The Transport Layer Security (TLS) protocol provides the ability to secure communications across or inside networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.

All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.

Overview

ImplementationDeveloped byOpen sourceSoftware licenseCopyright holderWritten inLatest stable version, release dateOrigin
BotanJack LloydYesSimplified BSD LicenseJack LloydC++3.11.0 (March 15, 2026; 30 days ago(2026-03-15)) [±]US (Vermont)
BoringSSLGoogleYesOpenSSL-SSLeay dual-license, ISC licenseEric Young, Tim Hudson, Sun, OpenSSL project, Google, and othersC, C++, Go, assemblyNo stable releasesAustralia/EU[citation needed]
Bouncy CastleThe Legion of the Bouncy Castle Inc.YesMIT LicenseLegion of the Bouncy Castle Inc.Java, C#Java1.83 / November 27, 2025; 4 months ago(2025-11-27)Java LTSBC-LJA 2.73.9 / September 19, 2025; 6 months ago(2025-09-19)Java FIPSBC-FJA 2.0.0 / July 30, 2024; 20 months ago(2024-07-30)C#2.6.2 / July 15, 2025; 8 months ago(2025-07-15)C# FIPSBC-FNA 1.0.2 / March 11, 2024; 2 years ago(2024-03-11)Australia
Java1.83 / November 27, 2025; 4 months ago(2025-11-27)
Java LTSBC-LJA 2.73.9 / September 19, 2025; 6 months ago(2025-09-19)
Java FIPSBC-FJA 2.0.0 / July 30, 2024; 20 months ago(2024-07-30)
C#2.6.2 / July 15, 2025; 8 months ago(2025-07-15)
C# FIPSBC-FNA 1.0.2 / March 11, 2024; 2 years ago(2024-03-11)
BSAFEDell, formerly RSA SecurityNoProprietaryDellJava, C, assemblySSL-J 7.4 (December 2, 2025; 4 months ago(2025-12-02)) [±] Micro Edition Suite 5.0.3 (December 3, 2024; 16 months ago(2024-12-03)) [±]Australia
cryptlibPeter GutmannYesSleepycat License and commercial licensePeter GutmannC3.4.8 (April 30, 2025; 11 months ago(2025-04-30)) [±]NZ
GnuTLSGnuTLS projectYesLGPL-2.1-or-laterFree Software FoundationC3.8.12 2026-02-09EU (Greece and Sweden)
Java Secure Socket Extension (JSSE)OracleYesGNU GPLv2 and commercial licenseOracleJava25.0.2 LTS (January 20, 2026; 2 months ago(2026-01-20)) [±] 21.0.10 LTS (January 20, 2026; 2 months ago(2026-01-20)) [±] 17.0.18 LTS (January 20, 2026; 2 months ago(2026-01-20)) [±] 11.0.30 LTS (January 20, 2026; 2 months ago(2026-01-20)) [±] 8u481 LTS (January 20, 2026; 2 months ago(2026-01-20)) [±]US
LibreSSLOpenBSD ProjectYesApache-1.0, BSD-4-Clause, ISC, and public domainEric Young, Tim Hudson, Sun, OpenSSL project, OpenBSD Project, and othersC, assembly4.2.1 2025-10-31Canada
MatrixSSLPeerSec NetworksYesGNU GPLv2+ and commercial licensePeerSec NetworksC4.2.2 (September 11, 2019; 6 years ago(2019-09-11) ) [±]US
Mbed TLS (previously PolarSSL)ArmYesApache License 2.0, GNU GPLv2+ and commercial licenseArm HoldingsC4.1.0 (31 March 2026; 14 days ago(31 March 2026)) [±]EU (Netherlands)
Network Security Services (NSS)Mozilla, AOL, Red Hat, Sun, Oracle, Google and othersYesMPL 2.0NSS contributorsC, assemblyStandard3.84 / October 12, 2022; 3 years ago(2022-10-12)Extended Support Release3.79.1 / August 18, 2022; 3 years ago(2022-08-18)US
Standard3.84 / October 12, 2022; 3 years ago(2022-10-12)
Extended Support Release3.79.1 / August 18, 2022; 3 years ago(2022-08-18)
OpenSSLOpenSSL projectYesApache-2.0Eric Young, Tim Hudson, Sun, OpenSSL project, and othersC, assembly4.0.0 2026-04-14Australia/EU
RustlsJoe Birr-Pixton, Dirkjan Ochtman, Daniel McCarney, Josh Aas, and open source contributorsYesApache-2.0, MIT License and ISCOpen source contributorsRustv0.23.31 (July 29, 2025; 8 months ago(2025-07-29)) [±]United Kingdom
s2nAmazonYesApache License 2.0, GNU GPLv2+ and commercial licenseAmazon.com, Inc.CContinuousUS
SchannelMicrosoftNoProprietaryMicrosoft CorporationWindows 11, 2021-10-05US
Secure TransportApple Inc.YesAPSL 2.0Apple Inc.57337.20.44 (OS X 10.11.2), 2015-12-08US
wolfSSL (previously CyaSSL)wolfSSLYesGNU GPLv3+ and commercial licensewolfSSL Inc.C, assembly5.8.4 (November 20, 2025; 4 months ago(2025-11-20)) [±]US
Erlang/OTP SSL applicationEricssonYesApache License 2.0EricssonErlangOTP-21, 2018-06-19Sweden
ImplementationDeveloped byOpen sourceSoftware licenseCopyright ownerWritten inLatest stable version, release dateOrigin

TLS/SSL protocol version support

Several versions of the TLS protocol exist. SSL 2.0 is a deprecated protocol version with significant weaknesses. SSL 3.0 (1996) and TLS 1.0 (1999) are successors with two weaknesses in CBC-padding that were explained in 2001 by Serge Vaudenay. TLS 1.1 (2006) fixed only one of the problems, by switching to random initialization vectors (IV) for CBC block ciphers, whereas the more problematic use of mac-pad-encrypt instead of the secure pad-mac-encrypt was addressed with RFC 7366. A workaround for SSL 3.0 and TLS 1.0, roughly equivalent to random IVs from TLS 1.1, was widely adopted by many implementations in late 2011. In 2014, the POODLE vulnerability of SSL 3.0 was discovered, which takes advantage of the known vulnerabilities in CBC, and an insecure fallback negotiation used in browsers.

TLS 1.2 (2008) introduced a means to identify the hash used for digital signatures. While permitting the use of stronger hash functions for digital signatures in the future (rsa,sha256/sha384/sha512) over the SSL 3.0 conservative choice (rsa,sha1+md5), the TLS 1.2 protocol change inadvertently and substantially weakened the default digital signatures and provides (rsa,sha1) and even (rsa,md5).

Datagram Transport Layer Security (DTLS or Datagram TLS) 1.0 is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated. The revision DTLS 1.2 based on TLS 1.2 was published in January 2012.

TLS 1.3 (2018) specified in RFC 8446 includes major optimizations and security improvements. QUIC (2021) specified in RFC 9000 and DTLS 1.3 (2022) specified in RFC 9147 builds on TLS 1.3. The publishing of TLS 1.3 and DTLS 1.3 obsoleted TLS 1.2 and DTLS 1.2.

Note that there are known vulnerabilities in SSL 2.0 and SSL 3.0. In 2021, IETF published RFC 8996 also forbidding negotiation of TLS 1.0, TLS 1.1, and DTLS 1.0 due to known vulnerabilities. NIST SP 800-52 requires support of TLS 1.3 by January 2024. Support of TLS 1.3 means that two compliant nodes will never negotiate TLS 1.2.

ImplementationSSL 2.0 (insecure)SSL 3.0 (insecure)TLS 1.0 (deprecated)TLS 1.1 (deprecated)TLS 1.2TLS 1.3DTLS 1.0 (deprecated)DTLS 1.2DTLS 1.3
BotanNoNoNoNoYesYesNoYesNo
BoringSSLYesYesYesYesYesYesNo
Bouncy CastleNoNoYesYesYesYesYesYesNo
BSAFE SSL-JNoDisabled by defaultNoNoYesYesNoNoNo
cryptlibNoNoYesYesYesYesNoNoNo
GnuTLSNoDisabled by defaultYesYesYesYesYesYesNo
JSSENoDisabled by defaultDisabled by defaultDisabled by defaultYesYesYesYesNo
LibreSSLNoNoYesYesYesYesYesYesNo
MatrixSSLNoDisabled by default at compile timeYesYesYesYesYesYesNo
Mbed TLSNoNoNoNoYesYes (experimental)YesYesNo
NSSNoDisabled by defaultYesYesYesYesYesYesNo
OpenSSLNoDisabled by defaultYesYesYesYesYesYesNo
RustlsNoNoNoNoYesYesNoNoNo
s2nNoDisabled by defaultYesYesYesYesNoNoNo
Schannel XP, 2003Disabled by default in MSIE 7Enabled by defaultEnabled by default in MSIE 7NoNoNoNoNoNo
Schannel VistaDisabled by defaultEnabled by defaultYesNoNoNoNoNoNo
Schannel 2008Disabled by defaultEnabled by defaultYesDisabled by default (KB4019276)Disabled by default (KB4019276)NoNoNoNo
Schannel 7, 2008R2Disabled by defaultDisabled by default in MSIE 11YesEnabled by default in MSIE 11Enabled by default in MSIE 11NoYesNoNo
Schannel 8, 2012Disabled by defaultEnabled by defaultYesDisabled by defaultDisabled by defaultNoYesNoNo
Schannel 8.1, 2012R2, 10 RTM & v1511Disabled by defaultDisabled by default in MSIE 11YesYesYesNoYesNoNo
Schannel 10 v1607 / 2016NoDisabled by defaultYesYesYesNoYesYesNo
Schannel 11 / 2022NoDisabled by defaultYesYesYesYesYesYesNo
Secure Transport OS X 10.2–10.7, iOS 1–4YesYesYesNoNoNoNoNo
Secure Transport OS X 10.8–10.10, iOS 5–8NoYesYesYesYesYesNoNo
Secure Transport OS X 10.11, iOS 9NoNoYesYesYesYesUnknownNo
Secure Transport OS X 10.13, iOS 11NoNoYesYesYesYes (draft version)YesUnknownNo
wolfSSLNoDisabled by defaultDisabled by defaultYesYesYesYesYesYes
Erlang/OTP SSL applicationNoNoDisabled by defaultDisabled by defaultYesPartiallyDisabled by defaultYesNo
ImplementationSSL 2.0 (insecure)SSL 3.0 (insecure)TLS 1.0 (deprecated)TLS 1.1 (deprecated)TLS 1.2TLS 1.3DTLS 1.0 (deprecated)DTLS 1.2DTLS 1.3

NSA Suite B Cryptography

Required components for NSA Suite B Cryptography (RFC 6460) are:

Per CNSSP-15, the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.

ImplementationTLS 1.2 Suite B
BotanYes
Bouncy CastleYes
BSAFEYes
cryptlibYes
GnuTLSYes
JSSEYes
LibreSSLYes
MatrixSSLYes
Mbed TLSYes
NSSNo
OpenSSLYes
RustlsYes
S2n
SchannelYes
Secure TransportNo
wolfSSLYes
ImplementationTLS 1.2 Suite B

Certifications

Note that certain certifications have received serious negative criticism from people who are actually involved in them.

ImplementationFIPS 140-1, FIPS 140-2FIPS 140-3
Level 1Level 2[disputed – discuss]Level 1
Botan
Bouncy CastleBC-FJA 2.0.0 (#4743) BC-FJA 2.1.0 (#4943) BC-FNA 1.0.2 (#4416
BSAFE SSL-JCrypto-J 6.0 (, ) Crypto-J 6.1 / 6.1.1.0.1 (, ) Crypto-J 6.2 / 6.2.1.1 (, ) Crypto-J 6.2.4 (, ) Crypto-J 6.2.5 (, ) Crypto-J 6.3 (, )Crypto-J 7.0 ()
cryptlib
GnuTLSRed Hat Enterprise Linux GnuTLS Cryptographic Module (#2780)
JSSE
LibreSSLno support
MatrixSSLSafeZone FIPS Cryptographic Module: 1.1 (#2389)
Mbed TLS
NSSNetwork Security Services: 3.2.2 (#247) Network Security Services Cryptographic Module: 3.11.4 (#815), 3.12.4 (#1278), 3.12.9.1 (#1837)Netscape Security Module: 1 (#7), 1.01 (#47) Network Security Services: 3.2.2 (#248) Network Security Services Cryptographic Module: 3.11.4 (#814), 3.12.4 (#1279, #1280)
OpenSSLOpenSSL FIPS Object Module: 1.0 (#624), 1.1.1 (#733), 1.1.2 (#918), 1.2, 1.2.1, 1.2.2, 1.2.3 or 1.2.4 (#1051) 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7 or 2.0.8 (#1747)
Rustlsaws-lc FIPS module ()
SchannelCryptographic modules in Windows NT 4.0, 95, 95, 2000, XP, Server 2003, CE 5, CE 6, Mobile 6.x, Vista, Server 2008, 7, Server 2008 R2, 8, Server 2012, RT, Surface, Phone 8 See details on
Secure TransportApple FIPS Cryptographic Module: 1.0 (OS X 10.6, #1514), 1.1 (OS X 10.7, #1701) Apple OS X CoreCrypto Module; CoreCrypto Kernel Module: 3.0 (OS X 10.8, #1964, #1956), 4.0 (OS X 10.9, #2015, #2016) Apple iOS CoreCrypto Module; CoreCrypto Kernel Module: 3.0 (iOS 6, #1963, #1944), 4.0 (iOS 7, #2020, #2021)
wolfSSLwolfCrypt FIPS Module: 4.0 (#3389) See details on for validated Operating Environments wolfCrypt FIPS Module: 3.6.0 (#2425) See details on for validated Operating EnvironmentswolfCrypt FIPS Module (#4178) See details on
ImplementationLevel 1Level 2Level 1
FIPS 140-1, FIPS 140-2FIPS 140-3

Key exchange algorithms (certificate-only)

This section lists the certificate verification functionality available in the various implementations.

ImplementationRSARSA-EXPORT (insecure)DHE-RSA (forward secrecy)DHE-DSS (forward secrecy)ECDH-ECDSAECDHE-ECDSA (forward secrecy)ECDH-RSAECDHE-RSA (forward secrecy)GOST R 34.10-94, 34.10-2001
BotanDisabled by defaultNoYesDisabled by defaultNoYesNoYesNo
BSAFEYesNoYesYesYesYesYesYesNo
cryptlibYesNoYesYesYesYesNoYesNo
GnuTLSYesNoYesDisabled by defaultNoYesNoYesNo
JSSEYesDisabled by defaultYesYesYesYesYesYesNo
LibreSSLYesNoYesYesNoYesNoYesYes
MatrixSSLYesNoYesNoYesYesYesYesNo
Mbed TLSYesNoYesNoYesYesYesYesNo
NSSYesDisabled by defaultYesYesYesYesYesYesNo
OpenSSLYesNoYesDisabled by defaultNoYesNoYesYes
RustlsNoNoNoNoNoYesNoYesNo
Schannel XP/2003YesYesNoXP: Max 1024 bits 2003: 1024 bits onlyNoNoNoNoNo
Schannel Vista/2008YesDisabled by defaultNo1024 bits by defaultNoYesNoexcept AES_GCMNo
Schannel 8/2012YesDisabled by defaultAES_GCM only1024 bits by defaultNoYesNoexcept AES_GCMNo
Schannel 7/2008R2, 8.1/2012R2YesDisabled by defaultYes2048 bits by defaultNoYesNoexcept AES_GCMNo
Schannel 10YesDisabled by defaultYes2048 bits by defaultNoYesNoYesNo
Secure Transport OS X 10.6YesYesexcept AES_GCMYesYesexcept AES_GCMyesexcept AES_GCMNo
Secure Transport OS X 10.8-10.10YesNoexcept AES_GCMNoYesexcept AES_GCMYesexcept AES_GCMNo
Secure Transport OS X 10.11YesNoYesNoNoYesNoYesNo
wolfSSLYesNoYesNoYesYesYesYesNo
Erlang/OTP SSL applicationYesNoYesYesYesYesYesYesNo
ImplementationRSARSA-EXPORT (insecure)DHE-RSA (forward secrecy)DHE-DSS (forward secrecy)ECDH-ECDSAECDHE-ECDSA (forward secrecy)ECDH-RSAECDHE-RSA (forward secrecy)GOST R 34.10-94, 34.10-2001

Key exchange algorithms (alternative key-exchanges)

ImplementationSRPSRP-DSSSRP-RSAPSK-RSAPSKDHE-PSK (forward secrecy)ECDHE-PSK (forward secrecy)KRB5DH-ANON (insecure)ECDH-ANON (insecure)
BotanNoNoNoNoYesNoYesNoNoNo
BSAFE SSL-JNoNoNoNoYesNoNoNoDisabled by defaultDisabled by default
cryptlibNoNoNoNoYesYesNoNoNoNo
GnuTLSYesYesYesYesYesYesYesNoDisabled by defaultDisabled by default
JSSENoNoNoNoNoNoNoNoDisabled by defaultDisabled by default
LibreSSLNoNoNoNoNoNoNoNoYesYes
MatrixSSLNoNoNoYesYesYesNoNoDisabled by defaultNo
Mbed TLSNoNoNoYesYesYesYesNoNoNo
NSSNoNoNoNoNoNoNoNoClient side only, disabled by defaultDisabled by default
OpenSSLYesYesYesYesYesYesYesYesDisabled by defaultDisabled by default
RustlsNoNoNoNoNoNoNoNoNoNo
SchannelNoNoNoNoNoNoNoYesNoNo
Secure TransportNoNoNoNoNoNoNoUnknownYesYes
wolfSSLYesYesYesYesYesYesYesYesNoNo
Erlang/OTP SSL applicationDisabled by defaultDisabled by defaultDisabled by defaultDisabled by defaultDisabled by defaultDisabled by defaultNoNoDisabled by defaultDisabled by default
ImplementationSRPSRP-DSSSRP-RSAPSK-RSAPSKDHE-PSK (forward secrecy)ECDHE-PSK (forward secrecy)KRB5DH-ANON (insecure)ECDH-ANON (insecure)

Certificate verification methods

ImplementationApplication-definedPKIX path validationCRLOCSPDANE (DNSSEC)CT
BotanYesYesYesYesNoUnknown
Bouncy CastleYesYesYesYesYesUnknown
BSAFEYesYesYesYesNoUnknown
cryptlibYesYesYesYesNoUnknown
GnuTLSYesYesYesYesYesUnknown
JSSEYesYesYesYesNoNo
LibreSSLYesYesYesYesNoUnknown
MatrixSSLYesYesYesYesNoUnknown
Mbed TLSYesYesYesNoNoUnknown
NSSYesYesYesYesNoUnknown
OpenSSLYesYesYesYesYesYes
RustlsYesYesYesNoNoNo
s2nNoUnknownUnknown
SchannelUnknownYesYesYesNoUnknown
Secure TransportYesYesYesYesNoUnknown
wolfSSLYesYesYesYesNoUnknown
Erlang/OTP SSL applicationYesYesYesNoNoUnknown
ImplementationApplication-definedPKIX path validationCRLOCSPDANE (DNSSEC)CT

Encryption algorithms

ImplementationBlock cipher with mode of operationStream cipherNone
AES GCMAES CCMAES CBCCamellia GCMCamellia CBCARIA GCMARIA CBCSEED CBC3DES EDE CBC (insecure)GOST 28147-89 CNT (proposed)ChaCha20-Poly1305Null (insecure)
BotanYesYesYesYesYesNoNoDisabled by defaultDisabled by defaultNoYesNot implemented
BoringSSLYesNoYesNoNoNoNoNoYesNoYes
BSAFE SSL-JYesYesYesNoNoNoNoNoDisabled by defaultNoNoDisabled by default
cryptlibYesNoYesNoNoNoNoNoYesNoNoNot implemented
GnuTLSYesYesYesYesYesNoNoNoDisabled by defaultNoYesDisabled by default
JSSEYesNoYesNoNoNoNoNoDisabled by defaultNoYes (JDK 12+)Disabled by default
LibreSSLYesNoYesNoYesNoNoNoYesYesYesDisabled by default
MatrixSSLYesNoYesNoNoNoNoYesDisabled by defaultNoYesDisabled by default
Mbed TLSYesYesYesYesYesYesYesNoNoNoYesDisabled by default at compile time
NSSYesNoYesNoYesNoNoYesYesNoYesDisabled by default
OpenSSLYesDisabled by defaultYesNoDisabled by defaultDisabled by defaultNoDisabled by defaultDisabled by defaultYesYesDisabled by default
RustlsYesNoNoNoNoNoNoNoNoNoYesNot implemented
Schannel XP/2003NoNo2003 onlyNoNoNoNoNoYesNoNoDisabled by default
Schannel Vista/2008, 2008R2, 2012NoNoYesNoNoNoNoNoYesNoNoDisabled by default
Schannel 7, 8, 8.1/2012R2Yes except ECDHE_RSANoYesNoNoNoNoNoYesNoNoDisabled by default
Schannel 10YesNoYesNoNoNoNoNoYesNoNoDisabled by default
Secure Transport OS X 10.6 - 10.10NoNoYesNoNoNoNoNoYesNoNoDisabled by default
Secure Transport OS X 10.11YesNoYesNoNoNoNoNoYesNoNoDisabled by default
wolfSSLYesYesYesNoNoNoNoNoYesNoYesDisabled by default
Erlang/OTP SSL applicationYesNoYesNoNoNoNoNoDisabled by defaultNoExperimentalDisable by default
ImplementationBlock cipher with mode of operationStream cipherNone
AES GCMAES CCMAES CBCCamellia GCMCamellia CBCARIA GCMARIA CBCSEED CBC3DES EDE CBC (insecure)GOST 28147-89 CNT (proposed)ChaCha20-Poly1305Null (insecure)

Notes

Obsolete algorithms

ImplementationBlock cipher with mode of operationStream cipher
IDEA CBC (insecure)DES CBC (insecure)DES-40 CBC (EXPORT, insecure)RC2-40 CBC (EXPORT, insecure)RC4-128 (insecure)RC4-40 (EXPORT, insecure)
BotanNoNoNoNoNoNo
BoringSSLNoNoNoNoDisabled by default at compile timeNo
BSAFE SSL-JNoDisabled by defaultDisabled by defaultNoDisabled by defaultDisabled by default
cryptlibNoDisabled by default at compile timeNoNoDisabled by default at compile timeNo
GnuTLSNoNoNoNoDisabled by defaultNo
JSSENoDisabled by defaultDisabled by defaultNoDisabled by defaultDisabled by default
LibreSSLYesYesNoNoYesNo
MatrixSSLYesNoNoNoDisabled by defaultNo
Mbed TLSNoDisabled by default at compile timeNoNoDisabled by default at compile timeNo
NSSYesDisabled by defaultDisabled by defaultDisabled by defaultLowest priorityDisabled by default
OpenSSLDisabled by defaultDisabled by defaultNoNoDisabled by defaultNo
RustlsNoNoNoNoNoNo
Schannel XP/2003NoYesYesYesYesYes
Schannel Vista/2008NoDisabled by defaultDisabled by defaultDisabled by defaultYesDisabled by default
Schannel 7/2008R2NoDisabled by defaultDisabled by defaultDisabled by defaultLowest priority will be disabled soonDisabled by default
Schannel 8/2012NoDisabled by defaultDisabled by defaultDisabled by defaultOnly as fallbackDisabled by default
Schannel 8.1/2012R2NoDisabled by defaultDisabled by defaultDisabled by defaultDisabled by defaultDisabled by default
Schannel 10NoDisabled by defaultDisabled by defaultDisabled by defaultDisabled by defaultDisabled by default
Secure Transport OS X 10.6YesYesYesYesYesYes
Secure Transport OS X 10.7YesUnknownUnknownUnknownYesUnknown
Secure Transport OS X 10.8-10.9YesDisabled by defaultDisabled by defaultDisabled by defaultYesDisabled by default
Secure Transport OS X 10.10-10.11YesDisabled by defaultDisabled by defaultDisabled by defaultLowest priorityDisabled by default
Secure Transport macOS 10.12YesDisabled by defaultDisabled by defaultDisabled by defaultDisabled by defaultDisabled by default
wolfSSLDisabled by defaultNoNoNoDisabled by defaultNo
Erlang/OTP SSL applicationnoDisabled by defaultnonoDisabled by defaultno
ImplementationBlock cipher with mode of operationStream cipher
IDEA CBC (insecure)DES CBC (insecure)DES-40 CBC (EXPORT, insecure)RC2-40 CBC (EXPORT, insecure)RC4-128 (insecure)RC4-40 (EXPORT, insecure)

Notes

Supported elliptic curves

This section lists the supported elliptic curves by each implementation.

Defined curves in RFC 8446 (for TLS 1.3) and RFC 8422, 7027 (for TLS 1.2 and earlier)

applicable TLS versionTLS 1.3 and earlierTLS 1.2 and earlier
Implementationsecp256r1 prime256v1 NIST P-256 (0x0017, 23)secp384r1 NIST P-384 (0x0018, 24)secp521r1 NIST P-521 (0x0019, 25)X25519 (0x001D, 29)X448 (0x001E, 30)brainpoolP256r1 (26)brainpoolP384r1 (27)brainpoolP512r1 (28)
BotanYesYesYesYesNoYesYesYes
BoringSSLYesYesYes (disabled by default)YesNoNoNoNo
BSAFEYesYesYesNoNoNoNoNo
GnuTLSYesYesYesYesYesNoNoNo
JSSEYesYesYesYes x25519: JDK 13+ Ed25519:JDK 15+Yes x448: JDK 13+ Ed448: JDK 15+NoNoNo
LibreSSLYesYesYesYesNoYesYesYes
MatrixSSLYesYesYesTLS 1.3 onlyNoYesYesYes
Mbed TLSYesYesYesPrimitive onlyPrimitive onlyYesYesYes
NSSYesYesYesYesNoNoNoNo
OpenSSLYesYesYesYesYesYesYesYes
RustlsYesYesYesYesNoNoNoNo
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10YesYesYesNoNoNoNoNo
Secure TransportYesYesYesNoNoNoNoNo
wolfSSLYesYesYesYesYesYesYesYes
Erlang/OTP SSL applicationYesYesYesNoNoYesYesYes
Implementationsecp256r1 prime256v1 NIST P-256 (0x0017, 23)secp384r1 NIST P-384 (0x0018, 24)secp521r1 NIST P-521 (0x0019, 25)X25519 (0x001D, 29)X448 (0x001E, 30)brainpoolP256r1 (26)brainpoolP384r1 (27)brainpoolP512r1 (28)

Deprecated curves in RFC 8422

Implementationsect163k1 NIST K-163 (1)sect163r1 (2)sect163r2 NIST B-163 (3)sect193r1 (4)sect193r2 (5)sect233k1 NIST K-233 (6)sect233r1 NIST B-233 (7)sect239k1 (8)sect283k1 NIST K-283 (9)sect283r1 NIST B-283 (10)sect409k1 NIST K-409 (11)sect409r1 NIST B-409 (12)sect571k1 NIST K-571 (13)sect571r1 NIST B-571 (14)
BotanNoNoNoNoNoNoNoNoNoNoNoNoNoNo
BoringSSLNoNoNoNoNoNoNoNoNoNoNoNoNoNo
BSAFEYesNoYesNoNoYesYesNoYesYesYesYesYesYes
GnuTLSNoNoNoNoNoNoNoNoNoNoNoNoNoNo
JSSENotesNotesNotesNotesNotesNotesNotesNotesNotesNotesNotesNotesNotesNotes
LibreSSLYesYesYesYesYesYesYesYesYesYesYesYesYesYes
MatrixSSLNoNoNoNoNoNoNoNoNoNoNoNoNoNo
Mbed TLSNoNoNoNoNoNoNoNoNoNoNoNoNoNo
NSSYesYesYesYesYesYesYesYesYesYesYesYesYesYes
OpenSSLYesYesYesYesYesYesYesYesYesYesYesYesYesYes
RustlsNoNoNoNoNoNoNoNoNoNoNoNoNoNo
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10NoNoNoNoNoNoNoNoNoNoNoNoNoNo
Secure TransportNoNoNoNoNoNoNoNoNoNoNoNoNoNo
wolfSSLNoNoNoNoNoNoNoNoNoNoNoNoNoNo
Erlang/OTP SSL applicationYesYesYesYesYesYesYesYesYesYesYesYesYesYes
Implementationsect163k1 NIST K-163 (1)sect163r1 (2)sect163r2 NIST B-163 (3)sect193r1 (4)sect193r2 (5)sect233k1 NIST K-233 (6)sect233r1 NIST B-233 (7)sect239k1 (8)sect283k1 NIST K-283 (9)sect283r1 NIST B-283 (10)sect409k1 NIST K-409 (11)sect409r1 NIST B-409 (12)sect571k1 NIST K-571 (13)sect571r1 NIST B-571 (14)
Implementationsecp160k1 (15)secp160r1 (16)secp160r2 (17)secp192k1 (18)secp192r1 prime192v1 NIST P-192 (19)secp224k1 (20)secp224r1 NIST P-244 (21)secp256k1 (22)arbitrary prime curves (0xFF01)arbitrary char2 curves (0xFF02)
BotanNoNoNoNoNoNoNoNoNoNo
BoringSSLNoNoNoNoNoNoYesNoNoNo
BSAFENoNoNoNoYesNoYesNoNoNo
GnuTLSNoNoNoNoYesNoYesNoNoNo
JSSENotesNotesNotesNotesNotesNotesNotesNotesNoNo
LibreSSLYesYesYesYesYesYesYesYesNoNo
MatrixSSLNoNoNoNoYesNoYesNoNoNo
Mbed TLSNoNoNoYesYesYesYesYesNoNo
NSSYesYesYesYesYesYesYesYesNoNo
OpenSSLYesYesYesYesYesYesYesYesNoNo
RustlsNoNoNoNoNoNoNoNoNoNo
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10NoNoNoNoNoNoNoNoNoNo
Secure TransportNoNoNoNoYesNoNoNoNoNo
wolfSSLYesYesYesYesYesYesYesYesNoNo
Erlang/OTP SSL applicationYesYesYesYesYesYesYesYesNoNo
Implementationsecp160k1 (15)secp160r1 (16)secp160r2 (17)secp192k1 (18)secp192r1 prime192v1 NIST P-192 (19)secp224k1 (20)secp224r1 NIST P-244 (21)secp256k1 (22)arbitrary prime curves (0xFF01)arbitrary char2 curves (0xFF02)

Notes

Data integrity

ImplementationHMAC-MD5HMAC-SHA1HMAC-SHA256/384AEADGOST 28147-89 IMITGOST R 34.11-94
BotanNoYesYesYesNoNo
BSAFEYesYesYesYesNoNo
cryptlibYesYesYesYesNoNo
GnuTLSYesYesYesYesNoNo
JSSEDisabled by DefaultYesYesYesNoNo
LibreSSLYesYesYesYesYesYes
MatrixSSLYesYesYesYesNoNo
Mbed TLSYesYesYesYesNoNo
NSSYesYesYesYesNoNo
OpenSSLYesYesYesYesYesYes
RustlsNoNoNoYesNoNo
Schannel XP/2003, Vista/2008YesYesXP SP3, 2003 SP2 via hotfixNoNoNo
Schannel 7/2008R2, 8/2012, 8.1/2012R2YesYesYesexcept ECDHE_RSANoNo
Schannel 10YesYesYesYesNoNo
Secure TransportYesYesYesYesNoNo
wolfSSLDisabled by DefaultYesYesYesNoNo
Erlang/OTP SSL applicationYesYesYesYesNoNo
ImplementationHMAC-MD5HMAC-SHA1HMAC-SHA256/384AEADGOST 28147-89 IMITGOST R 34.11-94

Compression

Note the CRIME security exploit takes advantage of TLS compression, so conservative implementations do not enable compression at the TLS level. HTTP compression is unrelated and unaffected by this exploit, but is exploited by the related BREACH attack.

ImplementationDEFLATE (insecure)
BotanNo
BSAFENo
cryptlibNo
GnuTLSDisabled by default
JSSENo
LibreSSLNo
MatrixSSLDisabled by default
Mbed TLSDisabled by default
NSSDisabled by default
OpenSSLDisabled by default
RustlsNo
SchannelNo
Secure TransportNo
wolfSSLDisabled by default
Erlang/OTP SSL applicationNo
ImplementationDEFLATE

Extensions

In this section the extensions each implementation supports are listed. Note that the Secure Renegotiation extension is critical for HTTPS client security [citation needed]. TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.

ImplementationSecure RenegotiationServer Name IndicationALPNCertificate Status RequestOpenPGPSupplemental DataSession TicketKeying Material ExporterMaximum Fragment LengthEncrypt-then-MACTLS Fallback SCSVExtended Master SecretClientHello PaddingRaw Public Keys
BotanYesYesYesNoNoNoYesYesYesYesYesYesNoUnknown
BSAFE SSL-JYesYesNoYesNoNoNoNoYesNoNoYesNoNo
cryptlibYesYesNoNoNoYesNoNoNoYesYesYesNoUnknown
GnuTLSYesYesYesYesNoYesYesYesYesYesYesYesYesYes
JSSEYesYesYesYesNoNoYesNoYesNoNoYesNoNo
LibreSSLYesYesYesYesNoNo?YesYes?NoNoServer side onlyNoYesNo
MatrixSSLYesYesYesYesNoNoYesNoYesNoYesYesNoUnknown
Mbed TLSYesYesYesNoNoNoYesNoYesYesYesYesNoNo
NSSYesYesYesYesNoNoYesYesNoNoYesYesYesUnknown
OpenSSLYesYesYesYesNoNo?YesYesYesYesYesYesYesYes
RustlsYesYesYesYesNoNoYesYesNoNoNoYesNoUnknown
Schannel XP/2003NoNoNoNoNoYesNoNoNoNoNoNoNoUnknown
Schannel Vista/2008YesYesNoNoNoYesNoNoNoNoNoYesNoUnknown
Schannel 7/2008R2YesYesNoYesNoYesNoNoNoNoNoYesNoUnknown
Schannel 8/2012YesYesNoYesNoYesClient side onlyNoNoNoNoYesNoUnknown
Schannel 8.1/2012R2, 10YesYesYesYesNoYesYesNoNoNoNoYesNoUnknown
Secure TransportYesYesUnknownNoNoYesNoNoNoNoNoNoNoUnknown
wolfSSLYesYesYesYesNoNoYesNoYesYesNoYesNoYes
Erlang/OTP SSL applicationYesYesYesNoNoNoNoNoNoNoYesNoNoUnknown
ImplementationSecure RenegotiationServer Name IndicationALPNCertificate Status RequestOpenPGPSupplemental DataSession TicketKeying Material ExporterMaximum Fragment LengthEncrypt-then-MACTLS Fallback SCSVExtended Master SecretClientHello PaddingRaw Public Keys

Assisted cryptography

This section lists the known ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or utilize system specific devices that allow access to underlying cryptographic hardware for acceleration or for data separation.

ImplementationPKCS #11 deviceIntel AES-NIVIA PadLockARMv8-AIntel SHANXP CAAMTPM 2.0NXP SE050Microchip ATECCSTMicro STSAFEMaxim MAXQ
BotanYesYesNoYesNoYesNoNoNoNo
BSAFE SSL-JYesYesNoYesYesNoNoNoNoNoNo
cryptlibYesYesYesNoYesNoNoNoNo
Crypto++YesYesNoNoNoNo
GnuTLSYesYesYesYesYesNoNoNoNoNo
JSSEYesYesNoNoNoNoNoNoNo
LibreSSLNoYesYesNoNoNoNoNo
MatrixSSLYesYesNoYesNoNoNoNoNo
Mbed TLSYesYesYesNoNoPartialYesNoNo
NSSYesYesNoNoNoNoNoNoNo
OpenSSLYesYesYesYesYesPartialPartialPartialNoPartialNo
RustlsYesYesYesNoNoNoNo
SchannelNoYesNoNoNoNoNoNoNo
Secure TransportNoYesNoYesNoNoNoNoNo
wolfSSLYesYesNoYesYesYesYesYesYesYesYes
ImplementationPKCS #11 deviceIntel AES-NIVIA PadLockARMv8-AIntel SHANXP CAAMTPM 2.0NXP SE050Microchip ATECCSTMicro STSAFEMaxim MAXQ

System-specific backends

This section lists the ability of an implementation to take advantage of the available operating system specific backends, or even the backends provided by another implementation.

Implementation/dev/cryptoaf_algWindows CSPCommonCryptoOpenSSL engine
BotanNoNoNoNoPartial
BSAFENoNoNoNoNo
cryptlibYesNoNoNoNo
GnuTLSYesYesNoNoNo
JSSENoNoYesNoNo
LibreSSLNoNoNoNoNo
MatrixSSLNoNoNoYesYes
Mbed TLSNoNoNoNoNo
NSSNoNoNoNoNo
OpenSSLYesYesNoNoYes
RustlsNoYesNoNoNo
SchannelNoNoYesNoNo
Secure TransportNoNoNoYesNo
wolfSSLYesYesPartialNoYes
Erlang/OTP SSL applicationNoNoNoNoYes
Implementation/dev/cryptoaf_algWindows CSPCommonCryptoOpenSSL engine

Cryptographic module/token support

ImplementationTPM supportHardware token supportObjects identified via
BotanPartialPKCS #11
BSAFE SSL-JNoNo
cryptlibYesPKCS #11User-defined label
GnuTLSYesPKCS #11RFC 7512 PKCS #11 URLs
JSSENoPKCS11 Java Cryptography Architecture, Java Cryptography Extension
LibreSSLYesPKCS #11 (via 3rd party module)Custom method
MatrixSSLNoPKCS #11
Mbed TLSNoPKCS #11 (via libpkcs11-helper) or standard hooksCustom method
NSSNoPKCS #11
OpenSSLYesPKCS #11 (via 3rd party module)RFC 7512 PKCS #11 URLs
RustlsNoMicrosoft CryptoAPICustom method
SchannelNoMicrosoft CryptoAPIUUID, User-defined label
Secure Transport
wolfSSLYesPKCS #11
ImplementationTPM supportHardware token supportObjects identified via

Code dependencies

ImplementationDependenciesOptional dependencies
BotanC++20SQLite zlib (compression) bzip2 (compression) liblzma (compression) boost trousers (TPM)
GnuTLSlibc nettle gmpzlib (compression) p11-kit (PKCS #11) trousers (TPM) libunbound (DANE)
JSSEJava
MatrixSSLnonezlib (compression)
MatrixSSL-openlibc or newlib
Mbed TLSlibclibpkcs11-helper (PKCS #11) zlib (compression)
NSSlibc libnspr4 libsoftokn3 libplc4 libplds4zlib (compression)
Rustlsrust core libraryrust std library zlib-rs (compression) brotli (compression) ring (cryptography) aws-lc-rs (cryptography)
OpenSSLlibczlib (compression) brotli (compression) zstd (compression)
wolfSSLNonelibc zlib (compression)
Erlang/OTP SSL applicationlibcrypto (from OpenSSL), Erlang/OTP and its public_key, crypto and asn1 applicationsErlang/OTP -inets (http fetching of CRLs)
ImplementationDependenciesOptional dependencies

Development environment

ImplementationNamespaceBuild toolsAPI manualCrypto back-endOpenSSL compatibility Layer[clarification needed]
BotanBotan::TLSMakefileSphinxIncluded (pluggable)No
Bouncy Castleorg.bouncycastleJava Development EnvironmentProgrammers reference manual (PDF)Included (pluggable)No
BSAFE SSL-Jcom.rsa.asn1 com.rsa.certj com.rsa.jcp com.rsa.jsafe com.rsa.ssl com.rsa.jsseJava class loaderJavadoc, Developer's guide (HTML)IncludedNo
cryptlibcrypt*makefile, MSVC project workspacesProgrammers reference manual (PDF), architecture design manual (PDF)Included (monolithic)No
GnuTLSgnutls_*Autoconf, automake, libtoolManual and API reference (HTML, PDF)External, libnettleYes (limited)
JSSEjavax.net.ssl sun.security.sslMakefileAPI Reference (HTML) +Java Cryptography Architecture, Java Cryptography ExtensionNo
MatrixSSLmatrixSsl_* ps*Makefile, MSVC project workspaces, Xcode projects for OS X and iOSAPI Reference (PDF), Integration GuideIncluded (pluggable)Yes (Subset: SSL_read, SSL_write, etc.)
Mbed TLSmbedtls_ssl_* mbedtls_sha1_* mbedtls_md5_* mbedtls_x509* ...Makefile, CMake, MSVC project workspaces, yottaAPI Reference + High Level and Module Level Documentation (HTML)Included (monolithic)No
NSSCERT_* SEC_* SECKEY_* NSS_* PK11_* SSL_* ...MakefileManual (HTML)Included, PKCS#11 basedYes (separate package called nss_compat_ossl)
OpenSSLSSL_* SHA1_* MD5_* EVP_* ...MakefileMan pagesIncluded (monolithic)—N/a
Rustlsrustls::cargoand, included. Pluggable with OpenSSL, BoringSSL, Microsoft SymCrypt, wolfCrypt, Mbed TLS, Graviola, and RustCrypto.Yes (subset)
wolfSSLwolfSSL_* CyaSSL_* SSL_*Autoconf, automake, libtool, MSVC project workspaces, XCode projects, CodeWarrior projects, MPLAB X projects, Keil, IAR, Clang, GCC, e2StudioManual and API Reference (HTML, PDF)Included (monolithic)Yes (about 60% of API)
ImplementationNamespaceBuild toolsAPI manualCrypto back-endOpenSSL compatibility layer

Portability concerns

ImplementationPlatform requirementsNetwork requirementsThread safetyRandom seedAble to cross-compileNo OS (bare metal)Supported operating systems
BotanC++11NoneThread-safePlatform-dependentYesWindows, Linux, macOS, Android, iOS, FreeBSD, OpenBSD, Solaris, AIX, HP-UX, QNX, BeOS, IncludeOS
BSAFE SSL-JJavaJava SE network componentsThread-safeDepends on java.security.SecureRandomYesNoFreeBSD, Linux, macOS, Microsoft Windows, Android, AIX, Solaris
cryptlibC89POSIX send() and recv(). API to supply your own replacementThread-safePlatform-dependent, including hardware sourcesYesYesAMX, BeOS, ChorusOS, DOS, eCos, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, Palm OS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, macOS, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK
GnuTLSC89POSIX send() and recv(). API to supply your own replacement.Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available.Platform dependentYesNoGenerally any POSIX platforms or Windows, commonly tested platforms include Linux, Win32/64, macOS, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD.
JSSEJavaJava SE network componentsThread-safeDepends on java.security.SecureRandomYesJava based, platform-independent
MatrixSSLC89NoneThread-safePlatform dependentYesYesAll
Mbed TLSC89POSIX read() and write(). API to supply your own replacement.Threading layer available (POSIX or own hooks)Random seed set through entropy poolYesYesKnown to work on: Win32/64, Linux, macOS, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox, Android, eCos, SeggerOS, RISC OS
NSSC89, NSPRNSPR PR_Send() and PR_Recv(). API to supply your own replacement.Thread-safePlatform dependentYes (but cumbersome)NoAIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, macOS, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation
RustlsRust (programming language)NoneThread-safePlatform dependentYesYesAll supported by Rust (programming language)
OpenSSLC89NoneThread-safePlatform dependentYesNoUnix-like, DOS (with djgpp), Windows, OpenVMS, NetWare, eCos
wolfSSLC89POSIX send() and recv(). API to supply your own replacement.Thread-safeRandom seed set through wolfCryptYesYesWin32/64, Linux, macOS, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Yocto Project, OpenEmbedded, WinCE, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and GameCube through DevKitPro, QNX, MontaVista, NonStop, TRON/ITRON/μITRON, eCos, Micrium μC/OS-III, FreeRTOS, SafeRTOS, NXP/Freescale MQX, Nucleus, TinyOS, HP/UX, AIX, ARC MQX, Keil RTX, TI-RTOS, uTasker, embOS, INtime, Mbed, uT-Kernel, RIOT, CMSIS-RTOS, FROSTED, Green Hills INTEGRITY, TOPPERS, PetaLinux, Apache mynewt
ImplementationPlatform requirementsNetwork requirementsThread safetyRandom seedAble to cross-compileNo OS (bare metal)Supported operating systems

See also

  • SCTP — with DTLS support
  • DCCP — with DTLS support
  • SRTP — with DTLS support (DTLS-SRTP) and Secure Real-Time Transport Control Protocol (SRTCP)