Comparison of TLS implementations

From Wikipedia, the free encyclopedia

The Transport Layer Security (TLS) protocol provides the ability to secure communications across or inside networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.

All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.

Overview

| Implementation | Developed by | Open source | Software license | Copyright holder | Written in | Latest stable version, release date | Origin |
|---|---|---|---|---|---|---|---|
| Botan | Jack Lloyd | Yes | Simplified BSD License | Jack Lloyd | C++ | 3.10.0 (November 6, 2025)[1] | US (Vermont) |
| BoringSSL | Google | Yes | OpenSSL-SSLeay dual-license, ISC license | Eric Young, Tim Hudson, Sun, OpenSSL project, Google, and others | C, C++, Go, assembly | No stable releases[2] | Australia/EU[citation needed] |
| Bouncy Castle | The Legion of the Bouncy Castle Inc. | Yes | MIT License | Legion of the Bouncy Castle Inc. | Java, C# | Java: 1.83 (November 27, 2025)[3]; Java LTS: BC-LJA 2.73.9 (September 19, 2025)[4]; Java FIPS: BC-FJA 2.0.0 (July 30, 2024)[5]; C#: 2.6.2 (July 15, 2025)[6]; C# FIPS: BC-FNA 1.0.2 (March 11, 2024)[7] | Australia |
| BSAFE | Dell, formerly RSA Security | No | Proprietary | Dell | Java, C, assembly | SSL-J 7.4 (December 2, 2025)[8]; Micro Edition Suite 5.0.3 (December 3, 2024)[9] | Australia |
| cryptlib | Peter Gutmann | Yes | Sleepycat License and commercial license | Peter Gutmann | C | 3.4.8 (April 30, 2025)[10] | NZ |
| GnuTLS | GnuTLS project | Yes | LGPL-2.1-or-later | Free Software Foundation | C | 3.8.11[11], 2025-11-20 | EU (Greece and Sweden) |
| Java Secure Socket Extension (JSSE) | Oracle | Yes | GNU GPLv2 and commercial license | Oracle | Java | 25 LTS (September 16, 2025)[12]; 21.0.5 LTS (October 15, 2024)[13]; 17.0.13 LTS (October 15, 2024)[14]; 11.0.25 LTS (October 15, 2024)[15]; 8u431 LTS (October 15, 2024)[16] | US |
| LibreSSL | OpenBSD Project | Yes | Apache-1.0, BSD-4-Clause, ISC, and public domain | Eric Young, Tim Hudson, Sun, OpenSSL project, OpenBSD Project, and others | C, assembly | 4.2.1[17], 2025-10-31 | Canada |
| MatrixSSL[18] | PeerSec Networks | Yes | GNU GPLv2+ and commercial license | PeerSec Networks | C | 4.2.2 (September 11, 2019)[19] | US |
| Mbed TLS (previously PolarSSL) | Arm | Yes | Apache License 2.0, GNU GPLv2+ and commercial license | Arm Holdings | C | 4.0.0[20] (15 October 2025) | EU (Netherlands) |
| Network Security Services (NSS) | Mozilla, AOL, Red Hat, Sun, Oracle, Google and others | Yes | MPL 2.0 | NSS contributors | C, assembly | Standard: 3.84 (October 12, 2022)[21]; Extended Support Release: 3.79.1 (August 18, 2022)[21] | US |
| OpenSSL | OpenSSL project | Yes | Apache-2.0[a] | Eric Young, Tim Hudson, Sun, OpenSSL project, and others | C, assembly | 3.6.0[22], 2025-10-01 | Australia/EU |
| Rustls | Joe Birr-Pixton, Dirkjan Ochtman, Daniel McCarney, Josh Aas, and open source contributors | Yes | Apache-2.0, MIT License and ISC | Open source contributors | Rust | v0.23.31 (July 29, 2025)[23] | United Kingdom |
| s2n | Amazon | Yes | Apache License 2.0, GNU GPLv2+ and commercial license | Amazon.com, Inc. | C | Continuous | US |
| Schannel | Microsoft | No | Proprietary | Microsoft Corporation | | Windows 11, 2021-10-05 | US |
| Secure Transport | Apple Inc. | Yes | APSL 2.0 | Apple Inc. | | 57337.20.44 (OS X 10.11.2), 2015-12-08 | US |
| wolfSSL (previously CyaSSL) | wolfSSL[24] | Yes | GNU GPLv3+ and commercial license | wolfSSL Inc.[25] | C, assembly | 5.8.4 (November 20, 2025)[26] | US |
| Erlang/OTP SSL application | Ericsson | Yes | Apache License 2.0 | Ericsson | Erlang | OTP-21, 2018-06-19 | Sweden |
  1. ^ Apache-2.0 for OpenSSL 3.0 and later releases. OpenSSL-SSLeay dual-license for any release before OpenSSL 3.0.

TLS/SSL protocol version support


Several versions of the TLS protocol exist. SSL 2.0 is a deprecated[27] protocol version with significant weaknesses. SSL 3.0 (1996) and TLS 1.0 (1999) are successors with two weaknesses in CBC-padding that were explained in 2001 by Serge Vaudenay.[28] TLS 1.1 (2006) fixed only one of the problems, by switching to random initialization vectors (IV) for CBC block ciphers, whereas the more problematic use of mac-pad-encrypt instead of the secure pad-mac-encrypt was addressed with RFC 7366.[29] A workaround for SSL 3.0 and TLS 1.0, roughly equivalent to random IVs from TLS 1.1, was widely adopted by many implementations in late 2011.[30] In 2014, the POODLE vulnerability of SSL 3.0 was discovered, which takes advantage of the known vulnerabilities in CBC, and an insecure fallback negotiation used in browsers.[31]

TLS 1.2 (2008) introduced a means to identify the hash used for digital signatures. While permitting the use of stronger hash functions for digital signatures in the future (rsa,sha256/sha384/sha512) over the SSL 3.0 conservative choice (rsa,sha1+md5), the TLS 1.2 protocol change inadvertently and substantially weakened the default digital signatures, providing (rsa,sha1) and even (rsa,md5).[32]

Datagram Transport Layer Security (DTLS or Datagram TLS) 1.0 is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated. The revision DTLS 1.2 based on TLS 1.2 was published in January 2012.[33]

TLS 1.3 (2018), specified in RFC 8446, includes major optimizations and security improvements. QUIC (2021), specified in RFC 9000, and DTLS 1.3 (2022), specified in RFC 9147, build on TLS 1.3. The publication of TLS 1.3 and DTLS 1.3 obsoleted TLS 1.2 and DTLS 1.2.

Note that there are known vulnerabilities in SSL 2.0 and SSL 3.0. In 2021, IETF published RFC 8996 also forbidding negotiation of TLS 1.0, TLS 1.1, and DTLS 1.0 due to known vulnerabilities. NIST SP 800-52 requires support of TLS 1.3 by January 2024. Support of TLS 1.3 means that two compliant nodes will never negotiate TLS 1.2.

ImplementationSSL 2.0 (insecure)[34]SSL 3.0 (insecure)[35]TLS 1.0 (deprecated)[36]TLS 1.1 (deprecated)[37]TLS 1.2[38]TLS 1.3DTLS 1.0 (deprecated)[39]DTLS 1.2[33]DTLS 1.3
BotanNoNo[40]NoNoYesYesNoYesNo
BoringSSLYesYesYesYesYesYesNo
Bouncy CastleNoNoYesYesYesYesYesYesNo
BSAFE SSL-J[41]NoDisabled by defaultNo[a]No[a]YesYesNoNoNo
cryptlibNoNoYesYesYesYesNoNoNo
GnuTLSNo[b]Disabled by default[42]YesYesYesYes[43]YesYesNo
JSSENo[b]Disabled by default[44]Disabled by default[45]Disabled by default[45]YesYesYesYesNo
LibreSSLNo[46]No[47]YesYesYesYesYesYes[48]No
MatrixSSLNoDisabled by default at compile time[49]YesYesYesYesYesYesNo
Mbed TLSNoNo[50]No[50]No[50]YesYes (experimental)Yes[51]Yes[51]No
NSSNo[c]Disabled by default[52]YesYes[53]Yes[54]Yes[55]Yes[53]Yes[56]No
OpenSSLNo[57]Disabled by defaultYesYes[58]Yes[58]YesYesYes[59]No
RustlsNo[60]No[60]No[60]No[60]Yes[60]Yes[60]NoNoNo
s2n[61]NoDisabled by defaultYesYesYesYesNoNoNo
Schannel XP, 2003[62]Disabled by default in MSIE 7Enabled by defaultEnabled by default in MSIE 7NoNoNoNoNoNo
Schannel Vista[63]Disabled by defaultEnabled by defaultYesNoNoNoNoNoNo
Schannel 2008[63]Disabled by defaultEnabled by defaultYesDisabled by default (KB4019276)Disabled by default (KB4019276)NoNoNoNo
Schannel 7, 2008R2[64]Disabled by defaultDisabled by default in MSIE 11YesEnabled by default in MSIE 11Enabled by default in MSIE 11NoYes[65]No[65]No
Schannel 8, 2012[64]Disabled by defaultEnabled by defaultYesDisabled by defaultDisabled by defaultNoYesNoNo
Schannel 8.1, 2012R2, 10 RTM & v1511[64]Disabled by defaultDisabled by default in MSIE 11YesYesYesNoYesNoNo
Schannel 10 v1607 / 2016[66]NoDisabled by defaultYesYesYesNoYesYesNo
Schannel 11 / 2022[67]NoDisabled by defaultYesYesYesYesYesYesNo
Secure Transport OS X 10.2–10.7, iOS 1–4YesYesYesNoNoNoNoNo
Secure Transport OS X 10.8–10.10, iOS 5–8No[d]YesYesYes[d]Yes[d]Yes[d]NoNo
Secure Transport OS X 10.11, iOS 9NoNo[d]YesYesYesYesUnknownNo
Secure Transport OS X 10.13, iOS 11NoNo[d]YesYesYesYes (draft version)[68]YesUnknownNo
wolfSSLNoDisabled by default[69]Disabled by default[70]YesYesYesYesYesYes
Erlang/OTP SSL application[71]No [e]No [f]Disabled by default [e]Disabled by default [e]YesPartially [g]Disabled by default [e]YesNo
  1. ^ a b As of SSL-J 7.0, support for TLS 1.0 and 1.1 has been removed
  2. ^ a b SSL 2.0 client hello is supported for backward compatibility reasons even though SSL 2.0 is not supported.
  3. ^ Server-side implementation of the SSL/TLS protocol still supports processing of received v2-compatible client hello messages. "NSS 3.24 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2016-08-26. Retrieved 2016-06-19.
  4. ^ a b c d e f Secure Transport: SSL 2.0 was discontinued in OS X 10.8. SSL 3.0 was discontinued in OS X 10.11 and iOS 9. TLS 1.1, 1.2 and DTLS are available on iOS 5.0 and later, and OS X 10.9 and later. "Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
  5. ^ a b c d Since OTP 22
  6. ^ Since OTP 23
  7. ^ "Erlang OTP SSL application TLS 1.3 compliance table".

NSA Suite B Cryptography


Required components for NSA Suite B Cryptography (RFC 6460) are:

Per CNSSP-15, the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.

| Implementation | TLS 1.2 Suite B |
|---|---|
| Botan | Yes |
| Bouncy Castle | Yes |
| BSAFE | Yes[41] |
| cryptlib | Yes |
| GnuTLS | Yes |
| JSSE | Yes[72] |
| LibreSSL | Yes |
| MatrixSSL | Yes |
| Mbed TLS | Yes |
| NSS | No[73] |
| OpenSSL | Yes[59] |
| Rustls | Yes[60] |
| s2n | |
| Schannel | Yes[74] |
| Secure Transport | No |
| wolfSSL | Yes |

Certifications


Note that certain certifications have received serious negative criticism from people who are actually involved in them.[75]

ImplementationFIPS 140-1, FIPS 140-2[76]FIPS 140-3
Level 1Level 2[disputeddiscuss]Level 1
Botan[77]
Bouncy CastleBC-FJA 2.0.0 (#4743)
BC-FJA 2.1.0 (#4943)
BC-FNA 1.0.2 (#4416
BSAFE SSL-J[78]Crypto-J 6.0 (1785, 1786)
Crypto-J 6.1 / 6.1.1.0.1 (2057, 2058)
Crypto-J 6.2 / 6.2.1.1 (2468, 2469)
Crypto-J 6.2.4 (3172, 3184)
Crypto-J 6.2.5 (#3819, #3820)
Crypto-J 6.3 (#4696, #4697)
Crypto-J 7.0 (4892)
cryptlib[79]
GnuTLS[80]Red Hat Enterprise Linux GnuTLS Cryptographic Module (#2780)
JSSE
LibreSSL[46]no support
MatrixSSL[81]SafeZone FIPS Cryptographic Module: 1.1 (#2389)
Mbed TLS[82]
NSS[83]Network Security Services: 3.2.2 (#247)
Network Security Services Cryptographic Module: 3.11.4 (#815), 3.12.4 (#1278), 3.12.9.1 (#1837)
Netscape Security Module: 1 (#7[notes 1]), 1.01 (#47[notes 2])
Network Security Services: 3.2.2 (#248[notes 3])
Network Security Services Cryptographic Module: 3.11.4 (#814[notes 4]), 3.12.4 (#1279, #1280[notes 5])
OpenSSL[84]OpenSSL FIPS Object Module: 1.0 (#624), 1.1.1 (#733), 1.1.2 (#918), 1.2, 1.2.1, 1.2.2, 1.2.3 or 1.2.4 (#1051)
2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7 or 2.0.8 (#1747)
Rustlsaws-lc FIPS module[85] (#4759)
Schannel[86]Cryptographic modules in Windows NT 4.0, 95, 95, 2000, XP, Server 2003, CE 5, CE 6, Mobile 6.x, Vista, Server 2008, 7, Server 2008 R2, 8, Server 2012, RT, Surface, Phone 8
See details on Microsoft FIPS 140 Validated Cryptographic Modules
Secure TransportApple FIPS Cryptographic Module: 1.0 (OS X 10.6, #1514), 1.1 (OS X 10.7, #1701)
Apple OS X CoreCrypto Module; CoreCrypto Kernel Module: 3.0 (OS X 10.8, #1964, #1956), 4.0 (OS X 10.9, #2015, #2016)
Apple iOS CoreCrypto Module; CoreCrypto Kernel Module: 3.0 (iOS 6, #1963, #1944), 4.0 (iOS 7, #2020, #2021)
wolfSSL[87]wolfCrypt FIPS Module: 4.0 (#3389)
See details on NIST certificate for validated Operating Environments
wolfCrypt FIPS Module: 3.6.0 (#2425)
See details on NIST certificate for validated Operating Environments
wolfCrypt FIPS Module (#4178)
See details on NIST certificate
  1. ^ with Sun Sparc 5 w/ Sun Solaris v 2.4SE (ITSEC-rated)
  2. ^ with Sun Ultra-5 w/ Sun Trusted Solaris version 2.5.1 (ITSEC-rated)
  3. ^ with Solaris v8.0 with AdminSuite 3.0.1 as specified in UK IT SEC CC Report No. P148 EAL4 on a SUN SPARC Ultra-1
  4. ^ with these platforms; Red Hat Enterprise Linux Version 4 Update 1 AS on IBM xSeries 336 with Intel Xeon CPU, Trusted Solaris 8 4/01 on Sun Blade 2500 Workstation with UltraSPARC IIIi CPU
  5. ^ with these platforms; Red Hat Enterprise Linux v5 running on an IBM System x3550, Red Hat Enterprise Linux v5 running on an HP ProLiant DL145, Sun Solaris 10 5/08 running on a Sun SunBlade 2000 workstation, Sun Solaris 10 5/08 running on a Sun W2100z workstation

Key exchange algorithms (certificate-only)


This section lists the certificate verification functionality available in the various implementations.

| Implementation | RSA[38] | RSA-EXPORT (insecure)[38] | DHE-RSA (forward secrecy)[38] | DHE-DSS (forward secrecy)[38] | ECDH-ECDSA[88] | ECDHE-ECDSA (forward secrecy)[88] | ECDH-RSA[88] | ECDHE-RSA (forward secrecy)[88] | GOST R 34.10-94, 34.10-2001[89] |
|---|---|---|---|---|---|---|---|---|---|
| Botan | Disabled by default | No | Yes | Disabled by default | No | Yes | No | Yes | No |
| BSAFE | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No |
| cryptlib | Yes | No | Yes | Yes | Yes | Yes | No | Yes | No |
| GnuTLS | Yes | No | Yes | Disabled by default[42] | No | Yes | No | Yes | No |
| JSSE | Yes | Disabled by default | Yes | Yes | Yes | Yes | Yes | Yes | No |
| LibreSSL | Yes | No[46] | Yes | Yes | No | Yes | No | Yes | Yes[90] |
| MatrixSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
| Mbed TLS | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
| NSS | Yes | Disabled by default | Yes[91] | Yes | Yes | Yes | Yes | Yes | No[92][93] |
| OpenSSL | Yes | No[57] | Yes | Disabled by default[57] | No | Yes | No | Yes | Yes[94] |
| Rustls | No | No | No | No | No | Yes[60] | No | Yes[60] | No |
| Schannel XP/2003 | Yes | Yes | No | XP: Max 1024 bits; 2003: 1024 bits only | No | No | No | No | No[95] |
| Schannel Vista/2008 | Yes | Disabled by default | No | 1024 bits by default[96] | No | Yes | No | except AES_GCM | No[95] |
| Schannel 8/2012 | Yes | Disabled by default | AES_GCM only[97][98][99] | 1024 bits by default[96] | No | Yes | No | except AES_GCM | No[95] |
| Schannel 7/2008R2, 8.1/2012R2 | Yes | Disabled by default | Yes | 2048 bits by default[96] | No | Yes | No | except AES_GCM | No[95] |
| Schannel 10 | Yes | Disabled by default | Yes | 2048 bits by default[96] | No | Yes | No | Yes | No[95] |
| Secure Transport OS X 10.6 | Yes | Yes | except AES_GCM | Yes | Yes | except AES_GCM | Yes | except AES_GCM | No |
| Secure Transport OS X 10.8-10.10 | Yes | No | except AES_GCM | No | Yes | except AES_GCM | Yes | except AES_GCM | No |
| Secure Transport OS X 10.11 | Yes | No | Yes | No | No | Yes | No | Yes | No |
| wolfSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
| Erlang/OTP SSL application | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No |

Key exchange algorithms (alternative key-exchanges)

| Implementation | SRP[100] | SRP-DSS[100] | SRP-RSA[100] | PSK-RSA[101] | PSK[101] | DHE-PSK (forward secrecy)[101] | ECDHE-PSK (forward secrecy)[102] | KRB5[103] | DH-ANON[38] (insecure) | ECDH-ANON[88] (insecure) |
|---|---|---|---|---|---|---|---|---|---|---|
| Botan | No | No | No | No | Yes | No | Yes | No | No | No |
| BSAFE SSL-J | No | No | No | No | Yes[104] | No | No | No | Disabled by default | Disabled by default |
| cryptlib | No | No | No | No | Yes | Yes | No | No | No | No |
| GnuTLS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Disabled by default | Disabled by default |
| JSSE | No | No | No | No | No | No | No | No | Disabled by default | Disabled by default |
| LibreSSL | No[105] | No[105] | No[105] | No | No | No | No | No | Yes | Yes |
| MatrixSSL | No | No | No | Yes | Yes | Yes | No | No | Disabled by default | No |
| Mbed TLS | No | No | No | Yes | Yes | Yes | Yes | No | No | No |
| NSS | No[106] | No[106] | No[106] | No[107] | No[107] | No[107] | No[107] | No | Client side only, disabled by default[108] | Disabled by default[109] |
| OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes[110] | Disabled by default[111] | Disabled by default[111] |
| Rustls | No | No | No | No | No | No | No | No | No | No |
| Schannel | No | No | No | No | No | No | No | Yes | No | No |
| Secure Transport | No | No | No | No | No | No | No | Unknown | Yes | Yes |
| wolfSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes[112] | Yes | No | No |
| Erlang/OTP SSL application | Disabled by default | Disabled by default | Disabled by default | Disabled by default | Disabled by default | Disabled by default | No | No | Disabled by default | Disabled by default |

Certificate verification methods

ImplementationApplication-definedPKIX path validation[113]CRL[114]OCSP[115]DANE (DNSSEC)[116][117]CT[118]
BotanYesYesYesYesNoUnknown
Bouncy CastleYesYesYesYesYesUnknown
BSAFEYesYesYesYesNoUnknown
cryptlibYesYesYesYesNoUnknown
GnuTLSYesYesYesYesYesUnknown
JSSEYesYesYesYesNoNo
LibreSSLYesYesYesYesNoUnknown
MatrixSSLYesYesYesYes[119]NoUnknown
Mbed TLSYesYesYesNo[120]NoUnknown
NSSYesYesYesYesNo[121]Unknown
OpenSSLYesYesYesYesYesYes
RustlsYesYesYesNoNoNo
s2nNo [122]Unknown [123]Unknown [124]
SchannelUnknownYesYes[125]Yes[125]NoUnknown
Secure TransportYesYesYesYesNoUnknown
wolfSSLYesYesYesYesNoUnknown
Erlang/OTP SSL applicationYesYesYesNoNoUnknown

Encryption algorithms

Column groups: block cipher with mode of operation (AES GCM through GOST 28147-89 CNT); stream cipher (ChaCha20-Poly1305); none (Null).

| Implementation | AES GCM[126] | AES CCM[127] | AES CBC | Camellia GCM[128] | Camellia CBC[129][128] | ARIA GCM[130] | ARIA CBC[130] | SEED CBC[131] | 3DES EDE CBC (insecure)[132] | GOST 28147-89 CNT (proposed)[89][n 1] | ChaCha20-Poly1305[133] | Null (insecure)[n 2] |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Botan | Yes | Yes | Yes | Yes | Yes | No | No | Disabled by default | Disabled by default | No | Yes[134] | Not implemented |
| BoringSSL | Yes | No | Yes | No | No | No | No | No | Yes | No | Yes | |
| BSAFE SSL-J | Yes | Yes | Yes | No | No | No | No | No | Disabled by default | No | No | Disabled by default |
| cryptlib | Yes | No | Yes | No | No | No | No | No | Yes | No | No | Not implemented |
| GnuTLS | Yes | Yes[42] | Yes | Yes | Yes | No | No | No | Disabled by default[135] | No | Yes[136] | Disabled by default |
| JSSE | Yes | No | Yes | No | No | No | No | No | Disabled by default[137] | No | Yes (JDK 12+)[138] | Disabled by default |
| LibreSSL | Yes[46] | No | Yes | No | Yes[90] | No | No | No[46] | Yes | Yes[90] | Yes[46] | Disabled by default |
| MatrixSSL | Yes | No | Yes | No | No | No | No | Yes | Disabled by default | No | Yes[139] | Disabled by default |
| Mbed TLS | Yes | Yes[140] | Yes | Yes | Yes | Yes[141] | Yes[141] | No | No[50] | No | Yes[142] | Disabled by default at compile time |
| NSS | Yes[143] | No | Yes | No[144][n 3] | Yes[145] | No | No | Yes[146] | Yes | No[92][93] | Yes[147] | Disabled by default |
| OpenSSL | Yes[148] | Disabled by default[57] | Yes | No | Disabled by default[57] | Disabled by default[149] | No | Disabled by default[57] | Disabled by default[57] | Yes[94] | Yes[57] | Disabled by default |
| Rustls | Yes[60] | No | No | No | No | No | No | No | No | No | Yes[60] | Not implemented |
| Schannel XP/2003 | No | No | 2003 only[150] | No | No | No | No | No | Yes | No[95] | No | Disabled by default |
| Schannel Vista/2008, 2008R2, 2012 | No | No | Yes | No | No | No | No | No | Yes | No[95] | No | Disabled by default |
| Schannel 7, 8, 8.1/2012R2 | Yes except ECDHE_RSA[97][98] | No | Yes | No | No | No | No | No | Yes | No[95] | No | Disabled by default |
| Schannel 10[151] | Yes | No | Yes | No | No | No | No | No | Yes | No[95] | No | Disabled by default |
| Secure Transport OS X 10.6 - 10.10 | No | No | Yes | No | No | No | No | No | Yes | No | No | Disabled by default |
| Secure Transport OS X 10.11 | Yes | No | Yes | No | No | No | No | No | Yes | No | No | Disabled by default |
| wolfSSL | Yes | Yes | Yes | No | No | No | No | No | Yes | No | Yes | Disabled by default |
| Erlang/OTP SSL application | Yes | No | Yes | No | No | No | No | No | Disabled by default | No | Experimental | Disabled by default |
Notes
  1. ^ a b This algorithm is not defined yet as TLS cipher suites in RFCs, is proposed in drafts.
  2. ^ a b authentication only, no encryption
  3. ^ This algorithm is implemented in an NSS fork used by Pale Moon.

Obsolete algorithms

Column groups: block cipher with mode of operation (IDEA CBC through RC2-40 CBC); stream cipher (RC4-128, RC4-40).

| Implementation | IDEA CBC[n 1] (insecure)[153] | DES CBC (insecure)[n 1] | DES-40 CBC (EXPORT, insecure)[n 2] | RC2-40 CBC (EXPORT, insecure)[n 2] | RC4-128 (insecure)[n 3] | RC4-40 (EXPORT, insecure)[n 4][n 2] |
|---|---|---|---|---|---|---|
| Botan | No | No | No | No | No[154] | No |
| BoringSSL | No | No | No | No | Disabled by default at compile time | No |
| BSAFE SSL-J | No | Disabled by default | Disabled by default | No | Disabled by default | Disabled by default |
| cryptlib | No | Disabled by default at compile time | No | No | Disabled by default at compile time | No |
| GnuTLS | No | No | No | No | Disabled by default[42] | No |
| JSSE | No | Disabled by default | Disabled by default | No | Disabled by default | Disabled by default[155] |
| LibreSSL | Yes | Yes | No[46] | No[46] | Yes | No[46] |
| MatrixSSL | Yes | No | No | No | Disabled by default | No |
| Mbed TLS | No | Disabled by default at compile time | No | No | Disabled by default at compile time[51] | No |
| NSS | Yes | Disabled by default | Disabled by default | Disabled by default | Lowest priority[156][157] | Disabled by default |
| OpenSSL | Disabled by default[57] | Disabled by default | No[57] | No[57] | Disabled by default | No[57] |
| Rustls | No | No | No | No | No | No |
| Schannel XP/2003 | No | Yes | Yes | Yes | Yes | Yes |
| Schannel Vista/2008 | No | Disabled by default | Disabled by default | Disabled by default | Yes | Disabled by default |
| Schannel 7/2008R2 | No | Disabled by default | Disabled by default | Disabled by default | Lowest priority, will be disabled soon[158] | Disabled by default |
| Schannel 8/2012 | No | Disabled by default | Disabled by default | Disabled by default | Only as fallback | Disabled by default |
| Schannel 8.1/2012R2 | No | Disabled by default | Disabled by default | Disabled by default | Disabled by default[158] | Disabled by default |
| Schannel 10[151] | No | Disabled by default | Disabled by default | Disabled by default | Disabled by default[158] | Disabled by default |
| Secure Transport OS X 10.6 | Yes | Yes | Yes | Yes | Yes | Yes |
| Secure Transport OS X 10.7 | Yes | Unknown | Unknown | Unknown | Yes | Unknown |
| Secure Transport OS X 10.8-10.9 | Yes | Disabled by default | Disabled by default | Disabled by default | Yes | Disabled by default |
| Secure Transport OS X 10.10-10.11 | Yes | Disabled by default | Disabled by default | Disabled by default | Lowest priority | Disabled by default |
| Secure Transport macOS 10.12 | Yes | Disabled by default | Disabled by default | Disabled by default | Disabled by default | Disabled by default |
| wolfSSL | Disabled by default[159] | No | No | No | Disabled by default | No |
| Erlang/OTP SSL application | No | Disabled by default | No | No | Disabled by default | No |
Notes
  1. ^ a b c d IDEA and DES have been removed from TLS 1.2.[152]
  2. ^ a b c d e f Cipher suites with 40-bit strength were designed to operate at reduced key lengths in order to comply with US regulations about the export of cryptographic software containing certain strong encryption algorithms (see Export of cryptography from the United States). These weak suites are forbidden in TLS 1.1 and later.
  3. ^ a b The RC4 attacks weaken or break RC4 used in SSL/TLS. Use of RC4 is prohibited by RFC 7465.
  4. ^ a b The RC4 attacks weaken or break RC4 used in SSL/TLS.

Supported elliptic curves


This section lists the elliptic curves supported by each implementation.

Defined curves in RFC 8446 (for TLS 1.3) and RFC 8422, 7027 (for TLS 1.2 and earlier)

Applicable TLS version: secp256r1 through X448, TLS 1.3 and earlier; brainpool curves, TLS 1.2 and earlier.

| Implementation | secp256r1 / prime256v1 / NIST P-256 (0x0017,[160] 23[161]) | secp384r1 / NIST P-384 (0x0018,[160] 24[161]) | secp521r1 / NIST P-521 (0x0019,[160] 25[161]) | X25519 (0x001D,[160] 29[161]) | X448 (0x001E,[160] 30[161]) | brainpoolP256r1 (26)[162] | brainpoolP384r1 (27)[162] | brainpoolP512r1 (28)[162] |
|---|---|---|---|---|---|---|---|---|
| Botan | Yes | Yes | Yes | Yes[134] | No | Yes[163] | Yes[163] | Yes[163] |
| BoringSSL | Yes | Yes | Yes (disabled by default) | Yes | No | No | No | No |
| BSAFE | Yes | Yes | Yes | No | No | No | No | No |
| GnuTLS | Yes | Yes | Yes | Yes[164] | Yes[165] | No | No | No |
| JSSE | Yes | Yes | Yes | Yes (x25519: JDK 13+[166]; Ed25519: JDK 15+[167]) | Yes (x448: JDK 13+[166]; Ed448: JDK 15+[167]) | No | No | No |
| LibreSSL | Yes | Yes | Yes | Yes[168] | No | Yes[46] | Yes[46] | Yes[46] |
| MatrixSSL | Yes | Yes | Yes | TLS 1.3 only[169] | No | Yes | Yes | Yes |
| Mbed TLS | Yes | Yes | Yes | Primitive only[170] | Primitive only[171] | Yes[172] | Yes[172] | Yes[172] |
| NSS | Yes | Yes | Yes | Yes[173] | No[174][175] | No[176] | No[176] | No[176] |
| OpenSSL | Yes | Yes | Yes | Yes[177][178] | Yes[179][180] | Yes[59] | Yes[59] | Yes[59] |
| Rustls | Yes | Yes | No | Yes | No | No | No | No |
| Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | Yes | Yes | Yes | No | No | No | No | No |
| Secure Transport | Yes | Yes | Yes | No | No | No | No | No |
| wolfSSL | Yes | Yes | Yes | Yes[181] | Yes[182] | Yes | Yes | Yes |
| Erlang/OTP SSL application | Yes | Yes | Yes | No | No | Yes | Yes | Yes |

Deprecated curves in RFC 8422

| Implementation | sect163k1 / NIST K-163 (1)[88] | sect163r1 (2)[88] | sect163r2 / NIST B-163 (3)[88] | sect193r1 (4)[88] | sect193r2 (5)[88] | sect233k1 / NIST K-233 (6)[88] | sect233r1 / NIST B-233 (7)[88] | sect239k1 (8)[88] | sect283k1 / NIST K-283 (9)[88] | sect283r1 / NIST B-283 (10)[88] | sect409k1 / NIST K-409 (11)[88] | sect409r1 / NIST B-409 (12)[88] | sect571k1 / NIST K-571 (13)[88] | sect571r1 / NIST B-571 (14)[88] |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Botan | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| BoringSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| BSAFE | Yes | No | Yes | No | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
| GnuTLS | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| JSSE | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] |
| LibreSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MatrixSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| Mbed TLS | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| NSS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Rustls | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| Secure Transport | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| wolfSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| Erlang/OTP SSL application | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

| Implementation | secp160k1 (15)[88] | secp160r1 (16)[88] | secp160r2 (17)[88] | secp192k1 (18)[88] | secp192r1 / prime192v1 / NIST P-192 (19)[88] | secp224k1 (20)[88] | secp224r1 / NIST P-224 (21)[88] | secp256k1 (22)[88] | arbitrary prime curves (0xFF01)[88][185] | arbitrary char2 curves (0xFF02)[88][185] |
|---|---|---|---|---|---|---|---|---|---|---|
| Botan | No | No | No | No | No | No | No | No | No | No |
| BoringSSL | No | No | No | No | No | No | Yes | No | No | No |
| BSAFE | No | No | No | No | Yes | No | Yes | No | No | No |
| GnuTLS | No | No | No | No | Yes | No | Yes | No | No | No |
| JSSE | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | No | No |
| LibreSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| MatrixSSL | No | No | No | No | Yes | No | Yes | No | No | No |
| Mbed TLS | No | No | No | Yes | Yes | Yes | Yes | Yes | No | No |
| NSS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| Rustls | No | No | No | No | No | No | No | No | No | No |
| Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | No | No | No | No | No | No | No | No | No | No |
| Secure Transport | No | No | No | No | Yes | No | No | No | No | No |
| wolfSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| Erlang/OTP SSL application | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |

Notes
  1. ^ a b c d e f g h i j k l m n o p q r s t u v These elliptic curves were "Disabled by Default" in current JDK families as part of JDK-8236730.[183]
  2. ^ a b c d e f g h i j k l m n o p q r s t u v These elliptic curves were subsequently removed in JDK 16+ as part of JDK-8252601.[184]

Data integrity

| Implementation | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA256/384 | AEAD | GOST 28147-89 IMIT[89] | GOST R 34.11-94[89] |
|---|---|---|---|---|---|---|
| Botan | No | Yes | Yes | Yes | No | No |
| BSAFE | Yes | Yes | Yes | Yes | No | No |
| cryptlib | Yes | Yes | Yes | Yes | No | No |
| GnuTLS | Yes | Yes | Yes | Yes | No | No |
| JSSE | Disabled by Default | Yes | Yes | Yes | No | No |
| LibreSSL | Yes | Yes | Yes | Yes | Yes[90] | Yes[90] |
| MatrixSSL | Yes | Yes | Yes | Yes | No | No |
| Mbed TLS | Yes | Yes | Yes | Yes | No | No |
| NSS | Yes | Yes | Yes | Yes | No[92][93] | No[92][93] |
| OpenSSL | Yes | Yes | Yes | Yes | Yes[94] | Yes[94] |
| Rustls | No | No | No | Yes | No | No |
| Schannel XP/2003, Vista/2008 | Yes | Yes | XP SP3, 2003 SP2 via hotfix[186] | No | No[95] | No[95] |
| Schannel 7/2008R2, 8/2012, 8.1/2012R2 | Yes | Yes | Yes | except ECDHE_RSA[97][98][99] | No[95] | No[95] |
| Schannel 10 | Yes | Yes | Yes | Yes[151] | No[95] | No[95] |
| Secure Transport | Yes | Yes | Yes | Yes | No | No |
| wolfSSL | Disabled by Default | Yes | Yes | Yes | No | No |
| Erlang/OTP SSL application | Yes | Yes | Yes | Yes | No | No |

Compression


Note the CRIME security exploit takes advantage of TLS compression, so conservative implementations do not enable compression at the TLS level. HTTP compression is unrelated and unaffected by this exploit, but is exploited by the related BREACH attack.

| Implementation | DEFLATE[187] (insecure) |
|---|---|
| Botan | No |
| BSAFE[41] | No |
| cryptlib | No |
| GnuTLS | Disabled by default |
| JSSE | No |
| LibreSSL | No[46] |
| MatrixSSL | Disabled by default |
| Mbed TLS | Disabled by default |
| NSS | Disabled by default |
| OpenSSL | Disabled by default |
| Rustls | No |
| Schannel | No |
| Secure Transport | No |
| wolfSSL | Disabled by default |
| Erlang/OTP SSL application | No |
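
An added example, not taken from the article or from any of the listed libraries: a minimal ClientHello parser that audits what a client offers against the protocol version statuses, the RFC 8422 curve deprecations and the DEFLATE/CRIME note above. The function names, the finding strings and the sample message (including its cipher suite values) are constructed for the illustration.

```python
import struct

# Version code points on the wire, with the status given in the version table above.
VERSIONS = {0x0300: ("SSL 3.0", "insecure"), 0x0301: ("TLS 1.0", "deprecated"),
            0x0302: ("TLS 1.1", "deprecated"), 0x0303: ("TLS 1.2", "ok"),
            0x0304: ("TLS 1.3", "ok")}
# Named-group code points as listed in the curve tables of this article.
DEFINED_GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1",
                  29: "X25519", 30: "X448", 26: "brainpoolP256r1",
                  27: "brainpoolP384r1", 28: "brainpoolP512r1"}
DEPRECATED_GROUPS = set(range(1, 23)) | {0xFF01, 0xFF02}  # RFC 8422 deprecations
EXT_SUPPORTED_GROUPS, EXT_SUPPORTED_VERSIONS = 10, 43
COMPRESSION_DEFLATE = 1  # RFC 3749 method id; 0 is "null"

class Reader:
    """Bounds-checked cursor, so truncated input raises instead of misparsing."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, size):
        return int.from_bytes(self.take(size), "big")

    def vector(self, len_size):  # length-prefixed vector, returns its body
        return self.take(self.uint(len_size))

    def remaining(self):
        return len(self.data) - self.pos

def u16_list(body):
    if len(body) % 2:
        raise ValueError("odd-length list of 16-bit values")
    return [int.from_bytes(body[i:i + 2], "big") for i in range(0, len(body), 2)]

def is_grease(value):
    """GREASE placeholders (0x0A0A, 0x1A1A, ...) are not real offers."""
    return (value >> 8) == (value & 0xFF) and (value & 0x0F) == 0x0A

def parse_client_hello(msg):
    """Parse one ClientHello handshake message (record header already removed)."""
    outer = Reader(msg)
    if outer.uint(1) != 1:
        raise ValueError("not a ClientHello")
    body = Reader(outer.vector(3))
    hello = {"legacy_version": body.uint(2), "versions": [], "groups": []}
    body.take(32)                                  # random
    body.vector(1)                                 # legacy session id
    hello["cipher_suites"] = u16_list(body.vector(2))
    hello["compression"] = list(body.vector(1))
    if body.remaining():                           # extensions are optional before TLS 1.3
        exts = Reader(body.vector(2))
        while exts.remaining():
            ext_type, ext = exts.uint(2), Reader(exts.vector(2))
            if ext_type == EXT_SUPPORTED_VERSIONS:
                hello["versions"] = u16_list(ext.vector(1))
            elif ext_type == EXT_SUPPORTED_GROUPS:
                hello["groups"] = u16_list(ext.vector(2))
    if not hello["versions"]:
        # No supported_versions: legacy_version is the highest version offered.
        hello["versions"] = [hello["legacy_version"]]
    hello["group_names"] = [DEFINED_GROUPS.get(g, str(g)) for g in hello["groups"]]
    return hello

def audit(hello):
    """Return findings for offers the article marks insecure or deprecated."""
    findings = []
    for v in (x for x in hello["versions"] if not is_grease(x)):
        name, status = VERSIONS.get(v, (f"unknown version 0x{v:04x}", "unrecognized"))
        if status != "ok":
            findings.append(f"offers {name} ({status})")
    if COMPRESSION_DEFLATE in hello["compression"]:
        findings.append("offers DEFLATE compression (CRIME)")
    for g in hello["groups"]:
        if g in DEPRECATED_GROUPS:
            findings.append(f"offers group {g} (deprecated in RFC 8422)")
    return findings

def build_sample():
    """Constructed ClientHello for this demonstration, not captured traffic."""
    def ext(ext_type, data):
        return struct.pack("!HH", ext_type, len(data)) + data
    versions = struct.pack("!B4H", 8, 0x0A0A, 0x0304, 0x0303, 0x0301)
    groups = struct.pack("!H3H", 6, 29, 23, 19)
    exts = ext(EXT_SUPPORTED_VERSIONS, versions) + ext(EXT_SUPPORTED_GROUPS, groups)
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
            + struct.pack("!HHH", 4, 0x1301, 0xC02F)     # two cipher suites
            + b"\x02\x01\x00"                            # compression: DEFLATE, null
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    print("\n".join(audit(parse_client_hello(build_sample()))))
```

A ClientHello shows only what the client offers; what a server accepts still has to be checked from the server side.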

Extensions


In this section the extensions each implementation supports are listed. Note that the Secure Renegotiation extension is critical for HTTPS client security [citation needed]. TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.

| Implementation | Secure Renegotiation[188] | Server Name Indication[189] | ALPN[190] | Certificate Status Request[189] | OpenPGP[191] | Supplemental Data[192] | Session Ticket[193] | Keying Material Exporter[194] | Maximum Fragment Length[189] | Encrypt-then-MAC[29] | TLS Fallback SCSV[195] | Extended Master Secret[196] | ClientHello Padding[197] | Raw Public Keys[198] |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Botan | Yes | Yes | Yes[199] | No | No | No | Yes | Yes | Yes | Yes | Yes[200] | Yes[201] | No | Unknown |
| BSAFE SSL-J | Yes | Yes | No | Yes | No | No | No | No | Yes | No | No | Yes | No | No |
| cryptlib | Yes | Yes | No | No | No | Yes | No | No | No[202] | Yes | Yes | Yes | No | Unknown |
| GnuTLS | Yes | Yes | Yes[203] | Yes | No[204] | Yes | Yes | Yes | Yes | Yes[42] | Yes[205] | Yes[42] | Yes[206] | Yes[207] |
| JSSE | Yes | Yes[72] | Yes[72] | Yes | No | No | Yes | No | Yes | No | No | Yes | No | No |
| LibreSSL | Yes | Yes | Yes[208] | Yes | No | No? | Yes | Yes? | No | No | Server side only[209] | No | Yes | No |
| MatrixSSL | Yes | Yes | Yes[210] | Yes[139] | No | No | Yes | No | Yes | No | Yes[139] | Yes[139] | No | Unknown |
| Mbed TLS | Yes | Yes | Yes[211] | No | No | No | Yes | No | Yes | Yes[212] | Yes[212] | Yes[212] | No | No |
| NSS | Yes | Yes | Yes[213] | Yes | No[214] | No | Yes | Yes | No | No[215] | Yes[216] | Yes[217] | Yes[213] | Unknown |
| OpenSSL | Yes | Yes | Yes[59] | Yes | No | No? | Yes | Yes | Yes | Yes | Yes[218] | Yes[57] | Yes[219] | Yes[220] |
| Rustls | Yes | Yes | Yes | Yes | No | No | Yes | Yes | No | No | No[221] | Yes | No | Unknown |
| Schannel XP/2003 | No | No | No | No | No | Yes | No | No | No | No | No | No | No | Unknown |
| Schannel Vista/2008 | Yes | Yes | No | No | No | Yes | No | No | No | No | No | Yes[222] | No | Unknown |
| Schannel 7/2008R2 | Yes | Yes | No | Yes | No | Yes | No | No | No | No | No | Yes[222] | No | Unknown |
| Schannel 8/2012 | Yes | Yes | No | Yes | No | Yes | Client side only[223] | No | No | No | No | Yes[222] | No | Unknown |
| Schannel 8.1/2012R2, 10 | Yes | Yes | Yes | Yes | No | Yes | Yes[223] | No | No | No | No | Yes[222] | No | Unknown |
| Secure Transport | Yes | Yes | Unknown | No | No | Yes | No | No | No | No | No | No | No | Unknown |
| wolfSSL | Yes | Yes | Yes[159] | Yes | No | No | Yes | No | Yes | Yes[224] | No | Yes | No | Yes[225] |
| Erlang/OTP SSL application | Yes | Yes | Yes | No | No | No | No | No | No | No | Yes | No | No | Unknown |

Assisted cryptography


This section lists the known ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or utilize system specific devices that allow access to underlying cryptographic hardware for acceleration or for data separation.

ImplementationPKCS #11 deviceIntel AES-NIVIA PadLockARMv8-AIntel SHANXP CAAMTPM 2.0NXP SE050Microchip ATECCSTMicro STSAFEMaxim MAXQ
BotanYes[226]YesNoYesNoYes[227]NoNoNoNo
BSAFE SSL-J [a][b]YesYesNoYesYesNoNo[230]NoNoNoNo
cryptlibYesYesYesNoYesNoNoNoNo
Crypto++YesYesNoNoNoNo
GnuTLSYesYesYesYes[231]YesNo[232]NoNoNoNo
JSSEYesYes[233]NoNoNoNoNoNoNo
LibreSSLNoYesYesNoNoNoNoNo
MatrixSSLYesYesNoYesNoNoNoNoNo
Mbed TLSYesYes[234]YesNoNoPartial[235]Yes[236]NoNo
NSSYes[237]Yes[238]No[239]NoNoNoNoNoNo
OpenSSLYes[240][241][242]YesYesYes[243]YesPartialPartial[244][245]Partial[235]NoPartial[246]No
RustlsYesYesYesNoNoNoNo
SchannelNoYesNoNoNoNoNoNoNo
Secure TransportNoYes[247][248]NoYesNoNoNoNoNo
wolfSSLYesYesNoYesYesYes[249]Yes[250][251]Yes[252]Yes[253]Yes[254]Yes[255]
  a. Pure Java implementations rely on JVM processor optimization capabilities, such as OpenJDK support for AES-NI.[228]
  b. BSAFE SSL-J can be configured to run in native mode, using BSAFE Crypto-C Micro Edition to benefit from processor optimization.[229]

System-specific backends

This section lists the ability of each implementation to use operating-system-specific backends, or backends provided by another implementation.

| Implementation | /dev/crypto | af_alg | Windows CSP | CommonCrypto | OpenSSL engine |
| Botan | No | No | No | No | Partial |
| BSAFE | No | No | No | No | No |
| cryptlib | Yes | No | No | No | No |
| GnuTLS | Yes | Yes | No | No | No |
| JSSE | No | No | Yes | No | No |
| LibreSSL | No | No | No | No | No[256] |
| MatrixSSL | No | No | No | Yes | Yes |
| Mbed TLS | No | No | No | No | No |
| NSS | No | No | No | No | No |
| OpenSSL | Yes | Yes | No | No | Yes |
| Rustls | No | Yes[257] | No | No | No |
| Schannel | No | No | Yes | No | No |
| Secure Transport | No | No | No | Yes | No |
| wolfSSL | Yes | Yes | Partial | No | Yes[258] |
| Erlang/OTP SSL application | No | No | No | No | Yes |

Cryptographic module/token support

| Implementation | TPM support | Hardware token support | Objects identified via |
| Botan | Partial[201] | PKCS #11 |  |
| BSAFE SSL-J | No | No |  |
| cryptlib | Yes | PKCS #11 | User-defined label |
| GnuTLS | Yes | PKCS #11 | RFC 7512 PKCS #11 URLs[259] |
| JSSE | No | PKCS11 Java Cryptography Architecture, Java Cryptography Extension |  |
| LibreSSL | Yes | PKCS #11 (via 3rd party module) | Custom method |
| MatrixSSL | No | PKCS #11 |  |
| Mbed TLS | No | PKCS #11 (via libpkcs11-helper) or standard hooks | Custom method |
| NSS | No | PKCS #11 |  |
| OpenSSL | Yes | PKCS #11 (via 3rd party module)[260] | RFC 7512 PKCS #11 URLs[259] |
| Rustls | No | Microsoft CryptoAPI[261] | Custom method |
| Schannel | No | Microsoft CryptoAPI | UUID, User-defined label |
| Secure Transport |  |  |  |
| wolfSSL | Yes | PKCS #11 |  |

Code dependencies

ImplementationDependenciesOptional dependencies
BotanC++20SQLite
zlib (compression)
bzip2 (compression)
liblzma (compression)
boost
trousers (TPM)
GnuTLSlibc
nettle
gmp
zlib (compression)
p11-kit (PKCS #11)
trousers (TPM)
libunbound (DANE)
JSSEJava
MatrixSSLnonezlib (compression)
MatrixSSL-openlibc or newlib
Mbed TLSlibclibpkcs11-helper (PKCS #11)
zlib (compression)
NSSlibc
libnspr4
libsoftokn3
libplc4
libplds4
zlib (compression)
Rustlsrust core libraryrust std library
zlib-rs (compression)
brotli (compression)
ring (cryptography)
aws-lc-rs (cryptography)
OpenSSLlibczlib (compression)
brotli (compression)
zstd (compression)
wolfSSLNonelibc
zlib (compression)
Erlang/OTP SSL applicationlibcrypto (from OpenSSL), Erlang/OTP and its public_key, crypto and asn1 applicationsErlang/OTP -inets (http fetching of CRLs)

Development environment

ImplementationNamespaceBuild toolsAPI manualCrypto back-endOpenSSL compatibility layer
BotanBotan::TLSMakefileSphinxIncluded (pluggable)No
Bouncy Castleorg.bouncycastleJava Development EnvironmentProgrammers reference manual (PDF)Included (pluggable)No
BSAFE SSL-Jcom.rsa.asn1[a]

com.rsa.certj[b]
com.rsa.jcp[c]
com.rsa.jsafe[d]
com.rsa.ssl[e]
com.rsa.jsse[f]

Java class loaderJavadoc, Developer's guide (HTML)IncludedNo
cryptlibcrypt*makefile, MSVC project workspacesProgrammers reference manual (PDF), architecture design manual (PDF)Included (monolithic)No
GnuTLSgnutls_*Autoconf, automake, libtoolManual and API reference (HTML, PDF)External, libnettleYes (limited)
JSSEjavax.net.ssl

sun.security.ssl

MakefileAPI Reference (HTML) +

JSSE Reference Guide

Java Cryptography Architecture,
Java Cryptography Extension
No
MatrixSSLmatrixSsl_*

ps*

Makefile, MSVC project workspaces, Xcode projects for OS X and iOSAPI Reference (PDF), Integration GuideIncluded (pluggable)Yes (Subset: SSL_read, SSL_write, etc.)
Mbed TLSmbedtls_ssl_*

mbedtls_sha1_*
mbedtls_md5_*
mbedtls_x509*
...

Makefile, CMake, MSVC project workspaces, yottaAPI Reference + High Level and Module Level Documentation (HTML)Included (monolithic)No
NSSCERT_*

SEC_*
SECKEY_*
NSS_*
PK11_*
SSL_*
...

MakefileManual (HTML)Included, PKCS#11 based[262]Yes (separate package called nss_compat_ossl[263])
OpenSSLSSL_*

SHA1_*
MD5_*
EVP_*
...

MakefileMan pagesIncluded (monolithic)N/a
Rustlsrustls::cargoAPI reference and design manualTwo options included (pluggable)Yes[264] (subset)
wolfSSLwolfSSL_*

CyaSSL_*
SSL_*

Autoconf, automake, libtool, MSVC project workspaces, XCode projects, CodeWarrior projects, MPLAB X projects, Keil, IAR, Clang, GCC, e2StudioManual and API Reference (HTML, PDF)Included (monolithic)Yes (about 60% of API)
  a. ASN.1 manipulation classes
  b. Cert-J proprietary API
  c. Certificate Path manipulation classes
  d. Crypto-J proprietary API, JCE, CMS and PKI API
  e. SSLJ proprietary API
  f. JSSE API

Portability concerns

ImplementationPlatform requirementsNetwork requirementsThread safetyRandom seedAble to cross-compileNo OS (bare metal)Supported operating systems
BotanC++11NoneThread-safePlatform-dependentYesWindows, Linux, macOS, Android, iOS, FreeBSD, OpenBSD, Solaris, AIX, HP-UX, QNX, BeOS, IncludeOS
BSAFE SSL-JJavaJava SE network componentsThread-safeDepends on java.security.SecureRandomYesNoFreeBSD, Linux, macOS, Microsoft Windows, Android, AIX, Solaris
cryptlibC89POSIX send() and recv(). API to supply your own replacementThread-safePlatform-dependent, including hardware sourcesYesYesAMX, BeOS, ChorusOS, DOS, eCos, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, Palm OS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, macOS, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK
GnuTLSC89POSIX send() and recv(). API to supply your own replacement.Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available.Platform dependentYesNoGenerally any POSIX platforms or Windows, commonly tested platforms include Linux, Win32/64, macOS, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD.
JSSEJavaJava SE network componentsThread-safeDepends on java.security.SecureRandomYesJava based, platform-independent
MatrixSSLC89NoneThread-safePlatform dependentYesYesAll
Mbed TLSC89POSIX read() and write(). API to supply your own replacement.Threading layer available (POSIX or own hooks)Random seed set through entropy poolYesYesKnown to work on: Win32/64, Linux, macOS, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox, Android, eCos, SeggerOS, RISC OS
NSSC89, NSPR[265]NSPR[265] PR_Send() and PR_Recv(). API to supply your own replacement.Thread-safePlatform dependent[266]Yes (but cumbersome)NoAIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, macOS, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation
RustlsRust (programming language)NoneThread-safePlatform dependentYesYesAll supported by Rust (programming language)
OpenSSLC89NoneThread-safePlatform dependentYesNoUnix-like, DOS (with djgpp), Windows, OpenVMS, NetWare, eCos
wolfSSLC89POSIX send() and recv(). API to supply your own replacement.Thread-safeRandom seed set through wolfCryptYesYesWin32/64, Linux, macOS, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Yocto Project, OpenEmbedded, WinCE, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and GameCube through DevKitPro, QNX, MontaVista, NonStop, TRON/ITRON/μITRON, eCos, Micrium μC/OS-III, FreeRTOS, SafeRTOS, NXP/Freescale MQX, Nucleus, TinyOS, HP/UX, AIX, ARC MQX, Keil RTX, TI-RTOS, uTasker, embOS, INtime, Mbed, uT-Kernel, RIOT, CMSIS-RTOS, FROSTED, Green Hills INTEGRITY, TOPPERS, PetaLinux, Apache mynewt

See also

  • SCTP — with DTLS support
  • DCCP — with DTLS support
  • SRTP — with DTLS support (DTLS-SRTP) and Secure Real-Time Transport Control Protocol (SRTCP)

References

  1. ^ "Botan: Release Notes". Retrieved 2025-12-22.
  2. ^ "BoringSSL README.md". boringssl.googlesource.com. Retrieved 2025-11-11.
  3. ^ "Download Bouncy Castle for Java - bouncycastle.org". 2025-11-27. Retrieved 2025-12-01.
  4. ^ "Download Bouncy Castle for Java LTS - bouncycastle.org". 2025-09-19. Retrieved 2025-12-01.
  5. ^ "Download Bouncy Castle for Java FIPS - bouncycastle.org". 2024-07-30. Retrieved 2024-11-29.
  6. ^ "Download Bouncy Castle for C# .NET - bouncycastle.org". 2025-07-15. Retrieved 2025-12-01.
  7. ^ "Download Bouncy Castle for C# .NET FIPS - bouncycastle.org". 2024-03-11. Retrieved 2024-11-29.
  8. ^ "Dell BSAFE SSL-J 7.4 Release Advisory". Dell.
  9. ^ "Dell BSAFE Micro Edition Suite 5.0.3 Release Advisory".
  10. ^ Gutmann, Peter (May 1, 2025). "cryptlib". Github. Retrieved 2025-08-02.
  11. ^ Daiki Ueno (20 November 2025). "gnutls 3.8.11 released". Retrieved 20 November 2025.
  12. ^ "Java Development Kit 25 Release Notes". Oracle Corporation. Retrieved 2025-06-09.
  13. ^ "Java™ SE Development Kit 21, 21.0.5 Release Notes". Oracle Corporation. Retrieved 2024-10-16.
  14. ^ "Java™ SE Development Kit 17, 17.0.13 Release Notes". Oracle Corporation. Retrieved 2024-10-16.
  15. ^ "Java™ SE Development Kit 11, 11.0.25 Release Notes". Oracle Corporation. Retrieved 2024-10-16.
  16. ^ "Java™ SE Development Kit 8, Update 431 Release Notes". Oracle Corporation. Retrieved 2024-10-16.
  17. ^ "LibreSSL 4.1.2 and 4.2.1 released". 31 October 2025. Retrieved 3 November 2025.
  18. ^ The features listed are for the closed source version
  19. ^ "MatrixSSL 4.2.2 Open release". 2019-09-11. Retrieved 2020-03-20.
  20. ^ "Release 4.0.0". 15 October 2025. Retrieved 21 October 2025.
  21. ^ a b "NSS:Release versions". Mozilla Wiki. Retrieved 7 November 2022.
  22. ^ "OpenSSL 3.6.0". 1 October 2025. Retrieved 1 October 2025.
  23. ^ "rustls/rustls releases". Github. Retrieved 15 August 2025.
  24. ^ "wolfSSL product description". Retrieved 2016-05-03.
  25. ^ "wolfSSL Embedded SSL/TLS". Retrieved 2016-05-03.
  26. ^ "wolfSSL ChangeLog". 2025-11-20. Retrieved 2025-11-20.
  27. ^ Prohibiting Secure Sockets Layer (SSL) Version 2.0. doi:10.17487/RFC6176. RFC 6176.
  28. ^ Vaudenay, Serge (2001). "CBC-Padding: Security Flaws in SSL, IPsec, WTLS,..." (PDF).
  29. ^ a b Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security. doi:10.17487/RFC7366. RFC 7366.
  30. ^ "Rizzo/Duong BEAST Countermeasures". Archived from the original on 2016-03-11.
  31. ^ Möller, Bodo; Duong, Thai; Kotowicz, Krzysztof (September 2014). "This POODLE Bites: Exploiting The SSL 3.0 Fallback" (PDF). Archived from the original (PDF) on 15 October 2014. Retrieved 15 October 2014.
  32. ^ "TLSv1.2's Major Differences from TLSv1.1". The Transport Layer Security (TLS) Protocol Version 1.2. sec. 1.2. doi:10.17487/RFC5246. RFC 5246.
  33. ^ a b c RFC 6347. doi:10.17487/RFC6347.
  34. ^ a b Elgamal, Taher; Hickman, Kipp E. B. (19 April 1995). The SSL Protocol. I-D draft-hickman-netscape-ssl-00.
  35. ^ a b RFC 6101. doi:10.17487/RFC6101.
  36. ^ a b RFC 2246. doi:10.17487/RFC2246.
  37. ^ a b RFC 4346. doi:10.17487/RFC4346.
  38. ^ a b c d e f g h i j k l RFC 5246. doi:10.17487/RFC5246.
  39. ^ a b RFC 4347. doi:10.17487/RFC4347.
  40. ^ "Version 1.11.13, 2015-01-11 — Botan". 2015-01-11. Archived from the original on 2015-01-09. Retrieved 2015-01-16.
  41. ^ a b c "RSA BSAFE Technical Specification Comparison Tables" (PDF). Archived from the original (PDF) on 2015-09-24. Retrieved 2015-01-09.
  42. ^ a b c d e f "[gnutls-devel] GnuTLS 3.4.0 released". 2015-04-08. Retrieved 2015-04-16.
  43. ^ "[gnutls-devel] GnuTLS 3.6.3". 2018-07-16. Retrieved 2018-09-16.
  44. ^ "Java SE Development Kit 8, Update 31 Release Notes". Retrieved 2024-01-14.
  45. ^ a b "Release Note: Disable TLS 1.0 and 1.1". Retrieved 2024-01-14.
  46. ^ a b c d e f g h i j k l m "OpenBSD 5.6 Released". 2014-11-01. Retrieved 2015-01-20.
  47. ^ "LibreSSL 2.3.0 Released". 2015-09-23. Retrieved 2015-09-24.
  48. ^ "LibreSSL 3.3.3 Released". 2021-05-04. Retrieved 2021-05-04.
  49. ^ "MatrixSSL - News". Archived from the original on 2015-02-14. Retrieved 2014-11-09.
  50. ^ a b c d "Mbed TLS 3.0.0 branch released". GitHub. 2021-07-07. Retrieved 2021-08-13.
  51. ^ a b c "mbed TLS 2.0.0 released". 2015-07-10. Retrieved 2015-07-14.
  52. ^ "NSS 3.19 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2015-06-05. Retrieved 2015-05-06.
  53. ^ a b "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2013-01-17. Retrieved 2012-10-27.
  54. ^ "NSS 3.15.1 release notes". Mozilla Developer Network. Mozilla. Retrieved 2013-08-10.
  55. ^ "NSS 3.39 release notes". Mozilla Developer Network. Mozilla. 2018-08-31. Archived from the original on 2021-12-07. Retrieved 2018-09-15.
  56. ^ "NSS 3.16.2 release notes". Mozilla Developer Network. Mozilla. 2014-06-30. Archived from the original on 2021-12-07. Retrieved 2014-06-30.
  57. ^ a b c d e f g h i j k l m "OpenSSL 1.1.0 Series Release Notes". www.openssl.org. Archived from the original on 2018-03-17. Retrieved 2016-09-03.
  58. ^ a b "Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]". 2012-03-14. Archived from the original on December 5, 2014. Retrieved 2015-01-20.
  59. ^ a b c d e f "Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]". Archived from the original on September 4, 2014. Retrieved 2015-01-22.
  60. ^ a b c d e f g h i j k "rustls implemented and unimplemented features documentation". Retrieved 2024-08-28.
  61. ^ "S2N Readme". GitHub. 2019-12-21.
  62. ^ "TLS Cipher Suites (Windows)". msdn.microsoft.com. 14 July 2023.
  63. ^ a b "TLS Cipher Suites in Windows Vista (Windows)". msdn.microsoft.com. 25 October 2021.
  64. ^ a b c "Cipher Suites in TLS/SSL (Schannel SSP) (Windows)". msdn.microsoft.com. 14 July 2023.
  65. ^ a b "An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1". Microsoft. Retrieved 13 November 2012.
  66. ^ "Protocols in TLS/SSL (Schannel SSP)". Microsoft. 2022-05-25. Retrieved 2023-11-18.
  67. ^ "Protocols in TLS/SSL (Schannel SSP)". 25 May 2022. Retrieved 6 November 2022.
  68. ^ "@badger: the 1.3 stuff is apparently in iOS 11 and macOS 10.13". 2018-03-09. Retrieved 2018-03-09.
  69. ^ "[wolfssl] wolfSSL 3.6.6 Released". 2015-08-20. Retrieved 2015-08-24.
  70. ^ "[wolfssl] wolfSSL 3.13.0 Released". 2017-12-21. Retrieved 2022-01-17.
  71. ^ "Erlang -- Standards Compliance".
  72. ^ a b c "Security Enhancements in JDK 8". docs.oracle.com.
  73. ^ "Bug 663320 - (NSA-Suite-B-TLS) Implement RFC6460 (NSA Suite B profile for TLS)". Mozilla. Retrieved 2014-05-19.
  74. ^ "Introducing Compliance to Suite B Cryptography". 18 September 2012.
  75. ^ "Speeds and Feeds › Secure or Compliant, Pick One". Archived from the original on December 27, 2013.
  76. ^ "Search - Cryptographic Module Validation Program - CSRC". csrc.nist.gov. Archived from the original on 2014-12-26. Retrieved 2014-03-18.
  77. ^ ""Is botan FIPS 140 certified?" Frequently Asked Questions — Botan". Archived from the original on 2014-11-29. Retrieved 2014-11-16.
  78. ^ "Search - Cryptographic Module Validation Program - CSRC". csrc.nist.gov. 11 October 2016.
  79. ^ "cryptlib". 11 October 2013. Archived from the original on 11 October 2013.
  80. ^ "B.5 Certification". GnuTLS 3.7.7. Retrieved 26 September 2022.
  81. ^ "Matrix SSL Toolkit" (PDF).
  82. ^ "Is mbed TLS FIPS certified? - Mbed TLS documentation". Mbed TLS documentation.
  83. ^ "FIPS Validation - MozillaWiki". wiki.mozilla.org.
  84. ^ "OpenSSL and FIPS 140-2". Archived from the original on 2013-05-28. Retrieved 2014-11-15.
  85. ^ "rustls FIPS documentation". Retrieved 2024-08-28.
  86. ^ "Microsoft FIPS 140 Validated Cryptographic Modules".
  87. ^ "wolfCrypt FIPS 140-2 Information - wolfSSL Embedded SSL/TLS Library".
  88. ^ a b c d e f g h i j k l m n o p q r s t u v w x y z aa ab ac ad ae af ag ah RFC 4492. doi:10.17487/RFC4492.
  89. ^ a b c d e "LibreSSL 2.1.2 released". 2014-12-09. Retrieved 2015-01-20.
  90. ^ "NSS 3.20 release notes". Mozilla. 2015-08-19. Archived from the original on 2021-12-07. Retrieved 2015-08-20.
  91. ^ a b c d Mozilla.org. "Bug 518787 - Add GOST crypto algorithm support in NSS". Retrieved 2014-07-01.
  92. ^ a b c d Mozilla.org. "Bug 608725 - Add Russian GOST cryptoalgorithms to NSS and Thunderbird". Retrieved 2014-07-01.
  93. ^ a b c d "OpenSSL: CVS Web Interface". Archived from the original on 2013-04-15. Retrieved 2014-11-12.
  94. ^ a b c d e f g h i j k l m n o Extensions to support GOST in Schannel might be available.[citation needed]
  95. ^ a b c d "Microsoft Security Advisory 3174644". 14 October 2022.
  96. ^ a b c "Microsoft Security Bulletin MS14-066 - Critical (Section Update FAQ)". Microsoft. November 11, 2014. Retrieved 11 November 2014.
  97. ^ a b c Thomlinson, Matt (November 11, 2014). "Hundreds of Millions of Microsoft Customers Now Benefit from Best-in-Class Encryption". Microsoft Security. Retrieved 11 November 2014.
  98. ^ a b "Update adds new TLS cipher suites and changes cipher suite priorities in Windows 8.1 and Windows Server 2012 R2". support.microsoft.com.
  99. ^ a b c d e f RFC 5054. doi:10.17487/RFC5054.
  100. ^ a b c d e f RFC 4279. doi:10.17487/RFC4279.
  101. ^ a b RFC 5489. doi:10.17487/RFC5489.
  102. ^ a b RFC 2712. doi:10.17487/RFC2712.
  103. ^ "RSA BSAFE SSL-J 6.2.4 Release Notes". 2018-09-05. Archived from the original on 2018-09-10.
  104. ^ a b c "LibreSSL 2.0.4 released". Retrieved 2014-08-04.
  105. ^ a b c "Bug 405155 - add support for TLS-SRP, rfc5054". Mozilla. Retrieved 2014-01-25.
  106. ^ a b c d "Bug 306435 - Mozilla browsers should support the new IETF TLS-PSK protocol to help reduce phishing". Mozilla. Retrieved 2014-01-25.
  107. ^ "Bug 1170510 - Implement NSS server side support for DH_anon". Mozilla. Retrieved 2015-06-03.
  108. ^ "Bug 236245 - Update ECC/TLS to conform to RFC 4492". Mozilla. Retrieved 2014-06-09.
  109. ^ "Changes between 0.9.6h and 0.9.7 [31 Dec 2002]". Retrieved 2016-01-29.
  110. ^ a b "Changes between 0.9.8n and 1.0.0 [29 Mar 2010]". Retrieved 2016-01-29.
  111. ^ "wolfSSL (Formerly CyaSSL) Release 3.9.0 (03/18/2016)". 2016-03-18. Retrieved 2016-04-05.
  112. ^ RFC 5280. doi:10.17487/RFC5280.
  113. ^ RFC 3280. doi:10.17487/RFC3280.
  114. ^ RFC 2560. doi:10.17487/RFC2560.
  115. ^ RFC 6698. doi:10.17487/RFC6698.
  116. ^ RFC 7218. doi:10.17487/RFC7218.
  117. ^ Laurie, B.; Langley, A.; Kasper, E. (June 2013). Certificate Transparency. IETF. doi:10.17487/RFC6962. ISSN 2070-1721. RFC 6962. Retrieved 2020-08-31.
  118. ^ "MatrixSSL 3.8.3". Archived from the original on 2017-01-19. Retrieved 2017-01-18.
  119. ^ "mbed TLS 2.0 defaults implement best practices". Retrieved 2017-01-18.
  120. ^ "Bug 672600 - Use DNSSEC/DANE chain stapled into TLS handshake in certificate chain validation". Mozilla. Retrieved 2014-06-18.
  121. ^ "CRL Validation · Issue #3499 · aws/s2n-tls". GitHub. Retrieved 2022-11-01.
  122. ^ "OCSP digest support for SHA-256 · Issue #2854 · aws/s2n-tls · GitHub". GitHub. Retrieved 2022-11-01.
  123. ^ "[RFC 6962] s2n Client can Validate Signed Certificate Timestamp TLS Extension · Issue #457 · aws/s2n-tls · GitHub". GitHub. Retrieved 2022-11-01.
  124. ^ a b "How Certificate Revocation Works". Microsoft TechNet. Microsoft. March 16, 2012. Retrieved July 10, 2013.
  125. ^ a b
  126. ^ a b RFC 6655, RFC 7251
  127. ^ a b c d RFC 6367. doi:10.17487/RFC6367.
  128. ^ a b RFC 5932. doi:10.17487/RFC5932.
  129. ^ a b c d RFC 6209. doi:10.17487/RFC6209.
  130. ^ a b RFC 4162. doi:10.17487/RFC4162.
  131. ^ a b "Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN". sweet32.info.
  132. ^ a b RFC 7905. doi:10.17487/RFC7905.
  133. ^ a b "Version 1.11.12, 2015-01-02 — Botan". 2015-01-02. Retrieved 2015-01-09.
  134. ^ "gnutls 3.6.0". 2017-09-21. Retrieved 2018-01-07.
  135. ^ "gnutls 3.4.12". 2016-05-20. Archived from the original on 2016-10-13. Retrieved 2016-05-29.
  136. ^ "Java SE Development Kit 10 - 10.0.1 Release Notes". 2018-04-17. Retrieved 2024-01-14.
  137. ^ "JDK 12 Release Notes". Retrieved 2024-01-14.
  138. ^ a b c d "Changes in 3.8.3". GitHub. Retrieved 2016-06-19.[permanent dead link]
  139. ^ "PolarSSL 1.3.8 release notes". Archived from the original on 2014-07-14.
  140. ^ a b "Mbed TLS 2.11.0, 2.7.4 and 2.1.13 released". Retrieved 2018-08-30.
  141. ^ "Mbed TLS 2.12.0, 2.7.5 and 2.1.14 released". Retrieved 2018-08-30.
  142. ^ "NSS 3.25 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2021-12-07. Retrieved 2016-07-01.
  143. ^ "Bug 940119 - libssl does not support any TLS_ECDHE_*_CAMELLIA_*_GCM cipher suites". Mozilla. Retrieved 2013-11-19.
  144. ^ "NSS 3.12 is released". Retrieved 2013-11-19.
  145. ^ "NSS 3.12.3 Release Notes". Mozilla Developer Network. Mozilla. Archived from the original on 2023-04-02. Retrieved 2023-04-01.
  146. ^ "NSS 3.23 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2021-04-14. Retrieved 2016-03-09.
  147. ^ "openssl/CHANGES at OpenSSL_1_0_1-stable · openssl/openssl". GitHub. Retrieved 2015-01-20.
  148. ^ "OpenSSL 1.1.1 Series Release Notes". www.openssl.org. Archived from the original on 2024-01-16.
  149. ^ "Cipher Suites in TLS/SSL (Schannel SSP) - Win32 apps". docs.microsoft.com. 14 July 2023.
  150. ^ a b c "Qualys SSL Labs - Projects / User Agent Capabilities: IE 11 / Win 10 Preview". dev.ssllabs.com. Archived from the original on 2023-07-14.
  151. ^ RFC 5469
  152. ^ a b "Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN".
  153. ^ "Version 1.11.15, 2015-03-08 — Botan". 2015-03-08. Retrieved 2015-03-11.
  154. ^ "Java Cryptography Architecture Oracle Providers Documentation". docs.oracle.com.
  155. ^ "NSS 3.15.3 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2014-06-05. Retrieved 2014-07-13.
  156. ^ "MFSA 2013-103: Miscellaneous Network Security Services (NSS) vulnerabilities". Mozilla. Retrieved 2014-07-13.
  157. ^ a b c "RC4 is now disabled in Microsoft Edge and Internet Explorer 11 - Microsoft Edge Dev Blog". blogs.windows.com. 2016-08-09.
  158. ^ a b "wolfSSL (Formerly CyaSSL) Release 3.7.0 (10/26/2015)". 2015-10-26. Retrieved 2015-11-19.
  159. ^ a b c d e RFC 8446
  160. ^ a b c d e RFC 8422
  161. ^ a b c RFC 7027
  162. ^ a b c "Version 1.11.5, 2013-11-10 — Botan". 2013-11-10. Retrieved 2015-01-23.
  163. ^ "An overview of the new features in GnuTLS 3.5.0". 2016-05-02. Retrieved 2016-12-09.
  164. ^ "gnutls 3.6.12". 2020-02-01. Retrieved 2021-08-31.
  165. ^ a b "JDK 13 Early-Access Release Notes". Archived from the original on 2020-04-01. Retrieved 2019-06-20.
  166. ^ a b "JEP 339: Edwards-Curve Digital Signature Algorithm (EdDSA)". Retrieved 2024-01-14.
  167. ^ "LibreSSL 2.5.1 release notes". OpenBSD. 2017-01-31. Retrieved 2017-02-23.
  168. ^ "MatrixSSL 4.0 changelog". GitHub. Retrieved 2018-09-18.
  169. ^ "PolarSSL 1.3.3 released". 2013-12-31. Archived from the original on 2014-01-07. Retrieved 2015-01-23.
  170. ^ "Mbed TLS 2.9.0, 2.7.3 and 2.1.12 released". Retrieved 2018-08-30.
  171. ^ a b c "PolarSSL 1.3.1 released". 2013-10-15. Archived from the original on 2015-01-23. Retrieved 2015-01-23.
  172. ^ "Bug 957105 - Add support for curve25519 Key Exchange and UMAC MAC support for TLS". Mozilla. Retrieved 2017-02-23.
  173. ^ "Bug 1305243 - Support for X448". Mozilla. Retrieved 2022-08-04.
  174. ^ "Bug 1597057 - Curve448 or named Ed448-Goldilocks support needed (both X448 key exchange and Ed448 signature algorithm )". Mozilla. Retrieved 2022-08-04.
  175. ^ a b c "Bug 943639 - Support for Brainpool ECC Curve (rfc5639)". Mozilla. Retrieved 2014-01-25.
  176. ^ "OpenSSL 1.1.0x Release Notes". 25 August 2016. Archived from the original on 18 May 2018. Retrieved 18 May 2018.
  177. ^ "OpenSSL GitHub Issue #487 Tracker". GitHub. 2 December 2015. Retrieved 18 May 2018.
  178. ^ "OpenSSL CHANGES". 1 May 2018. Archived from the original on 18 May 2018. Retrieved 18 May 2018.
  179. ^ "OpenSSL GitHub Issue #5049 Tracker". GitHub. 9 January 2018. Retrieved 18 May 2018.
  180. ^ "wolfSSL (Formerly CyaSSL) Release 3.4.6 (03/30/2015)". 2015-03-30. Retrieved 2015-11-19.
  181. ^ "wolfSSL Release 4.4.0 (04/22/2020)". 2020-04-22. Retrieved 2022-10-18.
  182. ^ "Release Note: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default". JDK Bug System (JBS). Retrieved 25 December 2024.
  183. ^ "Release Note: Removal of Legacy Elliptic Curves". JDK Bug System (JBS). Retrieved 25 December 2024.
  184. ^ a b Negotiation of arbitrary curves has been shown to be insecure for certain curve sizes. Mavrogiannopoulos, Nikos; Vercauteren, Frederik; Velichkov, Vesselin; Preneel, Bart (2012). "A cross-protocol attack on the TLS protocol" (PDF). Proceedings of the 2012 ACM conference on Computer and communications security. Association for Computing Machinery. pp. 62–72. doi:10.1145/2382196.2382206. ISBN 978-1-4503-1651-4.
  185. ^ "SHA2 and Windows". Retrieved 2024-12-25.
  186. ^ RFC 3749
  187. ^ RFC 5746
  188. ^ a b c RFC 6066
  189. ^ RFC 7301
  190. ^ RFC 6091
  191. ^ RFC 4680
  192. ^ RFC 5077. doi:10.17487/RFC5077.
  193. ^ RFC 5705. doi:10.17487/RFC5705.
  194. ^ RFC 7507. doi:10.17487/RFC7507.
  195. ^ RFC 7627
  196. ^ RFC 7685
  197. ^ RFC 7250
  198. ^ "Version 1.11.16, 2015-03-29 — Botan". 2016-03-29. Retrieved 2016-09-08.
  199. ^ "Version 1.11.10, 2014-12-10 — Botan". 2014-12-10. Retrieved 2014-12-14.
  200. ^ a b "Version 1.11.26, 2016-01-04 — Botan". 2016-01-04. Retrieved 2016-02-25.
  201. ^ Present, but disabled by default due to lack of use by any implementation.
  202. ^ "gnutls 3.2.0". Archived from the original on 2016-01-31. Retrieved 2015-01-26.
  203. ^ Mavrogiannopoulos, Nikos (August 21, 2017). "[gnutls-help] GnuTLS 3.6.0 released".
  204. ^ "gnutls 3.4.4". Archived from the original on 2017-07-17. Retrieved 2015-08-25.
  205. ^ "%DUMBFW priority keyword". Retrieved 2017-04-30.
  206. ^ "gnutls 3.6.6". 2019-01-25. Retrieved 2019-09-01.
  207. ^ "LibreSSL 2.1.3 released". 2015-01-22. Retrieved 2015-01-22.
  208. ^ "LibreSSL 2.1.4 released". 2015-03-04. Retrieved 2015-03-04.
  209. ^ "MatrixSSL - News". 2014-12-04. Archived from the original on 2015-02-14. Retrieved 2015-01-26.
  210. ^ "Download overview - PolarSSL". 2014-04-11. Archived from the original on 2015-02-09. Retrieved 2015-01-26.
  211. ^ a b c "mbed TLS 1.3.10 released". 2015-02-08. Archived from the original on 2015-02-09. Retrieved 2015-02-09.
  212. ^ a b "NSS 3.15.5 release notes". Mozilla Developer Network. Mozilla. Archived from the original on January 26, 2015. Retrieved 2015-01-26.
  213. ^ "Bug 961416 - Support RFC6091 - Using OpenPGP Keys for Transport Layer Security Authentication (TLS1.2)". Mozilla. Retrieved 2014-06-18.
  214. ^ "Bug 972145 - Implement the encrypt-then-MAC TLS extension". Mozilla. Retrieved 2014-11-06.
  215. ^ "NSS 3.17.1 release notes". Archived from the original on 2019-04-19. Retrieved 2014-10-17.
  216. ^ "NSS 3.21 release notes". Archived from the original on 2021-12-07. Retrieved 2015-11-14.
  217. ^ "OpenSSL Security Advisory [15 Oct 2014]". 2014-10-15.
  218. ^ "Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]". 2014-04-07. Archived from the original on 2015-01-20. Retrieved 2015-02-10.
  219. ^ "OpenSSL Announces Final Release of OpenSSL 3.2.0". 2023-11-23. Retrieved 2024-10-11.
  220. ^ rustls does not implement earlier versions that would warrant protection against insecure downgrade
  221. ^ a b c d "Microsoft Security Bulletin MS15-121". March 2023. Retrieved 2024-04-28.
  222. ^ a b "What's New in TLS/SSL (Schannel SSP)". 31 August 2016. Retrieved 2024-04-28.
  223. ^ "wolfSSL Version 4.2.0 is Now Available!". 22 October 2019. Retrieved 2021-08-13.
  224. ^ "wolfSSL supports Raw Public Keys". August 2023. Retrieved 2024-10-25.
  225. ^ "Version 1.11.31, 2015-08-30 — Botan". 2016-08-30. Retrieved 2016-09-08.
  226. ^ "Trusted Platform Module (TPM) — Botan".
  227. ^ "JEP 164: Leverage CPU Instructions for AES Cryptography". openjdk.org.
  228. ^ "RSA SecurID PASSCODE Request". sso.rsasecurity.com.
  229. ^ "Comparison of BSAFE TLS libraries: Micro Edition Suite vs SSL-J | Dell Malaysia".
  230. ^ Mavrogiannopoulos, Nikos (October 9, 2016). "[gnutls-devel] gnutls 3.5.5".
  231. ^ "Trusted Platform Module (GnuTLS 3.8.4)".
  232. ^ "Java SSL provider with AES-NI support". stackoverflow.com.
  233. ^ "PolarSSL 1.3.3 released". 2013-12-31. Archived from the original on 2014-01-07. Retrieved 2014-01-07. We've incorporated support for AES-NI in our AES and GCM modules.
  234. ^ a b "NXP/Plug-and-trust". GitHub.
  235. ^ "ARMmbed/Mbed-os-atecc608a". GitHub.
  236. ^ Normally NSS's libssl performs all operations via the PKCS#11 interface, either to hardware or software tokens
  237. ^ "Bug 706024 - AES-NI enhancements to NSS on Sandy Bridge systems". Retrieved 2013-09-28.
  238. ^ "Bug 479744 - RFE : VIA Padlock ACE support (hardware RNG, AES, SHA1 and SHA256)". Retrieved 2014-04-11.
  239. ^ "Подключаем Рутокен ЭЦП к OpenSSL" (in Russian). 16 December 2011.
  240. ^ "Поддержка Рутокен ЭЦП в OpenSSL (Страница 1) — Рутокен и Open Source — Форум Рутокен" (in Russian).
  241. ^ "OpenSSL ГОСТ" (in Russian). Archived from the original on 2018-06-23.
  242. ^ "git.openssl.org Git - openssl.git/commitdiff". git.openssl.org.
  243. ^ "Tpm2-software/Tpm2-openssl". GitHub.
  244. ^ "Provider - OpenSSL Documentation".
  245. ^ "STSW-STSA110-SSL - STSAFE-A integration within OpenSSL security stack". STMicroelectronics.
  246. ^ SecECKey.c on GitHub
  247. ^ "Crypto Officer Role Guide for FIPS 140-2 Compliance OS X Mountain Lion v10.8" (PDF). Apple Inc. 2013.
  248. ^ "CAAM support in wolfSSL". 10 March 2020.
  249. ^ "wolfTPM Portable TPM 2.0 Library".
  250. ^ "Announcing wolfSSL TPM support for the Espressif ESP32". 20 June 2024.
  251. ^ "WolfSSL SSL/TLS Support for NXP SE050 – wolfSSL". 22 February 2024.
  252. ^ "WolfSSL support for the ATECC608 Crypto Coprocessor – wolfSSL". 13 October 2021.
  253. ^ "WolfSSL support for STSAFE-A100 crypto coprocessor – wolfSSL". 20 September 2018.
  254. ^ "Support for MAXQ1065 in wolfSSL – wolfSSL". 29 November 2022.
  255. ^ "LibreSSL 2.2.1 Released". 2015-07-08. Retrieved 2016-01-30.
  256. ^ "ktls integration for rustls". GitHub. Retrieved 2024-08-29.
  257. ^ "wolfProvider". 2021-11-10. Retrieved 2022-01-17.
  258. ^ a b The PKCS #11 URI Scheme. doi:10.17487/RFC7512. RFC 7512.
  259. ^ "libp11: PKCS#11 wrapper library". 19 January 2018 – via GitHub.
  260. ^ "Windows CNG bridge for rustls". GitHub. Retrieved 2024-08-29.
  261. ^ On the fly replaceable/augmentable.
  262. ^ "Nss compat ossl - Fedora Project Wiki". fedoraproject.org.
  263. ^ "rustls-openssl compatibility layer". GitHub. Retrieved 2024-08-29.
  264. ^ a b "NSPR". Mozilla Developer Network.
  265. ^ For Unix/Linux it uses /dev/urandom if available, for Windows it uses CAPI. For other platforms it gets data from clock, and tries to open system files. NSS has a set of platform dependent functions it uses to determine randomness.

    MatrixSSL[18]PeerSec NetworksYesGNU GPLv2+ and commercial licensePeerSec NetworksC4.2.2 (September 11, 2019; 6 years ago (2019-09-11) [19]) [±]US
    Mbed TLS (previously PolarSSL)ArmYesApache License 2.0, GNU GPLv2+ and commercial licenseArm HoldingsC4.0.0[20] (15 October 2025; 2 months ago (15 October 2025)) [±]EU (Netherlands)
    Network Security Services (NSS)Mozilla, AOL, Red Hat, Sun, Oracle, Google and othersYesMPL 2.0NSS contributorsC, assembly
    Standard3.84 / October 12, 2022; 3 years ago (2022-10-12)[21]
    Extended Support Release3.79.1 / August 18, 2022; 3 years ago (2022-08-18)[21]
    US
    OpenSSLOpenSSL projectYesApache-2.0[a]Eric Young, Tim Hudson, Sun, OpenSSL project, and othersC, assembly3.6.0[22]  2025-10-01Australia/EU
    RustlsJoe Birr-Pixton, Dirkjan Ochtman, Daniel McCarney, Josh Aas, and open source contributorsYesApache-2.0, MIT License and ISCOpen source contributorsRustv0.23.31 (July 29, 2025; 5 months ago (2025-07-29)[23]) [±]United Kingdom
    s2nAmazonYesApache License 2.0, GNU GPLv2+ and commercial licenseAmazon.com, Inc.CContinuousUS
    SchannelMicrosoftNoProprietaryMicrosoft CorporationWindows 11, 2021-10-05US
    Secure TransportApple Inc.YesAPSL 2.0Apple Inc.57337.20.44 (OS X 10.11.2), 2015-12-08US
    wolfSSL (previously CyaSSL)wolfSSL[24]YesGNU GPLv3+ and commercial licensewolfSSL Inc.[25]C, assembly5.8.4 (November 20, 2025; 43 days ago (2025-11-20)[26]) [±]US
    Erlang/OTP SSL applicationEricssonYesApache License 2.0EricssonErlangOTP-21, 2018-06-19Sweden
    ImplementationDeveloped byOpen sourceSoftware licenseCopyright ownerWritten inLatest stable version, release dateOrigin
    1. ^ Apache-2.0 for OpenSSL 3.0 and later releases. OpenSSL-SSLeay dual-license for any release before OpenSSL 3.0.

    TLS/SSL protocol version support

    Several versions of the TLS protocol exist. SSL 2.0 is a deprecated[27] protocol version with significant weaknesses. SSL 3.0 (1996) and TLS 1.0 (1999) are successors with two weaknesses in CBC-padding that were explained in 2001 by Serge Vaudenay.[28] TLS 1.1 (2006) fixed only one of the problems, by switching to random initialization vectors (IV) for CBC block ciphers, whereas the more problematic use of mac-pad-encrypt instead of the secure pad-mac-encrypt was addressed with RFC 7366.[29] A workaround for SSL 3.0 and TLS 1.0, roughly equivalent to random IVs from TLS 1.1, was widely adopted by many implementations in late 2011.[30] In 2014, the POODLE vulnerability of SSL 3.0 was discovered, which takes advantage of the known vulnerabilities in CBC, and an insecure fallback negotiation used in browsers.[31]

    TLS 1.2 (2008) introduced a means to identify the hash used for digital signatures. While this permits the use of stronger hash functions for digital signatures in the future (rsa,sha256/sha384/sha512) over the conservative SSL 3.0 choice (rsa,sha1+md5), the TLS 1.2 protocol change inadvertently and substantially weakened the default digital signatures, since it provides (rsa,sha1) and even (rsa,md5).[32]

    Datagram Transport Layer Security (DTLS or Datagram TLS) 1.0 is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated. The revision DTLS 1.2 based on TLS 1.2 was published in January 2012.[33]

    TLS 1.3 (2018), specified in RFC 8446, includes major optimizations and security improvements. QUIC (2021), specified in RFC 9000, and DTLS 1.3 (2022), specified in RFC 9147, build on TLS 1.3. The publishing of TLS 1.3 and DTLS 1.3 obsoleted TLS 1.2 and DTLS 1.2.

    Note that there are known vulnerabilities in SSL 2.0 and SSL 3.0. In 2021, IETF published RFC 8996 also forbidding negotiation of TLS 1.0, TLS 1.1, and DTLS 1.0 due to known vulnerabilities. NIST SP 800-52 requires support of TLS 1.3 by January 2024. Support of TLS 1.3 means that two compliant nodes will never negotiate TLS 1.2.

    ImplementationSSL 2.0 (insecure)[34]SSL 3.0 (insecure)[35]TLS 1.0 (deprecated)[36]TLS 1.1 (deprecated)[37]TLS 1.2[38]TLS 1.3DTLS 1.0 (deprecated)[39]DTLS 1.2[33]DTLS 1.3
    BotanNoNo[40]NoNoYesYesNoYesNo
    BoringSSLYesYesYesYesYesYesNo
    Bouncy CastleNoNoYesYesYesYesYesYesNo
    BSAFE SSL-J[41]NoDisabled by defaultNo[a]No[a]YesYesNoNoNo
    cryptlibNoNoYesYesYesYesNoNoNo
    GnuTLSNo[b]Disabled by default[42]YesYesYesYes[43]YesYesNo
    JSSENo[b]Disabled by default[44]Disabled by default[45]Disabled by default[45]YesYesYesYesNo
    LibreSSLNo[46]No[47]YesYesYesYesYesYes[48]No
    MatrixSSLNoDisabled by default at compile time[49]YesYesYesYesYesYesNo
    Mbed TLSNoNo[50]No[50]No[50]YesYes
    (experimental)
    Yes[51]Yes[51]No
    NSSNo[c]Disabled by default[52]YesYes[53]Yes[54]Yes[55]Yes[53]Yes[56]No
    OpenSSLNo[57]Disabled by defaultYesYes[58]Yes[58]YesYesYes[59]No
    RustlsNo[60]No[60]No[60]No[60]Yes[60]Yes[60]NoNoNo
    s2n[61]NoDisabled by defaultYesYesYesYesNoNoNo
    Schannel XP, 2003[62]Disabled by default in MSIE 7Enabled by defaultEnabled by default in MSIE 7NoNoNoNoNoNo
    Schannel Vista[63]Disabled by defaultEnabled by defaultYesNoNoNoNoNoNo
    Schannel 2008[63]Disabled by defaultEnabled by defaultYesDisabled by default (KB4019276)Disabled by default (KB4019276)NoNoNoNo
    Schannel 7, 2008R2[64]Disabled by defaultDisabled by default in MSIE 11YesEnabled by default in MSIE 11Enabled by default in MSIE 11NoYes[65]No[65]No
    Schannel 8, 2012[64]Disabled by defaultEnabled by defaultYesDisabled by defaultDisabled by defaultNoYesNoNo
    Schannel 8.1, 2012R2, 10 RTM & v1511[64]Disabled by defaultDisabled by default in MSIE 11YesYesYesNoYesNoNo
    Schannel 10 v1607 / 2016[66]NoDisabled by defaultYesYesYesNoYesYesNo
    Schannel 11 / 2022[67]NoDisabled by defaultYesYesYesYesYesYesNo
    Secure Transport

    OS X 10.2–10.7, iOS 1–4

    YesYesYesNoNoNoNoNo
    Secure Transport OS X 10.8–10.10, iOS 5–8No[d]YesYesYes[d]Yes[d]Yes[d]NoNo
    Secure Transport OS X 10.11, iOS 9NoNo[d]YesYesYesYesUnknownNo
    Secure Transport OS X 10.13, iOS 11NoNo[d]YesYesYesYes
    (draft version)[68]
    YesUnknownNo
    wolfSSLNoDisabled by default[69]Disabled by default[70]YesYesYesYesYesYes
    Erlang/OTP SSL application[71]No [e]No [f]Disabled by default [e]Disabled by default [e]YesPartially [g]Disabled by default [e]YesNo
    ImplementationSSL 2.0 (insecure)[34]SSL 3.0 (insecure)[35]TLS 1.0 (deprecated)[36]TLS 1.1 (deprecated)[37]TLS 1.2[38]TLS 1.3DTLS 1.0 (deprecated)[39]DTLS 1.2[33]DTLS 1.3
    1. ^ a b As of SSL-J 7.0, support for TLS 1.0 and 1.1 has been removed
    2. ^ a b SSL 2.0 client hello is supported for backward compatibility reasons even though SSL 2.0 is not supported.
    3. ^ Server-side implementation of the SSL/TLS protocol still supports processing of received v2-compatible client hello messages."NSS 3.24 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2016-08-26. Retrieved 2016-06-19.
    4. ^ a b c d e f Secure Transport: SSL 2.0 was discontinued in OS X 10.8. SSL 3.0 was discontinued in OS X 10.11 and iOS 9.TLS 1.1, 1.2 and DTLS are available on iOS 5.0 and later, and OS X 10.9 and later."Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
    5. ^ a b c d Since OTP 22
    6. ^ Since OTP 23
    7. ^ "Erlang OTP SSL application TLS 1.3 compliance table".

    NSA Suite B Cryptography

    Required components for NSA Suite B Cryptography (RFC 6460) are:

    Per CNSSP-15, the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.

    Implementation | TLS 1.2 Suite B
    --- | ---
    Botan | Yes
    Bouncy Castle | Yes
    BSAFE | Yes[41]
    cryptlib | Yes
    GnuTLS | Yes
    JSSE | Yes[72]
    LibreSSL | Yes
    MatrixSSL | Yes
    Mbed TLS | Yes
    NSS | No[73]
    OpenSSL | Yes[59]
    Rustls | Yes[60]
    S2n |
    Schannel | Yes[74]
    Secure Transport | No
    wolfSSL | Yes

    Certifications

    Note that certain certifications have received serious negative criticism from people who are actually involved in them.[75]

    ImplementationFIPS 140-1, FIPS 140-2[76]FIPS 140-3
    Level 1Level 2[disputeddiscuss]Level 1
    Botan[77]
    Bouncy CastleBC-FJA 2.0.0 (#4743)
    BC-FJA 2.1.0 (#4943)
    BC-FNA 1.0.2 (#4416)
    BSAFE SSL-J[78]Crypto-J 6.0 (1785, 1786)
    Crypto-J 6.1 / 6.1.1.0.1 (2057, 2058)
    Crypto-J 6.2 / 6.2.1.1 (2468, 2469)
    Crypto-J 6.2.4 (3172, 3184)
    Crypto-J 6.2.5 (#3819, #3820)
    Crypto-J 6.3 (#4696, #4697)
    Crypto-J 7.0 (4892)
    cryptlib[79]
    GnuTLS[80]Red Hat Enterprise Linux GnuTLS Cryptographic Module (#2780)
    JSSE
    LibreSSL[46]no support
    MatrixSSL[81]SafeZone FIPS Cryptographic Module: 1.1 (#2389)
    Mbed TLS[82]
    NSS[83]Network Security Services: 3.2.2 (#247)
    Network Security Services Cryptographic Module: 3.11.4 (#815), 3.12.4 (#1278), 3.12.9.1 (#1837)
    Netscape Security Module: 1 (#7[notes 1]), 1.01 (#47[notes 2])
    Network Security Services: 3.2.2 (#248[notes 3])
    Network Security Services Cryptographic Module: 3.11.4 (#814[notes 4]), 3.12.4 (#1279, #1280[notes 5])
    OpenSSL[84]OpenSSL FIPS Object Module: 1.0 (#624), 1.1.1 (#733), 1.1.2 (#918), 1.2, 1.2.1, 1.2.2, 1.2.3 or 1.2.4 (#1051)
    2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7 or 2.0.8 (#1747)
    Rustlsaws-lc FIPS module[85] (#4759)
    Schannel[86]Cryptographic modules in Windows NT 4.0, 95, 95, 2000, XP, Server 2003, CE 5, CE 6, Mobile 6.x, Vista, Server 2008, 7, Server 2008 R2, 8, Server 2012, RT, Surface, Phone 8
    See details on Microsoft FIPS 140 Validated Cryptographic Modules
    Secure TransportApple FIPS Cryptographic Module: 1.0 (OS X 10.6, #1514), 1.1 (OS X 10.7, #1701)
    Apple OS X CoreCrypto Module; CoreCrypto Kernel Module: 3.0 (OS X 10.8, #1964, #1956), 4.0 (OS X 10.9, #2015, #2016)
    Apple iOS CoreCrypto Module; CoreCrypto Kernel Module: 3.0 (iOS 6, #1963, #1944), 4.0 (iOS 7, #2020, #2021)
    wolfSSL[87]wolfCrypt FIPS Module: 4.0 (#3389)
    See details on NIST certificate for validated Operating Environments
    wolfCrypt FIPS Module: 3.6.0 (#2425)
    See details on NIST certificate for validated Operating Environments
    wolfCrypt FIPS Module (#4178)
    See details on NIST certificate
    ImplementationLevel 1Level 2Level 1
    FIPS 140-1, FIPS 140-2FIPS 140-3
    1. ^ with Sun Sparc 5 w/ Sun Solaris v 2.4SE (ITSEC-rated)
    2. ^ with Sun Ultra-5 w/ Sun Trusted Solaris version 2.5.1 (ITSEC-rated)
    3. ^ with Solaris v8.0 with AdminSuite 3.0.1 as specified in UK IT SEC CC Report No. P148 EAL4 on a SUN SPARC Ultra-1
    4. ^ with these platforms; Red Hat Enterprise Linux Version 4 Update 1 AS on IBM xSeries 336 with Intel Xeon CPU, Trusted Solaris 8 4/01 on Sun Blade 2500 Workstation with UltraSPARC IIIi CPU
    5. ^ with these platforms; Red Hat Enterprise Linux v5 running on an IBM System x3550, Red Hat Enterprise Linux v5 running on an HP ProLiant DL145, Sun Solaris 10 5/08 running on a Sun SunBlade 2000 workstation, Sun Solaris 10 5/08 running on a Sun W2100z workstation

    Key exchange algorithms (certificate-only)

    This section lists the certificate verification functionality available in the various implementations.

    Implementation | RSA[38] | RSA-EXPORT (insecure)[38] | DHE-RSA (forward secrecy)[38] | DHE-DSS (forward secrecy)[38] | ECDH-ECDSA[88] | ECDHE-ECDSA (forward secrecy)[88] | ECDH-RSA[88] | ECDHE-RSA (forward secrecy)[88] | GOST R 34.10-94, 34.10-2001[89]
    --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
    Botan | Disabled by default | No | Yes | Disabled by default | No | Yes | No | Yes | No
    BSAFE | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No
    cryptlib | Yes | No | Yes | Yes | Yes | Yes | No | Yes | No
    GnuTLS | Yes | No | Yes | Disabled by default[42] | No | Yes | No | Yes | No
    JSSE | Yes | Disabled by default | Yes | Yes | Yes | Yes | Yes | Yes | No
    LibreSSL | Yes | No[46] | Yes | Yes | No | Yes | No | Yes | Yes[90]
    MatrixSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No
    Mbed TLS | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No
    NSS | Yes | Disabled by default | Yes[91] | Yes | Yes | Yes | Yes | Yes | No[92][93]
    OpenSSL | Yes | No[57] | Yes | Disabled by default[57] | No | Yes | No | Yes | Yes[94]
    Rustls | No | No | No | No | No | Yes[60] | No | Yes[60] | No
    Schannel XP/2003 | Yes | Yes | No | XP: Max 1024 bits; 2003: 1024 bits only | No | No | No | No | No[95]
    Schannel Vista/2008 | Yes | Disabled by default | No | 1024 bits by default[96] | No | Yes | No | except AES_GCM | No[95]
    Schannel 8/2012 | Yes | Disabled by default | AES_GCM only[97][98][99] | 1024 bits by default[96] | No | Yes | No | except AES_GCM | No[95]
    Schannel 7/2008R2, 8.1/2012R2 | Yes | Disabled by default | Yes | 2048 bits by default[96] | No | Yes | No | except AES_GCM | No[95]
    Schannel 10 | Yes | Disabled by default | Yes | 2048 bits by default[96] | No | Yes | No | Yes | No[95]
    Secure Transport OS X 10.6 | Yes | Yes | except AES_GCM | Yes | Yes | except AES_GCM | Yes | except AES_GCM | No
    Secure Transport OS X 10.8-10.10 | Yes | No | except AES_GCM | No | Yes | except AES_GCM | Yes | except AES_GCM | No
    Secure Transport OS X 10.11 | Yes | No | Yes | No | No | Yes | No | Yes | No
    wolfSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No
    Erlang/OTP SSL application | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No

    Key exchange algorithms (alternative key-exchanges)

    Implementation | SRP[100] | SRP-DSS[100] | SRP-RSA[100] | PSK-RSA[101] | PSK[101] | DHE-PSK (forward secrecy)[101] | ECDHE-PSK (forward secrecy)[102] | KRB5[103] | DH-ANON[38] (insecure) | ECDH-ANON[88] (insecure)
    --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
    Botan | No | No | No | No | Yes | No | Yes | No | No | No
    BSAFE SSL-J | No | No | No | No | Yes[104] | No | No | No | Disabled by default | Disabled by default
    cryptlib | No | No | No | No | Yes | Yes | No | No | No | No
    GnuTLS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Disabled by default | Disabled by default
    JSSE | No | No | No | No | No | No | No | No | Disabled by default | Disabled by default
    LibreSSL | No[105] | No[105] | No[105] | No | No | No | No | No | Yes | Yes
    MatrixSSL | No | No | No | Yes | Yes | Yes | No | No | Disabled by default | No
    Mbed TLS | No | No | No | Yes | Yes | Yes | Yes | No | No | No
    NSS | No[106] | No[106] | No[106] | No[107] | No[107] | No[107] | No[107] | No | Client side only, disabled by default[108] | Disabled by default[109]
    OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes[110] | Disabled by default[111] | Disabled by default[111]
    Rustls | No | No | No | No | No | No | No | No | No | No
    Schannel | No | No | No | No | No | No | No | Yes | No | No
    Secure Transport | No | No | No | No | No | No | No | Unknown | Yes | Yes
    wolfSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes[112] | Yes | No | No
    Erlang/OTP SSL application | Disabled by default | Disabled by default | Disabled by default | Disabled by default | Disabled by default | Disabled by default | No | No | Disabled by default | Disabled by default

    Certificate verification methods

    ImplementationApplication-definedPKIX path validation[113]CRL[114]OCSP[115]DANE (DNSSEC)[116][117]CT[118]
    BotanYesYesYesYesNoUnknown
    Bouncy CastleYesYesYesYesYesUnknown
    BSAFEYesYesYesYesNoUnknown
    cryptlibYesYesYesYesNoUnknown
    GnuTLSYesYesYesYesYesUnknown
    JSSEYesYesYesYesNoNo
    LibreSSLYesYesYesYesNoUnknown
    MatrixSSLYesYesYesYes[119]NoUnknown
    Mbed TLSYesYesYesNo[120]NoUnknown
    NSSYesYesYesYesNo[121]Unknown
    OpenSSLYesYesYesYesYesYes
    RustlsYesYesYesNoNoNo
    s2nNo [122]Unknown [123]Unknown [124]
    SchannelUnknownYesYes[125]Yes[125]NoUnknown
    Secure TransportYesYesYesYesNoUnknown
    wolfSSLYesYesYesYesNoUnknown
    Erlang/OTP SSL applicationYesYesYesNoNoUnknown
    ImplementationApplication-definedPKIX path validationCRLOCSPDANE (DNSSEC)CT

    Encryption algorithms

    ImplementationBlock cipher with mode of operationStream cipherNone
    AES GCM
    [126]
    AES CCM
    [127]
    AES CBCCamellia GCM
    [128]
    Camellia CBC
    [129][128]
    ARIA GCM
    [130]
    ARIA CBC
    [130]
    SEED CBC
    [131]
    3DES EDE CBC
    (insecure)[132]
    GOST 28147-89 CNT
    (proposed)
    [89][n 1]
    ChaCha20-Poly1305
    [133]
    Null
    (insecure)
    [n 2]
    BotanYesYesYesYesYesNoNoDisabled by defaultDisabled by defaultNoYes[134]Not implemented
    BoringSSLYesNoYesNoNoNoNoNoYesNoYes
    BSAFE SSL-JYesYesYesNoNoNoNoNoDisabled by defaultNoNoDisabled by default
    cryptlibYesNoYesNoNoNoNoNoYesNoNoNot implemented
    GnuTLSYesYes[42]YesYesYesNoNoNoDisabled by default[135]NoYes[136]Disabled by default
    JSSEYesNoYesNoNoNoNoNoDisabled by default[137]NoYes
    (JDK 12+)[138]
    Disabled by default
    LibreSSLYes[46]NoYesNoYes[90]NoNoNo[46]YesYes[90]Yes[46]Disabled by default
    MatrixSSLYesNoYesNoNoNoNoYesDisabled by defaultNoYes[139]Disabled by default
    Mbed TLSYesYes [140]YesYesYesYes[141]Yes[141]NoNo[50]NoYes[142]Disabled by default at compile time
    NSSYes[143]NoYesNo[144][n 3]Yes[145]NoNoYes[146]YesNo[92][93]Yes[147]Disabled by default
    OpenSSLYes[148]Disabled by default[57]YesNoDisabled by default[57]Disabled by default[149]NoDisabled by default[57]Disabled by default[57]Yes[94]Yes[57]Disabled by default
    RustlsYes[60]NoNoNoNoNoNoNoNoNoYes[60]Not implemented
    Schannel XP/2003NoNo2003 only[150]NoNoNoNoNoYesNo[95]NoDisabled by default
    Schannel Vista/2008, 2008R2, 2012NoNoYesNoNoNoNoNoYesNo[95]NoDisabled by default
    Schannel 7, 8, 8.1/2012R2Yes except ECDHE_RSA
    [97][98]
    NoYesNoNoNoNoNoYesNo[95]NoDisabled by default
    Schannel 10[151]YesNoYesNoNoNoNoNoYesNo[95]NoDisabled by default
    Secure Transport OS X 10.6 - 10.10NoNoYesNoNoNoNoNoYesNoNoDisabled by default
    Secure Transport OS X 10.11YesNoYesNoNoNoNoNoYesNoNoDisabled by default
    wolfSSLYesYesYesNoNoNoNoNoYesNoYesDisabled by default
    Erlang/OTP SSL applicationYesNoYesNoNoNoNoNoDisabled by defaultNoExperimentalDisabled by default
    ImplementationBlock cipher with mode of operationStream cipherNone
    AES GCM
    [126]
    AES CCM
    [127]
    AES CBCCamellia GCM
    [128]
    Camellia CBC
    [129][128]
    ARIA GCM
    [130]
    ARIA CBC
    [130]
    SEED CBC
    [131]
    3DES EDE CBC
    (insecure)[132]
    GOST 28147-89 CNT
    (proposed)
    [89][n 1]
    ChaCha20-Poly1305
    [133]
    Null
    (insecure)
    [n 2]
    Notes
    1. ^ a b This algorithm is not defined yet as TLS cipher suites in RFCs, is proposed in drafts.
    2. ^ a b authentication only, no encryption
    3. ^ This algorithm is implemented in an NSS fork used by Pale Moon.

    Obsolete algorithms

    Implementation | IDEA CBC[n 1] (insecure)[153] | DES CBC (insecure)[n 1] | DES-40 CBC (EXPORT, insecure)[n 2] | RC2-40 CBC (EXPORT, insecure)[n 2] | RC4-128 (insecure)[n 3] | RC4-40 (EXPORT, insecure)[n 4][n 2]
    --- | --- | --- | --- | --- | --- | ---
    Cipher type | Block cipher with mode of operation | Block cipher with mode of operation | Block cipher with mode of operation | Block cipher with mode of operation | Stream cipher | Stream cipher
    Botan | No | No | No | No | No[154] | No
    BoringSSL | No | No | No | No | Disabled by default at compile time | No
    BSAFE SSL-J | No | Disabled by default | Disabled by default | No | Disabled by default | Disabled by default
    cryptlib | No | Disabled by default at compile time | No | No | Disabled by default at compile time | No
    GnuTLS | No | No | No | No | Disabled by default[42] | No
    JSSE | No | Disabled by default | Disabled by default | No | Disabled by default | Disabled by default[155]
    LibreSSL | Yes | Yes | No[46] | No[46] | Yes | No[46]
    MatrixSSL | Yes | No | No | No | Disabled by default | No
    Mbed TLS | No | Disabled by default at compile time | No | No | Disabled by default at compile time[51] | No
    NSS | Yes | Disabled by default | Disabled by default | Disabled by default | Lowest priority[156][157] | Disabled by default
    OpenSSL | Disabled by default[57] | Disabled by default | No[57] | No[57] | Disabled by default | No[57]
    Rustls | No | No | No | No | No | No
    Schannel XP/2003 | No | Yes | Yes | Yes | Yes | Yes
    Schannel Vista/2008 | No | Disabled by default | Disabled by default | Disabled by default | Yes | Disabled by default
    Schannel 7/2008R2 | No | Disabled by default | Disabled by default | Disabled by default | Lowest priority, will be disabled soon[158] | Disabled by default
    Schannel 8/2012 | No | Disabled by default | Disabled by default | Disabled by default | Only as fallback | Disabled by default
    Schannel 8.1/2012R2 | No | Disabled by default | Disabled by default | Disabled by default | Disabled by default[158] | Disabled by default
    Schannel 10[151] | No | Disabled by default | Disabled by default | Disabled by default | Disabled by default[158] | Disabled by default
    Secure Transport OS X 10.6 | Yes | Yes | Yes | Yes | Yes | Yes
    Secure Transport OS X 10.7 | Yes | Unknown | Unknown | Unknown | Yes | Unknown
    Secure Transport OS X 10.8-10.9 | Yes | Disabled by default | Disabled by default | Disabled by default | Yes | Disabled by default
    Secure Transport OS X 10.10-10.11 | Yes | Disabled by default | Disabled by default | Disabled by default | Lowest priority | Disabled by default
    Secure Transport macOS 10.12 | Yes | Disabled by default | Disabled by default | Disabled by default | Disabled by default | Disabled by default
    wolfSSL | Disabled by default[159] | No | No | No | Disabled by default | No
    Erlang/OTP SSL application | No | Disabled by default | No | No | Disabled by default | No
    Notes
    1. ^ a b c d IDEA and DES have been removed from TLS 1.2.[152]
    2. ^ a b c d e f 40 bits strength of cipher suites were designed to operate at reduced key lengths in order to comply with US regulations about the export of cryptographic software containing certain strong encryption algorithms (see Export of cryptography from the United States). These weak suites are forbidden in TLS 1.1 and later.
    3. ^ a b The RC4 attacks weaken or break RC4 used in SSL/TLS. Use of RC4 is prohibited by RFC 7465.
    4. ^ a b The RC4 attacks weaken or break RC4 used in SSL/TLS.

    Supported elliptic curves

    This section lists the supported elliptic curves by each implementation.

    Defined curves in RFC 8446 (for TLS 1.3) and RFC 8422, 7027 (for TLS 1.2 and earlier)

    Implementation | secp256r1, prime256v1, NIST P-256 (0x0017,[160] 23[161]) | secp384r1, NIST P-384 (0x0018,[160] 24[161]) | secp521r1, NIST P-521 (0x0019,[160] 25[161]) | X25519 (0x001D,[160] 29[161]) | X448 (0x001E,[160] 30[161]) | brainpoolP256r1 (26)[162] | brainpoolP384r1 (27)[162] | brainpoolP512r1 (28)[162]
    --- | --- | --- | --- | --- | --- | --- | --- | ---
    Applicable TLS version | TLS 1.3 and earlier | TLS 1.3 and earlier | TLS 1.3 and earlier | TLS 1.3 and earlier | TLS 1.3 and earlier | TLS 1.2 and earlier | TLS 1.2 and earlier | TLS 1.2 and earlier
    Botan | Yes | Yes | Yes | Yes[134] | No | Yes[163] | Yes[163] | Yes[163]
    BoringSSL | Yes | Yes | Yes (disabled by default) | Yes | No | No | No | No
    BSAFE | Yes | Yes | Yes | No | No | No | No | No
    GnuTLS | Yes | Yes | Yes | Yes[164] | Yes[165] | No | No | No
    JSSE | Yes | Yes | Yes | Yes (x25519: JDK 13+[166]; Ed25519: JDK 15+[167]) | Yes (x448: JDK 13+[166]; Ed448: JDK 15+[167]) | No | No | No
    LibreSSL | Yes | Yes | Yes | Yes[168] | No | Yes[46] | Yes[46] | Yes[46]
    MatrixSSL | Yes | Yes | Yes | TLS 1.3 only[169] | No | Yes | Yes | Yes
    Mbed TLS | Yes | Yes | Yes | Primitive only[170] | Primitive only[171] | Yes[172] | Yes[172] | Yes[172]
    NSS | Yes | Yes | Yes | Yes[173] | No[174][175] | No[176] | No[176] | No[176]
    OpenSSL | Yes | Yes | Yes | Yes[177][178] | Yes[179][180] | Yes[59] | Yes[59] | Yes[59]
    Rustls | Yes | Yes | No | Yes | No | No | No | No
    Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | Yes | Yes | Yes | No | No | No | No | No
    Secure Transport | Yes | Yes | Yes | No | No | No | No | No
    wolfSSL | Yes | Yes | Yes | Yes[181] | Yes[182] | Yes | Yes | Yes
    Erlang/OTP SSL application | Yes | Yes | Yes | No | No | Yes | Yes | Yes

    Deprecated curves in RFC 8422

    Implementation | sect163k1, NIST K-163 (1)[88] | sect163r1 (2)[88] | sect163r2, NIST B-163 (3)[88] | sect193r1 (4)[88] | sect193r2 (5)[88] | sect233k1, NIST K-233 (6)[88] | sect233r1, NIST B-233 (7)[88] | sect239k1 (8)[88] | sect283k1, NIST K-283 (9)[88] | sect283r1, NIST B-283 (10)[88] | sect409k1, NIST K-409 (11)[88] | sect409r1, NIST B-409 (12)[88] | sect571k1, NIST K-571 (13)[88] | sect571r1, NIST B-571 (14)[88]
    --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
    Botan | No | No | No | No | No | No | No | No | No | No | No | No | No | No
    BoringSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No
    BSAFE | Yes | No | Yes | No | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes
    GnuTLS | No | No | No | No | No | No | No | No | No | No | No | No | No | No
    JSSE | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b]
    LibreSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
    MatrixSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No
    Mbed TLS | No | No | No | No | No | No | No | No | No | No | No | No | No | No
    NSS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
    OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
    Rustls | No | No | No | No | No | No | No | No | No | No | No | No | No | No
    Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | No | No | No | No | No | No | No | No | No | No | No | No | No | No
    Secure Transport | No | No | No | No | No | No | No | No | No | No | No | No | No | No
    wolfSSL | No | No | No | No | No | No | No | No | No | No | No | No | No | No
    Erlang/OTP SSL application | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes

    Implementation | secp160k1 (15)[88] | secp160r1 (16)[88] | secp160r2 (17)[88] | secp192k1 (18)[88] | secp192r1, prime192v1, NIST P-192 (19)[88] | secp224k1 (20)[88] | secp224r1, NIST P-224 (21)[88] | secp256k1 (22)[88] | arbitrary prime curves (0xFF01)[88][185] | arbitrary char2 curves (0xFF02)[88][185]
    --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
    Botan | No | No | No | No | No | No | No | No | No | No
    BoringSSL | No | No | No | No | No | No | Yes | No | No | No
    BSAFE | No | No | No | No | Yes | No | Yes | No | No | No
    GnuTLS | No | No | No | No | Yes | No | Yes | No | No | No
    JSSE | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | Notes[a][b] | No | No
    LibreSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No
    MatrixSSL | No | No | No | No | Yes | No | Yes | No | No | No
    Mbed TLS | No | No | No | Yes | Yes | Yes | Yes | Yes | No | No
    NSS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No
    OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No
    Rustls | No | No | No | No | No | No | No | No | No | No
    Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10 | No | No | No | No | No | No | No | No | No | No
    Secure Transport | No | No | No | No | Yes | No | No | No | No | No
    wolfSSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No
    Erlang/OTP SSL application | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No
    Notes
    1. ^ a b c d e f g h i j k l m n o p q r s t u v These elliptic curves were "Disabled by Default" in current JDK families as part of JDK-8236730.[183]
    2. ^ a b c d e f g h i j k l m n o p q r s t u v These elliptic curves were subsequently removed in JDK 16+ as part of JDK-8252601.[184]
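
The code points in the curve tables are the values a client lists in the supported_groups extension of its ClientHello. The following Python code is an added example, not part of the original article: it parses a ClientHello extensions block and sorts the offered groups into the article's categories (current, TLS 1.2 and earlier only, deprecated in RFC 8422). The function names and the sample bytes are constructed for illustration.

```python
import struct

SUPPORTED_GROUPS_EXT = 10  # extension type of supported_groups

# Code points taken from the tables in this section.
CURRENT = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1",
           29: "x25519", 30: "x448"}
TLS12_ONLY = {26: "brainpoolP256r1", 27: "brainpoolP384r1",
              28: "brainpoolP512r1"}
DEPRECATED = {
    1: "sect163k1", 2: "sect163r1", 3: "sect163r2", 4: "sect193r1",
    5: "sect193r2", 6: "sect233k1", 7: "sect233r1", 8: "sect239k1",
    9: "sect283k1", 10: "sect283r1", 11: "sect409k1", 12: "sect409r1",
    13: "sect571k1", 14: "sect571r1", 15: "secp160k1", 16: "secp160r1",
    17: "secp160r2", 18: "secp192k1", 19: "secp192r1", 20: "secp224k1",
    21: "secp224r1", 22: "secp256k1",
    0xFF01: "arbitrary prime curves", 0xFF02: "arbitrary char2 curves",
}


def find_extension(block, ext_type):
    """Return the data of the first extension of ext_type, or None.

    block is the ClientHello extensions vector: a 2-byte total length
    followed by (type, length, data) records.
    """
    if len(block) < 2:
        raise ValueError("extensions block shorter than its length prefix")
    (total,) = struct.unpack_from("!H", block, 0)
    if total != len(block) - 2:
        raise ValueError("length prefix does not match block size")
    pos = 2
    while pos < len(block):
        if pos + 4 > len(block):
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack_from("!HH", block, pos)
        pos += 4
        if pos + elen > len(block):
            raise ValueError("extension data runs past end of block")
        if etype == ext_type:
            return block[pos:pos + elen]
        pos += elen
    return None


def parse_supported_groups(data):
    """Decode the named group list: 2-byte byte count, then 2-byte IDs."""
    if len(data) < 2:
        raise ValueError("supported_groups data too short")
    (count,) = struct.unpack_from("!H", data, 0)
    if count != len(data) - 2 or count == 0 or count % 2:
        raise ValueError("malformed named group list")
    return list(struct.unpack_from("!%dH" % (count // 2), data, 2))


def classify(groups):
    """Sort group IDs into the categories used by the tables above."""
    out = {"current": [], "tls12_only": [], "deprecated": [], "unlisted": []}
    for g in groups:
        if g in CURRENT:
            out["current"].append(CURRENT[g])
        elif g in TLS12_ONLY:
            out["tls12_only"].append(TLS12_ONLY[g])
        elif g in DEPRECATED:
            out["deprecated"].append(DEPRECATED[g])
        else:
            # Not in the article's tables (for example FFDHE or GREASE values).
            out["unlisted"].append("0x%04x" % g)
    return out


def audit_extensions(block):
    """Classify the groups a client offers; None if the extension is absent."""
    data = find_extension(block, SUPPORTED_GROUPS_EXT)
    if data is None:
        return None
    return classify(parse_supported_groups(data))


def build_extension(etype, data):
    """Helper used only to construct the sample input below."""
    return struct.pack("!HH", etype, len(data)) + data


# Constructed sample: a server_name extension followed by supported_groups
# offering x25519, P-256, P-384, secp192r1, brainpoolP256r1 and 0x0a0a.
_sni = build_extension(0, b"\x00\x0e\x00\x00\x0bexample.com")
_groups = build_extension(
    SUPPORTED_GROUPS_EXT,
    struct.pack("!H", 12) + struct.pack("!6H", 29, 23, 24, 19, 26, 0x0A0A))
SAMPLE_EXTENSIONS = struct.pack("!H", len(_sni + _groups)) + _sni + _groups

if __name__ == "__main__":
    for category, names in audit_extensions(SAMPLE_EXTENSIONS).items():
        print(category, names)
```

A non-empty `deprecated` list in the result marks a client that still offers curves RFC 8422 deprecated.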

    Data integrity

    Implementation | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA256/384 | AEAD | GOST 28147-89 IMIT[89] | GOST R 34.11-94[89]
    --- | --- | --- | --- | --- | --- | ---
    Botan | No | Yes | Yes | Yes | No | No
    BSAFE | Yes | Yes | Yes | Yes | No | No
    cryptlib | Yes | Yes | Yes | Yes | No | No
    GnuTLS | Yes | Yes | Yes | Yes | No | No
    JSSE | Disabled by default | Yes | Yes | Yes | No | No
    LibreSSL | Yes | Yes | Yes | Yes | Yes[90] | Yes[90]
    MatrixSSL | Yes | Yes | Yes | Yes | No | No
    Mbed TLS | Yes | Yes | Yes | Yes | No | No
    NSS | Yes | Yes | Yes | Yes | No[92][93] | No[92][93]
    OpenSSL | Yes | Yes | Yes | Yes | Yes[94] | Yes[94]
    Rustls | No | No | No | Yes | No | No
    Schannel XP/2003, Vista/2008 | Yes | Yes | XP SP3, 2003 SP2 via hotfix[186] | No | No[95] | No[95]
    Schannel 7/2008R2, 8/2012, 8.1/2012R2 | Yes | Yes | Yes | except ECDHE_RSA[97][98][99] | No[95] | No[95]
    Schannel 10 | Yes | Yes | Yes | Yes[151] | No[95] | No[95]
    Secure Transport | Yes | Yes | Yes | Yes | No | No
    wolfSSL | Disabled by default | Yes | Yes | Yes | No | No
    Erlang/OTP SSL application | Yes | Yes | Yes | Yes | No | No

    Compression

    Note the CRIME security exploit takes advantage of TLS compression, so conservative implementations do not enable compression at the TLS level. HTTP compression is unrelated and unaffected by this exploit, but is exploited by the related BREACH attack.

    Implementation | DEFLATE[187] (insecure)
    --- | ---
    Botan | No
    BSAFE[41] | No
    cryptlib | No
    GnuTLS | Disabled by default
    JSSE | No
    LibreSSL | No[46]
    MatrixSSL | Disabled by default
    Mbed TLS | Disabled by default
    NSS | Disabled by default
    OpenSSL | Disabled by default
    Rustls | No
    Schannel | No
    Secure Transport | No
    wolfSSL | Disabled by default
    Erlang/OTP SSL application | No

    Extensions

    In this section the extensions each implementation supports are listed. Note that the Secure Renegotiation extension is critical for HTTPS client security [citation needed]. TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.

    | Implementation | Secure Renegotiation[188] | Server Name Indication[189] | ALPN[190] | Certificate Status Request[189] | OpenPGP[191] | Supplemental Data[192] | Session Ticket[193] | Keying Material Exporter[194] | Maximum Fragment Length[189] | Encrypt-then-MAC[29] | TLS Fallback SCSV[195] | Extended Master Secret[196] | ClientHello Padding[197] | Raw Public Keys[198] |
    | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
    | Botan | Yes | Yes | Yes[199] | No | No | No | Yes | Yes | Yes | Yes | Yes[200] | Yes[201] | No | Unknown |
    | BSAFE SSL-J | Yes | Yes | No | Yes | No | No | No | No | Yes | No | No | Yes | No | No |
    | cryptlib | Yes | Yes | No | No | No | Yes | No | No | No[202] | Yes | Yes | Yes | No | Unknown |
    | GnuTLS | Yes | Yes | Yes[203] | Yes | No[204] | Yes | Yes | Yes | Yes | Yes[42] | Yes[205] | Yes[42] | Yes[206] | Yes[207] |
    | JSSE | Yes | Yes[72] | Yes[72] | Yes | No | No | Yes | No | Yes | No | No | Yes | No | No |
    | LibreSSL | Yes | Yes | Yes[208] | Yes | No | No? | Yes | Yes? | No | No | Server side only[209] | No | Yes | No |
    | MatrixSSL | Yes | Yes | Yes[210] | Yes[139] | No | No | Yes | No | Yes | No | Yes[139] | Yes[139] | No | Unknown |
    | Mbed TLS | Yes | Yes | Yes[211] | No | No | No | Yes | No | Yes | Yes[212] | Yes[212] | Yes[212] | No | No |
    | NSS | Yes | Yes | Yes[213] | Yes | No[214] | No | Yes | Yes | No | No[215] | Yes[216] | Yes[217] | Yes[213] | Unknown |
    | OpenSSL | Yes | Yes | Yes[59] | Yes | No | No? | Yes | Yes | Yes | Yes | Yes[218] | Yes[57] | Yes[219] | Yes[220] |
    | Rustls | Yes | Yes | Yes | Yes | No | No | Yes | Yes | No | No | No[221] | Yes | No | Unknown |
    | Schannel XP/2003 | No | No | No | No | No | Yes | No | No | No | No | No | No | No | Unknown |
    | Schannel Vista/2008 | Yes | Yes | No | No | No | Yes | No | No | No | No | No | Yes[222] | No | Unknown |
    | Schannel 7/2008R2 | Yes | Yes | No | Yes | No | Yes | No | No | No | No | No | Yes[222] | No | Unknown |
    | Schannel 8/2012 | Yes | Yes | No | Yes | No | Yes | Client side only[223] | No | No | No | No | Yes[222] | No | Unknown |
    | Schannel 8.1/2012R2, 10 | Yes | Yes | Yes | Yes | No | Yes | Yes[223] | No | No | No | No | Yes[222] | No | Unknown |
    | Secure Transport | Yes | Yes | Unknown | No | No | Yes | No | No | No | No | No | No | No | Unknown |
    | wolfSSL | Yes | Yes | Yes[159] | Yes | No | No | Yes | No | Yes | Yes[224] | No | Yes | No | Yes[225] |
    | Erlang/OTP SSL application | Yes | Yes | Yes | No | No | No | No | No | No | No | Yes | No | No | Unknown |

    Assisted cryptography

    This section lists the known ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or to use system-specific devices that allow access to underlying cryptographic hardware for acceleration or for data separation.

    Implementation | PKCS #11 device | Intel AES-NI | VIA PadLock | ARMv8-A | Intel SHA | NXP CAAM | TPM 2.0 | NXP SE050 | Microchip ATECC | STMicro STSAFE | Maxim MAXQ
    BotanYes[226]YesNoYesNoYes[227]NoNoNoNo
    BSAFE SSL-J [a][b]YesYesNoYesYesNoNo[230]NoNoNoNo
    cryptlibYesYesYesNoYesNoNoNoNo
    Crypto++YesYesNoNoNoNo
    GnuTLSYesYesYesYes[231]YesNo[232]NoNoNoNo
    JSSEYesYes[233]NoNoNoNoNoNoNo
    LibreSSLNoYesYesNoNoNoNoNo
    MatrixSSLYesYesNoYesNoNoNoNoNo
    Mbed TLSYesYes[234]YesNoNoPartial[235]Yes[236]NoNo
    NSSYes[237]Yes[238]No[239]NoNoNoNoNoNo
    OpenSSLYes[240][241][242]YesYesYes[243]YesPartialPartial[244][245]Partial[235]NoPartial[246]No
    RustlsYesYesYesNoNoNoNo
    SchannelNoYesNoNoNoNoNoNoNo
    Secure TransportNoYes[247][248]NoYesNoNoNoNoNo
    wolfSSLYesYesNoYesYesYes[249]Yes[250][251]Yes[252]Yes[253]Yes[254]Yes[255]
    a. ^ Pure Java implementations rely on JVM processor optimization capabilities, such as OpenJDK support for AES-NI.[228]
    b. ^ BSAFE SSL-J can be configured to run in native mode, using BSAFE Crypto-C Micro Edition to benefit from processor optimization.[229]

    System-specific backends

    This section lists the ability of an implementation to take advantage of the available operating-system-specific backends, or of the backends provided by another implementation.

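    | Implementation | /dev/crypto | af_alg | Windows CSP | CommonCrypto | OpenSSL engine |
    | --- | --- | --- | --- | --- | --- |
    | Botan | No | No | No | No | Partial |
    | BSAFE | No | No | No | No | No |
    | cryptlib | Yes | No | No | No | No |
    | GnuTLS | Yes | Yes | No | No | No |
    | JSSE | No | No | Yes | No | No |
    | LibreSSL | No | No | No | No | No[256] |
    | MatrixSSL | No | No | No | Yes | Yes |
    | Mbed TLS | No | No | No | No | No |
    | NSS | No | No | No | No | No |
    | OpenSSL | Yes | Yes | No | No | Yes |
    | Rustls | No | Yes[257] | No | No | No |
    | Schannel | No | No | Yes | No | No |
    | Secure Transport | No | No | No | Yes | No |
    | wolfSSL | Yes | Yes | Partial | No | Yes[258] |
    | Erlang/OTP SSL application | No | No | No | No | Yes |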

    Cryptographic module/token support

    | Implementation | TPM support | Hardware token support | Objects identified via |
    | --- | --- | --- | --- |
    | Botan | Partial[201] | PKCS #11 | |
    | BSAFE SSL-J | No | No | |
    | cryptlib | Yes | PKCS #11 | User-defined label |
    | GnuTLS | Yes | PKCS #11 | RFC 7512 PKCS #11 URLs[259] |
    | JSSE | No | PKCS11 Java Cryptography Architecture, Java Cryptography Extension | |
    | LibreSSL | Yes | PKCS #11 (via 3rd party module) | Custom method |
    | MatrixSSL | No | PKCS #11 | |
    | Mbed TLS | No | PKCS #11 (via libpkcs11-helper) or standard hooks | Custom method |
    | NSS | No | PKCS #11 | |
    | OpenSSL | Yes | PKCS #11 (via 3rd party module)[260] | RFC 7512 PKCS #11 URLs[259] |
    | Rustls | No | Microsoft CryptoAPI[261] | Custom method |
    | Schannel | No | Microsoft CryptoAPI | UUID, User-defined label |
    | Secure Transport | | | |
    | wolfSSL | Yes | PKCS #11 | |

    Code dependencies

    | Implementation | Dependencies | Optional dependencies |
    | --- | --- | --- |
    | Botan | C++20 | SQLite; zlib (compression); bzip2 (compression); liblzma (compression); boost; trousers (TPM) |
    | GnuTLS | libc; nettle; gmp | zlib (compression); p11-kit (PKCS #11); trousers (TPM); libunbound (DANE) |
    | JSSE | Java | |
    | MatrixSSL | none | zlib (compression) |
    | MatrixSSL-open | libc or newlib | |
    | Mbed TLS | libc | libpkcs11-helper (PKCS #11); zlib (compression) |
    | NSS | libc; libnspr4; libsoftokn3; libplc4; libplds4 | zlib (compression) |
    | Rustls | rust core library | rust std library; zlib-rs (compression); brotli (compression); ring (cryptography); aws-lc-rs (cryptography) |
    | OpenSSL | libc | zlib (compression); brotli (compression); zstd (compression) |
    | wolfSSL | None | libc; zlib (compression) |
    | Erlang/OTP SSL application | libcrypto (from OpenSSL), Erlang/OTP and its public_key, crypto and asn1 applications | Erlang/OTP -inets (http fetching of CRLs) |

    Development environment

    | Implementation | Namespace | Build tools | API manual | Crypto back-end | OpenSSL compatibility layer[clarify] |
    | --- | --- | --- | --- | --- | --- |
    | Botan | Botan::TLS | Makefile | Sphinx | Included (pluggable) | No |
    | Bouncy Castle | org.bouncycastle | Java Development Environment | Programmers reference manual (PDF) | Included (pluggable) | No |
    | BSAFE SSL-J | com.rsa.asn1[a], com.rsa.certj[b], com.rsa.jcp[c], com.rsa.jsafe[d], com.rsa.ssl[e], com.rsa.jsse[f] | Java class loader | Javadoc, Developer's guide (HTML) | Included | No |
    | cryptlib | crypt* | makefile, MSVC project workspaces | Programmers reference manual (PDF), architecture design manual (PDF) | Included (monolithic) | No |
    | GnuTLS | gnutls_* | Autoconf, automake, libtool | Manual and API reference (HTML, PDF) | External, libnettle | Yes (limited) |
    | JSSE | javax.net.ssl, sun.security.ssl | Makefile | API Reference (HTML) + JSSE Reference Guide | Java Cryptography Architecture, Java Cryptography Extension | No |
    | MatrixSSL | matrixSsl_*, ps* | Makefile, MSVC project workspaces, Xcode projects for OS X and iOS | API Reference (PDF), Integration Guide | Included (pluggable) | Yes (Subset: SSL_read, SSL_write, etc.) |
    | Mbed TLS | mbedtls_ssl_*, mbedtls_sha1_*, mbedtls_md5_*, mbedtls_x509*, ... | Makefile, CMake, MSVC project workspaces, yotta | API Reference + High Level and Module Level Documentation (HTML) | Included (monolithic) | No |
    | NSS | CERT_*, SEC_*, SECKEY_*, NSS_*, PK11_*, SSL_*, ... | Makefile | Manual (HTML) | Included, PKCS#11 based[262] | Yes (separate package called nss_compat_ossl[263]) |
    | OpenSSL | SSL_*, SHA1_*, MD5_*, EVP_*, ... | Makefile | Man pages | Included (monolithic) | N/a |
    | Rustls | rustls:: | cargo | API reference and design manual | Two options included (pluggable) | Yes[264] (subset) |
    | wolfSSL | wolfSSL_*, CyaSSL_*, SSL_* | Autoconf, automake, libtool, MSVC project workspaces, XCode projects, CodeWarrior projects, MPLAB X projects, Keil, IAR, Clang, GCC, e2Studio | Manual and API Reference (HTML, PDF) | Included (monolithic) | Yes (about 60% of API) |
    a. ^ ASN.1 manipulation classes
    b. ^ Cert-J proprietary API
    c. ^ Certificate Path manipulation classes
    d. ^ Crypto-J proprietary API, JCE, CMS and PKI API
    e. ^ SSLJ proprietary API
    f. ^ JSSE API

    Portability concerns

    | Implementation | Platform requirements | Network requirements | Thread safety | Random seed | Able to cross-compile | No OS (bare metal) | Supported operating systems |
    | --- | --- | --- | --- | --- | --- | --- | --- |
    | Botan | C++11 | None | Thread-safe | Platform-dependent | Yes | | Windows, Linux, macOS, Android, iOS, FreeBSD, OpenBSD, Solaris, AIX, HP-UX, QNX, BeOS, IncludeOS |
    | BSAFE SSL-J | Java | Java SE network components | Thread-safe | Depends on java.security.SecureRandom | Yes | No | FreeBSD, Linux, macOS, Microsoft Windows, Android, AIX, Solaris |
    | cryptlib | C89 | POSIX send() and recv(). API to supply your own replacement | Thread-safe | Platform-dependent, including hardware sources | Yes | Yes | AMX, BeOS, ChorusOS, DOS, eCos, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, Palm OS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, macOS, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK |
    | GnuTLS | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available. | Platform dependent | Yes | No | Generally any POSIX platforms or Windows, commonly tested platforms include Linux, Win32/64, macOS, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD. |
    | JSSE | Java | Java SE network components | Thread-safe | Depends on java.security.SecureRandom | Yes | | Java based, platform-independent |
    | MatrixSSL | C89 | None | Thread-safe | Platform dependent | Yes | Yes | All |
    | Mbed TLS | C89 | POSIX read() and write(). API to supply your own replacement. | Threading layer available (POSIX or own hooks) | Random seed set through entropy pool | Yes | Yes | Known to work on: Win32/64, Linux, macOS, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox, Android, eCos, SeggerOS, RISC OS |
    | NSS | C89, NSPR[265] | NSPR[265] PR_Send() and PR_Recv(). API to supply your own replacement. | Thread-safe | Platform dependent[266] | Yes (but cumbersome) | No | AIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, macOS, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation |
    | Rustls | Rust (programming language) | None | Thread-safe | Platform dependent | Yes | Yes | All supported by Rust (programming language) |
    | OpenSSL | C89 | None | Thread-safe | Platform dependent | Yes | No | Unix-like, DOS (with djgpp), Windows, OpenVMS, NetWare, eCos |
    | wolfSSL | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe | Random seed set through wolfCrypt | Yes | Yes | Win32/64, Linux, macOS, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Yocto Project, OpenEmbedded, WinCE, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and GameCube through DevKitPro, QNX, MontaVista, NonStop, TRON/ITRON/μITRON, eCos, Micrium μC/OS-III, FreeRTOS, SafeRTOS, NXP/Freescale MQX, Nucleus, TinyOS, HP/UX, AIX, ARC MQX, Keil RTX, TI-RTOS, uTasker, embOS, INtime, Mbed, uT-Kernel, RIOT, CMSIS-RTOS, FROSTED, Green Hills INTEGRITY, TOPPERS, PetaLinux, Apache mynewt |

    See also

    • SCTP — with DTLS support
    • DCCP — with DTLS support
    • SRTP — with DTLS support (DTLS-SRTP) and Secure Real-Time Transport Control Protocol (SRTCP)

    References

    1. ^ "Botan: Release Notes". Retrieved 2025-12-22.
    2. ^ "BoringSSL README.md". boringssl.googlesource.com. Retrieved 2025-11-11.
    3. ^ "Download Bouncy Castle for Java - bouncycastle.org". 2025-11-27. Retrieved 2025-12-01.
    4. ^ "Download Bouncy Castle for Java LTS - bouncycastle.org". 2025-09-19. Retrieved 2025-12-01.
    5. ^ "Download Bouncy Castle for Java FIPS - bouncycastle.org". 2024-07-30. Retrieved 2024-11-29.
    6. ^ "Download Bouncy Castle for C# .NET - bouncycastle.org". 2025-07-15. Retrieved 2025-12-01.
    7. ^ "Download Bouncy Castle for C# .NET FIPS - bouncycastle.org". 2024-03-11. Retrieved 2024-11-29.
    8. ^ "Dell BSAFE SSL-J 7.4 Release Advisory". Dell.
    9. ^ "Dell BSAFE Micro Edition Suite 5.0.3 Release Advisory".
    10. ^ Gutmann, Peter (May 1, 2025). "cryptlib". Github. Retrieved 2025-08-02.
    11. ^ Daiki Ueno (20 November 2025). "gnutls 3.8.11 released". Retrieved 20 November 2025.
    12. ^ "Java Development Kit 25 Release Notes". Oracle Corporation. Retrieved 2025-06-09.
    13. ^ "Java™ SE Development Kit 21, 21.0.5 Release Notes". Oracle Corporation. Retrieved 2024-10-16.
    14. ^ "Java™ SE Development Kit 17, 17.0.13 Release Notes". Oracle Corporation. Retrieved 2024-10-16.
    15. ^ "Java™ SE Development Kit 11, 11.0.25 Release Notes". Oracle Corporation. Retrieved 2024-10-16.
    16. ^ "Java™ SE Development Kit 8, Update 431 Release Notes". Oracle Corporation. Retrieved 2024-10-16.
    17. ^ "LibreSSL 4.1.2 and 4.2.1 released". 31 October 2025. Retrieved 3 November 2025.
    18. ^ The features listed are for the closed source version
    19. ^ "MatrixSSL 4.2.2 Open release". 2019-09-11. Retrieved 2020-03-20.
    20. ^ "Release 4.0.0". 15 October 2025. Retrieved 21 October 2025.
    21. ^ a b "NSS:Release versions". Mozilla Wiki. Retrieved 7 November 2022.
    22. ^ "OpenSSL 3.6.0". 1 October 2025. Retrieved 1 October 2025.
    23. ^ "rustls/rustls releases". Github. Retrieved 15 August 2025.
    24. ^ "wolfSSL product description". Retrieved 2016-05-03.
    25. ^ "wolfSSL Embedded SSL/TLS". Retrieved 2016-05-03.
    26. ^ "wolfSSL ChangeLog". 2025-11-20. Retrieved 2025-11-20.
    27. ^ Prohibiting Secure Sockets Layer (SSL) Version 2.0. doi:10.17487/RFC6176. RFC 6176.
    28. ^ Vaudenay, Serge (2001). "CBC-Padding: Security Flaws in SSL, IPsec, WTLS,..." (PDF).
    29. ^ a b Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security. doi:10.17487/RFC7366. RFC 7366.
    30. ^ "Rizzo/Duong BEAST Countermeasures". Archived from the original on 2016-03-11.
    31. ^ Möller, Bodo; Duong, Thai; Kotowicz, Krzysztof (September 2014). "This POODLE Bites: Exploiting The SSL 3.0 Fallback" (PDF). Archived from the original (PDF) on 15 October 2014. Retrieved 15 October 2014.
    32. ^ "TLSv1.2's Major Differences from TLSv1.1". The Transport Layer Security (TLS) Protocol Version 1.2. sec. 1.2. doi:10.17487/RFC5246. RFC 5246.
    33. ^ a b c RFC 6347. doi:10.17487/RFC6347.
    34. ^ a b Elgamal, Taher; Hickman, Kipp E. B. (19 April 1995). The SSL Protocol. I-D draft-hickman-netscape-ssl-00.
    35. ^ a b RFC 6101. doi:10.17487/RFC6101.
    36. ^ a b RFC 2246. doi:10.17487/RFC2246.
    37. ^ a b RFC 4346. doi:10.17487/RFC4346.
    38. ^ a b c d e f g h i j k l RFC 5246. doi:10.17487/RFC5246.
    39. ^ a b RFC 4347. doi:10.17487/RFC4347.
    40. ^ "Version 1.11.13, 2015-01-11 — Botan". 2015-01-11. Archived from the original on 2015-01-09. Retrieved 2015-01-16.
    41. ^ a b c "RSA BSAFE Technical Specification Comparison Tables" (PDF). Archived from the original (PDF) on 2015-09-24. Retrieved 2015-01-09.
    42. ^ a b c d e f "[gnutls-devel] GnuTLS 3.4.0 released". 2015-04-08. Retrieved 2015-04-16.
    43. ^ "[gnutls-devel] GnuTLS 3.6.3". 2018-07-16. Retrieved 2018-09-16.
    44. ^ "Java SE Development Kit 8, Update 31 Release Notes". Retrieved 2024-01-14.
    45. ^ a b "Release Note: Disable TLS 1.0 and 1.1". Retrieved 2024-01-14.
    46. ^ a b c d e f g h i j k l m "OpenBSD 5.6 Released". 2014-11-01. Retrieved 2015-01-20.
    47. ^ "LibreSSL 2.3.0 Released". 2015-09-23. Retrieved 2015-09-24.
    48. ^ "LibreSSL 3.3.3 Released". 2021-05-04. Retrieved 2021-05-04.
    49. ^ "MatrixSSL - News". Archived from the original on 2015-02-14. Retrieved 2014-11-09.
    50. ^ a b c d "Mbed TLS 3.0.0 branch released". GitHub. 2021-07-07. Retrieved 2021-08-13.
    51. ^ a b c "mbed TLS 2.0.0 released". 2015-07-10. Retrieved 2015-07-14.
    52. ^ "NSS 3.19 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2015-06-05. Retrieved 2015-05-06.
    53. ^ a b "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2013-01-17. Retrieved 2012-10-27.
    54. ^ "NSS 3.15.1 release notes". Mozilla Developer Network. Mozilla. Retrieved 2013-08-10.
    55. ^ "NSS 3.39 release notes". Mozilla Developer Network. Mozilla. 2018-08-31. Archived from the original on 2021-12-07. Retrieved 2018-09-15.
    56. ^ "NSS 3.16.2 release notes". Mozilla Developer Network. Mozilla. 2014-06-30. Archived from the original on 2021-12-07. Retrieved 2014-06-30.
    57. ^ a b c d e f g h i j k l m "OpenSSL 1.1.0 Series Release Notes". www.openssl.org. Archived from the original on 2018-03-17. Retrieved 2016-09-03.
    58. ^ a b "Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]". 2012-03-14. Archived from the original on December 5, 2014. Retrieved 2015-01-20.
    59. ^ a b c d e f "Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]". Archived from the original on September 4, 2014. Retrieved 2015-01-22.
    60. ^ a b c d e f g h i j k "rustls implemented and unimplemented features documentation". Retrieved 2024-08-28.
    61. ^ "S2N Readme". GitHub. 2019-12-21.
    62. ^ "TLS Cipher Suites (Windows)". msdn.microsoft.com. 14 July 2023.
    63. ^ a b "TLS Cipher Suites in Windows Vista (Windows)". msdn.microsoft.com. 25 October 2021.
    64. ^ a b c "Cipher Suites in TLS/SSL (Schannel SSP) (Windows)". msdn.microsoft.com. 14 July 2023.
    65. ^ a b "An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1". Microsoft. Retrieved 13 November 2012.
    66. ^ "Protocols in TLS/SSL (Schannel SSP)". Microsoft. 2022-05-25. Retrieved 2023-11-18.
    67. ^ "Protocols in TLS/SSL (Schannel SSP)". 25 May 2022. Retrieved 6 November 2022.
    68. ^ "@badger: the 1.3 stuff is apparently in iOS 11 and macOS 10.13". 2018-03-09. Retrieved 2018-03-09.
    69. ^ "[wolfssl] wolfSSL 3.6.6 Released". 2015-08-20. Retrieved 2015-08-24.
    70. ^ "[wolfssl] wolfSSL 3.13.0 Released". 2017-12-21. Retrieved 2022-01-17.
    71. ^ "Erlang -- Standards Compliance".
    72. ^ a b c "Security Enhancements in JDK 8". docs.oracle.com.
    73. ^ "Bug 663320 - (NSA-Suite-B-TLS) Implement RFC6460 (NSA Suite B profile for TLS)". Mozilla. Retrieved 2014-05-19.
    74. ^ "Introducing Compliance to Suite B Cryptography". 18 September 2012.
    75. ^ "Speeds and Feeds › Secure or Compliant, Pick One". Archived from the original on December 27, 2013.
    76. ^ "Search - Cryptographic Module Validation Program - CSRC". csrc.nist.gov. Archived from the original on 2014-12-26. Retrieved 2014-03-18.
    77. ^ ""Is botan FIPS 140 certified?" Frequently Asked Questions — Botan". Archived from the original on 2014-11-29. Retrieved 2014-11-16.
    78. ^ "Search - Cryptographic Module Validation Program - CSRC". csrc.nist.gov. 11 October 2016.
    79. ^ "cryptlib". 11 October 2013. Archived from the original on 11 October 2013.
    80. ^ "B.5 Certification". GnuTLS 3.7.7. Retrieved 26 September 2022.
    81. ^ "Matrix SSL Toolkit" (PDF).
    82. ^ "Is mbed TLS FIPS certified? - Mbed TLS documentation". Mbed TLS documentation.
    83. ^ "FIPS Validation - MozillaWiki". wiki.mozilla.org.
    84. ^ "OpenSSL and FIPS 140-2". Archived from the original on 2013-05-28. Retrieved 2014-11-15.
    85. ^ "rustls FIPS documentation". Retrieved 2024-08-28.
    86. ^ "Microsoft FIPS 140 Validated Cryptographic Modules".
    87. ^ "wolfCrypt FIPS 140-2 Information - wolfSSL Embedded SSL/TLS Library".
    88. ^ a b c d e f g h i j k l m n o p q r s t u v w x y z aa ab ac ad ae af ag ah RFC 4492. doi:10.17487/RFC4492.
    89. ^ a b c d e "LibreSSL 2.1.2 released". 2014-12-09. Retrieved 2015-01-20.
    90. ^ "NSS 3.20 release notes". Mozilla. 2015-08-19. Archived from the original on 2021-12-07. Retrieved 2015-08-20.
    91. ^ a b c d Mozilla.org. "Bug 518787 - Add GOST crypto algorithm support in NSS". Retrieved 2014-07-01.
    92. ^ a b c d Mozilla.org. "Bug 608725 - Add Russian GOST cryptoalgorithms to NSS and Thunderbird". Retrieved 2014-07-01.
    93. ^ a b c d "OpenSSL: CVS Web Interface". Archived from the original on 2013-04-15. Retrieved 2014-11-12.
    94. ^ a b c d e f g h i j k l m n o Extensions to support GOST in Schannel might be available.[citation needed]
    95. ^ a b c d "Microsoft Security Advisory 3174644". 14 October 2022.
    96. ^ a b c "Microsoft Security Bulletin MS14-066 - Critical (Section Update FAQ)". Microsoft. November 11, 2014. Retrieved 11 November 2014.
    97. ^ a b c Thomlinson, Matt (November 11, 2014). "Hundreds of Millions of Microsoft Customers Now Benefit from Best-in-Class Encryption". Microsoft Security. Retrieved 11 November 2014.
    98. ^ a b "Update adds new TLS cipher suites and changes cipher suite priorities in Windows 8.1 and Windows Server 2012 R2". support.microsoft.com.
    99. ^ a b c d e f RFC 5054. doi:10.17487/RFC5054.
    100. ^ a b c d e f RFC 4279. doi:10.17487/RFC4279.
    101. ^ a b RFC 5489. doi:10.17487/RFC5489.
    102. ^ a b RFC 2712. doi:10.17487/RFC2712.
    103. ^ "RSA BSAFE SSL-J 6.2.4 Release Notes". 2018-09-05. Archived from the original on 2018-09-10.
    104. ^ a b c "LibreSSL 2.0.4 released". Retrieved 2014-08-04.
    105. ^ a b c "Bug 405155 - add support for TLS-SRP, rfc5054". Mozilla. Retrieved 2014-01-25.
    106. ^ a b c d "Bug 306435 - Mozilla browsers should support the new IETF TLS-PSK protocol to help reduce phishing". Mozilla. Retrieved 2014-01-25.
    107. ^ "Bug 1170510 - Implement NSS server side support for DH_anon". Mozilla. Retrieved 2015-06-03.
    108. ^ "Bug 236245 - Update ECC/TLS to conform to RFC 4492". Mozilla. Retrieved 2014-06-09.
    109. ^ "Changes between 0.9.6h and 0.9.7 [31 Dec 2002]". Retrieved 2016-01-29.
    110. ^ a b "Changes between 0.9.8n and 1.0.0 [29 Mar 2010]". Retrieved 2016-01-29.
    111. ^ "wolfSSL (Formerly CyaSSL) Release 3.9.0 (03/18/2016)". 2016-03-18. Retrieved 2016-04-05.
    112. ^ RFC 5280. doi:10.17487/RFC5280.
    113. ^ RFC 3280. doi:10.17487/RFC3280.
    114. ^ RFC 2560. doi:10.17487/RFC2560.
    115. ^ RFC 6698. doi:10.17487/RFC6698.
    116. ^ RFC 7218. doi:10.17487/RFC7218.
    117. ^ Laurie, B.; Langley, A.; Kasper, E. (June 2013). Certificate Transparency. IETF. doi:10.17487/RFC6962. ISSN 2070-1721. RFC 6962. Retrieved 2020-08-31.
    118. ^ "MatrixSSL 3.8.3". Archived from the original on 2017-01-19. Retrieved 2017-01-18.
    119. ^ "mbed TLS 2.0 defaults implement best practices". Retrieved 2017-01-18.
    120. ^ "Bug 672600 - Use DNSSEC/DANE chain stapled into TLS handshake in certificate chain validation". Mozilla. Retrieved 2014-06-18.
    121. ^ "CRL Validation · Issue #3499 · aws/s2n-tls". GitHub. Retrieved 2022-11-01.
    122. ^ "OCSP digest support for SHA-256 · Issue #2854 · aws/s2n-tls · GitHub". GitHub. Retrieved 2022-11-01.
    123. ^ "[RFC 6962] s2n Client can Validate Signed Certificate Timestamp TLS Extension · Issue #457 · aws/s2n-tls · GitHub". GitHub. Retrieved 2022-11-01.
    124. ^ a b "How Certificate Revocation Works". Microsoft TechNet. Microsoft. March 16, 2012. Retrieved July 10, 2013.
    125. ^ a b RFC 5288. doi:10.17487/RFC5288; RFC 5289. doi:10.17487/RFC5289.
    126. ^ a b RFC 6655, RFC 7251
    127. ^ a b c d RFC 6367. doi:10.17487/RFC6367.
    128. ^ a b RFC 5932. doi:10.17487/RFC5932.
    129. ^ a b c d RFC 6209. doi:10.17487/RFC6209.
    130. ^ a b RFC 4162. doi:10.17487/RFC4162.
    131. ^ a b "Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN". sweet32.info.
    132. ^ a b RFC 7905. doi:10.17487/RFC7905.
    133. ^ a b "Version 1.11.12, 2015-01-02 — Botan". 2015-01-02. Retrieved 2015-01-09.
    134. ^ "gnutls 3.6.0". 2017-09-21. Retrieved 2018-01-07.
    135. ^ "gnutls 3.4.12". 2016-05-20. Archived from the original on 2016-10-13. Retrieved 2016-05-29.
    136. ^ "Java SE Development Kit 10 - 10.0.1 Release Notes". 2018-04-17. Retrieved 2024-01-14.
    137. ^ "JDK 12 Release Notes". Retrieved 2024-01-14.
    138. ^ a b c d "Changes in 3.8.3". GitHub. Retrieved 2016-06-19.[permanent dead link]
    139. ^ "PolarSSL 1.3.8 release notes". Archived from the original on 2014-07-14.
    140. ^ a b "Mbed TLS 2.11.0, 2.7.4 and 2.1.13 released". Retrieved 2018-08-30.
    141. ^ "Mbed TLS 2.12.0, 2.7.5 and 2.1.14 released". Retrieved 2018-08-30.
    142. ^ "NSS 3.25 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2021-12-07. Retrieved 2016-07-01.
    143. ^ "Bug 940119 - libssl does not support any TLS_ECDHE_*_CAMELLIA_*_GCM cipher suites". Mozilla. Retrieved 2013-11-19.
    144. ^ "NSS 3.12 is released". Retrieved 2013-11-19.
    145. ^ "NSS 3.12.3 Release Notes". Mozilla Developer Network. Mozilla. Archived from the original on 2023-04-02. Retrieved 2023-04-01.
    146. ^ "NSS 3.23 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2021-04-14. Retrieved 2016-03-09.
    147. ^ "openssl/CHANGES at OpenSSL_1_0_1-stable · openssl/openssl". GitHub. Retrieved 2015-01-20.
    148. ^ "OpenSSL 1.1.1 Series Release Notes". www.openssl.org. Archived from the original on 2024-01-16.
    149. ^ "Cipher Suites in TLS/SSL (Schannel SSP) - Win32 apps". docs.microsoft.com. 14 July 2023.
    150. ^ a b c "Qualys SSL Labs - Projects / User Agent Capabilities: IE 11 / Win 10 Preview". dev.ssllabs.com. Archived from the original on 2023-07-14.
    151. ^ RFC 5469
    152. ^ a b "Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN".
    153. ^ "Version 1.11.15, 2015-03-08 — Botan". 2015-03-08. Retrieved 2015-03-11.
    154. ^ "Java Cryptography Architecture Oracle Providers Documentation". docs.oracle.com.
    155. ^ "NSS 3.15.3 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2014-06-05. Retrieved 2014-07-13.
    156. ^ "MFSA 2013-103: Miscellaneous Network Security Services (NSS) vulnerabilities". Mozilla. Retrieved 2014-07-13.
    157. ^ a b c "RC4 is now disabled in Microsoft Edge and Internet Explorer 11 - Microsoft Edge Dev Blog". blogs.windows.com. 2016-08-09.
    158. ^ a b "wolfSSL (Formerly CyaSSL) Release 3.7.0 (10/26/2015)". 2015-10-26. Retrieved 2015-11-19.
    159. ^ a b c d e RFC 8446
    160. ^ a b c d e RFC 8422
    161. ^ a b c RFC 7027
    162. ^ a b c "Version 1.11.5, 2013-11-10 — Botan". 2013-11-10. Retrieved 2015-01-23.
    163. ^ "An overview of the new features in GnuTLS 3.5.0". 2016-05-02. Retrieved 2016-12-09.
    164. ^ "gnutls 3.6.12". 2020-02-01. Retrieved 2021-08-31.
    165. ^ a b "JDK 13 Early-Access Release Notes". Archived from the original on 2020-04-01. Retrieved 2019-06-20.
    166. ^ a b "JEP 339: Edwards-Curve Digital Signature Algorithm (EdDSA)". Retrieved 2024-01-14.
    167. ^ "LibreSSL 2.5.1 release notes". OpenBSD. 2017-01-31. Retrieved 2017-02-23.
    168. ^ "MatrixSSL 4.0 changelog". GitHub. Retrieved 2018-09-18.
    169. ^ "PolarSSL 1.3.3 released". 2013-12-31. Archived from the original on 2014-01-07. Retrieved 2015-01-23.
    170. ^ "Mbed TLS 2.9.0, 2.7.3 and 2.1.12 released". Retrieved 2018-08-30.
    171. ^ a b c "PolarSSL 1.3.1 released". 2013-10-15. Archived from the original on 2015-01-23. Retrieved 2015-01-23.
    172. ^ "Bug 957105 - Add support for curve25519 Key Exchange and UMAC MAC support for TLS". Mozilla. Retrieved 2017-02-23.
    173. ^ "Bug 1305243 - Support for X448". Mozilla. Retrieved 2022-08-04.
    174. ^ "Bug 1597057 - Curve448 or named Ed448-Goldilocks support needed (both X448 key exchange and Ed448 signature algorithm )". Mozilla. Retrieved 2022-08-04.
    175. ^ a b c "Bug 943639 - Support for Brainpool ECC Curve (rfc5639)". Mozilla. Retrieved 2014-01-25.
    176. ^ "OpenSSL 1.1.0x Release Notes". 25 August 2016. Archived from the original on 18 May 2018. Retrieved 18 May 2018.
    177. ^ "OpenSSL GitHub Issue #487 Tracker". GitHub. 2 December 2015. Retrieved 18 May 2018.
    178. ^ "OpenSSL CHANGES". 1 May 2018. Archived from the original on 18 May 2018. Retrieved 18 May 2018.
    179. ^ "OpenSSL GitHub Issue #5049 Tracker". GitHub. 9 January 2018. Retrieved 18 May 2018.
    180. ^ "wolfSSL (Formerly CyaSSL) Release 3.4.6 (03/30/2015)". 2015-03-30. Retrieved 2015-11-19.
    181. ^ "wolfSSL Release 4.4.0 (04/22/2020)". 2020-04-22. Retrieved 2022-10-18.
    182. ^ "Release Note: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default". JDK Bug System (JBS). Retrieved 25 December 2024.
    183. ^ "Release Note: Removal of Legacy Elliptic Curves". JDK Bug System (JBS). Retrieved 25 December 2024.
    184. ^ a b Negotiation of arbitrary curves has been shown to be insecure for certain curve sizes. Mavrogiannopoulos, Nikos; Vercauteren, Frederik; Velichkov, Vesselin; Preneel, Bart (2012). "A cross-protocol attack on the TLS protocol" (PDF). Proceedings of the 2012 ACM conference on Computer and communications security. Association for Computing Machinery. pp. 62–72. doi:10.1145/2382196.2382206. ISBN 978-1-4503-1651-4.
    185. ^ "SHA2 and Windows". Retrieved 2024-12-25.
    186. ^ RFC 3749
    187. ^ RFC 5746
    188. ^ a b c RFC 6066
    189. ^ RFC 7301
    190. ^ RFC 6091
    191. ^ RFC 4680
    192. ^ RFC 5077. doi:10.17487/RFC5077.
    193. ^ RFC 5705. doi:10.17487/RFC5705.
    194. ^ RFC 7507. doi:10.17487/RFC7507.
    195. ^ RFC 7627
    196. ^ RFC 7685
    197. ^ RFC 7250
    198. ^ "Version 1.11.16, 2015-03-29 — Botan". 2016-03-29. Retrieved 2016-09-08.
    199. ^ "Version 1.11.10, 2014-12-10 — Botan". 2014-12-10. Retrieved 2014-12-14.
    200. ^ a b "Version 1.11.26, 2016-01-04 — Botan". 2016-01-04. Retrieved 2016-02-25.
    201. ^ Present, but disabled by default due to lack of use by any implementation.
    202. ^ "gnutls 3.2.0". Archived from the original on 2016-01-31. Retrieved 2015-01-26.
    203. ^ Mavrogiannopoulos, Nikos (August 21, 2017). "[gnutls-help] GnuTLS 3.6.0 released".
    204. ^ "gnutls 3.4.4". Archived from the original on 2017-07-17. Retrieved 2015-08-25.
    205. ^ "%DUMBFW priority keyword". Retrieved 2017-04-30.
    206. ^ "gnutls 3.6.6". 2019-01-25. Retrieved 2019-09-01.
    207. ^ "LibreSSL 2.1.3 released". 2015-01-22. Retrieved 2015-01-22.
    208. ^ "LibreSSL 2.1.4 released". 2015-03-04. Retrieved 2015-03-04.
    209. ^ "MatrixSSL - News". 2014-12-04. Archived from the original on 2015-02-14. Retrieved 2015-01-26.
    210. ^ "Download overview - PolarSSL". 2014-04-11. Archived from the original on 2015-02-09. Retrieved 2015-01-26.