by default
MatrixSSL	Disabled by default
NSS	Disabled by default
OpenSSL	Yes
PolarSSL	Disabled by default
SChannel	No
Secure Transport	No
SharkSSL
JSSE	No
Implementation	DEFLATE

Cryptographic module/token support

Implementation	TPM support	Hardware token support	Objects identified via
Botan	No	No
cryptlib	No	PKCS11	User-defined label
CyaSSL	No	No
GnuTLS	Yes	PKCS11	PKCS #11 URLs[72]
MatrixSSL	No	PKCS11
NSS	No	PKCS11
OpenSSL	Yes	PKCS11 (via external module)	Custom method
PolarSSL	No	PKCS11 (via libpkcs11-helper) or standard hooks	Custom method
SChannel	No	Microsoft CryptoAPI	UUID, User-defined label
Secure Transport
SharkSSL
JSSE	No	PKCS11 Java Cryptography Architecture/ Java Cryptography Extension
Implementation	TPM support	Hardware token support	Objects identified via

Extensions

In this section the extensions each implementation supports are listed. Note that the Secure Renegotiation extension is critical for HTTPS client security. TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.

Implementation	Secure Renegotiation[73]	Server Name Indication[74]	Application Layer Protocol Negotiation[75]	Certificate Status Request[74]	OpenPGP[76]	Supplemental Data[77]	Session Ticket[78]	Keying Material Exporter[79]	Maximum Fragment Length[74]	Truncated HMAC[74]
Botan	Yes	Yes	Un­known	No	No	No	Yes	Yes	Yes	No
cryptlib	Yes	Yes	Un­known	No	No	Yes	No	No	No[80]	No
CyaSSL	No	Yes	Un­known	No	No	No	Yes	No	Yes	Yes
GnuTLS	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No
MatrixSSL	Yes	Yes	Un­known	No	No	No	Yes	No	Yes	Yes
NSS	Yes	Yes	Yes	Yes	No	No	Yes	Yes	No	No
OpenSSL	Yes	Yes	Yes	Yes	No	No?	Yes	Yes?	No	No
PolarSSL	Yes	Yes	Un­known	No	No	No	Yes	No	Yes	Yes
SChannel	Yes	Yes	Yes	Yes	No	Yes	No[81]	No	No	No
Secure Transport	Yes	Yes	Un­known	No	No	Yes	No	No	No	No
SharkSSL
JSSE	Yes	Yes[26]	Un­known	No	No	No	No	No	No	No
Implementation	Secure Renegotiation	Server Name Indication	Application Layer Protocol Negotiation	Certificate Status Request	OpenPGP	Supplemental Data	Session Ticket	Keying Material Exporter	Maximum Fragment Length	Truncated HMAC

Code size and dependencies

The size is given in kSLOC (1000 source lines of code).

Implementation	Code size	Dependencies	Optional dependencies
Botan	32 kSLOC	C++11	sqlite, zlib (compression), bzip2 (compression), liblzma (compression)
CyaSSL	67 kSLOC	None	libc, zlib (compression)
GnuTLS	138 kSLOC	libc nettle gmp	zlib (compression) p11-kit (PKCS #11) trousers (TPM)
MatrixSSL	22 kSLOC	none	zlib (compression)
MatrixSSL-open	18 kSLOC	libc or newlib
NSS	400 kSLOC	libc libnspr4 libsoftokn3 libplc4 libplds4	zlib (compression)
OpenSSL	159 kSLOC	libc	zlib (compression)
PolarSSL	14 kSLOC	libc	libpkcs11-helper (PKCS #11) zlib (compression)
JSSE	37 kSLOC (Framework and Oracle provider)	Java
Implementation	Code size	Dependencies	Optional dependencies

Development environment

Implementation	Namespace	Build tools	API manual	Crypto back-end	OpenSSL compatibility Layer[clarify]
Botan	Botan::TLS	Makefile	Sphinx	Included (monolithic)	No
cryptlib	crypt*	makefile, MSVC project workspaces	Programmers reference manual (PDF), architecture design manual (PDF)	Included (monolithic)	No
CyaSSL	CyaSSL_* SSL_*	Autoconf, automake, libtool, MSVC project workspaces, XCode projects, CodeWarrior projects, MPLAB X projects, Keil, IAR, Clang, GCC	Manual and API Reference (HTML, PDF)	Included (monolithic)	Yes (about 10% of API)
GnuTLS	gnutls_*	Autoconf, automake, libtool	Manual and API reference (HTML, PDF)	External, libnettle	Yes (limited)
MatrixSSL	matrixSsl_* ps*	Makefile, MSVC project workspaces, Xcode projects for Mac OS X and iOS	API Reference (PDF), Integration Guide	Included (pluggable)	Yes (Subset: SSL_read, SSL_write, etc.)
NSS	CERT_* SEC_* SECKEY_* NSS_* PK11_* SSL_* ...	Makefile	Manual (HTML)	Included, PKCS#11 based[82]	Yes (separate package called nss_compat_ossl[83])
OpenSSL	SSL_* SHA1_* MD5_* EVP_* ...	Makefile	Man pages	Included (monolithic)	—
PolarSSL	ssl_* sha1_* md5_* x509parse_* ...	Makefile, CMake, MSVC project workspaces	API Reference + High Level and Module Level Documentation (HTML)	Included (monolithic)	No
JSSE	javax.net.ssl	Makefile	API Reference (HTML) + JSSE Reference Guide	Java Cryptography Architecture/ Java Cryptography Extension	No
Implementation	Namespace	Build tools	API manual	Crypto back-end	OpenSSL compatibility layer

Portability concerns

Implementation	Platform requirements	Network requirements	Thread safety	Random seed	Able to cross-compile	No OS (bare metal)	Supported operating systems
Botan	C++11	None	Thread-safe	Platform-dependent	Yes		Most Windows and POSIX systems
cryptlib	C89	POSIX send() and recv(). API to supply your own replacement	Thread-safe	Platform-dependent, including hardware sources	Yes		AMX, BeOS, ChorusOS, DOS, eCOS, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, Palm OS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, OS X, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK
CyaSSL	C89	POSIX send() and recv(). API to supply your own replacement.	Thread-safe, needs mutex hooks if PThreads or WinThreads not available, can be turned off	Random seed set through CTaoCrypt	Yes	Yes	Win32/64, Linux, Mac OS X, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, OpenCL, NonStop, TRON/ITRON/µITRON, Micrium's µC OS, FreeRTOS, SafeRTOS, Freescale MQX, Nucleus, TinyOS, HP/UX, Keil RTX
GnuTLS	C89	POSIX send() and recv(). API to supply your own replacement.	Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available.	Platform dependent	Yes		Generally any POSIX platforms or Windows, commonly tested platforms include GNU/Linux, Win32/64, Mac OS X, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD.
MatrixSSL	C89	None	Thread-safe	Platform dependent	Yes	Yes	All
NSS	C89, NSPR[84]	NSPR[84] PR_Send() and PR_Recv(). API to supply your own replacement.	Thread-safe	Platform dependent[85]	Yes (but cumbersome)		AIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, Mac OS X, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation
OpenSSL	C89?	?	Needs mutex callbacks	Set through native API			Unix, DOS (with djgpp), Windows, OpenVMS, MacOS, NetWare
PolarSSL	C89	POSIX read() and write(). API to supply your own replacement.	Threading layer available (POSIX or own hooks)	Random seed set through entropy pool	Yes	Yes	Known to work on: Win32/64, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox, Android, SeggerOS
JSSE	Java	Java SE network components	Thread-safe	Depends on java.security.SecureRandom	Yes		Java based, platform-independent
Implementation	Platform requirements	Network requirements	Thread safety	Random seed	Able to cross-compile	No OS (bare metal)	Supported operating systems

See also

• SCTP — with DTLS support
• DCCP — with DTLS support
• SRTP — with DTLS support (DTLS-SRTP) and Secure Real-Time Transport Control Protocol (SRTCP)

References

1. "SharkSSL product description". Retrieved 2014-04-21.
2. RFC6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
3. "CBC-Padding: Security Flaws in SSL, IPsec, WTLS,...", Serge Vaudenay, 2001
4. Rizzo/Duong BEAST Countermeasures
5. TLSv1.2's Major Differences from TLSv1.1
6. RFC 6347
7. "Bard attack". CiteSeer^x: 10.1.1.61.5887. {{cite web}}: Missing or empty |url= (help)
8. SSLv2 is insecure
9. RFC 6101
10. RFC 2246
11. RFC 4346
12. RFC 5246 Cite error: The named reference "tls" was defined multiple times with different content (see the help page).
13. RFC 4347
14. SSLv2 client hello is supported
15. "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Retrieved 2012-10-27.
16. "NSS 3.15.1 release notes". Mozilla Developer Network. Mozilla. Retrieved 2013-08-10.
17. "Bug 681065 - (dtls) Implement DTLS (Datagram TLS) in libssl". Mozilla. Retrieved 2013-11-18.
18. "Bug 959864 - Support DTLS 1.2". Mozilla. Retrieved 2014-01-25.
19. www.openssl.org/news/changelog.html
20. TLS cipher suites in Microsoft Windows XP and 2003
21. SChannel Cipher Suites in Microsoft Windows Vista
22. TLS Cipher Suites in SChannel for Windows 7, 2008R2, 8, 2012
23. "An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1". Microsoft. Retrieved 13 November 2012.
24. "Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
25. "Bug 663320 - (NSA-Suite-B-TLS) Implement RFC5430 (NSA Suite B profile for TLS)". Mozilla. Retrieved 2014-01-25.
26. http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html
27. http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
28. RFC 4492
29. draft-chudov-cryptopro-cptls-04
30. RFC 4357
31. Client side only
32. Mozilla.org. "Bug 102794 - Implement the server-side code of the DHE SSL ciphersuites". Retrieved 19 November 2013.
33. Extensions to support this functionality might be available.
34. RFC 3280
35. RFC 2560
36. "How Certificate Revocation Works". Microsoft TechNet. Microsoft. March 16, 2012. Retrieved July 10, 2013.
37. RFC 5054
38. RFC 4279
39. RFC 5489
40. "Bug 405155 - add support for TLS-SRP, rfc5054". Mozilla. Retrieved 2014-01-25.
41. "Bug 306435 - Mozilla browsers should support the new IETF TLS-PSK protocol to help reduce phishing". Mozilla. Retrieved 2014-01-25.
42. As of iOS 7, PSK ciphers are enumerated in the headers but there are no APIs that use them.
43. RFC 5288
44. RFC 6655
45. RFC 5932
46. RFC 6367
47. RFC 4162
48. draft-agl-tls-chacha20poly1305-04
49. As of December 2013^[update], only available on Google services
50. "NSS 3.15.2 release notes". Mozilla Developer Network. Mozilla. Retrieved 2013-09-26.
51. "Bug 361025 - Support for Camellia Cipher Suites to TLS RFC4132". Mozilla. Retrieved 2013-11-19.
52. "NSS 3.12 is released". Retrieved 2013-11-19.
53. "Bug 940119 - libssl does not support any TLS_ECDHE_*_CAMELLIA_*_GCM cipher suites". Mozilla. Retrieved 2013-11-19.
54. "Bug 453234 - Support for SEED Cipher Suites to TLS RFC4010". Mozilla. Retrieved 2013-12-01.
55. "Issue 310768: Support ChaCha20+Poly1305 TLS cipher suites". Google. Retrieved 2013-12-01.
56. "Chrome 32 promotes Chacha20/Poly1305 suite, SSL Client Test fails to process SSL/TLS handshake". Qualys. Retrieved 2013-12-01.
57. "Bug 917571 - Support ChaCha20+Poly1305 cipher suites". Mozilla. Retrieved 2013-12-01.
58. As of December 2013^[update], only available on private version of NSS integrated into Chromium (implementation is still ongoing).^[55][56] Patch for NSS upstream has been submitted and under review.^[57]
59. As of December 2013^[update], only available on private version of OpenSSL integrated into Chromium (implementation is still ongoing).^[55]
60. Hofix 984963: TLS AES cipher suites for Microsoft Windows 2003
61. Support is erratic, in many cases SChannel will simply drop the connection if a suite with this algorithm is specified.
62. http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
63. "Bug 943639 - Support for Brainpool ECC Curve (rfc5639)". Mozilla. Retrieved 2014-01-25.
64. "OpenSSL RT #2239: [PATCH] RFC 5639 support - resolved 2012-04-22". OpenSSL.org. Retrieved 2014-02-03.
65. "openssl-1.0.2-stable prerelease tarballs available on OpenSSL's FTP server: files openssl-1.0.2-stable-SNAP-*.tar.gz". OpenSSL.org. Retrieved 2014-02-03.
66. Normally NSS's libssl performs all operations via the PKCS#11 interface, either to hardware or software tokens
67. "Bug 706024 - AES-NI enhancements to NSS on Sandy Bridge systems". Retrieved 2013-09-28.
68. "Bug 479744 - RFE : VIA Padlock ACE support (hardware RNG, AES, SHA1 and SHA256)". Retrieved 2014-04-11.
69. "We've incorporated support for AES-NI in our AES and GCM modules". 2013-12-31. Retrieved 2014-01-07.
70. http://stackoverflow.com/questions/14259671/java-ssl-provider-with-aes-ni-support
71. RFC 3749
72. PKCS #11 URLs is a way to refer to objects stored in PKCS #11 tokens
73. RFC 5746
74. RFC 6066
75. draft-ietf-tls-applayerprotoneg
76. RFC 6091
77. RFC 4680
78. RFC 5077
79. RFC 5705
80. Present but disabled by default due to lack of use by any implementation.
81. Supported in Windows 8.1 Preview and Windows Server 2012 R2 Preview; see What's New in TLS/SSL (Schannel SSP)
82. On the fly replaceable/augmentable.
83. http://fedoraproject.org/wiki/Nss_compat_ossl
84. Netscape Portable Runtime (NSPR)
85. For Unix/Linux it uses /dev/urandom if available, for Windows it uses CAPI. For other platforms it gets data from clock, and tries to open system files. NSS has a set of platform dependent functions it uses to determine randomness.