Comparison of TLS implementations
The Transport Layer Security (TLS) protocol provides the ability to secure communications across networks. Several TLS implementations are free and open source software, and choosing between them can be tough. Below is a side-by-side comparison of several of the most prominent libraries.
All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.
Overview
Implementation | Developed By | Open Source | Software License | Copyright Owner | Latest Stable Version | Release Date | Origin | Website |
---|---|---|---|---|---|---|---|---|
axTLS | Cameron Rich | Yes | BSD style licensing | Cameron Rich | 1.4.5 | 2/11/2012 | Australia | http://axtls.sourceforge.net/ |
cryptlib | Peter Gutmann | Yes | Sleepycat License and commercial license | Peter Gutmann | 3.4.1 | 07/27/2011 | NZ | http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ |
CyaSSL | yaSSL | Yes | GPLv2 and commercial license | yassl.com | 2.0.2 | 12/05/2011 | US | http://www.yassl.com |
GnuTLS | GnuTLS project | Yes | LGPL | Free Software Foundation | 3.0.11 | 01/06/2012 | EU (Greece and Sweden) | http://www.gnutls.org/ |
MatrixSSL | PeerSec Networks | No | Proprietary | PeerSec Networks | 3.3 | 02/22/2012 | US | http://www.matrixssl.org |
MatrixSSL-open | PeerSec Networks | Yes | GPLv2 | PeerSec Networks | 3.3 | 02/22/2012 | US | http://www.matrixssl.org |
NSS | | Yes | LGPL and Mozilla Public License | NSS contributors | 3.12.9 | 1/12/2011 | US | http://www.mozilla.org/projects/security/pki/nss/ |
OpenSSL | OpenSSL project | Yes | OpenSSL / SSLeay dual-license | Eric Young, Tim Hudson, Sun, OpenSSL project, and others | 0.9.8t / 1.0.0g | 01/18/2012 | Australia/EU | http://openssl.org/ |
PolarSSL | Offspark | Yes | GPLv2 and commercial license | Brainspark B.V. (brainspark.nl) | 1.0.0 | 09/08/2011 | EU (Netherlands) | http://polarssl.org |
SChannel | Microsoft | No | Proprietary | Microsoft Inc. | Windows 7 | 10/22/2009 | US | http://microsoft.com |
Security Builder SSL-C | Certicom | No | Proprietary | Certicom Corp., A Subsidiary of Research In Motion | 5.5.1 | 2/28/2011 | Canada | http://www.certicom.com |
JSSE | Oracle | Yes | GPLv2 and commercial license | Oracle | JDK 6, JDK 7 in EA stage | 02/03/2011 (ea snapshot release) | US | http://openjdk.java.net/ http://www.java.net/ http://www.java.com/ |
Protocol Support
Several versions of the TLS protocol exist. SSL 2.0 is a deprecated protocol, vulnerable to several attacks. SSL 3.0 and TLS 1.0 are its successors without any major known vulnerabilities. TLS 1.1 fixes all the known issues in TLS 1.0, and TLS 1.2 is the latest published version, introducing new features. DTLS 1.0 or Datagram TLS is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated.
Note that there are known vulnerabilities in SSL 2.0, SSL 3.0 and TLS 1.0[1] protocols.
Implementation | SSL 2.0[2] | SSL 3.0[3] | TLS 1.0[4] | TLS 1.1[5] | TLS 1.2[6] | DTLS 1.0[7] | DTLS 1.2[8] |
---|---|---|---|---|---|---|---|
axTLS | No[9] | No | Yes | Yes | No | No | No |
cryptlib | No | Yes | Yes | Yes | Yes | No | No |
CyaSSL | No | Yes | Yes | Yes | Yes | Yes[10] | No |
GnuTLS | No[9] | Yes | Yes | Yes | Yes | Yes | No |
MatrixSSL | No | Yes | Yes | Yes | Yes | Yes | No |
MatrixSSL-open | No | Yes | Yes | Yes | No | No | No |
NSS | Yes | Yes | Yes | No | No | No | No |
OpenSSL | Yes | Yes | Yes | Yes[11] | Yes[11] | Yes | No |
PolarSSL | No | Yes | Yes | Yes | No | No | No |
SChannel | Yes | Yes | Yes | Yes | Yes | No | No |
Security Builder SSL-C | Yes | Yes | Yes | Yes | Yes | Yes | No |
JSSE | No[9] | Yes | Yes | Yes | Yes | No | No |
CipherSuite Profiles
Implementation | TLS 1.2 Suite B |
---|---|
axTLS | No |
cryptlib | Yes |
CyaSSL | No |
GnuTLS | Yes |
NSS | No |
MatrixSSL | No |
OpenSSL | No |
PolarSSL | No |
SChannel | No |
Security Builder SSL-C | Yes |
JSSE | No |
Key Exchange Algorithms (Certificate-only)
Implementation | RSA[12] | RSA-EXPORT[12] | DHE-RSA[12] | DHE-DSS[12] | ECDH-ECDSA[13] | ECDHE-ECDSA[13] | ECDH-RSA[13] | ECDHE-RSA[13] | VKO GOST R 34.10-2001[14][15] |
---|---|---|---|---|---|---|---|---|---|
axTLS | Yes | No | No | No | No | No | No | No | No |
cryptlib | Yes | No | Yes | Yes | No | Yes | No | No | No |
CyaSSL | Yes | No | Yes | No | No | No | No | No | No |
GnuTLS | Yes | Yes | Yes | Yes | No | Yes | No | Yes | No |
MatrixSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
MatrixSSL-open | Yes | No | No | No | No | No | No | No | No |
NSS | Yes | Yes | Partial[16] | Partial[16] | Yes | Yes | No | No | No |
OpenSSL | Yes | Yes | Yes | Yes | No | Yes | No | Yes | Yes |
PolarSSL | Yes | No | Yes | No | No | No | No | No | No |
SChannel | Yes | No | No | Yes | No | Yes | No | No | No[17] |
Security Builder SSL-C | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
JSSE | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No[17] |
Key Exchange Algorithms (Alternative key-exchanges)
Implementation | DH-ANON[12] | SRP[18] | SRP-DSS[18] | SRP-RSA[18] | PSK-RSA[18] | PSK[19] | DHE-PSK[19] | ECDHE-PSK[20] | ECDH-ANON[13] |
---|---|---|---|---|---|---|---|---|---|
axTLS | No | No | No | No | No | No | No | No | No |
cryptlib | No | No | No | No | No | Yes | Yes | No | No |
CyaSSL | No | No | No | No | No | Yes | No | No | No |
GnuTLS | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes |
MatrixSSL | Yes | No | No | No | No | Yes | No | No | No |
MatrixSSL-open | No | No | No | No | No | No | No | No | No |
NSS | No | No | No | No | No | No | No | No | No |
OpenSSL | Yes | No[21] | No | No | No | Yes | No | No | Yes |
PolarSSL | No | No | No | No | No | No | No | No | No |
SChannel | No | No | No | No | No | No | No | No | No |
Security Builder SSL-C | Yes | No | No | No | Yes | Yes | Yes | Yes | Yes |
JSSE | Yes | No | No | No | No | No | No | No | No |
Encryption Algorithms
Implementation | AES-CBC | AES-GCM[22] | AES-CCM[23] | 3DES-CBC | DES-CBC[24] | RC4-128 | RC4-40[25] | CAMELLIA-CBC[26] | GOST28147-89[14] |
---|---|---|---|---|---|---|---|---|---|
axTLS | Yes | No | No | No | No | Yes | No | No | No |
cryptlib | Yes | Yes | No | Yes | No | Yes | No | No | No |
CyaSSL | Yes | No | No | Yes | No | Yes | No | No | No |
GnuTLS | Yes | Yes | No | Yes | No | Yes | Yes | Yes | No |
MatrixSSL | Yes | No | No | Yes | No | Yes | No | No | No |
MatrixSSL-open | Yes | No | No | Yes | No | Yes | No | No | No |
NSS | Yes | No | No | Yes | Yes | Yes | Yes | Yes | No |
OpenSSL | Yes | Yes[11] | Yes[11] | Yes | Yes | Yes | Yes | Yes | Yes |
PolarSSL | Yes | No | No | Yes | No | Yes | No | Yes | No |
SChannel | Yes | Partial[27] | No | Yes | Yes | Yes | No | No | No[17] |
Security Builder SSL-C | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
JSSE | Yes | No | No | Yes | Yes | Yes | Yes | No | No[17] |
CPU-assisted cryptography
This section lists the ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or utilize system specific devices that allow access to underlying cryptographic hardware accelerators.
Implementation | /dev/crypto | PKCS #11 device | Windows CSP | Intel AES-NI | VIA Padlock |
---|---|---|---|---|---|
axTLS | No | No | No | No | No |
cryptlib | No | Yes | No | No | Yes |
CyaSSL | No | No | No | Yes | No |
GnuTLS | Yes | No | No | Yes | Yes |
MatrixSSL | No | No | No | No | No |
MatrixSSL-open | No | No | No | No | No |
NSS | No | No | No | Yes | No |
OpenSSL | Yes | No | No | Yes | Yes |
PolarSSL | No | No | No | No | Yes |
SChannel | No | No | Yes | Yes | No |
Security Builder SSL-C | No | Yes | No | No | No |
JSSE | No | No | No | No | No |
MAC Functions
Implementation | AEAD | HMAC-MD5 | HMAC-SHA-1 | HMAC-SHA-256 | GOST28147-89-MAC[14] | GOST 34.11-94[14] |
---|---|---|---|---|---|---|
axTLS | No | Yes | Yes | No | No | No |
cryptlib | Yes | Yes | Yes | Yes | No | No |
CyaSSL | No | Yes | Yes | Yes | No | No |
GnuTLS | Yes | Yes | Yes | Yes | No | No |
MatrixSSL | No | Yes | Yes | Yes | No | No |
MatrixSSL-open | No | Yes | Yes | No | No | No |
NSS | No | Yes | Yes | Yes | No | No |
OpenSSL | No | Yes | Yes | Yes | Yes | Yes |
PolarSSL | No | Yes | Yes | Yes | No | No |
SChannel | Yes | Yes | Yes | Yes | No[17] | No[17] |
Security Builder SSL-C | Yes | Yes | Yes | Yes | No | No |
JSSE | No | Yes | Yes | Yes | No[17] | No[17] |
Compression
Implementation | DEFLATE[28] |
---|---|
axTLS | No |
cryptlib | No |
CyaSSL | Yes |
GnuTLS | Yes |
MatrixSSL | No |
MatrixSSL-open | No |
NSS | Yes |
OpenSSL | Yes |
PolarSSL | No |
SChannel | No |
Security Builder SSL-C | Yes |
JSSE | No |
Cryptographic module/token support
Implementation | Hardware token support | Objects identified via |
---|---|---|
axTLS | No | |
cryptlib | PKCS11 | User-defined label |
CyaSSL | No | |
GnuTLS | PKCS11 | PKCS #11 URLs[29] |
MatrixSSL | No | |
MatrixSSL-open | No | |
NSS | PKCS11 | |
OpenSSL | PKCS11 (via external module) | Custom method |
PolarSSL | PKCS11 (via libpkcs11-helper) | |
SChannel | Microsoft CryptoAPI | UUID, User-defined label |
Security Builder SSL-C | PKCS11 (via external module) | |
JSSE | PKCS11 Java Cryptography Architecture / Java Cryptography Extension | |
Extensions
This section lists the extensions each implementation supports. Note that the Secure Renegotiation extension is critical for HTTPS client security. TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.
Implementation | Secure Renegotiation[30] | Server Name Indication[31] | Certificate Status Request[31] | OpenPGP[32] | Supplemental Data[33] | Session Ticket[34] | Keying Material Exporter[35] | Maximum Fragment Length[31] | Truncated HMAC[31] |
---|---|---|---|---|---|---|---|---|---|
axTLS | No | No | No | No | No | No | No | No | No |
cryptlib | Yes | Yes | No | No | Yes | No | No | No[36] | No |
CyaSSL | No | No | No | No | No | No | No | No | No |
GnuTLS | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
MatrixSSL | Yes | No | No | No | No | No | No | No | No |
MatrixSSL-open | Yes | No | No | No | No | No | No | No | No |
NSS | Yes | Yes | No | No | No | Yes | No[37] | No | No |
OpenSSL | Yes | Yes | Yes | No | No? | Yes | Yes? | No | No |
PolarSSL | No | Partial[16] | No | No | No | No | No | No | No |
SChannel | Yes | Yes | Yes | No | Yes | No | No | No | No |
Security Builder SSL-C | Yes | Yes | No | No | No | Yes | No | Yes | No |
JSSE | Yes | Partial[16] | No | No | No | No | No | No | No |
Code Size and Dependencies
Implementation | Code size | Dependencies | Optional dependencies |
---|---|---|---|
axTLS | 12 kLoc | libc | |
CyaSSL | 27 kLoc | libc | zlib (compression) |
GnuTLS | 138 kLoc | libc, libnettle (crypto), gmp (bignum) | zlib (compression), p11-kit (PKCS #11) |
MatrixSSL | 22 kLoc | libc | |
MatrixSSL-open | 18 kLoc | libc | |
NSS | 400 kLoc | libc, libnspr4, libsoftokn3, libplc4, libplds4 | zlib (compression) |
OpenSSL | 159 kLoc | libc | zlib (compression) |
PolarSSL | 14 kLOC | libc | libpkcs11-helper (PKCS #11) |
JSSE | 37 kLoc (Framework and Oracle provider) | Java | |
Development Environment
Implementation | Namespace | Build Tools | API Manual | Crypto Back-end | OpenSSL Compatibility Layer |
---|---|---|---|---|---|
axTLS | SSL_CTX, SSL | Makefile, mconf | API Reference (HTML) | Included (monolithic) | Yes (limited) |
cryptlib | crypt* | makefile, MSVC project workspaces | Programmers reference manual (PDF), architecture design manual (PDF) | Included (monolithic) | No |
CyaSSL | CyaSSL_*, SSL_* | Autoconf, automake, libtool, MSVC project workspaces, XCode projects | API Reference (HTML) | Included (monolithic) | Yes (about 10% of API) |
GnuTLS | gnutls_* | Autoconf, automake, libtool | Manual and API reference (HTML, PDF) | External, libnettle | Yes (limited) |
MatrixSSL | matrixSsl_*, ps* | automake, MSVC project workspaces, XCode projects | API Reference (PDF) | Included (monolithic) | No |
MatrixSSL-open | matrixSsl_*, ps* | automake, MSVC project workspaces, XCode projects | API Reference (PDF) | Included (monolithic) | No |
NSS | CERT_*, SEC_* | Makefile | Manual (HTML) | Included, PKCS#11 based[38] | Yes (separate package called nss_compat_ossl[39]) |
OpenSSL | SSL_*, SHA1_* | Makefile | Man pages | Included (monolithic) | Not Applicable |
PolarSSL | ssl_*, sha1_* | Makefile, CMake, MSVC project workspaces | API Reference + High Level and Module Level Documentation (HTML) | Included (monolithic) | No |
Security Builder SSL-C | ssl_* | makefile | Programmers reference manual (PDF), User Guide (PDF) | Included (monolithic) | No |
JSSE | javax.net.ssl | Makefile | API Reference (HTML) + | Java Cryptography Architecture / Java Cryptography Extension | |
Portability Concerns
Implementation | Platform Requirements | Network Requirements | Thread Safety | Random Seed | Able to Cross-Compile | Supported Operating Systems |
---|---|---|---|---|---|---|
axTLS | C89 | none | POSIX threads (optional) | /dev/urandom or platform dependent. | Yes | Generally any POSIX or Windows based platforms. |
cryptlib | C89 | POSIX send() and recv(). API to supply your own replacement | Thread-safe. | Platform-dependent, including hardware sources | Yes | AMX, BeOS, ChorusOS, DOS, eCOS, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, PalmOS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, OS X, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK |
CyaSSL | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe, needs mutex hooks if PThreads or WinThreads not available, can be turned off | Random seed set through TaoCrypt | Yes | Win32/64, Linux, Mac OS X, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, OpenCL, NonStop, Tron/itron/microitron, Micrium's µC OS, FreeRTOS, Freescale MQX |
GnuTLS | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available. | platform dependent | Yes | Generally any POSIX platforms or Windows, commonly tested platforms include GNU/Linux, Win32/64, Mac OS X, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD. |
MatrixSSL | C89 | none | Thread-safe | platform dependent | Yes | |
MatrixSSL-open | C89 | none | Thread-safe | platform dependent | Yes | |
NSS | C89, NSPR[40] | NSPR[40] PR_Send() and PR_Recv(). API to supply your own replacement. | Thread-safe | Platform dependent[41] | Yes (but cumbersome) | AIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, Mac OS X, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation |
OpenSSL | C89? | ? | Needs mutex callbacks | Set through native API | | Unix, DOS (with djgpp), Windows, OpenVMS, MacOS, NetWare |
PolarSSL | C89 | POSIX read() and write(). API to supply your own replacement. | Thread-safe | Random seed set through HAVEGE random engine | Yes | Known to work on: Win32/64, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox |
Security Builder SSL-C | C89 | Must write your own application callbacks for socket I/O | Thread-safe under certain documented conditions | platform dependent | Yes | |
JSSE | Java | Java SE network components | Thread-safe | Depends on java.security.SecureRandom | Yes | Java based, platform-independent |
References
- [1] Bard attack
- [2] SSLv2 is insecure
- [3] RFC 6101
- [4] RFC 2246
- [5] RFC 4346
- [6] RFC 5246
- [7] RFC 4347
- [8] RFC 6347
- [9] SSLv2 client hello is supported
- [10] CyaSSL's DTLS support is labeled as "This is only for testing purposes at this time. Rebroadcast and reordering aren't fully implemented at this time but will be for the next release."
- [11] Initial support in version 1.0.1, www.openssl.org/news/changelog.html
- [12] RFC 5246
- [13] RFC 4492
- [14] draft-chudov-cryptopro-cptls-04
- [15] RFC 4357
- [16] Client side only
- [17] Extensions to support this functionality might be available.
- [18] RFC 5054
- [19] RFC 4279
- [20] RFC 5489
- [21] Patch is available, and appears to be planned for OpenSSL 1.0.1
- [22] RFC 5288
- [23] [1]
- [24] DES is insecure
- [25] 40-bit encryption is insecure
- [26] RFC 5932
- [27] Support is erratic; in many cases SChannel will simply drop the connection if a suite with this algorithm is specified.
- [28] RFC 3749
- [29] PKCS #11 URLs are a way to refer to objects stored in PKCS #11 tokens
- [30] RFC 5746
- [31] RFC 4366
- [32] RFC 6091
- [33] RFC 4680
- [34] RFC 5077
- [35] RFC 5705
- [36] Present but disabled by default due to lack of use by any implementation.
- [37] Patch is available
- [38] On the fly replaceable/augmentable.
- [39] http://fedoraproject.org/wiki/Nss_compat_ossl
- [40] Netscape Portable Runtime (NSPR)
- [41] For Unix/Linux it uses /dev/urandom if available; for Windows it uses CAPI. For all platforms it gets data from the clock and tries to open system files. NSS has a set of platform-dependent functions it uses to determine randomness.