Hubbry Logo
Comparison of TLS implementationsComparison of TLS implementationsMain
Open search
Comparison of TLS implementations
Community hub
Comparison of TLS implementations
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
Comparison of TLS implementations
Comparison of TLS implementations
Comparison of TLS implementations
View on Wikipedia
from Wikipedia

The Transport Layer Security (TLS) protocol provides the ability to secure communications across or inside networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.

All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.

Overview

[edit]
Implementation Developed by Open source Software license Copyright holder Written in Latest stable version, release date Origin
Botan Jack Lloyd Yes Simplified BSD License Jack Lloyd C++ 3.10.0 (November 6, 2025; 2 months ago (2025-11-06)[1]) [±] US (Vermont)
BoringSSL Google Yes OpenSSL-SSLeay dual-license, ISC license Eric Young, Tim Hudson, Sun, OpenSSL project, Google, and others C, C++, Go, assembly No stable releases[2] Australia/EU[citation needed]
Bouncy Castle The Legion of the Bouncy Castle Inc. Yes MIT License Legion of the Bouncy Castle Inc. Java, C#
Java1.83 / November 27, 2025; 2 months ago (2025-11-27)[3]
Java LTSBC-LJA 2.73.9 / September 19, 2025; 4 months ago (2025-09-19)[4]
Java FIPSBC-FJA 2.0.0 / July 30, 2024; 18 months ago (2024-07-30)[5]
C#2.6.2 / July 15, 2025; 6 months ago (2025-07-15)[6]
C# FIPSBC-FNA 1.0.2 / March 11, 2024; 22 months ago (2024-03-11)[7]
 Australia
BSAFE Dell, formerly RSA Security No Proprietary Dell Java, C, assembly SSL-J 7.4 (December 2, 2025; 2 months ago (2025-12-02)[8]) [±]

Micro Edition Suite 5.0.3 (December 3, 2024; 14 months ago (2024-12-03)[9]) [±]

Australia
cryptlib Peter Gutmann Yes Sleepycat License and commercial license Peter Gutmann C 3.4.8 (April 30, 2025; 9 months ago (2025-04-30)[10]) [±] NZ
GnuTLS GnuTLS project Yes LGPL-2.1-or-later Free Software Foundation C 3.8.11[11] Edit this on Wikidata 2025-11-20 EU (Greece and Sweden)
Java Secure Socket Extension (JSSE) Oracle Yes GNU GPLv2 and commercial license Oracle Java

25 LTS (September 16, 2025; 4 months ago (2025-09-16)[12]) [±]
21.0.5 LTS (October 15, 2024; 15 months ago (2024-10-15)[13]) [±]
17.0.13 LTS (October 15, 2024; 15 months ago (2024-10-15)[14]) [±]
11.0.25 LTS (October 15, 2024; 15 months ago (2024-10-15)[15]) [±]
8u431 LTS (October 15, 2024; 15 months ago (2024-10-15)[16]) [±]

US
LibreSSL OpenBSD Project Yes Apache-1.0, BSD-4-Clause, ISC, and public domain Eric Young, Tim Hudson, Sun, OpenSSL project, OpenBSD Project, and others C, assembly 4.2.1[17] Edit this on Wikidata 2025-10-31 Canada
MatrixSSL[18] PeerSec Networks Yes GNU GPLv2+ and commercial license PeerSec Networks C 4.2.2 (September 11, 2019; 6 years ago (2019-09-11) [19]) [±] US
Mbed TLS (previously PolarSSL) Arm Yes Apache License 2.0, GNU GPLv2+ and commercial license Arm Holdings C 4.0.0[20]Edit this on Wikidata (15 October 2025; 3 months ago (15 October 2025)) [±] EU (Netherlands)
Network Security Services (NSS) Mozilla, AOL, Red Hat, Sun, Oracle, Google and others Yes MPL 2.0 NSS contributors C, assembly
Standard3.84 / October 12, 2022; 3 years ago (2022-10-12)[21]
Extended Support Release3.79.1 / August 18, 2022; 3 years ago (2022-08-18)[21]
 US
OpenSSL OpenSSL project Yes Apache-2.0[a] Eric Young, Tim Hudson, Sun, OpenSSL project, and others C, assembly 3.6.1[22] Edit this on Wikidata 2026-01-27 Australia/EU
Rustls Joe Birr-Pixton, Dirkjan Ochtman, Daniel McCarney, Josh Aas, and open source contributors Yes Apache-2.0, MIT License and ISC Open source contributors Rust v0.23.31 (July 29, 2025; 6 months ago (2025-07-29)[23]) [±] United Kingdom
s2n Amazon Yes Apache License 2.0, GNU GPLv2+ and commercial license Amazon.com, Inc. C Continuous US
Schannel Microsoft No Proprietary Microsoft Corporation Windows 11, 2021-10-05 US
Secure Transport Apple Inc. Yes APSL 2.0 Apple Inc. 57337.20.44 (OS X 10.11.2), 2015-12-08 US
wolfSSL (previously CyaSSL) wolfSSL[24] Yes GNU GPLv3+ and commercial license wolfSSL Inc.[25] C, assembly 5.8.4 (November 20, 2025; 2 months ago (2025-11-20)[26]) [±] US
Erlang/OTP SSL application Ericsson Yes Apache License 2.0 Ericsson Erlang OTP-21, 2018-06-19 Sweden
Implementation Developed by Open source Software license Copyright owner Written in Latest stable version, release date Origin
  1. ^ Apache-2.0 for OpenSSL 3.0 and later releases. OpenSSL-SSLeay dual-license for any release before OpenSSL 3.0.

TLS/SSL protocol version support

[edit]

Several versions of the TLS protocol exist. SSL 2.0 is a deprecated[27] protocol version with significant weaknesses. SSL 3.0 (1996) and TLS 1.0 (1999) are successors with two weaknesses in CBC-padding that were explained in 2001 by Serge Vaudenay.[28] TLS 1.1 (2006) fixed only one of the problems, by switching to random initialization vectors (IV) for CBC block ciphers, whereas the more problematic use of mac-pad-encrypt instead of the secure pad-mac-encrypt was addressed with RFC 7366.[29] A workaround for SSL 3.0 and TLS 1.0, roughly equivalent to random IVs from TLS 1.1, was widely adopted by many implementations in late 2011.[30] In 2014, the POODLE vulnerability of SSL 3.0 was discovered, which takes advantage of the known vulnerabilities in CBC, and an insecure fallback negotiation used in browsers.[31]

TLS 1.2 (2008) introduced a means to identify the hash used for digital signatures. While permitting the use of stronger hash functions for digital signatures in the future (rsa,sha256/sha384/sha512) over the SSL 3.0 conservative choice (rsa,sha1+md5), the TLS 1.2 protocol change inadvertently and substantially weakened the default digital signatures and provides (rsa,sha1) and even (rsa,md5).[32]

Datagram Transport Layer Security (DTLS or Datagram TLS) 1.0 is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated. The revision DTLS 1.2 based on TLS 1.2 was published in January 2012.[33]

TLS 1.3 (2018) specified in RFC 8446 includes major optimizations and security improvements. QUIC (2021) specified in RFC 9000 and DTLS 1.3 (2022) specified in RFC 9147 builds on TLS 1.3. The publishing of TLS 1.3 and DTLS 1.3 obsoleted TLS 1.2 and DTLS 1.2.

Note that there are known vulnerabilities in SSL 2.0 and SSL 3.0. In 2021, IETF published RFC 8996 also forbidding negotiation of TLS 1.0, TLS 1.1, and DTLS 1.0 due to known vulnerabilities. NIST SP 800-52 requires support of TLS 1.3 by January 2024. Support of TLS 1.3 means that two compliant nodes will never negotiate TLS 1.2.

Implementation SSL 2.0 (insecure)[34] SSL 3.0 (insecure)[35] TLS 1.0 (deprecated)[36] TLS 1.1 (deprecated)[37] TLS 1.2[38] TLS 1.3 DTLS 1.0 (deprecated)[39] DTLS 1.2[33] DTLS 1.3
Botan No No[40] No No Yes Yes No Yes No
BoringSSL Yes Yes Yes Yes Yes Yes No
Bouncy Castle No No Yes Yes Yes Yes Yes Yes No
BSAFE SSL-J[41] No Disabled by default No[a] No[a] Yes Yes No No No
cryptlib No No Yes Yes Yes Yes No No No
GnuTLS No[b] Disabled by default[42] Yes Yes Yes Yes[43] Yes Yes No
JSSE No[b] Disabled by default[44] Disabled by default[45] Disabled by default[45] Yes Yes Yes Yes No
LibreSSL No[46] No[47] Yes Yes Yes Yes Yes Yes[48] No
MatrixSSL No Disabled by default at compile time[49] Yes Yes Yes Yes Yes Yes No
Mbed TLS No No[50] No[50] No[50] Yes Yes
(experimental) 		Yes[51] Yes[51] No
NSS No[c] Disabled by default[52] Yes Yes[53] Yes[54] Yes[55] Yes[53] Yes[56] No
OpenSSL No[57] Disabled by default Yes Yes[58] Yes[58] Yes Yes Yes[59] No
Rustls No[60] No[60] No[60] No[60] Yes[60] Yes[60] No No No
s2n[61] No Disabled by default Yes Yes Yes Yes No No No
Schannel XP, 2003[62] Disabled by default in MSIE 7 Enabled by default Enabled by default in MSIE 7 No No No No No No
Schannel Vista[63] Disabled by default Enabled by default Yes No No No No No No
Schannel 2008[63] Disabled by default Enabled by default Yes Disabled by default (KB4019276) Disabled by default (KB4019276) No No No No
Schannel 7, 2008R2[64] Disabled by default Disabled by default in MSIE 11 Yes Enabled by default in MSIE 11 Enabled by default in MSIE 11 No Yes[65] No[65] No
Schannel 8, 2012[64] Disabled by default Enabled by default Yes Disabled by default Disabled by default No Yes No No
Schannel 8.1, 2012R2, 10 RTM & v1511[64] Disabled by default Disabled by default in MSIE 11 Yes Yes Yes No Yes No No
Schannel 10 v1607 / 2016[66] No Disabled by default Yes Yes Yes No Yes Yes No
Schannel 11 / 2022[67] No Disabled by default Yes Yes Yes Yes Yes Yes No
Secure Transport

OS X 10.2–10.7, iOS 1–4

Yes Yes Yes No No No No No
Secure Transport OS X 10.8–10.10, iOS 5–8 No[d] Yes Yes Yes[d] Yes[d] Yes[d] No No
Secure Transport OS X 10.11, iOS 9 No No[d] Yes Yes Yes Yes Unknown No
Secure Transport OS X 10.13, iOS 11 No No[d] Yes Yes Yes Yes
(draft version)[68] 		Yes Unknown No
wolfSSL No Disabled by default[69] Disabled by default[70] Yes Yes Yes Yes Yes Yes
Erlang/OTP SSL application[71] No [e] No [f] Disabled by default [e] Disabled by default [e] Yes Partially [g] Disabled by default [e] Yes No
Implementation SSL 2.0 (insecure)[34] SSL 3.0 (insecure)[35] TLS 1.0 (deprecated)[36] TLS 1.1 (deprecated)[37] TLS 1.2[38] TLS 1.3 DTLS 1.0 (deprecated)[39] DTLS 1.2[33] DTLS 1.3
  1. ^ a b As of SSL-J 7.0, support for TLS 1.0 and 1.1 has been removed
  2. ^ a b SSL 2.0 client hello is supported for backward compatibility reasons even though SSL 2.0 is not supported.
  3. ^ Server-side implementation of the SSL/TLS protocol still supports processing of received v2-compatible client hello messages."NSS 3.24 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2016-08-26. Retrieved 2016-06-19.
  4. ^ a b c d e f Secure Transport: SSL 2.0 was discontinued in OS X 10.8. SSL 3.0 was discontinued in OS X 10.11 and iOS 9.TLS 1.1, 1.2 and DTLS are available on iOS 5.0 and later, and OS X 10.9 and later."Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
  5. ^ a b c d Since OTP 22
  6. ^ Since OTP 23
  7. ^ "Erlang OTP SSL application TLS 1.3 compliance table".

NSA Suite B Cryptography

[edit]

Required components for NSA Suite B Cryptography (RFC 6460) are:

Per CNSSP-15, the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.

Implementation TLS 1.2 Suite B
Botan Yes
Bouncy Castle Yes
BSAFE Yes[41]
cryptlib Yes
GnuTLS Yes
JSSE Yes[72]
LibreSSL Yes
MatrixSSL Yes
Mbed TLS Yes
NSS No[73]
OpenSSL Yes[59]
Rustls Yes[60]
S2n
Schannel Yes[74]
Secure Transport No
wolfSSL Yes
Implementation TLS 1.2 Suite B

Certifications

[edit]

Note that certain certifications have received serious negative criticism from people who are actually involved in them.[75]

Implementation FIPS 140-1, FIPS 140-2[76] FIPS 140-3
Level 1 Level 2[disputeddiscuss] Level 1
Botan[77]
Bouncy Castle BC-FJA 2.0.0 (#4743)
BC-FJA 2.1.0 (#4943)
BC-FNA 1.0.2 (#4416
BSAFE SSL-J[78] Crypto-J 6.0 (1785, 1786)
Crypto-J 6.1 / 6.1.1.0.1 (2057, 2058)
Crypto-J 6.2 / 6.2.1.1 (2468, 2469)
Crypto-J 6.2.4 (3172, 3184)
Crypto-J 6.2.5 (#3819, #3820)
Crypto-J 6.3 (#4696, #4697) 		Crypto-J 7.0 (4892)
cryptlib[79]
GnuTLS[80] Red Hat Enterprise Linux GnuTLS Cryptographic Module (#2780)
JSSE
LibreSSL[46] no support
MatrixSSL[81] SafeZone FIPS Cryptographic Module: 1.1 (#2389)
Mbed TLS[82]
NSS[83] Network Security Services: 3.2.2 (#247)
Network Security Services Cryptographic Module: 3.11.4 (#815), 3.12.4 (#1278), 3.12.9.1 (#1837) 		Netscape Security Module: 1 (#7[notes 1]), 1.01 (#47[notes 2])
Network Security Services: 3.2.2 (#248[notes 3])
Network Security Services Cryptographic Module: 3.11.4 (#814[notes 4]), 3.12.4 (#1279, #1280[notes 5])
OpenSSL[84] OpenSSL FIPS Object Module: 1.0 (#624), 1.1.1 (#733), 1.1.2 (#918), 1.2, 1.2.1, 1.2.2, 1.2.3 or 1.2.4 (#1051)
2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7 or 2.0.8 (#1747)
Rustls aws-lc FIPS module[85] (#4759)
Schannel[86] Cryptographic modules in Windows NT 4.0, 95, 95, 2000, XP, Server 2003, CE 5, CE 6, Mobile 6.x, Vista, Server 2008, 7, Server 2008 R2, 8, Server 2012, RT, Surface, Phone 8
See details on Microsoft FIPS 140 Validated Cryptographic Modules
Secure Transport Apple FIPS Cryptographic Module: 1.0 (OS X 10.6, #1514), 1.1 (OS X 10.7, #1701)
Apple OS X CoreCrypto Module; CoreCrypto Kernel Module: 3.0 (OS X 10.8, #1964, #1956), 4.0 (OS X 10.9, #2015, #2016)
Apple iOS CoreCrypto Module; CoreCrypto Kernel Module: 3.0 (iOS 6, #1963, #1944), 4.0 (iOS 7, #2020, #2021)
wolfSSL[87] wolfCrypt FIPS Module: 4.0 (#3389)
See details on NIST certificate for validated Operating Environments
wolfCrypt FIPS Module: 3.6.0 (#2425)
See details on NIST certificate for validated Operating Environments 		wolfCrypt FIPS Module (#4178)
See details on NIST certificate
Implementation Level 1 Level 2 Level 1
FIPS 140-1, FIPS 140-2 FIPS 140-3
  1. ^ with Sun SPARC 5 w/ Sun Solaris v 2.4SE (ITSEC-rated)
  2. ^ with Sun Ultra-5 w/ Sun Trusted Solaris version 2.5.1 (ITSEC-rated)
  3. ^ with Solaris v8.0 with AdminSuite 3.0.1 as specified in UK IT SEC CC Report No. P148 EAL4 on a SUN SPARC Ultra-1
  4. ^ with these platforms; Red Hat Enterprise Linux Version 4 Update 1 AS on IBM xSeries 336 with Intel Xeon CPU, Trusted Solaris 8 4/01 on Sun Blade 2500 Workstation with UltraSPARC IIIi CPU
  5. ^ with these platforms; Red Hat Enterprise Linux v5 running on an IBM System x3550, Red Hat Enterprise Linux v5 running on an HP ProLiant DL145, Sun Solaris 10 5/08 running on a Sun SunBlade 2000 workstation, Sun Solaris 10 5/08 running on a Sun W2100z workstation

Key exchange algorithms (certificate-only)

[edit]

This section lists the certificate verification functionality available in the various implementations.

Implementation RSA[38] RSA-EXPORT (insecure)[38] DHE-RSA (forward secrecy)[38] DHE-DSS (forward secrecy)[38] ECDH-ECDSA[88] ECDHE-ECDSA (forward secrecy)[88] ECDH-RSA[88] ECDHE-RSA (forward secrecy)[88] GOST R 34.10-94, 34.10-2001[89]
Botan Disabled by default No Yes Disabled by default No Yes No Yes No
BSAFE Yes No Yes Yes Yes Yes Yes Yes No
cryptlib Yes No Yes Yes Yes Yes No Yes No
GnuTLS Yes No Yes Disabled by default[42] No Yes No Yes No
JSSE Yes Disabled by default Yes Yes Yes Yes Yes Yes No
LibreSSL Yes No[46] Yes Yes No Yes No Yes Yes[90]
MatrixSSL Yes No Yes No Yes Yes Yes Yes No
Mbed TLS Yes No Yes No Yes Yes Yes Yes No
NSS Yes Disabled by default Yes[91] Yes Yes Yes Yes Yes No[92][93]
OpenSSL Yes No[57] Yes Disabled by default[57] No Yes No Yes Yes[94]
Rustls No No No No No Yes[60] No Yes[60] No
Schannel XP/2003 Yes Yes No XP: Max 1024 bits
2003: 1024 bits only 		No No No No No[95]
Schannel Vista/2008 Yes Disabled by default No 1024 bits by default[96] No Yes No except AES_GCM No[95]
Schannel 8/2012 Yes Disabled by default AES_GCM only[97][98][99] 1024 bits by default[96] No Yes No except AES_GCM No[95]
Schannel 7/2008R2, 8.1/2012R2 Yes Disabled by default Yes 2048 bits by default[96] No Yes No except AES_GCM No[95]
Schannel 10 Yes Disabled by default Yes 2048 bits by default[96] No Yes No Yes No[95]
Secure Transport OS X 10.6 Yes Yes except AES_GCM Yes Yes except AES_GCM yes except AES_GCM No
Secure Transport OS X 10.8-10.10 Yes No except AES_GCM No Yes except AES_GCM Yes except AES_GCM No
Secure Transport OS X 10.11 Yes No Yes No No Yes No Yes No
wolfSSL Yes No Yes No Yes Yes Yes Yes No
Erlang/OTP SSL application Yes No Yes Yes Yes Yes Yes Yes No
Implementation RSA[38] RSA-EXPORT (insecure)[38] DHE-RSA (forward secrecy)[38] DHE-DSS (forward secrecy)[38] ECDH-ECDSA[88] ECDHE-ECDSA (forward secrecy)[88] ECDH-RSA[88] ECDHE-RSA (forward secrecy)[88] GOST R 34.10-94, 34.10-2001[89]

Key exchange algorithms (alternative key-exchanges)

[edit]
Implementation SRP[100] SRP-DSS[100] SRP-RSA[100] PSK-RSA[101] PSK[101] DHE-PSK (forward secrecy)[101] ECDHE-PSK (forward secrecy)[102] KRB5[103] DH-ANON[38] (insecure) ECDH-ANON[88] (insecure)
Botan No No No No Yes No Yes No No No
BSAFE SSL-J No No No No Yes[104] No No No Disabled by default Disabled by default
cryptlib No No No No Yes Yes No No No No
GnuTLS Yes Yes Yes Yes Yes Yes Yes No Disabled by default Disabled by default
JSSE No No No No No No No No Disabled by default Disabled by default
LibreSSL No[105] No[105] No[105] No No No No No Yes Yes
MatrixSSL No No No Yes Yes Yes No No Disabled by default No
Mbed TLS No No No Yes Yes Yes Yes No No No
NSS No[106] No[106] No[106] No[107] No[107] No[107] No[107] No Client side only, disabled by default[108] Disabled by default[109]
OpenSSL Yes Yes Yes Yes Yes Yes Yes Yes[110] Disabled by default[111] Disabled by default[111]
Rustls No No No No No No No No No No
Schannel No No No No No No No Yes No No
Secure Transport No No No No No No No Unknown Yes Yes
wolfSSL Yes Yes Yes Yes Yes Yes Yes[112] Yes No No
Erlang/OTP SSL application Disabled by default Disabled by default Disabled by default Disabled by default Disabled by default Disabled by default No No Disabled by default Disabled by default
Implementation SRP[100] SRP-DSS[100] SRP-RSA[100] PSK-RSA[101] PSK[101] DHE-PSK (forward secrecy)[101] ECDHE-PSK (forward secrecy)[102] KRB5[103] DH-ANON[38] (insecure) ECDH-ANON[88] (insecure)

Certificate verification methods

[edit]
Implementation Application-defined PKIX path validation[113] CRL[114] OCSP[115] DANE (DNSSEC)[116][117] CT[118]
Botan Yes Yes Yes Yes No Unknown
Bouncy Castle Yes Yes Yes Yes Yes Unknown
BSAFE Yes Yes Yes Yes No Unknown
cryptlib Yes Yes Yes Yes No Unknown
GnuTLS Yes Yes Yes Yes Yes Unknown
JSSE Yes Yes Yes Yes No No
LibreSSL Yes Yes Yes Yes No Unknown
MatrixSSL Yes Yes Yes Yes[119] No Unknown
Mbed TLS Yes Yes Yes No[120] No Unknown
NSS Yes Yes Yes Yes No[121] Unknown
OpenSSL Yes Yes Yes Yes Yes Yes
Rustls Yes Yes Yes No No No
s2n No [122] Unknown [123] Unknown [124]
Schannel Unknown Yes Yes[125] Yes[125] No Unknown
Secure Transport Yes Yes Yes Yes No Unknown
wolfSSL Yes Yes Yes Yes No Unknown
Erlang/OTP SSL application Yes Yes Yes No No Unknown
Implementation Application-defined PKIX path validation CRL OCSP DANE (DNSSEC) CT

Encryption algorithms

[edit]
Implementation Block cipher with mode of operation Stream cipher None
AES GCM
[126] 		AES CCM
[127] 		AES CBC Camellia GCM
[128] 		Camellia CBC
[129][128] 		ARIA GCM
[130] 		ARIA CBC
[130] 		SEED CBC
[131] 		3DES EDE CBC
(insecure)[132] 		GOST 28147-89 CNT
(proposed)
[89][n 1] 		ChaCha20-Poly1305
[133] 		Null
(insecure)
[n 2]
Botan Yes Yes Yes Yes Yes No No Disabled by default Disabled by default No Yes[134] Not implemented
BoringSSL Yes No Yes No No No No No Yes No Yes
BSAFE SSL-J Yes Yes Yes No No No No No Disabled by default No No Disabled by default
cryptlib Yes No Yes No No No No No Yes No No Not implemented
GnuTLS Yes Yes[42] Yes Yes Yes No No No Disabled by default[135] No Yes[136] Disabled by default
JSSE Yes No Yes No No No No No Disabled by default[137] No Yes
(JDK 12+)[138] 		Disabled by default
LibreSSL Yes[46] No Yes No Yes[90] No No No[46] Yes Yes[90] Yes[46] Disabled by default
MatrixSSL Yes No Yes No No No No Yes Disabled by default No Yes[139] Disabled by default
Mbed TLS Yes Yes [140] Yes Yes Yes Yes[141] Yes[141] No No[50] No Yes[142] Disabled by default at compile time
NSS Yes[143] No Yes No[144][n 3] Yes[145] No No Yes[146] Yes No[92][93] Yes[147] Disabled by default
OpenSSL Yes[148] Disabled by default[57] Yes No Disabled by default[57] Disabled by default[149] No Disabled by default[57] Disabled by default[57] Yes[94] Yes[57] Disabled by default
Rustls Yes[60] No No No No No No No No No Yes[60] Not implemented
Schannel XP/2003 No No 2003 only[150] No No No No No Yes No[95] No Disabled by default
Schannel Vista/2008, 2008R2, 2012 No No Yes No No No No No Yes No[95] No Disabled by default
Schannel 7, 8, 8.1/2012R2 Yes except ECDHE_RSA
[97][98] 		No Yes No No No No No Yes No[95] No Disabled by default
Schannel 10[151] Yes No Yes No No No No No Yes No[95] No Disabled by default
Secure Transport OS X 10.6 - 10.10 No No Yes No No No No No Yes No No Disabled by default
Secure Transport OS X 10.11 Yes No Yes No No No No No Yes No No Disabled by default
wolfSSL Yes Yes Yes No No No No No Yes No Yes Disabled by default
Erlang/OTP SSL application Yes No Yes No No No No No Disabled by default No Experimental Disable by default
Implementation Block cipher with mode of operation Stream cipher None
AES GCM
[126] 		AES CCM
[127] 		AES CBC Camellia GCM
[128] 		Camellia CBC
[129][128] 		ARIA GCM
[130] 		ARIA CBC
[130] 		SEED CBC
[131] 		3DES EDE CBC
(insecure)[132] 		GOST 28147-89 CNT
(proposed)
[89][n 1] 		ChaCha20-Poly1305
[133] 		Null
(insecure)
[n 2]
Notes
  1. ^ a b This algorithm is not defined yet as TLS cipher suites in RFCs, is proposed in drafts.
  2. ^ a b authentication only, no encryption
  3. ^ This algorithm is implemented in an NSS fork used by Pale Moon.

Obsolete algorithms

[edit]
Implementation Block cipher with mode of operation Stream cipher
IDEA CBC
[n 1](insecure)[153] 		DES CBC
(insecure)
[n 1] 		DES-40 CBC
(EXPORT, insecure)
[n 2] 		RC2-40 CBC
(EXPORT, insecure)
[n 2] 		RC4-128
(insecure)
[n 3] 		RC4-40
(EXPORT, insecure)
[n 4][n 2]
Botan No No No No No[154] No
BoringSSL No No No No Disabled by default at compile time No
BSAFE SSL-J No Disabled by default Disabled by default No Disabled by default Disabled by default
cryptlib No Disabled by default at compile time No No Disabled by default at compile time No
GnuTLS No No No No Disabled by default[42] No
JSSE No Disabled by default Disabled by default No Disabled by default Disabled by default [155]
LibreSSL Yes Yes No[46] No[46] Yes No[46]
MatrixSSL Yes No No No Disabled by default No
Mbed TLS No Disabled by default at compile time No No Disabled by default at compile time[51] No
NSS Yes Disabled by default Disabled by default Disabled by default Lowest priority[156][157] Disabled by default
OpenSSL Disabled by default[57] Disabled by default No[57] No[57] Disabled by default No[57]
Rustls No No No No No No
Schannel XP/2003 No Yes Yes Yes Yes Yes
Schannel Vista/2008 No Disabled by default Disabled by default Disabled by default Yes Disabled by default
Schannel 7/2008R2 No Disabled by default Disabled by default Disabled by default Lowest priority
will be disabled soon[158] 		Disabled by default
Schannel 8/2012 No Disabled by default Disabled by default Disabled by default Only as fallback Disabled by default
Schannel 8.1/2012R2 No Disabled by default Disabled by default Disabled by default Disabled by default[158] Disabled by default
Schannel 10[151] No Disabled by default Disabled by default Disabled by default Disabled by default[158] Disabled by default
Secure Transport OS X 10.6 Yes Yes Yes Yes Yes Yes
Secure Transport OS X 10.7 Yes Unknown Unknown Unknown Yes Unknown
Secure Transport OS X 10.8-10.9 Yes Disabled by default Disabled by default Disabled by default Yes Disabled by default
Secure Transport OS X 10.10-10.11 Yes Disabled by default Disabled by default Disabled by default Lowest priority Disabled by default
Secure Transport macOS 10.12 Yes Disabled by default Disabled by default Disabled by default Disabled by default Disabled by default
wolfSSL Disabled by default[159] No No No Disabled by default No
Erlang/OTP SSL application no Disabled by default no no Disabled by default no
Implementation Block cipher with mode of operation Stream cipher
IDEA CBC
[n 1](insecure)[153] 		DES CBC
(insecure)
[n 1] 		DES-40 CBC
(EXPORT, insecure)
[n 2] 		RC2-40 CBC
(EXPORT, insecure)
[n 2] 		RC4-128
(insecure)
[n 3] 		RC4-40
(EXPORT, insecure)
[n 4][n 2]
Notes
  1. ^ a b c d IDEA and DES have been removed from TLS 1.2.[152]
  2. ^ a b c d e f 40 bits strength of cipher suites were designed to operate at reduced key lengths in order to comply with US regulations about the export of cryptographic software containing certain strong encryption algorithms (see Export of cryptography from the United States). These weak suites are forbidden in TLS 1.1 and later.
  3. ^ a b The RC4 attacks weaken or break RC4 used in SSL/TLS. Use of RC4 is prohibited by RFC 7465.
  4. ^ a b The RC4 attacks weaken or break RC4 used in SSL/TLS.

Supported elliptic curves

[edit]

This section lists the supported elliptic curves by each implementation.

Defined curves in RFC 8446 (for TLS 1.3) and RFC 8422, 7027 (for TLS 1.2 and earlier)

[edit]
applicable TLS version TLS 1.3 and earlier TLS 1.2 and earlier
Implementation secp256r1
prime256v1
NIST P-256
(0x0017,[160] 23[161]) 		secp384r1
NIST P-384
(0x0018,[160] 24[161]) 		secp521r1
NIST P-521
(0x0019,[160] 25[161]) 		X25519
(0x001D,[160] 29[161]) 		X448
(0x001E,[160] 30[161]) 		brainpoolP256r1
(26)[162] 		brainpoolP384r1
(27)[162] 		brainpoolP512r1
(28)[162]
Botan Yes Yes Yes Yes[134] No Yes[163] Yes[163] Yes[163]
BoringSSL Yes Yes Yes (disabled by default) Yes No No No No
BSAFE Yes Yes Yes No No No No No
GnuTLS Yes Yes Yes Yes[164] Yes[165] No No No
JSSE Yes Yes Yes Yes
x25519: JDK 13+[166]
Ed25519:JDK 15+[167] 		Yes
x448: JDK 13+[166]
Ed448: JDK 15+[167] 		No No No
LibreSSL Yes Yes Yes Yes[168] No Yes[46] Yes[46] Yes[46]
MatrixSSL Yes Yes Yes TLS 1.3 only[169] No Yes Yes Yes
Mbed TLS Yes Yes Yes Primitive only[170] Primitive only[171] Yes[172] Yes[172] Yes[172]
NSS Yes Yes Yes Yes[173] No[174][175] No[176] No[176] No[176]
OpenSSL Yes Yes Yes Yes[177][178] Yes[179][180] Yes[59] Yes[59] Yes[59]
Rustls Yes Yes No Yes No No No No
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 Yes Yes Yes No No No No No
Secure Transport Yes Yes Yes No No No No No
wolfSSL Yes Yes Yes Yes[181] Yes[182] Yes Yes Yes
Erlang/OTP SSL application Yes Yes Yes No No Yes Yes Yes
Implementation secp256r1
prime256v1
NIST P-256
(0x0017, 23) 		secp384r1
NIST P-384
(0x0018, 24) 		secp521r1
NIST P-521
(0x0019, 25) 		X25519
(0x001D, 29) 		X448
(0x001E, 30) 		brainpoolP256r1
(26) 		brainpoolP384r1
(27) 		brainpoolP512r1
(28)

Deprecated curves in RFC 8422

[edit]
Implementation sect163k1
NIST K-163
(1)[88] 		sect163r1
(2)[88] 		sect163r2
NIST B-163
(3)[88] 		sect193r1
(4)[88] 		sect193r2
(5)[88] 		sect233k1
NIST K-233
(6)[88] 		sect233r1
NIST B-233
(7)[88] 		sect239k1
(8)[88] 		sect283k1
NIST K-283
(9)[88] 		sect283r1
NIST B-283
(10)[88] 		sect409k1
NIST K-409
(11)[88] 		sect409r1
NIST B-409
(12)[88] 		sect571k1
NIST K-571
(13)[88] 		sect571r1
NIST B-571
(14)[88]
Botan No No No No No No No No No No No No No No
BoringSSL No No No No No No No No No No No No No No
BSAFE Yes No Yes No No Yes Yes No Yes Yes Yes Yes Yes Yes
GnuTLS No No No No No No No No No No No No No No
JSSE Notes[a][b] Notes[a][b] Notes[a][b] Notes[a][b] Notes[a][b] Notes[a][b] Notes[a][b] Notes[a][b] Notes[a][b] Notes[a][b] Notes[a][b] Notes[a][b] Notes[a][b] Notes[a][b]
LibreSSL Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
MatrixSSL No No No No No No No No No No No No No No
Mbed TLS No No No No No No No No No No No No No No
NSS Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
OpenSSL Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Rustls No No No No No No No No No No No No No No
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 No No No No No No No No No No No No No No
Secure Transport No No No No No No No No No No No No No No
wolfSSL No No No No No No No No No No No No No No
Erlang/OTP SSL application Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Implementation sect163k1
NIST K-163
(1) 		sect163r1
(2) 		sect163r2
NIST B-163
(3) 		sect193r1
(4) 		sect193r2
(5) 		sect233k1
NIST K-233
(6) 		sect233r1
NIST B-233
(7) 		sect239k1
(8) 		sect283k1
NIST K-283
(9) 		sect283r1
NIST B-283
(10) 		sect409k1
NIST K-409
(11) 		sect409r1
NIST B-409
(12) 		sect571k1
NIST K-571
(13) 		sect571r1
NIST B-571
(14)
Implementation secp160k1
(15)[88] 		secp160r1
(16)[88] 		secp160r2
(17)[88] 		secp192k1
(18)[88] 		secp192r1
prime192v1
NIST P-192
(19)[88] 		secp224k1
(20)[88] 		secp224r1
NIST P-244
(21)[88] 		secp256k1
(22)[88] 		arbitrary prime curves
(0xFF01)[88][185] 		arbitrary char2 curves
(0xFF02)[88][185]
Botan No No No No No No No No No No
BoringSSL No No No No No No Yes No No No
BSAFE No No No No Yes No Yes No No No
GnuTLS No No No No Yes No Yes No No No
JSSE Notes[a][b] Notes[a][b] Notes[a][b] Notes[a][b] Notes[a][b] Notes[a][b] Notes[a][b] Notes[a][b] No No
LibreSSL Yes Yes Yes Yes Yes Yes Yes Yes No No
MatrixSSL No No No No Yes No Yes No No No
Mbed TLS No No No Yes Yes Yes Yes Yes No No
NSS Yes Yes Yes Yes Yes Yes Yes Yes No No
OpenSSL Yes Yes Yes Yes Yes Yes Yes Yes No No
Rustls No No No No No No No No No No
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 No No No No No No No No No No
Secure Transport No No No No Yes No No No No No
wolfSSL Yes Yes Yes Yes Yes Yes Yes Yes No No
Erlang/OTP SSL application Yes Yes Yes Yes Yes Yes Yes Yes No No
Implementation secp160k1
(15) 		secp160r1
(16) 		secp160r2
(17) 		secp192k1
(18) 		secp192r1
prime192v1
NIST P-192
(19) 		secp224k1
(20) 		secp224r1
NIST P-244
(21) 		secp256k1
(22) 		arbitrary prime curves
(0xFF01) 		arbitrary char2 curves
(0xFF02)
Notes
  1. ^ a b c d e f g h i j k l m n o p q r s t u v These elliptic curves were "Disabled by Default" in current JDK families as part of JDK-8236730.[183]
  2. ^ a b c d e f g h i j k l m n o p q r s t u v These elliptic curves were subsequently removed in JDK 16+ as part of JDK-8252601.[184]

Data integrity

[edit]
Implementation HMAC-MD5 HMAC-SHA1 HMAC-SHA256/384 AEAD GOST 28147-89 IMIT
[89] 		GOST R 34.11-94
[89]
Botan No Yes Yes Yes No No
BSAFE Yes Yes Yes Yes No No
cryptlib Yes Yes Yes Yes No No
GnuTLS Yes Yes Yes Yes No No
JSSE Disabled by Default Yes Yes Yes No No
LibreSSL Yes Yes Yes Yes Yes
[90] 		Yes
[90]
MatrixSSL Yes Yes Yes Yes No No
Mbed TLS Yes Yes Yes Yes No No
NSS Yes Yes Yes Yes No
[92][93] 		No
[92][93]
OpenSSL Yes Yes Yes Yes Yes
[94] 		Yes
[94]
Rustls No No No Yes No No
Schannel XP/2003, Vista/2008 Yes Yes XP SP3, 2003 SP2 via hotfix
[186] 		No No
[95] 		No
[95]
Schannel 7/2008R2, 8/2012, 8.1/2012R2 Yes Yes Yes except ECDHE_RSA
[97][98][99] 		No
[95] 		No
[95]
Schannel 10 Yes Yes Yes Yes
[151] 		No
[95] 		No
[95]
Secure Transport Yes Yes Yes Yes No No
wolfSSL Disabled by Default Yes Yes Yes No No
Erlang/OTP SSL application Yes Yes Yes Yes No No
Implementation HMAC-MD5 HMAC-SHA1 HMAC-SHA256/384 AEAD GOST 28147-89 IMIT GOST R 34.11-94

Compression

[edit]

Note the CRIME security exploit takes advantage of TLS compression, so conservative implementations do not enable compression at the TLS level. HTTP compression is unrelated and unaffected by this exploit, but is exploited by the related BREACH attack.

Implementation DEFLATE[187]
(insecure)
Botan No
BSAFE[41] No
cryptlib No
GnuTLS Disabled by default
JSSE No
LibreSSL No[46]
MatrixSSL Disabled by default
Mbed TLS Disabled by default
NSS Disabled by default
OpenSSL Disabled by default
Rustls No
Schannel No
Secure Transport No
wolfSSL Disabled by default
Erlang/OTP SSL application No
Implementation DEFLATE

Extensions

[edit]

In this section the extensions each implementation supports are listed. Note that the Secure Renegotiation extension is critical for HTTPS client security [citation needed]. TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.

Implementation Secure Renegotiation
[188] 		Server Name Indication
[189] 		ALPN
[190] 		Certificate Status Request
[189] 		OpenPGP
[191] 		Supplemental Data
[192] 		Session Ticket
[193] 		Keying Material Exporter
[194] 		Maximum Fragment Length
[189] 		Encrypt-then-MAC
[29] 		TLS Fallback SCSV
[195] 		Extended Master Secret
[196] 		ClientHello Padding
[197] 		Raw Public Keys
[198]
Botan Yes Yes Yes[199] No No No Yes Yes Yes Yes Yes[200] Yes[201] No Unknown
BSAFE SSL-J Yes Yes No Yes No No No No Yes No No Yes No No
cryptlib Yes Yes No No No Yes No No No[202] Yes Yes Yes No Unknown
GnuTLS Yes Yes Yes[203] Yes No[204] Yes Yes Yes Yes Yes[42] Yes[205] Yes[42] Yes[206] Yes[207]
JSSE Yes Yes[72] Yes[72] Yes No No Yes No Yes No No Yes No No
LibreSSL Yes Yes Yes[208] Yes No No? Yes Yes? No No Server side only[209] No Yes No
MatrixSSL Yes Yes Yes[210] Yes[139] No No Yes No Yes No Yes[139] Yes[139] No Unknown
Mbed TLS Yes Yes Yes[211] No No No Yes No Yes Yes[212] Yes[212] Yes[212] No No
NSS Yes Yes Yes[213] Yes No[214] No Yes Yes No No[215] Yes[216] Yes[217] Yes[213] Unknown
OpenSSL Yes Yes Yes[59] Yes No No? Yes Yes Yes Yes Yes[218] Yes[57] Yes[219] Yes[220]
Rustls Yes Yes Yes Yes No No Yes Yes No No No [221] Yes No Unknown
Schannel XP/2003 No No No No No Yes No No No No No No No Unknown
Schannel Vista/2008 Yes Yes No No No Yes No No No No No Yes[222] No Unknown
Schannel 7/2008R2 Yes Yes No Yes No Yes No No No No No Yes[222] No Unknown
Schannel 8/2012 Yes Yes No Yes No Yes Client side only[223] No No No No Yes[222] No Unknown
Schannel 8.1/2012R2, 10 Yes Yes Yes Yes No Yes Yes[223] No No No No Yes[222] No Unknown
Secure Transport Yes Yes Unknown No No Yes No No No No No No No Unknown
wolfSSL Yes Yes Yes[159] Yes No No Yes No Yes Yes[224] No Yes No Yes[225]
Erlang/OTP SSL application Yes Yes Yes No No No No No No No Yes No No Unknown
Implementation Secure Renegotiation Server Name Indication ALPN Certificate Status Request OpenPGP Supplemental Data Session Ticket Keying Material Exporter Maximum Fragment Length Encrypt-then-MAC TLS Fallback SCSV Extended Master Secret ClientHello Padding Raw Public Keys

Assisted cryptography

[edit]

This section lists the known ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or utilize system specific devices that allow access to underlying cryptographic hardware for acceleration or for data separation.

Implementation PKCS #11 device Intel AES-NI VIA PadLock ARMv8-A Intel SHA NXP CAAM TPM 2.0 NXP SE050 Microchip ATECC STMicro STSAFE Maxim MAXQ
Botan Yes[226] Yes No Yes No Yes[227] No No No No
BSAFE SSL-J [a][b] Yes Yes No Yes Yes No No[230] No No No No
cryptlib Yes Yes Yes No Yes No No No No
Crypto++ Yes Yes No No No No
GnuTLS Yes Yes Yes Yes[231] Yes No[232] No No No No
JSSE Yes Yes[233] No No No No No No No
LibreSSL No Yes Yes No No No No No
MatrixSSL Yes Yes No Yes No No No No No
Mbed TLS Yes Yes[234] Yes No No Partial[235] Yes[236] No No
NSS Yes[237] Yes[238] No[239] No No No No No No
OpenSSL Yes[240][241][242] Yes Yes Yes[243] Yes Partial Partial[244][245] Partial[235] No Partial[246] No
Rustls Yes Yes Yes No No No No
Schannel No Yes No No No No No No No
Secure Transport No Yes[247][248] No Yes No No No No No
wolfSSL Yes Yes No Yes Yes Yes[249] Yes[250][251] Yes[252] Yes[253] Yes[254] Yes[255]
Implementation PKCS #11 device Intel AES-NI VIA PadLock ARMv8-A Intel SHA NXP CAAM TPM 2.0 NXP SE050 Microchip ATECC STMicro STSAFE Maxim MAXQ
  1. ^ Pure Java implementations relies on JVM processor optimization capabilities, such as OpenJDK support for AES-NI[228]
  2. ^ BSAFE SSL-J can be configured to run in native mode, using BSAFE Crypto-C Micro Edition to benefit from processor optimization.[229]

System-specific backends

[edit]

This section lists the ability of an implementation to take advantage of the available operating system specific backends, or even the backends provided by another implementation.

Implementation /dev/crypto af_alg Windows CSP CommonCrypto OpenSSL engine
Botan No No No No Partial
BSAFE No No No No No
cryptlib Yes No No No No
GnuTLS Yes Yes No No No
JSSE No No Yes No No
LibreSSL No No No No No[256]
MatrixSSL No No No Yes Yes
Mbed TLS No No No No No
NSS No No No No No
OpenSSL Yes Yes No No Yes
Rustls No Yes [257] No No No
Schannel No No Yes No No
Secure Transport No No No Yes No
wolfSSL Yes Yes Partial No Yes[258]
Erlang/OTP SSL application No No No No Yes
Implementation /dev/crypto af_alg Windows CSP CommonCrypto OpenSSL engine

Cryptographic module/token support

[edit]
Implementation TPM support Hardware token support Objects identified via
Botan Partial[201] PKCS #11
BSAFE SSL-J No No
cryptlib Yes PKCS #11 User-defined label
GnuTLS Yes PKCS #11 RFC 7512 PKCS #11 URLs[259]
JSSE No PKCS11 Java Cryptography Architecture,
Java Cryptography Extension
LibreSSL Yes PKCS #11 (via 3rd party module) Custom method
MatrixSSL No PKCS #11
Mbed TLS No PKCS #11 (via libpkcs11-helper) or standard hooks Custom method
NSS No PKCS #11
OpenSSL Yes PKCS #11 (via 3rd party module)[260] RFC 7512 PKCS #11 URLs[259]
Rustls No Microsoft CryptoAPI [261] Custom method
Schannel No Microsoft CryptoAPI UUID, User-defined label
Secure Transport
wolfSSL Yes PKCS #11
Implementation TPM support Hardware token support Objects identified via

Code dependencies

[edit]
Implementation Dependencies Optional dependencies
Botan C++20 SQLite
zlib (compression)
bzip2 (compression)
liblzma (compression)
boost
trousers (TPM)
GnuTLS libc
nettle
gmp 		zlib (compression)
p11-kit (PKCS #11)
trousers (TPM)
libunbound (DANE)
JSSE Java
MatrixSSL none zlib (compression)
MatrixSSL-open libc or newlib
Mbed TLS libc libpkcs11-helper (PKCS #11)
zlib (compression)
NSS libc
libnspr4
libsoftokn3
libplc4
libplds4 		zlib (compression)
Rustls rust core library rust std library
zlib-rs (compression)
brotli (compression)
ring (cryptography)
aws-lc-rs (cryptography)
OpenSSL libc zlib (compression)
brotli (compression)
zstd (compression)
wolfSSL None libc
zlib (compression)
Erlang/OTP SSL application libcrypto (from OpenSSL), Erlang/OTP and its public_key, crypto and asn1 applications Erlang/OTP -inets (http fetching of CRLs)
Implementation Dependencies Optional dependencies

Development environment

[edit]
Implementation Namespace Build tools API manual Crypto back-end OpenSSL compatibility Layer[clarify]
Botan Botan::TLS Makefile Sphinx Included (pluggable) No
Bouncy Castle org.bouncycastle Java Development Environment Programmers reference manual (PDF) Included (pluggable) No
BSAFE SSL-J com.rsa.asn1[a]

com.rsa.certj[b]
com.rsa.jcp[c]
com.rsa.jsafe[d]
com.rsa.ssl[e]
com.rsa.jsse[f]

Java class loader Javadoc, Developer's guide (HTML) Included No
cryptlib crypt* makefile, MSVC project workspaces Programmers reference manual (PDF), architecture design manual (PDF) Included (monolithic) No
GnuTLS gnutls_* Autoconf, automake, libtool Manual and API reference (HTML, PDF) External, libnettle Yes (limited)
JSSE javax.net.ssl

sun.security.ssl

Makefile API Reference (HTML) +

JSSE Reference Guide

Java Cryptography Architecture,
Java Cryptography Extension 		No
MatrixSSL matrixSsl_*

ps*

Makefile, MSVC project workspaces, Xcode projects for OS X and iOS API Reference (PDF), Integration Guide Included (pluggable) Yes (Subset: SSL_read, SSL_write, etc.)
Mbed TLS mbedtls_ssl_*

mbedtls_sha1_*
mbedtls_md5_*
mbedtls_x509*
...

Makefile, CMake, MSVC project workspaces, yotta API Reference + High Level and Module Level Documentation (HTML) Included (monolithic) No
NSS CERT_*

SEC_*
SECKEY_*
NSS_*
PK11_*
SSL_*
...

Makefile Manual (HTML) Included, PKCS#11 based[262] Yes (separate package called nss_compat_ossl[263])
OpenSSL SSL_*

SHA1_*
MD5_*
EVP_*
...

Makefile Man pages Included (monolithic) N/a
Rustls rustls:: cargo API reference and design manual Two options included (pluggable) Yes[264] (subset)
wolfSSL wolfSSL_*

CyaSSL_*
SSL_*

Autoconf, automake, libtool, MSVC project workspaces, XCode projects, CodeWarrior projects, MPLAB X projects, Keil, IAR, Clang, GCC, e2Studio Manual and API Reference (HTML, PDF) Included (monolithic) Yes (about 60% of API)
Implementation Namespace Build tools API manual Crypto back-end OpenSSL compatibility layer
  1. ^
    ASN.1 manipulation classes
  2. ^
    Cert-J proprietary API
  3. ^
    Certificate Path manipulation classes
  4. ^
    Crypto-J proprietary API, JCE, CMS and PKI
    5. API
  5. ^
    SSLJ proprietary API
  6. ^
    JSSE API

Portability concerns

[edit]
Implementation Platform requirements Network requirements Thread safety Random seed Able to cross-compile No OS (bare metal) Supported operating systems
Botan C++11 None Thread-safe Platform-dependent Yes Windows, Linux, macOS, Android, iOS, FreeBSD, OpenBSD, Solaris, AIX, HP-UX, QNX, BeOS, IncludeOS
BSAFE SSL-J Java Java SE network components Thread-safe Depends on java.security.SecureRandom Yes No FreeBSD, Linux, macOS, Microsoft Windows, Android, AIX, Solaris
cryptlib C89 POSIX send() and recv(). API to supply your own replacement Thread-safe Platform-dependent, including hardware sources Yes Yes AMX, BeOS, ChorusOS, DOS, eCos, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, Palm OS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, macOS, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK
GnuTLS C89 POSIX send() and recv(). API to supply your own replacement. Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available. Platform dependent Yes No Generally any POSIX platforms or Windows, commonly tested platforms include Linux, Win32/64, macOS, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD.
JSSE Java Java SE network components Thread-safe Depends on java.security.SecureRandom Yes Java based, platform-independent
MatrixSSL C89 None Thread-safe Platform dependent Yes Yes All
Mbed TLS C89 POSIX read() and write(). API to supply your own replacement. Threading layer available (POSIX or own hooks) Random seed set through entropy pool Yes Yes Known to work on: Win32/64, Linux, macOS, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox, Android, eCos, SeggerOS, RISC OS
NSS C89, NSPR[265] NSPR[265] PR_Send() and PR_Recv(). API to supply your own replacement. Thread-safe Platform dependent[266] Yes (but cumbersome) No AIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, macOS, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation
Rustls Rust (programming language) None Thread-safe Platform dependent Yes Yes All supported by Rust (programming language)
OpenSSL C89 None Thread-safe Platform dependent Yes No Unix-like, DOS (with djgpp), Windows, OpenVMS, NetWare, eCos
wolfSSL C89 POSIX send() and recv(). API to supply your own replacement. Thread-safe Random seed set through wolfCrypt Yes Yes Win32/64, Linux, macOS, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Yocto Project, OpenEmbedded, WinCE, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and GameCube through DevKitPro, QNX, MontaVista, NonStop, TRON/ITRON/μITRON, eCos, Micrium μC/OS-III, FreeRTOS, SafeRTOS, NXP/Freescale MQX, Nucleus, TinyOS, HP/UX, AIX, ARC MQX, Keil RTX, TI-RTOS, uTasker, embOS, INtime, Mbed, uT-Kernel, RIOT, CMSIS-RTOS, FROSTED, Green Hills INTEGRITY, TOPPERS, PetaLinux, Apache mynewt
Implementation Platform requirements Network requirements Thread safety Random seed Able to cross-compile No OS (bare metal) Supported operating systems

See also

[edit]
  • SCTP — with DTLS support
  • DCCP — with DTLS support
  • SRTP — with DTLS support (DTLS-SRTP) and Secure Real-Time Transport Control Protocol (SRTCP)

References

[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Comparison of TLS implementations

View on Grokipedia
from Grokipedia
Transport Layer Security (TLS) implementations are software libraries and frameworks that enable secure data transmission over networks by providing cryptographic functions for , , and integrity protection, adhering to standards defined by the (IETF). Comparisons of these implementations assess critical dimensions including support for TLS protocol versions (from 1.0 to 1.3), cryptographic algorithms and cipher suites, performance metrics such as handshake latency and throughput under varying loads, security attributes like vulnerability history and compliance, as well as factors like code footprint for embedded systems and licensing models. Prominent open-source implementations include OpenSSL, BoringSSL, GnuTLS, mbed TLS, wolfSSL, and LibreSSL, each tailored to different use cases from high-performance servers to resource-constrained devices. Security remains a primary focus in these comparisons, as TLS libraries have historically been targets for exploits like in (2014), which exposed memory contents and affected millions of systems, prompting forks such as BoringSSL for enhanced auditing and for code simplification. Modern evaluations highlight differences in handling protocol downgrades, certificate validation, and readiness; for instance, offers lightweight FIPS-certified modules suitable for IoT, while provides lightweight alternatives for resource-constrained devices, and 3.x introduces stricter API controls but has faced criticism for compatibility regressions. As of 2025, libraries like BoringSSL prioritize bleeding-edge features with frequent updates from , though this can lead to API instability, whereas emphasizes POSIX compliance and LGPL licensing for broader integration. Performance benchmarks reveal significant variances, particularly in multi-threaded environments; as of 2024 benchmarks on AWS r8g.16xlarge hardware, AWS-LC (a of BoringSSL) achieves up to 183,000 end-to-end connections per second with TLS resumption at 64 threads, outperforming 3.0.14's 3,700 under similar conditions due to optimized locking mechanisms. excels in embedded scenarios with faster elliptic curve operations compared to in TLS 1.3 handshakes, as shown in 2018 benchmarks. In contrast, rustls (a Rust-based ) offers guarantees but limited feature parity, such as partial support. Feature support also differs: most contemporary libraries fully implement TLS 1.3 for reduced latency (one round-trip handshakes), ALPN for protocol negotiation, and extensions like 0-RTT resumption, though adoption of (RFC 9000) varies, with BoringSSL and leading in experimental integrations. These comparisons guide developers in selecting implementations based on application needs, such as balancing audits (e.g., NSS in products) with deployment overhead, and underscore ongoing evolution toward quantum-resistant algorithms amid threats from advances in computing power, with varying PQC support across libraries as of 2025. As TLS underpins , (SMTPS), and VPNs, rigorous evaluations ensure robust protection against and man-in-the-middle attacks in an increasingly connected ecosystem.

Introduction

Overview

Transport Layer Security (TLS) is a that provides communications privacy and between two communicating applications, such as a and a server, over an unreliable network like the . It ensures confidentiality by encrypting the transmitted data, integrity by detecting any modifications, and authentication to verify the identity of the communicating parties, typically the server and optionally the client. TLS evolved from the Secure Sockets Layer (SSL) protocol, originally developed by Netscape Communications to secure HTTP traffic for early web browsers. The history of TLS traces back to the mid-1990s when introduced SSL 2.0 in 1995 and SSL 3.0 in 1996 to address growing needs for secure online transactions amid the expanding . Recognizing the proprietary nature of SSL, the (IETF) formed a in 1996 to standardize it, resulting in TLS 1.0 as an upgrade to SSL 3.0, published as RFC 2246 in 1999. Subsequent iterations improved and efficiency: TLS 1.1 (RFC 4346, 2006) addressed vulnerabilities like CBC attacks, TLS 1.2 (RFC 5246, 2008) added support for advanced cipher suites, and TLS 1.3 (RFC 8446, 2018) streamlined the for better performance and removed obsolete cryptographic options. Major open-source TLS implementations include several widely adopted libraries, each tailored to specific environments. is a versatile toolkit implementing SSL and TLS protocols, commonly used in general-purpose servers, web applications, and cryptographic operations across various platforms. BoringSSL, a of maintained by , powers secure connections in Chrome, Android, and services, prioritizing integration with Google's ecosystem over broad API stability. from provides libraries for security-enabled applications, primarily supporting TLS in and other Mozilla products like Thunderbird. , part of , serves as a secure communications backend for distributions and applications requiring TLS, DTLS, and certificate handling. , developed by , offers a lightweight implementation optimized for resource-constrained embedded systems and IoT devices. , a of , emphasizes code auditing, portability, and removal of deprecated features for improved security. provides a lightweight, embeddable library with strong support for FIPS compliance and real-time operating systems. This comparison evaluates these implementations across key dimensions, including security (e.g., vulnerability history and cryptographic robustness), (e.g., latency and throughput), compatibility (e.g., protocol version and extension support), and (e.g., code quality and update frequency), to guide developers in selecting appropriate libraries for secure deployments.

Comparison Criteria

The comparison of TLS implementations relies on standardized criteria to ensure objective evaluation across diverse libraries such as , BoringSSL, and . These criteria are grouped into key categories: security, which assesses vulnerability history and resistance to known exploits like those documented in CVE databases; compatibility, evaluating support for protocol versions and with clients; , measuring metrics such as latency and throughput under load; and ecosystem integration, examining ease of embedding in applications and support for platform-specific features. Data for these evaluations is drawn from authoritative sources to maintain verifiability and recency. Official documentation from library maintainers provides baseline feature details, while RFCs such as RFC 8446 define core TLS 1.3 requirements for protocol fidelity. Third-party audits from independent firms offer insights into vulnerability patching timelines. Tools like SSL Labs deliver quantitative scoring through automated scans of server configurations using the libraries, assigning grades (A-F) based on configuration strength, robustness, and certificate chain validation. Comparisons are typically presented in tabular formats for clarity, with implementations (e.g., rows or columns) juxtaposed against criteria (e.g., opposite rows or columns) to highlight supported features, versions, or scores. For instance, a table might list protocol versions in rows and libraries in columns, using checkmarks for full support, partial indicators for experimental features, and footnotes for deprecated elements like hashing. This approach facilitates quick identification of trade-offs, such as BoringSSL's streamlined support versus OpenSSL's broader but potentially riskier options. Notes accompany entries to contextualize variations, such as conditional support dependent on build flags. Despite these methods, comparisons face inherent limitations that must be acknowledged for balanced interpretation. Open-source implementations like often benefit from community scrutiny but may lag in proprietary optimizations, introducing biases toward feature breadth over specialized performance tuning. The dynamic landscape of TLS, including post-2023 integrations of quantum-resistant algorithms like those standardized by NIST (e.g., ML-KEM), means evaluations can quickly outdated without ongoing updates, emphasizing the need for timestamped assessments.

Protocol Support

TLS/SSL Version Support

The (TLS) protocol and its predecessor, Secure Sockets Layer (SSL), have evolved through several versions to address security vulnerabilities and improve cryptographic strength. SSL 2.0, released in 1995, and SSL 3.0, released in 1996, are obsolete due to severe flaws such as weak key exchanges and susceptibility to attacks like ; SSL 3.0 was formally deprecated by the IETF in RFC 7568 (2015), mandating that implementations must not negotiate it and should terminate connections attempting to do so. TLS 1.0 (RFC 2246, 1999) and TLS 1.1 (RFC 4346, 2006) introduced improvements but remain deprecated under RFC 8996 (2021), which classifies them as Historic due to their reliance on vulnerable algorithms like , lack of support for , and exposure to downgrade attacks; implementations are required to reject negotiations of these versions with a protocol_version alert. TLS 1.2 (RFC 5246, 2008) is now considered legacy but widely used, while TLS 1.3 (RFC 8446, 2018) is the current standard, emphasizing streamlined handshakes and mandatory . Major TLS implementations vary in their support for these versions, often disabling deprecated ones by default to mitigate risks while allowing explicit enablement for legacy compatibility. The following table summarizes support across key open-source libraries, focusing on whether versions are compiled in, enabled by default, or require configuration:
ImplementationSSL 3.0TLS 1.0TLS 1.1TLS 1.2TLS 1.3Default Minimum Version
OpenSSL (3.x)NoNo (explicit enable)No (explicit enable)YesYesTLS 1.2
BoringSSLNoNo (explicit enable required)No (explicit enable required)YesYesTLS 1.2
GnuTLS (3.8.x)No (not compiled by default)Yes (configurable)Yes (configurable)YesYesTLS 1.2 (configurable via priority strings)
NSS (3.100+)NoYes (configurable, disabled in modern apps like Firefox)Yes (configurable, disabled in modern apps)YesYesTLS 1.2 (in Firefox; configurable)
mbed TLS (3.x)NoNoNoYesYesTLS 1.2 (support for older versions removed)
wolfSSLNoNo (explicit enable required)No (explicit enable required)YesYesTLS 1.2
OpenSSL, since version 1.1.1 (2018), disables TLS 1.0 and 1.1 by default via its security level settings (SECLEVEL=2), aligning with IETF timelines, though users can enable them using functions like SSL_CTX_set_min_proto_version for in controlled environments. BoringSSL, a Google-maintained fork, similarly requires explicit enabling of pre-TLS 1.2 versions through flags, emphasizing security by prioritizing modern protocols in products like Chrome. GnuTLS, starting with version 3.8 (2023), removed SSL 3.0 from default compilation to reduce attack surface, responding to its obsolescence, while retaining configurable support for TLS 1.0 and 1.1 until broader ecosystem migration; version 3.7 () began stricter handling of legacy protocols. NSS, used in products, supports legacy versions for flexibility but disables TLS 1.0/1.1 by default in since version 78 (), enforcing TLS 1.2 as the minimum to comply with recommendations. mbed TLS 3.x series explicitly dropped support for SSL 3.0, TLS 1.0, and 1.1 to streamline for embedded systems, focusing solely on TLS 1.2 and 1.3 for enhanced security and reduced code footprint. TLS 1.3 mandates across all compliant implementations by eliminating static key exchanges (e.g., RSA key transport) and requiring ephemeral Diffie-Hellman (DHE/ECDHE) or equivalent for every session, ensuring that compromise of long-term keys does not decrypt past traffic; this is uniformly enforced in , BoringSSL, , NSS, , and as part of RFC 8446 compliance.

Extension and Feature Support

TLS protocol extensions provide optional enhancements to the core handshake, enabling features such as , revocation checking, and . (SNI), defined in RFC 6066, allows clients to specify the target hostname during the handshake, supporting multiple domains on a single ; this extension is universally supported across major implementations, including (since version 0.9.8j), BoringSSL, NSS, (via configuration), , and . OCSP Stapling, also from RFC 6066, permits servers to attach responses to the handshake, reducing client latency and privacy risks associated with direct OCSP queries; support varies, with full implementation in (via SSL_CTX_set_tlsext_status_cb since 1.0.0), BoringSSL, NSS (integrated in for browser contexts), (since 3.1.10), and wolfSSL (including multi-stapling per RFC 6961), but absent in due to resource constraints in embedded environments. Session Tickets, outlined in RFC 5077, facilitate stateless session resumption by encrypting session state in tickets issued by the server; all listed implementations provide client-side support, with server-side capabilities in (since 0.9.8f), BoringSSL, NSS, (configurable via MBEDTLS_SSL_SESSION_TICKETS), , and wolfSSL. (ALPN), per RFC 7301, enables protocol selection (e.g., ) within the TLS handshake to avoid additional round trips; it is supported comprehensively in (since 1.0.2), BoringSSL, NSS, , , and wolfSSL. Implementation variances arise from design priorities, such as resource optimization in embedded systems or integration with specific ecosystems. For instance, prioritizes lightweight operation, offering partial or configurable support for extensions like and ALPN but omitting to minimize footprint. In contrast, NSS, tailored for browser use in , historically excelled in features like the deprecated extension (removed post-2013 due to vulnerabilities), which allowed early data transmission but is no longer recommended. Post-TLS 1.3 features address evolving privacy and performance needs, building on the protocol's streamlined . Encrypted Client Hello (ECH), an IETF standard (draft-ietf-tls-esni-25 as of 2025, approved for publication as RFC), encrypts sensitive ClientHello fields like to mitigate network surveillance; experimental support exists in via third-party integrations, full client-side in NSS ( since 2023), full in BoringSSL and , while and lag with partial or planned implementations. Zero-Round-Trip Time (0-RTT) resumption in TLS 1.3 (RFC 8446) enables immediate data transmission on resumption but introduces risks; mitigations include server-side anti-replay windows and application-level idempotency. Support is mature in (1.1.1+), BoringSSL, NSS, (3.7+), and , with enabling it optionally in version 3.0+ configurations.
ImplementationSNI (RFC 6066)OCSP Stapling (RFC 6066)Session Tickets (RFC 5077)ALPN (RFC 7301)ECH (Draft)0-RTT (TLS 1.3)
Full (0.9.8j+)Full (1.0.0+)Full (0.9.8f+)Full (1.0.2+)ExperimentalFull (1.1.1+)
BoringSSLFullFullFullFullFullFull
NSSFullFullFullFullFull (Client)Full
Full (Config.)AbsentFull (Config.)FullPlannedOptional (3.0+)
Full (2.12+)Full (3.1.10+)FullFull (3.2+)PartialFull (3.7+)
FullFull (RFC 6961)FullFullFullFull

Cryptographic Mechanisms

Key Exchange Algorithms

Key exchange algorithms in TLS are responsible for securely establishing a between client and server during the , enabling subsequent symmetric encryption. Certificate-based methods rely on (PKI) for authentication, while alternatives like pre-shared keys avoid certificates entirely. Modern TLS versions, particularly TLS 1.3, emphasize ephemeral methods for perfect forward secrecy (PFS), which ensures that session keys remain secure even if the long-term private key is compromised later. Certificate-based key exchanges include static RSA using v1.5 padding, which has been deprecated due to vulnerabilities like padding oracle attacks and lack of PFS; it directly encrypts the pre-master secret with the server's public key. In contrast, ephemeral Diffie-Hellman (DHE) and Diffie-Hellman (ECDHE) generate temporary keys for each session, providing PFS and resistance to long-term key compromise. ECDHE is preferred over DHE for its computational efficiency and smaller key sizes, using elliptic curves like NIST P-256. All major implementations support ECDHE and DHE for PFS, with minimum RSA key sizes of 2048 bits mandated by certificate authorities to meet levels equivalent to 112 bits of symmetric strength. These algorithms map to specific cipher suites, such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, where ECDHE handles , RSA authenticates the server, AES-256-GCM provides , and SHA-384 ensures . Implementations differ in defaults: BoringSSL, a of optimized for performance, prioritizes ECDHE in its ordering to favor PFS-enabled suites by default. GnuTLS offers broader support for legacy DHE groups, including finite-field Diffie-Hellman parameters like 1024-bit (though not recommended) and standardized FFDHE groups up to 8192 bits, enabling compatibility with older systems. Alternative methods include (PSK) exchanges, which use symmetric keys provisioned for and key derivation, suitable for IoT or closed networks without PKI. Secure Remote Password (SRP) extends PSK with password-based to prevent offline dictionary attacks. and fully support both PSK and SRP, while omits SRP and limits PSK to specific configurations; NSS and support PSK but not SRP natively. Post-quantum candidates address threats from quantum computers capable of breaking classical schemes like RSA and ECDHE via . Kyber, now standardized as ML-KEM in NIST FIPS 203 (2024), a lattice-based (KEM), has been integrated in 3.5+ for hybrid modes like X25519+ML-KEM in TLS 1.3, combining classical and post-quantum security. BoringSSL and also support hybrid ML-KEM key exchange in production builds as of 2025, while offers experimental integrations.
ImplementationRSA (PKCS#1 v1.5)ECDHE (PFS)DHE (PFS)PSKSRP (PQ)
Yes (legacy)YesYesYesYesIntegrated (3.5+)
BoringSSLYes (legacy)Yes (prioritized)YesYesNoYes (hybrid)
Yes (legacy)YesYes (legacy groups)YesYesExperimental
Yes (legacy)YesYesLimitedNoNo
NSSYes (legacy)YesYesYesNoNo
Yes (legacy)YesYesYesYesYes

Symmetric Encryption Algorithms

Symmetric encryption algorithms in TLS are responsible for protecting the confidentiality of application data exchanged after the handshake, using symmetric keys derived from the key exchange process. These algorithms operate in modes that provide bulk encryption, with modern implementations prioritizing Authenticated Encryption with Associated Data (AEAD) modes to combine encryption and integrity protection in a single primitive. For TLS 1.2 and later, AEAD ciphers are the standard for symmetric encryption. The Advanced Encryption Standard in Galois/Counter Mode (AES-GCM) with 128-bit or 256-bit keys is widely supported, offering high security and efficiency on hardware-accelerated platforms. AES-128-GCM and AES-256-GCM cipher suites, such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, are enabled by default in all major implementations. Additionally, ChaCha20-Poly1305, introduced in RFC 7905, provides an alternative AEAD cipher suite like TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, which is also universally supported and preferred in environments lacking AES hardware acceleration. Legacy stream and block ciphers persist in some implementations for but are deprecated due to vulnerabilities. RC4, a , has been disabled or removed in modern TLS libraries since 2015, following revelations of biases exploitable in TLS contexts, rendering it unsuitable for use. (3DES) in Cipher Block Chaining (CBC) mode, with an effective 112-bit key strength, is similarly weak against modern attacks like Sweet32 and is disabled by default in recent versions, though still compilable in some. AES in CBC mode, such as AES-128-CBC or AES-256-CBC, offers better security than predecessors but suffers from padding oracle vulnerabilities if not implemented with encrypt-then-MAC, leading to its in favor of AEAD modes. NIST guidelines recommend AES-GCM variants for TLS deployments, designating AES-256-GCM as FIPS 140-approved for high-security environments while prohibiting , 3DES, and CBC modes in new systems. Implementation defaults align with these, as seen in 3.0 and later, which disable CBC and legacy ciphers by default under the new to enforce secure configurations. Performance considerations favor on resource-constrained or non-x86 devices without AES-NI instructions, where it achieves comparable throughput to AES-GCM without specialized hardware, reducing latency in mobile or embedded scenarios.
ImplementationAES-128-GCMAES-256-GCMAES-CBC3DES-CBC
3.xEnabledEnabledEnabledDisabled by defaultDisabled by defaultRemoved
BoringSSLEnabledEnabledEnabledSupported, not preferredDisabledRemoved
NSS 3.90+EnabledEnabledEnabledDisabled by defaultDisabledDisabled
GnuTLS 3.8+EnabledEnabledEnabledSupported, configurableDisabled by defaultDeprecated, disabled
mbed TLS 3.xEnabledEnabledEnabledSupported, configurableRemovedNot supported

Message Authentication Algorithms

Message authentication in TLS ensures the integrity and authenticity of transmitted data by verifying that messages have not been altered or forged during transit. In TLS versions prior to 1.3, this is typically achieved using Hash-based Message Authentication Codes (HMAC) applied to the plaintext after encryption, while TLS 1.3 integrates authentication directly into Authenticated Encryption with Associated Data (AEAD) modes for improved efficiency and security. These mechanisms prevent tampering attacks, such as those exploiting padding oracles, by producing a tag that the receiver validates against the received data. For TLS 1.2, HMAC-based authentication relies on secure hash functions like SHA-256 and SHA-384, where the is computed over the encrypted message and associated data using keys derived from the master secret. Cipher suites such as TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 employ HMAC-SHA-384 to provide 192-bit security strength against collision attacks. In TLS 1.3, while AEAD handles primary authentication, remains foundational through the (-based Key Derivation Function) for key expansion and derivation from the handshake secrets, ensuring consistent security across traffic protection keys. -Extract uses to pseudorandomly derive intermediate keys, followed by -Expand for final key material, replacing the less secure PRF from earlier versions. AEAD constructions streamline by combining and protection in a single operation. AES-GCM (Galois/Counter Mode) generates an authentication tag via the GHASH polynomial hash over the , additional authenticated , and a unique tag, providing 128-bit or higher security when paired with SHA-256 or SHA-384 in cipher suites like TLS_AES_128_GCM_SHA256. Similarly, the AEAD uses the Poly1305 one-time authenticator—a 128-bit MAC based on over the message—to verify , offering resistance to timing attacks and suitability for software implementations without . These are mandatory in TLS 1.3 and preferred in 1.2 for their efficiency. Older algorithms like and for have been deprecated due to cryptographic weaknesses exposed by attacks starting around 2011, including practical collisions for and padding vulnerabilities. The attack (CVE-2014-3566), disclosed in 2014, exploited fallback to SSL 3.0—which used a combined MD5/SHA-1 MAC—allowing attackers to decrypt sensitive data by forcing protocol downgrades and manipulating padding. As a result, modern TLS deployments disable these hashes entirely, with RFC 9155 formally deprecating MD5 and SHA-1 in TLS 1.2 signatures and implicitly in legacy MACs to mitigate ongoing risks. TLS implementations differ in their support for these algorithms, balancing security, performance, and resource constraints. Major libraries like , BoringSSL, , NSS, and all support core HMAC-SHA-256/384 and AEAD options, but vary in advanced features like SHA-3 integration. For instance, NSS includes FIPS-validated support since version 3.36 in 2018, enabling HMAC-SHA-3 in compliant modes for enhanced post-quantum readiness. In contrast, prioritizes embedded systems by limiting TLS authentication to the SHA-2 family, avoiding due to computational overhead despite basic hash support. These authentication algorithms are often paired with symmetric ciphers in cipher suites to ensure comprehensive protection.
ImplementationHMAC-SHA-256HMAC-SHA-384HMAC-SHA-3AES-GCM Auth TagChaCha20-Poly1305Notes
OpenSSLYesYesYes (3.0+)YesYesFull AEAD support; SHA-3 via libgcrypt or internal.
BoringSSLYesYesNoYesYesOptimized for Google services; prioritizes performance over legacy.
GnuTLSYesYesExperimentalYesYesSupports HMAC variants; SHA-3 via external plugins.
NSSYesYesYes (3.36+)YesYesFIPS 140-2/3 validated; SHA-3 for high-security environments.
mbed TLSYesYesNo (hash only)YesYesSHA-2 focused for IoT; no SHA-3 in TLS due to constraints.

Elliptic Curve Cryptography Support

(ECC) plays a central role in modern TLS implementations for via Elliptic Curve Diffie-Hellman (ECDH) and digital signatures via Elliptic Curve Digital Signature Algorithm (ECDSA). TLS standards define specific curves to ensure interoperability and security, with implementations varying in their support for these primitives. The primary curves are those specified in RFC 8422 for TLS 1.2 and earlier, which include the NIST-approved P-256, , and P-521 curves, providing security levels of 128, 192, and 256 bits, respectively. For TLS 1.3, RFC 8446 mandates support for X25519 and X448 from the family, offering 128-bit and 224-bit security levels, respectively, as integrated mechanisms. Several older curves, such as sect163k1 and other binary field curves from earlier standards, have been deprecated due to insufficient security margins and lack of widespread adoption. Brainpool curves, defined in RFC 5639 and initially supported in TLS 1.2 via RFC 7027, faced limited adoption and were excluded from TLS 1.3 in its original specification owing to low usage; however, RFC 8734 later enabled their use in TLS 1.3 for scenarios requiring them, such as in European standards. In versions prior to 3.2, Brainpool curves were supported for TLS 1.2 but not TLS 1.3, reflecting caution around historical concerns with elliptic curve generation tied to flawed generators like , though Brainpool itself stems from independent BSI specifications. Other implementations, like , have maintained fuller support for Brainpool across versions. As quantum computing advances threaten classical ECC, TLS implementations are exploring post-quantum readiness through hybrid modes that combine traditional ECDH with quantum-resistant algorithms. For instance, support in BoringSSL enables hybrid key exchanges pairing ECDHE (using curves like X25519) with ML-KEM (), a lattice-based standardized in NIST FIPS 203, as deployed in production by services and Chrome as of 2025. These hybrids maintain while providing quantum resistance, with ongoing IETF work in drafts like hybrid ECDHE-ML-KEM for TLS 1.3. The following table summarizes support for key RFC-defined curves across major TLS implementations, indicating full native support, configurable enablement, or partial/limited availability (e.g., in embedded configurations). Support levels are based on standard builds as of 2025; embedded libraries like mbedTLS often require explicit configuration for full suites.
CurveSecurity Level (bits)mbedTLSNSSBoringSSL
P-256128FullFullFullFullFull
P-384192FullFullFullFullFull
P-521256FullFullConfigFullFull
X25519128FullFullFullFullFull
X448224FullFullConfigFullFull
GnuTLS provides the most comprehensive out-of-the-box suite, including Brainpool variants, while mbedTLS prioritizes lightweight support suitable for resource-constrained environments, often enabling only essential curves by default.

Certificate Handling

Certificate Verification Methods

Certificate verification in TLS implementations occurs during the handshake to ensure the authenticity and validity of the presented server certificate. This process typically involves constructing a chain from the leaf certificate to a trusted root certificate authority (CA), verifying signatures along the path, checking status, and confirming the certificate matches the expected . Implementations differ in their default trust anchors, support for protocols, and handling of edge cases like self-signed certificates. Revocation checking prevents the use of compromised certificates by querying whether they have been revoked. Certificate Revocation Lists (CRLs) provide an offline method where clients download a signed list of revoked serial numbers from the issuing CA, which can grow large and require periodic updates, potentially introducing latency. The (OCSP) offers real-time verification by sending a query to the CA's OCSP responder for the specific certificate's status, reducing bandwidth but adding a network dependency and potential privacy risks from query metadata. mitigates these issues by allowing the server to include a pre-fetched, signed OCSP response in the TLS handshake (via the Certificate Status Request extension in RFC 6066), enabling efficient client-side validation without direct CA contact. Chain validation requires building a path to a root CA by iteratively verifying issuer signatures and ensuring no loops or missing intermediates. Hostname matching, as defined in RFC 6125, compares the server's presented identity (from the certificate's subjectAltName or commonName) against the expected hostname using case-insensitive string comparison, with support for wildcards but restrictions on IP addresses and internationalized domain names. Certificate pinning, once enabled via HTTP Public Key Pinning (HPKP, RFC 7469), allowed sites to specify expected public keys or hashes to prevent man-in-the-middle attacks, but it was deprecated by Google in Chrome 67 (2018) due to deployment risks like accidental lockouts and low adoption, with full removal in Chrome 72 (2019). Implementation variances arise in trust store management and feature integration. OpenSSL relies on system-wide trust stores, such as the ca-certificates bundle on Linux distributions, loaded via directories like /etc/ssl/certs or explicit files, allowing flexible but OS-dependent configuration. NSS embeds Mozilla's curated root CA list (maintained per the Mozilla Root Store Policy), providing a consistent, browser-aligned set of approximately 100 trusted roots without needing external bundles. BoringSSL, a streamlined fork of OpenSSL, inherits similar verification logic but omits legacy features for reduced attack surface, using the same system trust mechanisms. mbed TLS requires explicit CA chain provision via configuration (e.g., mbedtls_x509_crt_parse), supporting basic path building but lacking built-in OCSP; CRL checks are manual via loaded lists. GnuTLS integrates system trust stores or pkcs11 modules, with native support for OCSP queries and CRL downloading during verification.
ImplementationTrust StoreRevocation MethodsNotes
System (e.g., ca-certificates)CRL (via X509_V_FLAG_CRL_CHECK), (manual or stapling via SSL_CTX_set_tlsext_status_cb)Flexible but requires configuration for stapling; supports partial chain validation.
BoringSSLSystem (inherits )CRL, Similar to but stricter defaults; no deprecated algorithms.
NSSBuilt-in Mozilla rootsCRL (automatic download), OCSP (via CERT_VerifyCert)Integrated with ; supports stapling and soft-token CRL updates.
Explicit CA filesCRL (manual parsing)No native OCSP; focuses on embedded use with lightweight chain verify.
System or CRL (gnutls_certificate_set_x509_trust), OCSP (gnutls_ocsp_status_request)Enables OCSP by default if URLs present; supports stapling.
Security considerations include handling self-signed certificates, which most implementations reject by default unless explicitly trusted as roots, to avoid unauthorized endpoints. Extended Validation (EV) certificates, which undergo rigorous identity checks per CA/Browser Forum guidelines, see declining support post-2019 as browsers like Firefox 70 and Chrome 77 removed distinctive UI indicators (e.g., green bars), treating them like domain-validated certificates since users rarely noticed or acted on the distinction. This shift prioritizes usability while maintaining backend validation, though EV issuance continues for compliance.

Certifications and Compliance Standards

TLS implementations undergo rigorous certification processes to ensure they meet security standards required for government, financial, and enterprise use. The Federal Information Processing Standards (FIPS) 140-2 and its successor FIPS 140-3, administered by the National Institute of Standards and Technology (NIST), validate cryptographic modules for compliance with U.S. federal security requirements. OpenSSL's FIPS Provider in version 3.1.2 achieved FIPS 140-3 validation under certificate #4985, effective from March 11, 2025, and valid until March 10, 2030. NSS, used in Mozilla products and Oracle environments, has maintained FIPS 140-2 certification since 2005 through modules like the NSS Softoken, with ongoing validations integrated into Oracle Linux distributions. wolfSSL's wolfCrypt library holds multiple FIPS 140-3 certificates, including #4718 and #5041, both valid through July 17, 2030, supporting embedded and high-performance applications. BoringSSL includes a FIPS module with public NIST validation under certificate #4735 for FIPS 140-3, focused on Google use but available in products like Google Cloud. In contrast, mbed TLS offers partial FIPS readiness through its FIPS-based configuration but lacks full module validation, requiring additional vendor-specific adaptations for compliance. GnuTLS has achieved FIPS 140-3 validation in distributions like AlmaLinux 9 (#5049, valid July 2025–2030) and Oracle Linux 9. LibreSSL removed FIPS support post-fork from OpenSSL, offering no certification. rustls provides FIPS 140-3 compliance via its aws-lc-rs cryptographic backend (no dedicated module certificate). FIPS certifications follow a five-year validity cycle, after which modules must undergo recertification or risk expiration; for instance, all validations are scheduled to sunset by September 21, 2026, accelerating the transition to FIPS 140-3. This recertification ensures modules address evolving threats, such as those from , and maintain operational integrity through self-tests and approved algorithms. The (NSA) Suite B, evolved into the Commercial National Security Algorithm Suite (CNSA) 1.0 and 2.0, specifies algorithms for protecting national security systems (NSS). CNSA 1.0 mandates AES-256 for , SHA-384 for hashing, and elliptic curves like for in TLS contexts. supports CNSA 1.0 profiles via configuration, enabling TLS 1.3 implementations compliant with NSA guidelines for protecting classified information up to . NSS inherently aligns with CNSA 1.0 through its algorithm suite, used in federal systems since the Suite B era. Post-2022, CNSA 2.0 introduces quantum-resistant algorithms, requiring NSS to migrate by 2030-2035 timelines; and have begun integrating post-quantum (e.g., ) for CNSA 2.0 readiness in TLS. supports CNSA 1.0 algorithms but trails in full CNSA 2.0 quantum migration, with experimental post-quantum extensions. supports CNSA 1.0; rustls offers partial CNSA 2.0 via post-quantum extensions in aws-lc-rs. Other compliance standards include (CC) at 4+ (EAL4+), which evaluates overall system security including TLS components, and PCI-DSS for payment card industry data security. CC EAL4+ certifications are typically applied to products embedding TLS libraries, such as firewalls or gateways using or NSS, verifying resistance to deliberate attacks. PCI-DSS Requirement 4 mandates in transit, achievable with TLS 1.2+ using libraries like configured for approved ciphers (e.g., AES-256-GCM), though it certifies environments rather than libraries directly.
ImplementationFIPS LevelCertificate #Expiration DateCNSA SupportCC EAL4+PCI-DSS Configurable
140-34985March 10, 20301.0/2.0 (PQ)Product-embeddedYes
NSS140-2Various (e.g., Oracle-integrated)Ongoing (pre-2026 sunset)1.0Product-embeddedYes
Partial (140-2 ready)N/AN/A1.0 (partial 2.0)LimitedYes
140-34718, 5041July 17, 20301.0/2.0 (PQ)Product-embeddedYes
BoringSSL140-34735N/A1.0N/AYes
140-35049 (e.g., AlmaLinux 9)July 27, 20301.0Product-embeddedYes
NoneN/AN/A1.0LimitedYes
rustls140-3 (via aws-lc-rs)N/AN/A1.0 (partial 2.0 PQ)LimitedYes
This table summarizes certification status for major implementations as of November 2025, highlighting gaps like mbed TLS's incomplete FIPS validation and LibreSSL's lack of support.

Advanced Features

Compression Support

(TLS) originally included support for compressing the payload of TLS records to reduce bandwidth usage, primarily through the algorithm defined in RFC 3749. This method, which employs the zlib library for compression, was intended to optimize data transmission in bandwidth-constrained environments but introduced significant risks due to the compress-then-encrypt . The compression could leak information about through variations in compressed output size, enabling side-channel attacks. The attack, disclosed in 2012, exploited compression in TLS to infer sensitive data such as authentication cookies by analyzing compression ratios over multiple connections. This vulnerability, classified as CVE-2012-4929, demonstrated how an active network attacker could progressively reveal secrets by injecting crafted content and observing encrypted packet lengths. A related attack, BREACH, extended similar principles to HTTP-level compression but highlighted the broader dangers of compression in secure channels, though it primarily affected application-layer rather than TLS records. Following CRIME, major TLS implementations disabled compression by default; for instance, versions 1.0.1 and later rejected the compression extension during handshake negotiation. TLS 1.3, standardized in RFC 8446, eliminated record-layer compression entirely to mitigate these risks, removing the compression method field from the record layer and prohibiting any payload compression. Legacy support for and other methods like LZS (from RFC 3943) persists only in older TLS versions (1.0–1.2) for , but it is widely discouraged and often compiled out in modern libraries. , for example, removed record-layer compression support starting with version 3.6.0, citing security concerns, while retaining optional legacy modes for interoperability in constrained environments. In contrast, BoringSSL, Google's security-focused fork of , never implemented record-layer compression to avoid vulnerabilities from the outset. As an alternative to TLS-level compression, application-layer methods like for HTTP content remain viable and are recommended, as they occur after and avoid side-channel leaks in the . These operate independently of TLS, compressing response bodies without exposing plaintext patterns to network observers. More recently, TLS 1.3 introduced certificate compression via RFC 8879 to reduce handshake overhead without compromising payload security. This extension allows compressing the certificate chain using algorithms like (zlib-based but optimized for web content), Zstandard, or zlib, negotiated separately from record compression. support is experimental in some contexts but standardized here, with implementations varying: provides via its COMP_brotli method since version 3.0, enables it through gnutls_compress_certificate_set_methods since 3.7.0, and BoringSSL supports it via SSL_CTX_add_cert_compression_alg callbacks. This feature achieves significant size reduction for large certificate chains, enhancing performance on mobile networks without the risks of record compression.
ImplementationRecord-Layer Compression (DEFLATE/LZS)Certificate Compression (Brotli/Zstd/etc.)
OpenSSLDisabled by default (1.0.1+); removableSupported (3.0+ incl. )
GnuTLSRemoved (3.6.0+); legacy optionalSupported (3.7.0+ incl. )
BoringSSLNever supportedSupported (via callbacks incl. )
mbed TLSRemoved (3.0+)Not supported

Assisted Cryptography

Assisted cryptography in TLS implementations refers to the offloading of cryptographic operations, such as key exchanges and during handshakes, to external hardware or modules to enhance and . This approach allows TLS libraries to delegate resource-intensive tasks like RSA or ECDH computations to specialized devices, reducing computational load on the host system while maintaining protocol integrity. Major TLS libraries integrate these capabilities through standardized interfaces, enabling seamless support for hardware-accelerated operations in both client and server contexts. Key features include support for the interface, which provides a platform-independent API for interacting with hardware security modules (HSMs) and cryptographic tokens, facilitating secure key storage and operations without exposing sensitive material to the host environment. In , the ENGINE API historically enabled plugin-based integration for such offloading, though it has been deprecated in favor of the more modular provider interface since version 3.0, allowing dynamic loading of PKCS#11 providers for algorithms like RSA and elliptic curve operations. NSS, by contrast, embeds PKCS#11 natively as its core architecture, treating HSMs as pluggable modules for TLS key management. Implementation details vary across libraries, with NSS offering the most direct integration by registering PKCS#11 modules during initialization, enabling TLS handshakes to use hardware-backed keys transparently for operations like certificate signing and key derivation. mbed TLS supports assisted cryptography through external plugins and its Platform Security Architecture (PSA) cryptography API, which allows interfacing with HSMs via driver layers, though full PKCS#11 compatibility relies on wrappers like pkcs11-helper that are now deprecated in favor of PSA secure element interfaces. wolfSSL provides robust built-in PKCS#11 support, both as a consumer of external modules and as a provider via its wolfPKCS11 library, optimizing for embedded TLS scenarios. BoringSSL, a streamlined OpenSSL fork, facilitates offloading through custom private key method callbacks, supporting asynchronous hardware acceleration for TLS private key operations without native PKCS#11 but compatible via upstream mechanisms. Common use cases involve offloading RSA or ECDH key exchanges to smart cards or HSMs in high-throughput environments, such as web servers handling thousands of TLS connections, where can handle 33% more requests per second compared to software-only implementations. For instance, in enterprise TLS deployments, HSMs handle private key operations during certificate authentication, ensuring scalability for protocols like TLS 1.3 while minimizing CPU overhead on the . Security trade-offs in assisted modes center on balancing enhanced key protection against potential vulnerabilities; while HSMs prevent key exposure by confining operations within tamper-resistant boundaries—reducing risks from memory dumps or side-channel attacks on host systems—they introduce dependencies on hardware integrity and may incur latency from inter-module communication. Key exposure risks are mitigated in HSM-assisted TLS by never exporting private keys, unlike software modes where keys reside in volatile memory, but compromise of the HSM itself remains a concern if not FIPS 140 validated. Post-2020 mitigations include OpenSSL's shift to provider-based architectures, which isolate third-party modules to limit attack surfaces, and NIST guidelines emphasizing automated key rotation in HSMs to counter prolonged exposure during certificate lifecycles.

Alternative Key Exchange Support

Alternative key exchange mechanisms in TLS provide options beyond traditional certificate-based authentication, enabling authentication through pre-shared secrets or passwords. These approaches are particularly useful in environments where (PKI) is impractical or resource-intensive. (PSK) ciphersuites, defined in RFC 4279, allow parties to authenticate using symmetric keys shared out-of-band, supporting both pure PSK modes and hybrid variants that incorporate ephemeral Diffie-Hellman (DHE-PSK) for . In DHE-PSK hybrids, the PSK handles authentication while DHE generates ephemeral keys to protect against key compromise, as specified in the same RFC for TLS versions prior to 1.3. Additionally, the Secure Remote Password (SRP) protocol enables password-authenticated key exchange, where a verifier derived from the password facilitates without transmitting the password itself, per RFC 5054. In TLS 1.3, PSK support is integrated into the core protocol (RFC 8446), allowing resumption of prior sessions with pre-shared keys for reduced latency. A key feature is 0-RTT (zero round-trip time) resumption, where clients can send encrypted application data immediately in the ClientHello using the PSK, though this trades some security for performance by risking replay attacks on early data. The TLS 1.3 key schedule derives all secrets, including those for PSK modes, using HKDF-Expand-Label, a construct from (RFC 5869) that expands pseudorandom keys into labeled subkeys for traffic protection and key updates. SRP integration remains available in earlier TLS versions but is not natively extended to TLS 1.3, as the protocol favors PSK for low-entropy secrets with additional protections like key ratcheting. These mechanisms find prominent use in resource-constrained settings, such as (IoT) devices, where avoiding PKI overhead simplifies deployment and reduces computational demands. PSK enables lightweight for low-power sensors or embedded systems communicating with gateways, ensuring without certificate management. SRP suits scenarios requiring human-memorable passwords, like legacy device logins, while hybrids like DHE-PSK balance efficiency with in bandwidth-limited networks. Support for these features varies across TLS implementations, with full PSK commonly available but SRP more limited due to its niche adoption and deprecation in some libraries.
ImplementationPSK Support (incl. TLS 1.3 & 0-RTT)DHE-PSK HybridSRP Support
OpenSSLFull, via API callbacks for external PSKsYes (pre-TLS 1.3)Deprecated in 3.x versions; available in 1.1.x via srp command
GnuTLSFull, with credential functions and priority stringsYes (pre-TLS 1.3)Full, via dedicated authentication mode and srptool
BoringSSLSupported for internal PSKs; external PSKs limited in TLS 1.3Yes (pre-TLS 1.3)No native support
NSSFull for TLS 1.3 resumption PSKsYes (pre-TLS 1.3)No native support
wolfSSLFull (incl. TLS 1.3 & 0-RTT)Yes (pre-TLS 1.3)Limited; available via external integration

Implementation Aspects

System-Specific Backends

TLS implementations often integrate with operating system-specific cryptographic backends to leverage native APIs for enhanced , , and compliance with platform standards. These backends provide access to underlying , certificate stores, and without requiring custom code, allowing TLS libraries to offload tasks like , , and verification to the OS level. On Windows, the Schannel Security Support Provider (SSP) serves as the primary TLS backend, utilizing the Cryptography API: Next Generation (CNG) and legacy CryptoAPI (CAPI) for cryptographic operations such as public key handling and symmetric encryption in TLS 1.0 through 1.3. Schannel integrates seamlessly with Windows' certificate store and supports protocols like DTLS, enabling applications to establish secure connections via the Security Support Provider Interface (SSPI) while automatically benefiting from OS updates to cipher suites and vulnerabilities. This approach ensures compliance with Windows security policies but ties implementations closely to ecosystems, limiting cross-platform reuse. For macOS and iOS, the Security Framework provides the Secure Transport API as the core TLS backend, supporting TLS 1.0 to 1.3 and DTLS with preferences for and AES-based ciphers. It handles certificate validation per RFC 5280 and via RFC 6962, integrating with the system's for credential management and enforcing policies like App Transport Security (ATS) to mandate TLS 1.2+ and strong hashing. Secure Transport deprecates weaker algorithms like and , promoting secure defaults, though it lacks native TLS 1.3 support in older APIs, directing developers to higher-level frameworks like Network.framework for modern features. This backend excels in Apple's unified security model but requires adaptation for non-Apple platforms. In environments, the kernel TLS (kTLS) implementation utilizes the kernel crypto to perform symmetric and decryption directly in kernel space, supporting TLS 1.2 and 1.3 over TCP sockets via setsockopt options like TLS_TX and TLS_RX. Post-handshake, user-space applications can offload record processing to the kernel, which handles ciphers such as AES-GCM using structures like tls12_crypto_info_aes_gcm_128, reducing data copies between user and kernel space. This integration enables efficient operations with sendfile and supports key updates for TLS 1.3, with statistics trackable via /proc/net/tls_stat. kTLS enhances throughput for high-load scenarios, such as in , by up to 29% on certain distributions through minimized context switches and hardware offload compatibility. Cross-platform TLS libraries like Network Security Services (NSS) address portability by relying on the Netscape Portable Runtime (NSPR) as an abstraction layer over OS-specific APIs, allowing consistent TLS behavior across Windows, Linux, and Unix-like systems without direct backend dependencies. NSS uses NSPR for threading, I/O, and memory management, enabling it to interface with platform crypto providers while maintaining a unified API for TLS handshakes and session management. In contrast, BoringSSL, a fork of OpenSSL tailored for Google's services, integrates tightly with Chromium's networking stack, optimizing for browser-specific needs like QUIC over TLS but forgoing broad OS backend abstraction in favor of custom performance tweaks. System-specific backends offer advantages in performance and automatic hardware utilization—such as NIC offload for —reducing CPU overhead compared to pure user-space implementations, though they sacrifice portability by requiring platform recompilation or wrappers. For instance, kTLS can halve latency in data transfers by avoiding user-kernel copies, but cross-platform libraries like NSS mitigate this via NSPR at the cost of potential overhead. 3.0, released in 2021, introduces a provider-based to enhance modularity, allowing dynamic loading of backends like the default (standard algorithms), FIPS (validated module), or legacy providers via OSSL_PROVIDER_load, with system-specific paths such as fips.so on Unix or fips.dll on Windows. This enables to adapt to OS crypto APIs more flexibly than prior versions' engine interface, supporting hybrid deployments.
ImplementationPrimary Backend(s)Key AdvantagesKey Disadvantages
Schannel (Windows native)CNG/CAPINative certificate integration; automatic OS updatesWindows-only; limited customization
Secure Transport (macOS)Security FrameworkEnforced secure defaults (e.g., ATS); supportDeprecated older APIs; lock-in
kTLS (Linux)Kernel Crypto APIKernel-level offload for high throughput; Requires kernel 4.13+; user-space handshake needed
NSSNSPR abstractionCross-platform portabilityAbstraction layer overhead
BoringSSL stackBrowser-optimized performanceNot general-purpose; no ABI stability
OpenSSL 3.0+Modular providers (e.g., default, FIPS)Dynamic backend loading; FIPS complianceConfiguration complexity for multi-provider setups

Hardware Token and Module Support

TLS implementations often integrate with hardware tokens and modules to enhance security by offloading sensitive cryptographic operations, such as , storage, and usage during TLS handshakes, to tamper-resistant devices. The standard provides a platform-independent for accessing these hardware cryptographic tokens, enabling uniform interaction with devices like hardware security modules (HSMs) and smart cards for tasks including private key protection and signature generation in TLS sessions. GnuTLS supports PKCS#11 hardware tokens through integration with the p11-kit library, which manages module loading and configuration, allowing applications to perform TLS operations like certificate verification and key derivation using tokens without exposing private keys. OpenSSL achieves similar functionality via the engine_pkcs11 library, which acts as an engine to route cryptographic calls to -compliant hardware modules during TLS negotiations. The Network Security Services (NSS) library also natively supports tokens for secure in TLS contexts, facilitating integration with various hardware accelerators and smart cards. For instance, the YubiHSM 2 device exposes its capabilities through a module, enabling TLS servers to use it for encryption and signing while keeping keys confined to the hardware. Trusted Platform Module (TPM) 2.0 integration further extends hardware support in TLS by allowing keys stored in the to be used for and without extraction. incorporates TPM 2.0 via the tpm2-openssl provider, which exposes TPM keys through the standard for seamless TLS use. provides TPM 2.0 support through its , enabling applications to list and utilize TPM-stored keys for TLS client and server . NSS can interface with TPM 2.0 via wrappers, supporting secure key operations in browser-based TLS sessions. Hardware tokens and modules compliant with Level 3 (under standards such as or the current ) ensure robust for key storage and generation in TLS environments, featuring tamper detection and response mechanisms to protect against unauthorized access. These certified devices, such as PCIe-based accelerators, support TLS protocol acceleration while maintaining key confidentiality, as validated by NIST for cryptographic modules used in secure communications. Usage typically involves storing private keys non-exportably and performing operations like RSA or ECDSA signing directly on the hardware during TLS handshakes. Challenges in hardware integration include configuration complexities and potential dependencies on vendor-specific drivers, which can lead to optimization for particular modules like nCipher HSMs in NSS setups, potentially complicating migrations to alternative hardware. Such vendor-specific tuning may enhance performance for TLS workloads but risks issues across diverse token ecosystems. This hardware offloading can briefly assist features like acceleration by delegating compute-intensive tasks to specialized modules.

Code Dependencies

TLS implementations vary in their reliance on external libraries for core functionality such as parsing and , which are common across many libraries to handle certificate processing and cryptographic operations. For instance, requires the libtasn1 library for structure handling in certificates and related protocols. Similarly, big-integer arithmetic libraries like GMP are often used indirectly; in , GMP is a dependency of the Nettle cryptographic backend for operations such as Diffie-Hellman . , by contrast, implements its own bignum library and does not mandate external big-integer support, though optional engines may integrate third-party arithmetic libraries. Implementation-specific dependencies reflect design goals, such as portability or integration with larger ecosystems. BoringSSL, a fork of OpenSSL tailored for Google's infrastructure, maintains minimal external dependencies at runtime and integrates seamlessly with Go's standard crypto package for applications in that language, relying primarily on standard C libraries. mbed TLS is designed as a standalone library with no external cryptographic dependencies, using only standard C library functions to minimize footprint for embedded systems. NSS depends on NSPR for portable runtime services and zlib for compression, ensuring cross-platform compatibility without broader external crypto libraries. Dependencies introduce vulnerability risks through supply-chain attacks, where compromised third-party components can propagate flaws, akin to the 2021 Log4j incident that affected numerous Java-based systems via logging library dependencies. In TLS contexts, outdated or vulnerable dependencies like those in distributions have led to exposures such as CVE-2022-3602, highlighting the need for vigilant updates; for example, firmware using embedded versions faced supply-chain risks from unpatched variants. Update cadences vary: dependencies like Nettle and GMP receive regular releases, but synchronization lags can expose systems if not managed, as seen in historical mismatches affecting cryptographic integrity. The following table summarizes core and optional dependencies for select implementations, along with approximate minimal binary sizes for TLS functionality (stripped configurations on x86_64 ):
ImplementationCore DependenciesOptional DependenciesApprox. Binary Size
Standard C libraries, (build)None (self-contained crypto)~3.2 MB
libtasn1, Nettle (incl. GMP)p11-kit, libunistring~1.7 MB
BoringSSLStandard C librariesGo (tests/integration)~3 MB
Standard libcNone~420 KB
NSSNSPR, zlibNone~2 MB
Sizes represent compiled library binaries with basic TLS support and exclude tests or full toolchains; actual footprints depend on configuration.

Development and Portability Concerns

Development environments for TLS implementations vary significantly, influencing ease of integration and maintenance. OpenSSL and GnuTLS are primarily developed in the C programming language, providing low-level control suitable for high-performance applications, while build systems like Autotools for OpenSSL facilitate configuration across Unix-like systems. In contrast, the ring cryptography library, often used within Rust-based TLS stacks like rustls, leverages Rust for memory safety and concurrency benefits, with Cargo as the build tool to manage dependencies and cross-compilation. BoringSSL, a fork of OpenSSL, also uses C but employs CMake for builds, enabling more modern and flexible configuration compared to traditional Autotools setups. mbed TLS similarly relies on C and supports CMake or makefiles, optimized for resource-constrained environments. Licensing models play a crucial role in adoption, particularly for commercial deployments where source code disclosure requirements can impact . BoringSSL is released under the Apache 2.0 license, a permissive that allows unrestricted commercial use, modification, and distribution without mandating the sharing of derivative works. GnuTLS operates under the GNU Lesser General Public License (LGPL) version 2.1 or later, permitting dynamic linking in applications without forcing the entire program to be open-sourced, though static linking may trigger obligations. This makes LGPL suitable for libraries in commercial products but requires careful linkage strategies to avoid GPL contamination. OpenSSL adopted the Apache 2.0 license starting with version 3.0 in 2021, resolving prior incompatibilities with the GPL and broadening its appeal for enterprise integration. mbed TLS and ring also use Apache 2.0 and ISC licenses, respectively, favoring permissive terms that minimize legal hurdles for commercial vendors embedding TLS functionality. Portability challenges arise from architectural differences and target platforms, affecting deployment in diverse ecosystems. mbed TLS excels in embedded systems, offering native support for ARM architectures through configurable modules that minimize footprint and enable bare-metal operation without an OS. It handles endianness variations via compile-time options, ensuring compatibility on both little- and big-endian processors common in IoT devices. OpenSSL provides native support for big-endian platforms such as IBM Power and SPARC. GnuTLS emphasizes ANSI C portability, supporting a wide range of Unix, Windows, and embedded targets, though it may need platform-specific tweaks for optimal performance. BoringSSL maintains high portability inherited from OpenSSL but prioritizes x86 and ARM, with limited emphasis on exotic architectures due to its Google-centric focus. ring's Rust foundation enhances cross-platform portability via no_std mode, allowing use in embedded Rust environments, though it relies on assembly optimizations that may limit some architectures. Maintenance concerns highlight vulnerabilities in contributor ecosystems, underscoring the risks of underfunded open-source projects. The 2014 Heartbleed bug in (CVE-2014-0160) exposed private keys and sensitive data due to a buffer over-read, affecting up to two-thirds of servers and revealing the project's reliance on a small volunteer base of fewer than a dozen core contributors at the time. This incident prompted increased corporate funding and restructuring, yet 's ecosystem remains challenged by complex codebases that deter new contributors, with ongoing calls for better documentation and testing frameworks. benefits from Foundation backing, fostering a more stable contributor pool, while BoringSSL's maintenance is driven by Google's resources, reducing vulnerability exposure through rigorous internal reviews. , maintained by , addresses embedded-specific maintenance via , but Rust-based options like ring/rustls attract a growing of safe-code advocates, potentially mitigating historical C-related bugs. These dynamics emphasize the need for diverse contributor involvement to sustain secure TLS evolution across implementations.

References

  1. https://curl.se/docs/ssl-compared.html
  2. https://www.haproxy.com/blog/state-of-ssl-stacks
  3. https://www.ijser.in/archives/v13i5/SE25522112222.pdf
  4. https://www.conf-icnc.org/2024/papers/p147-zi_qiu.pdf
  5. https://arxiv.org/html/2508.16078v1
  6. https://www.wolfssl.com/license/fips/
  7. https://www.wolfssl.com/performance-comparison-tls-1-3-wolfssl-openssl/
  8. https://transactional.blog/blog/2022-database-tls-survey
  9. https://datatracker.ietf.org/doc/html/rfc8446
  10. https://www.acunetix.com/blog/articles/history-of-tls-ssl-part-2/
  11. https://www.feistyduck.com/ssl-tls-and-pki-history/
  12. https://www.openssl.org/
  13. https://boringssl.googlesource.com/boringssl
  14. https://firefox-source-docs.mozilla.org/security/nss/index.html
  15. https://www.gnutls.org/
  16. https://mbed-tls.readthedocs.io/en/latest/
  17. https://www.libressl.org/
  18. https://www.wolfssl.com/
  19. https://csrc.nist.gov/pubs/sp/800/52/r2/final
  20. https://bhu.ac.in/research_pub/jsr/Volumes/JSR_66_02_2022/12.pdf
  21. https://www.fastly.com/blog/boringssl-to-make-tls-more-secure
  22. https://english.ncsc.nl/binaries/ncsc-en/documenten/publications/2021/january/19/it-security-guidelines-for-transport-layer-security-2.1/IT%2BSecurity%2BGuidelines%2Bfor%2BTransport%2BLayer%2BSecurity%2Bv2.1.pdf
  23. https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
  24. https://datatracker.ietf.org/doc/html/rfc7568
  25. https://datatracker.ietf.org/doc/html/rfc8996
  26. https://github.com/openssl/openssl
  27. https://documentation.ubuntu.com/server/explanation/crypto/openssl/
  28. https://gnutls.org/
  29. https://www.gnutls.org/manual/html_node/Upgrading-from-previous-versions.html
  30. https://github.com/nss-dev/nss
  31. https://nss-crypto.org/reference/security/nss/legacy/nss_releases/nss_3.28_release_notes/index.html
  32. https://docs.espressif.com/projects/esp-idf/en/stable/esp32/api-reference/protocols/mbedtls.html
  33. https://github.com/Mbed-TLS/mbedtls
  34. https://www.wolfssl.com/documentation/manuals/wolfssl/appendix04.html
  35. https://mbed-tls.readthedocs.io/en/latest/kb/how-to/use-sni/
  36. https://bugzilla.mozilla.org/show_bug.cgi?id=713933
  37. https://support.mozilla.org/en-US/kb/understand-encrypted-client-hello
  38. https://www.wolfssl.com/how-and-why-to-use-ech-encrypted-client-hello/
  39. https://datatracker.ietf.org/doc/draft-ietf-tls-esni/25/
  40. https://www.wolfssl.com/docs/tls13/
  41. https://datatracker.ietf.org/doc/html/rfc8446#section-2
  42. https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.7.1
  43. https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8
  44. https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
  45. https://gnutls.org/manual/html_node/Priority-Strings.html
  46. https://datatracker.ietf.org/doc/html/rfc4279
  47. https://www.heise.de/en/news/OpenSSL-3-5-0-now-contains-post-quantum-procedures-10345305.html
  48. https://www.wolfssl.com/wolfssl-unveils-post-quantum-cryptography-and-security-solutions-at-embedded-world-2025/
  49. https://docs.openssl.org/3.0/man1/openssl-ciphers/
  50. https://wiki.openssl.org/index.php/OpenSSL_3.0
  51. https://wiki.mozilla.org/Security/Cipher_Suites
  52. https://www.gnutls.org/manual/html_node/Supported-ciphersuites.html
  53. https://www.trustedfirmware.org/blog/mbed-tls-30/
  54. https://datatracker.ietf.org/doc/html/rfc5246
  55. https://datatracker.ietf.org/doc/html/rfc5289
  56. https://www.gnutls.org/manual/html_node/Hash-and-MAC-functions.html
  57. https://datatracker.ietf.org/doc/html/rfc8422
  58. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt1r5.pdf
  59. https://datatracker.ietf.org/doc/html/rfc8734
  60. https://security.googleblog.com/2024/09/a-new-path-for-kyber-on-web.html
  61. https://www.gnutls.org/manual/html_node/Public-key-algorithms.html
  62. https://datatracker.ietf.org/doc/html/rfc6125#section-6
  63. https://developer.chrome.com/blog/chrome-67-deps-rems
  64. https://curl.se/docs/sslcerts.html
  65. https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
  66. https://www.imperialviolet.org/2015/10/17/boringssl.html
  67. https://www.gnutls.org/manual/html_node/PKIX-certificate-revocation-lists.html
  68. https://docs.openssl.org/3.1/man1/openssl-verification-options/
  69. https://www.gnutls.org/manual/html_node/OCSP-certificate-status-checking.html
  70. https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/
  71. https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
  72. https://openssl-library.org/post/2025-03-11-fips-140-3/
  73. https://www.oracle.com/corporate/security-practices/assurance/development/external-security-evaluations/fips/certifications/
  74. https://cloud.google.com/security/compliance/fips-140-2-validated
  75. https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/5049
  76. https://www.memorysafety.org/blog/rustls-with-aws-crypto-back-end-and-fips/
  77. https://www.openwall.com/lists/oss-security/2014/04/23/1
  78. https://www.safelogic.com/blog/fips-140-3-transition-extended-by-cmvp
  79. https://media.defense.gov/2025/May/30/2003728741/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF
  80. https://www.wolfssl.com/suite-b-versus-cnsa-1-0-versus-cnsa-2-0/
  81. https://www.ibm.com/docs/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q009980_.html
  82. https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3148990/nsa-releases-future-quantum-resistant-qr-algorithm-requirements-for-national-se/
  83. https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/does-pci-dss-define-which-versions-of-tls-must-be-used/
  84. https://blog.qualys.com/product-tech/2012/09/14/crime-information-leakage-attack-against-ssltls
  85. https://www.breachattack.com/
  86. https://www.gnutls.org/manual/html_node/Compression-algorithms-and-the-record-layer.html
  87. https://httpd.apache.org/docs/2.4/mod/mod_deflate.html
  88. https://datatracker.ietf.org/doc/html/rfc8879
  89. https://docs.openssl.org/3.3/man3/COMP_CTX_new/
  90. https://www.gnutls.org/manual/html_node/Enabling-TLS-certificate-compression.html
  91. https://stackoverflow.com/questions/67337572/boringssl-certificate-compression
  92. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-16.pdf
  93. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/configuring-applications-to-use-cryptographic-hardware-through-pkcs-11_security-hardening
  94. https://www.wolfssl.com/wolfssl-pkcs11-support/
  95. https://www.mdpi.com/1999-5903/16/5/148
  96. https://www.rfc-editor.org/rfc/rfc5054.html
  97. https://blog.golioth.io/yes-even-your-iot-prototype-should-be-secure/
  98. https://www.keyfactor.com/blog/how-to-build-trust-in-iot-device-security-with-proven-authentication-methods/
  99. https://docs.openssl.org/3.1/man3/SSL_CTX_use_psk_identity_hint/
  100. https://docs.openssl.org/3.1/man1/openssl-srp/
  101. https://www.gnutls.org/manual/html_node/Authentication-using-PSK.html
  102. https://www.gnutls.org/manual/html_node/PSK-credentials.html
  103. https://www.gnutls.org/manual/html_node/Authentication-using-SRP.html
  104. https://boringssl.googlesource.com/boringssl/%2B/master/ssl/tls13_client.cc
  105. https://boringssl.googlesource.com/boringssl/%2B/master/ssl/handshake_client.cc
  106. https://commoncriteria.github.io/pp/tls/tls.pdf
  107. https://searchfox.org/firefox-main/source/security/nss/lib/ssl
  108. https://learn.microsoft.com/en-us/windows-server/security/tls/tls-ssl-schannel-ssp-overview
  109. https://www.kernel.org/doc/html/latest/networking/tls.html
  110. https://support.apple.com/guide/security/tls-security-sec100a75d12/web
  111. https://www.f5.com/company/blog/nginx/improving-nginx-performance-with-kernel-tls
  112. https://nss-crypto.org/reference/security/nss/legacy/overview/index.html
  113. https://boringssl.googlesource.com/boringssl/+/HEAD/README.md
  114. https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html
  115. https://www.gnutls.org/manual/html_node/PKCS11.html
  116. https://github.com/OpenSC/engine_pkcs11
  117. https://www-archive.mozilla.org/projects/security/pki/nss/overview
  118. https://developers.yubico.com/yubihsm-shell/yubihsm-pkcs11.html
  119. https://github.com/tpm2-software/tpm2-openssl
  120. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/considerations_in_adopting_rhel_9/assembly_security_considerations-in-adopting-rhel-9
  121. https://nss-crypto.org/reference/security/nss/legacy/pkcs11/faq/index.html
  122. https://csrc.nist.gov/projects/cryptographic-module-validation-program
  123. https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4218.pdf
  124. https://docs.keyfactor.com/ejbca/9.0/ncipher-nshield-nethsm
  125. https://www.gnutls.org/manual/html_node/Downloading-and-installing.html
  126. https://www.gnutls.org/manual/gnutls.html
  127. https://wiki.openssl.org/index.php/Compilation_and_Installation
  128. https://mbed-tls.readthedocs.io/en/latest/kb/development/what-external-dependencies-does-mbedtls-rely-on/
  129. https://firefox-source-docs.mozilla.org/security/nss/build.html
  130. https://www.cisa.gov/sites/default/files/publications/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF
  131. https://www.binarly.io/blog/openssl-usage-in-uefi-firmware-exposes-weakness-in-sboms
  132. https://gitlab.com/gnutls/gnutls/blob/master/README.md
  133. https://packages.debian.org/bookworm/gnutls-bin
  134. https://www.linuxfromscratch.org/blfs/view/svn/postlfs/nss.html
  135. https://heartbleed.com/
  136. https://lwn.net/Articles/702751/
Add your contribution
Related Hubs
Contribute something
User Avatar
No comments yet.