Comparison of TLS Implementations
The Transport Layer Security (TLS) protocol provides the ability to secure communications across networks. There are several TLS implementations which are free and open source software, and choosing between the available implementations can be tough. Below, you will find a side-by-side comparison of several of the most prominent libraries.
All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.
Overview
| Implementation | Developed By | Open Source | Software License | Copyright Owner | Latest Stable Version | Release Date | Origin | Website |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| axTLS | Cameron Rich | Yes | BSD style licensing | Cameron Rich | 1.4.3 | 07/29/2011 | Australia | http://axtls.sourceforge.net/ |
| cryptlib | Peter Gutmann | Yes | Sleepycat License and commercial license | Peter Gutmann | 3.4.1 | 07/27/2011 | NZ | http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ |
| CyaSSL | yaSSL | Yes | GPLv2 and commercial license | yassl.com | 1.9.0 | 03/02/2011 | US | http://www.yassl.com |
| GnuTLS | GnuTLS project | Yes | LGPL | Free Software Foundation | 3.0.5 | 10/27/2011 | EU (Greece and Sweden) | http://www.gnutls.org/ |
| MatrixSSL | PeerSec Networks | No | Proprietary | PeerSec Networks | 3.2.0 | 06/07/2011 | US | http://www.matrixssl.org |
| MatrixSSL-open | PeerSec Networks | Yes | GPLv2 | PeerSec Networks | 3.2.2 | 06/07/2011 | US | http://www.matrixssl.org |
| NSS | | Yes | LGPL and Mozilla Public License | NSS contributors | 3.12.9 | 1/12/2011 | US | http://www.mozilla.org/projects/security/pki/nss/ |
| OpenSSL | OpenSSL project | Yes | OpenSSL / SSLeay dual-license | Eric Young, Tim Hudson, Sun, OpenSSL project, and others | 0.9.8r / 1.0.0e | 09/06/2011 | Australia/EU | http://openssl.org/ |
| PolarSSL | Offspark | Yes | GPLv2 and commercial license | Brainspark B.V. (brainspark.nl) | 1.0.0 | 09/08/2011 | EU (Netherlands) | http://polarssl.org |
| SChannel | Microsoft | No | Proprietary | Microsoft Inc. | Windows 7 | 10/22/2009 | US | http://microsoft.com |
| Security Builder SSL-C | Certicom | No | Proprietary | Certicom Corp., A Subsidiary of Research In Motion | 5.5.1 | 2/28/2011 | Canada | http://www.certicom.com |
| JSSE | Oracle | Yes | GPLv2 and commercial license | Oracle | JDK 6, JDK 7 in EA stage | 02/03/2011 (ea snapshot release) | US | http://openjdk.java.net/ http://www.java.net/ http://www.java.com/ |

Protocol Support
Several versions of the TLS protocol exist. SSL 2.0 is a deprecated protocol, vulnerable to several attacks. SSL 3.0 and TLS 1.0 are its successors without any major known vulnerabilities. TLS 1.1 fixes all the known issues in TLS 1.0, and TLS 1.2 is the latest published version, introducing new features. DTLS 1.0 or Datagram TLS is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated.
Note that there are known vulnerabilities in SSL 2.0, SSL 3.0 and TLS 1.0[1] protocols.
| Implementation | SSL 2.0[2] | SSL 3.0 | TLS 1.0[3] | TLS 1.1[4] | TLS 1.2[5] | DTLS 1.0[6] |
| --- | --- | --- | --- | --- | --- | --- |
| axTLS | No[7] | No | Yes | Yes | No | No |
| cryptlib | No | Yes | Yes | Yes | Yes | No |
| CyaSSL | No | Yes | Yes | Yes | Yes | Yes[8] |
| GnuTLS | No[7] | Yes | Yes | Yes | Yes | Yes |
| MatrixSSL | No | Yes | Yes | Yes | Yes | Yes |
| MatrixSSL-open | No | Yes | Yes | Yes | No | No |
| NSS | Yes | Yes | Yes | No | No | No |
| OpenSSL | Yes | Yes | Yes | No[9] | No[9] | Yes |
| PolarSSL | No | Yes | Yes | Yes | No | No |
| SChannel | Yes | Yes | Yes | Yes | Yes | No |
| Security Builder SSL-C | Yes | Yes | Yes | Yes | Yes | Yes |
| JSSE | No[7] | Yes | Yes | Yes | Yes | No |

CipherSuite Profiles
| Implementation | TLS 1.2 Suite B |
| --- | --- |
| axTLS | No |
| cryptlib | Yes |
| CyaSSL | No |
| GnuTLS | Yes |
| NSS | No |
| MatrixSSL | No |
| OpenSSL | No |
| PolarSSL | No |
| SChannel | No |
| Security Builder SSL-C | Yes |
| JSSE | No |

Key Exchange Algorithms (Certificate-only)
| Implementation | RSA[10] | RSA-EXPORT[10] | DHE-RSA[10] | DHE-DSS[10] | ECDH-ECDSA[11] | ECDHE-ECDSA[11] | ECDH-RSA[11] | ECDHE-RSA[11] | VKO GOST R 34.10-2001[12][13] |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| axTLS | Yes | No | No | No | No | No | No | No | No |
| cryptlib | Yes | No | Yes | Yes | No | Yes | No | No | No |
| CyaSSL | Yes | No | Yes | No | No | No | No | No | No |
| GnuTLS | Yes | Yes | Yes | Yes | No | Yes | No | Yes | No |
| MatrixSSL | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
| MatrixSSL-open | Yes | No | No | No | No | No | No | No | No |
| NSS | Yes | Yes | Partial[14] | Partial[14] | Yes | Yes | No | No | No |
| OpenSSL | Yes | Yes | Yes | Yes | No | Yes | No | Yes | Yes |
| PolarSSL | Yes | No | Yes | No | No | No | No | No | No |
| SChannel | Yes | No | No | Yes | No | Yes | No | No | No[15] |
| Security Builder SSL-C | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| JSSE | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No[15] |

Key Exchange Algorithms (Alternative key-exchanges)
| Implementation | DH-ANON[10] | SRP[16] | SRP-DSS[16] | SRP-RSA[16] | PSK-RSA[16] | PSK[17] | DHE-PSK[17] | ECDHE-PSK[18] | ECDH-ANON[11] |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| axTLS | No | No | No | No | No | No | No | No | No |
| cryptlib | No | No | No | No | No | Yes | Yes | No | No |
| CyaSSL | No | No | No | No | No | Yes | No | No | No |
| GnuTLS | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes |
| MatrixSSL | Yes | No | No | No | No | Yes | No | No | No |
| MatrixSSL-open | No | No | No | No | No | No | No | No | No |
| NSS | No | No | No | No | No | No | No | No | No |
| OpenSSL | Yes | No | No | No | No | Yes | No | No | Yes |
| PolarSSL | No | No | No | No | No | No | No | No | No |
| SChannel | No | No | No | No | No | No | No | No | No |
| Security Builder SSL-C | Yes | No | No | No | Yes | Yes | Yes | Yes | Yes |
| JSSE | Yes | No | No | No | No | No | No | No | No |

Encryption Algorithms
| Implementation | AES-CBC | AES-GCM[19] | 3DES-CBC | DES-CBC[20] | RC4-128 | RC4-40[21] | CAMELLIA-CBC[22] | GOST28147-89[12] |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| axTLS | Yes | No | No | No | Yes | No | No | No |
| cryptlib | Yes | Yes | Yes | No | Yes | No | No | No |
| CyaSSL | Yes | No | Yes | No | Yes | No | No | No |
| GnuTLS | Yes | Yes | Yes | No | Yes | Yes | Yes | No |
| MatrixSSL | Yes | No | Yes | No | Yes | No | No | No |
| MatrixSSL-open | Yes | No | Yes | No | Yes | No | No | No |
| NSS | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
| OpenSSL | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
| PolarSSL | Yes | No | Yes | No | Yes | No | No | No |
| SChannel | Yes | Partial[23] | Yes | Yes | Yes | No | No | No[15] |
| Security Builder SSL-C | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| JSSE | Yes | No | Yes | Yes | Yes | Yes | No | No[15] |

CPU-assisted cryptography
This section lists the ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or utilize system specific devices that allow access to underlying cryptographic hardware accelerators.
| Implementation | /dev/crypto | PKCS #11 device | Windows CSP | Intel AES-NI | VIA Padlock |
| --- | --- | --- | --- | --- | --- |
| axTLS | No | No | No | No | No |
| cryptlib | No | Yes | No | No | Yes |
| CyaSSL | No | No | No | Yes | No |
| GnuTLS | Yes | No | No | Yes | Yes |
| MatrixSSL | No | No | No | No | No |
| MatrixSSL-open | No | No | No | No | No |
| NSS | No | No | No | Yes | No |
| OpenSSL | Yes | No | No | Yes | Yes |
| PolarSSL | No | No | No | No | No |
| SChannel | No | No | Yes | Yes | No |
| Security Builder SSL-C | No | Yes | No | No | No |
| JSSE | No | No | No | No | No |

MAC Functions
| Implementation | AEAD | HMAC-MD5 | HMAC-SHA-1 | HMAC-SHA-256 | GOST28147-89-MAC[12] | GOST 34.11-94[12] |
| --- | --- | --- | --- | --- | --- | --- |
| axTLS | No | Yes | Yes | No | No | No |
| cryptlib | Yes | Yes | Yes | Yes | No | No |
| CyaSSL | No | Yes | Yes | Yes | No | No |
| GnuTLS | Yes | Yes | Yes | Yes | No | No |
| MatrixSSL | No | Yes | Yes | Yes | No | No |
| MatrixSSL-open | No | Yes | Yes | No | No | No |
| NSS | No | Yes | Yes | Yes | No | No |
| OpenSSL | No | Yes | Yes | Yes | Yes | Yes |
| PolarSSL | No | Yes | Yes | Yes | No | No |
| SChannel | Yes | Yes | Yes | Yes | No[15] | No[15] |
| Security Builder SSL-C | Yes | Yes | Yes | Yes | No | No |
| JSSE | No | Yes | Yes | Yes | No[15] | No[15] |

Compression
| Implementation | DEFLATE[24] |
| --- | --- |
| axTLS | No |
| cryptlib | No |
| CyaSSL | Yes |
| GnuTLS | Yes |
| MatrixSSL | No |
| MatrixSSL-open | No |
| NSS | Yes |
| OpenSSL | Yes |
| PolarSSL | No |
| SChannel | No |
| Security Builder SSL-C | Yes |
| JSSE | No |

Cryptographic module/token support
| Implementation | Hardware token support | Objects identified via |
| --- | --- | --- |
| axTLS | No | |
| cryptlib | PKCS11 | User-defined label |
| CyaSSL | No | |
| GnuTLS | PKCS11 | PKCS #11 URLs[25] |
| MatrixSSL | No | |
| MatrixSSL-open | No | |
| NSS | PKCS11 | |
| OpenSSL | PKCS11 (via external module) | Custom method |
| PolarSSL | No | |
| SChannel | Microsoft CryptoAPI | UUID, User-defined label |
| Security Builder SSL-C | PKCS11 (via external module) | |
| JSSE | PKCS11, Java Cryptography Architecture / Java Cryptography Extension | |

Extensions
In this section the extensions each implementation supports are listed. Note that the Secure Renegotiation extension is critical for HTTPS client security. TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.
| Implementation | Secure Renegotiation[26] | Server Name Indication[27] | Certificate Status Request[27] | OpenPGP[28] | Supplemental Data[29] | Session Ticket[30] | Keying Material Exporter[31] | Maximum Fragment Length[27] | Truncated HMAC[27] |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| axTLS | No | No | No | No | No | No | No | No | No |
| cryptlib | Yes | Yes | No | No | Yes | No | No | No[32] | No |
| CyaSSL | No | No | No | No | No | No | No | No | No |
| GnuTLS | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
| MatrixSSL | Yes | No | No | No | No | No | No | No | No |
| MatrixSSL-open | Yes | No | No | No | No | No | No | No | No |
| NSS | Yes | Yes | No | No | No | Yes | No[33] | No | No |
| OpenSSL | Yes | Yes | Yes | No | No? | Yes | Yes? | No | No |
| PolarSSL | No | Partial[14] | No | No | No | No | No | No | No |
| SChannel | Yes | Yes | Yes | No | Yes | No | No | No | No |
| Security Builder SSL-C | Yes | Yes | No | No | No | Yes | No | Yes | No |
| JSSE | Yes | Partial[14] | No | No | No | No | No | No | No |

Code Size and Dependencies
| Implementation | Code size | Dependencies | Optional dependencies |
| --- | --- | --- | --- |
| axTLS | 12kLoc | libc | |
| CyaSSL | 27kLoc | libc | zlib (compression) |
| GnuTLS | 71 kLoc | libc, libnettle (crypto), gmp (bignum) | zlib (compression), p11-kit (PKCS #11) |
| MatrixSSL | 22kLoc | libc | |
| MatrixSSL-open | 18kLoc | libc | |
| NSS | | libc, libnspr4, libsoftokn3, libplc4, libplds4 | zlib (compression) |
| OpenSSL | 159 kLoc | libc | zlib (compression) |
| PolarSSL | 14 kLOC | libc | |
| JSSE | 37 kLOC (Framework and Oracle provider) | Java | |

Development Environment
| Implementation | Namespace | Build Tools | API Manual | Crypto Back-end | OpenSSL Compatibility Layer |
| --- | --- | --- | --- | --- | --- |
| axTLS | SSL_CTX, SSL | Makefile, mconf | API Reference (HTML) | Included (monolithic) | Yes (limited) |
| cryptlib | crypt* | makefile, MSVC project workspaces | Programmers reference manual (PDF), architecture design manual (PDF) | Included (monolithic) | No |
| CyaSSL | CyaSSL_*, SSL_* | Autoconf, automake, libtool, MSVC project workspaces, XCode projects | API Reference (HTML) | Included (monolithic) | Yes (about 10% of API) |
| GnuTLS | gnutls_* | Autoconf, automake, libtool | Manual and API reference (HTML, PDF) | External, libnettle | Yes (limited) |
| MatrixSSL | matrixSsl_*, ps* | automake, MSVC project workspaces, XCode projects | API Reference (PDF) | Included (monolithic) | No |
| MatrixSSL-open | matrixSsl_*, ps* | automake, MSVC project workspaces, XCode projects | API Reference (PDF) | Included (monolithic) | No |
| NSS | CERT_*, SEC_*, SECKEY_*, NSS_*, PK11_*, SSL_*, ... | Makefile | Manual (HTML) | Included, PKCS#11 based[34] | Yes (separate package called nss_compat_ossl[35]) |
| OpenSSL | SSL_*, SHA1_*, MD5_*, EVP_*, ... | Makefile | Man pages | Included (monolithic) | Not Applicable |
| PolarSSL | ssl_*, sha1_*, md5_*, x509parse_*, ... | Makefile, CMake, MSVC project workspaces | API Reference + High Level and Module Level Documentation (HTML) | Included (monolithic) | No |
| Security Builder SSL-C | ssl_* | makefile | Programmers reference manual (PDF), User Guide (PDF) | Included (monolithic) | No |
| JSSE | javax.net.ssl | Makefile | API Reference (HTML) + | Java Cryptography Architecture / Java Cryptography Extension | |

Portability Concerns
| Implementation | Platform Requirements | Network Requirements | Thread Safety | Random Seed | Able to Cross-Compile | Supported Operating Systems |
| --- | --- | --- | --- | --- | --- | --- |
| axTLS | C89 | none | POSIX threads (optional) | /dev/urandom or platform dependent. | Yes | Generally any POSIX or Windows based platforms. |
| cryptlib | C89 | POSIX send() and recv(). API to supply your own replacement | Thread-safe. | Platform-dependent, including hardware sources | Yes | AMX, BeOS, ChorusOS, DOS, eCOS, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, PalmOS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, OS X, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK |
| CyaSSL | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe, needs mutex hooks if PThreads or WinThreads not available, can be turned off | Random seed set through TaoCrypt | Yes | Win32/64, Linux, Mac OS X, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, OpenCL, NonStop, Tron/itron/microitron, Micrium's µC OS, FreeRTOS |
| GnuTLS | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available. | platform dependent | Yes | Generally any POSIX platforms or Windows, commonly tested platforms include GNU/Linux, Win32/64, Mac OS X, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD. |
| MatrixSSL | C89 | none | Thread-safe | platform dependent | Yes | |
| MatrixSSL-open | C89 | none | Thread-safe | platform dependent | Yes | |
| NSS | C89, NSPR[36] | NSPR[36] PR_Send() and PR_Recv(). API to supply your own replacement. | Thread-safe | Platform dependent[37] | Yes (but cumbersome) | AIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, Mac OS X, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation |
| OpenSSL | C89? | ? | Needs mutex callbacks | Set through native API | | Unix, DOS (with djgpp), Windows, OpenVMS, MacOS, NetWare |
| PolarSSL | C89 | POSIX read() and write(). API to supply your own replacement. | Thread-safe | Random seed set through HAVEGE random engine | Yes | Known to work on: Win32/64, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox |
| Security Builder SSL-C | C89 | Must write your own application callbacks for socket I/O | Thread-safe under certain documented conditions | platform dependent | Yes | |
| JSSE | Java | Java SE network components | Thread-safe | Depends on java.security.SecureRandom | Yes | Java based, platform-independent |

References
1. Bard attack
2. SSLv2 is insecure
3. RFC 2246
4. RFC 4346
5. RFC 5246
6. RFC 4347
7. SSLv2 client hello is supported
8. CyaSSL's DTLS support is labeled as "This is only for testing purposes at this time. Rebroadcast and reordering aren't fully implemented at this time but will be for the next release."
9. planned for version 1.0.1 www.openssl.org/news/changelog.html
10. RFC 5246
11. RFC 4492
12. draft-chudov-cryptopro-cptls-04
13. RFC 4357
14. Client side only
15. Extensions to support this functionality might be available.
16. RFC 5054
17. RFC 4279
18. RFC 5489
19. RFC 5288
20. DES is insecure
21. 40-bit encryption is insecure
22. RFC 5932
23. Support is erratic, in many cases SChannel will simply drop the connection if a suite with this algorithm is specified.
24. RFC 3749
25. PKCS #11 URLs is a way to refer to objects stored in PKCS #11 tokens
26. RFC 5746
27. RFC 4366
28. RFC 6091
29. RFC 4680
30. RFC 5077
31. RFC 5705
32. Present but disabled by default due to lack of use by any implementation.
33. Patch is available
34. On the fly replaceable/augmentable.
35. http://fedoraproject.org/wiki/Nss_compat_ossl
36. Netscape Portable Runtime (NSPR)
37. For Unix/Linux it uses /dev/urandom if available, for Windows it uses CAPI. For all platforms it gets data from clock, and tries to open system files. NSS has a set of platform dependent functions it uses to determine randomness.
Wikimedia Foundation. 2010.