Comparison of TLS implementations

The Transport Layer Security protocol provides the ability to secure communications across networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.
All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.

Overview

Protocol support

Several versions of the TLS protocol exist. SSL 2.0 is a deprecated protocol version with significant weaknesses. SSL 3.0 and TLS 1.0 are successors with two weaknesses in CBC-padding that were explained in 2001 by Serge Vaudenay. TLS 1.1 fixed only one of the problems, by switching to random initialization vectors for CBC block ciphers, whereas the more problematic use of mac-pad-encrypt instead of the secure pad-mac-encrypt was addressed with RFC7366. A workaround for SSL 3.0 and TLS 1.0, roughly equivalent to random IVs from TLS 1.1, was widely adopted by many implementations in late 2011, so from a security perspective, all existing version of TLS 1.0, 1.1 and 1.2 provide equivalent strength in the base protocol and are suitable for 128-bit security according to NIST SP800-57 up to at least 2030. In 2014, the POODLE vulnerability of SSL 3.0 was discovered, which takes advantage the known vulnerabilities in CBC, and an insecure fallback negotiation used in browsers.
TLS 1.2 introduced a means to identify the hash used for digital signatures. While permitting the use of stronger hash functions for digital signatures in the future over the SSL 3.0 conservative choice, the TLS 1.2 protocol change inadvertently and substantially weakened the default digital signatures and provides and even.
Datagram Transport Layer Security 1.0 is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated. The revision DTLS 1.2 based on TLS 1.2 was published in January 2012.
Note that there are known vulnerabilities in SSL 2.0 and SSL 3.0. With the exception of the predictable IVs all currently known vulnerabilities affect all version of TLS 1.0/1.1/1.2 alike.

Implementation	SSL 2.0	SSL 3.0	TLS 1.0	TLS 1.1	TLS 1.2	TLS 1.3	DTLS 1.0	DTLS 1.2
Botan
BoringSSL
Bouncy Castle
cryptlib
GnuTLS
JSSE
LibreSSL
MatrixSSL
Mbed TLS
NSS
OpenSSL
RSA BSAFE
S2n
SChannel XP, 2003
SChannel Vista
SChannel 2008
SChannel 7, 2008R2
SChannel 8, 2012
SChannel 8.1, 2012R2, 10 v1507 & v1511
SChannel 10 v1607 / 2016
Secure Transport OS X 10.2-10.7, iOS 1-4
Secure Transport OS X 10.8-10.10, iOS 5-8
Secure Transport OS X 10.11, iOS 9
Secure Transport OS X 10.13, iOS 11
wolfSSL
Erlang/OTP SSL application
Implementation	SSL 2.0	SSL 3.0	TLS 1.0	TLS 1.1	TLS 1.2	TLS 1.3	DTLS 1.0	DTLS 1.2

NSA Suite B Cryptography

Required components for NSA Suite B Cryptography are:

Advanced Encryption Standard with key sizes of 128 and 256 bits. For traffic flow, AES should be used with either the Counter Mode for low bandwidth traffic or the Galois/Counter Mode mode of operation for high bandwidth traffic — symmetric encryption
Elliptic Curve Digital Signature Algorithm — digital signatures
Elliptic Curve Diffie–Hellman — key agreement
Secure Hash Algorithm 2 — message digest

Per CNSSP-15, the 256-bit elliptic curve, SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve, SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.

Implementation	TLS 1.2 Suite B
Botan
Bouncy Castle
cryptlib
GnuTLS
JSSE
LibreSSL
MatrixSSL
Mbed TLS
NSS
OpenSSL
RSA BSAFE
S2n
SChannel
Secure Transport
wolfSSL
Implementation	TLS 1.2 Suite B

Certifications

Note that certain certifications have received serious negative criticism from people who are actually involved in them.

Key exchange algorithms (certificate-only)

This section lists the certificate verification functionality available in the various implementations.

Implementation	RSA	RSA-EXPORT	DHE-RSA	DHE-DSS	ECDH-ECDSA	ECDHE-ECDSA	ECDH-RSA	ECDHE-RSA	GOST R 34.10-94, 34.10-2001
Botan
cryptlib
GnuTLS
JSSE
LibreSSL
MatrixSSL
Mbed TLS
NSS
OpenSSL
RSA BSAFE
SChannel XP/2003
SChannel Vista/2008
SChannel 8/2012
SChannel 7/2008R2, 8.1/2012R2
SChannel 10
Secure Transport OS X 10.6
Secure Transport OS X 10.8-10.10
Secure Transport OS X 10.11
wolfSSL
Erlang/OTP SSL application
Implementation	RSA	RSA-EXPORT	DHE-RSA	DHE-DSS	ECDH-ECDSA	ECDHE-ECDSA	ECDH-RSA	ECDHE-RSA	GOST R 34.10-94, 34.10-2001

Key exchange algorithms (alternative key-exchanges)

Certificate verification methods

Encryption algorithms

; Notes

Obsolete algorithms

; Notes

Supported elliptic curves

This section lists the supported elliptic curves by each implementation.

Implementation

sect163k1

sect163r1

sect163r2

sect193r1

sect193r2

sect233k1

sect233r1

sect239k1

sect283k1

sect283r1

sect409k1

sect409r1

sect571k1

sect571r1

Botan

BoringSSL

GnuTLS

JSSE

LibreSSL

MatrixSSL

Mbed TLS

NSS

OpenSSL

RSA BSAFE

SChannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10

Secure Transport

wolfSSL

Erlang/OTP SSL application

Implementation

sect163k1

sect163r1

sect163r2

sect193r1

sect193r2

sect233k1

sect233r1

sect239k1

sect283k1

sect283r1

sect409k1

sect409r1

sect571k1

sect571r1

Implementation

secp160k1

secp160r1

secp160r2

secp192k1

secp192r1
prime192v1

secp224k1

secp224r1

secp256k1

secp256r1
prime256v1

secp384r1

secp521r1

arbitrary prime curves

arbitrary char2 curves

Botan

BoringSSL

GnuTLS

JSSE

LibreSSL

MatrixSSL

Mbed TLS

NSS

OpenSSL

RSA BSAFE

SChannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10

Secure Transport

wolfSSL

Erlang/OTP SSL application

Implementation

secp160k1

secp160r1

secp160r2

secp192k1

secp192r1
prime192v1

secp224k1

secp224r1

secp256k1

secp256r1
prime256v1

secp384r1

secp521r1

arbitrary prime curves

arbitrary char2 curves

Implementation

brainpoolP256r1

brainpoolP384r1

brainpoolP512r1

X25519

Curve448

M221
Curve2213

E222

Curve1174

E382

M383

Curve383187

Curve41417
Curve3617

M511
Curve511187

E521

Botan

BoringSSL

GnuTLS

JSSE

LibreSSL

MatrixSSL

Mbed TLS

NSS

OpenSSL

RSA BSAFE

SChannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10

Secure Transport

wolfSSL

Erlang/OTP SSL application

Implementation

brainpoolP256r1

brainpoolP384r1

brainpoolP512r1

Curve25519

Curve448

M221
Curve2213

E222

Curve1174

E382

M383

Curve383187

Curve41417
Curve3617

M511
Curve511187

E521

Data integrity

Compression

Note the CRIME security exploit takes advantage of TLS compression, so conservative implementations do not enable compression at the TLS level. HTTP compression is unrelated and unaffected by this exploit, but is exploited by the related BREACH attack.

Implementation	DEFLATE
Botan
cryptlib
GnuTLS
JSSE
LibreSSL
MatrixSSL
Mbed TLS
NSS
OpenSSL
RSA BSAFE
SChannel
Secure Transport
wolfSSL
Erlang/OTP SSL application
Implementation	DEFLATE

Extensions

In this section the extensions each implementation supports are listed. Note that the Secure Renegotiation extension is critical for HTTPS client security. TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.

Implementation

Secure Renegotiation

Server Name Indication

ALPN

Certificate Status Request

OpenPGP

Supplemental Data

Session Ticket

Keying Material Exporter

Maximum Fragment Length

Truncated HMAC

Encrypt-then-MAC

TLS Fallback SCSV

Extended Master Secret

ClientHello Padding

Raw Public Keys

Botan

cryptlib

GnuTLS

JSSE

LibreSSL

MatrixSSL

Mbed TLS

NSS

OpenSSL

RSA BSAFE Micro-Edition Suite

RSA BSAFE SSL-J

SChannel XP/2003

SChannel Vista/2008

SChannel 7/2008R2

SChannel 8/2012

SChannel 8.1/2012R2, 10

Secure Transport

wolfSSL

Erlang/OTP SSL application

Implementation

Secure Renegotiation

Server Name Indication

ALPN

Certificate Status Request

OpenPGP

Supplemental Data

Session Ticket

Keying Material Exporter

Maximum Fragment Length

Truncated HMAC

Encrypt-then-MAC

TLS Fallback SCSV

Extended Master Secret

ClientHello Padding

Assisted cryptography

This section lists the known ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or utilize system specific devices that allow access to underlying cryptographic hardware for acceleration or for data separation.

Implementation	PKCS #11 device	Intel AES-NI	VIA PadLock	ARMv8-A	Intel SGX		Intel SHA
Botan
cryptlib
Crypto++
GnuTLS
JSSE
LibreSSL
MatrixSSL
Mbed TLS
NSS
OpenSSL
RSA BSAFE Micro Edition Suite
RSA BSAFE SSL-J
SChannel
Secure Transport
wolfSSL
Implementation	PKCS #11 device	Intel AES-NI	VIA PadLock	ARMv8-A	Intel SGX	Intel QAT	Intel SHA

System-specific backends

This section lists the ability of an implementation to take advantage of the available operating system specific backends, or even the backends provided by another implementation.

Implementation			Windows CSP		OpenSSL engine
Botan
cryptlib
GnuTLS
JSSE
LibreSSL
MatrixSSL
Mbed TLS
NSS
OpenSSL
RSA BSAFE
SChannel
Secure Transport
wolfSSL
Erlang/OTP SSL application
Implementation	/dev/crypto	af_alg	Windows CSP	CommonCrypto	OpenSSL engine

Cryptographic module/token support

Code dependencies

Development environment

API

Portability concerns

Popular movies

The Hunger Games (film) - 2012 American dystopian action thriller science fiction-adventure film directed by Gary Ross and based on Suzanne Collins’s 2008 novel of the same name. It is the first insta...
untitled Captain Marvel sequel - part of Marvel Cinematic Universe....
Killers of the Flower Moon (film project) - Killers of the Flower Moon - film project in United States of America. It was presented as drama, detective fiction, thriller. The film project starred Leonardo Dicaprio, Robert De Niro. Director of...
Five Nights at Freddy's (film) - Five Nights at Freddy's - film published in 2017 in United States of America. Scenarist of the film - Scott Cawthon....

Popular books

Book of Revelation - The Book of Revelation is the final book of the New Testament, and consequently is also the final book of the Christian Bible. Its title is derived from the first word of the Koine Greek text: apok...
Book of Genesis - account of the creation of the world, the early history of humanity, Israel's ancestors and the origins...
Gospel of Matthew - The Gospel According to Matthew is the first book of the New Testament and one of the three synoptic gospels. It tells how Israel's Messiah, rejected and executed in Israel, pronounces judgement on ...
Michelin Guide - Michelin Guides are a series of guide books published by the French tyre company Michelin for more than a century. The term normally refers to the annually published Michelin Red Guide , the oldest...
Psalms - The Book of Psalms , commonly referred to simply as Psalms , the Psalter or "the Psalms", is the first book of the Ketuvim , the third section of the Hebrew Bible, and thus a book of th...
Ecclesiastes - Ecclesiastes is one of 24 books of the Tanakh , where it is classified as one of the Ketuvim . Originally written c. 450–200 BCE, it is also among the canonical Wisdom literature of the Old Tes...
The 48 Laws of Power - non-fiction book by American author Robert Greene. The book...

Popular television series

The Crown (TV series) - historical drama web television series about the reign of Queen Elizabeth II, created and principally written by Peter Morgan, and produced by Left Bank Pictures and Sony Pictures Tel...
Friends - American sitcom television series, created by David Crane and Marta Kauffman, which aired on NBC from September 22, 1994, to May 6, 2004, lasting ten seasons. With an ensemble cast sta...
Young Sheldon - spin-off prequel to The Big Bang Theory and begins with the character Sheldon...
Modern Family - American television mockumentary family sitcom created by Christopher Lloyd and Steven Levitan for the American Broadcasting Company. It ran for eleven seasons, from September 23...
Loki (TV series) - upcoming American web television miniseries created for Disney+ by Michael Waldron, based on the Marvel Comics character of the same name. It is set in the Marvel Cinematic Universe, shar...
Game of Thrones - American fantasy drama television series created by David Benioff and D. B. Weiss for HBO. It...
Shameless (American TV series) - American comedy-drama television series developed by John Wells which debuted on Showtime on January 9, 2011. It...