Comparison of TLS implementations

The Transport Layer Security (TLS) protocol provides the ability to secure communications across or inside networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.

All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.

Implementation	Developed by	Open source	Software license	Copyright holder	Written in	Latest stable version, release date	Origin
Botan	Jack Lloyd	Yes	Simplified BSD License	Jack Lloyd	C++	3.6.1 (October 26, 2024; 2 months ago (2024-10-26)[1]) [±]	US (Vermont)
BoringSSL	Google	Yes	OpenSSL-SSLeay dual-license, ISC license	Eric Young, Tim Hudson, Sun, OpenSSL project, Google, and others	C, C++, Go, assembly	??	Australia/EU
Bouncy Castle	The Legion of the Bouncy Castle Inc.	Yes	MIT License	Legion of the Bouncy Castle Inc.	Java, C#	Java 1.79 / October 30, 2024; 2 months ago (2024-10-30)[2] Java LTS BC-LJA 2.73.7 / November 8, 2024; 2 months ago (2024-11-08)[3] Java FIPS BC-FJA 2.0.0 / July 30, 2024; 5 months ago (2024-07-30)[4] C# 2.4.0 / May 27, 2024; 7 months ago (2024-05-27)[5] C# FIPS BC-FNA 1.0.2 / March 11, 2024; 10 months ago (2024-03-11)[6]	Australia
BSAFE	Dell, formerly RSA Security	No	Proprietary	Dell	Java, C, assembly	SSL-J 6.6 (July 2, 2024; 6 months ago (2024-07-02)[7]) [±] SSL-J 7.3.1 (October 7, 2024; 3 months ago (2024-10-07)[8]) [±] Micro Edition Suite 5.0.3 (December 3, 2024; 52 days ago (2024-12-03)[9]) [±]	Australia
cryptlib	Peter Gutmann	Yes	Sleepycat License and commercial license	Peter Gutmann	C	3.4.5 (2019; 6 years ago (2019)[10]) [±]	NZ
GnuTLS	GnuTLS project	Yes	LGPL-2.1-or-later	Free Software Foundation	C	3.8.8[11]  2024-11-05	EU (Greece and Sweden)
Java Secure Socket Extension (JSSE)	Oracle	Yes	GNU GPLv2 and commercial license	Oracle	Java	23.0.1 (October 15, 2024; 3 months ago (2024-10-15)[12]) [±] 21.0.5 LTS (October 15, 2024; 3 months ago (2024-10-15)[13]) [±] 17.0.13 LTS (October 15, 2024; 3 months ago (2024-10-15)[14]) [±] 11.0.25 LTS (October 15, 2024; 3 months ago (2024-10-15)[15]) [±] 8u431 LTS (October 15, 2024; 3 months ago (2024-10-15)[16]) [±]	US
LibreSSL	OpenBSD Project	Yes	Apache-1.0, BSD-4-Clause, ISC, and public domain	Eric Young, Tim Hudson, Sun, OpenSSL project, OpenBSD Project, and others	C, assembly	4.0.0[17]  2024-10-14	Canada
MatrixSSL[18]	PeerSec Networks	Yes	GNU GPLv2+ and commercial license	PeerSec Networks	C	4.2.2 (September 11, 2019; 5 years ago (2019-09-11) [19]) [±]	US
Mbed TLS (previously PolarSSL)	Arm	Yes	Apache License 2.0, GNU GPLv2+ and commercial license	Arm Holdings	C	3.6.2[20] (15 October 2024; 3 months ago (15 October 2024)) [±]	EU (Netherlands)
Network Security Services (NSS)	Mozilla, AOL, Red Hat, Sun, Oracle, Google and others	Yes	MPL 2.0	NSS contributors	C, assembly	Standard 3.84 / October 12, 2022; 2 years ago (2022-10-12)[21] Extended Support Release 3.79.1 / August 18, 2022; 2 years ago (2022-08-18)[21]	US
OpenSSL	OpenSSL project	Yes	Apache-2.0[a]	Eric Young, Tim Hudson, Sun, OpenSSL project, and others	C, assembly	3.4.0[22]  2024-10-22	Australia/EU
Rustls	Joe Birr-Pixton, Dirkjan Ochtman, Daniel McCarney, Josh Aas, and open source contributors	Yes	Apache-2.0, MIT License and ISC	Open source contributors	Rust	v0.23.19 (November 27, 2024; 58 days ago (2024-11-27)[23]) [±]	United Kingdom
s2n	Amazon	Yes	Apache License 2.0, GNU GPLv2+ and commercial license	Amazon.com, Inc.	C	Continuous	US
Schannel	Microsoft	No	Proprietary	Microsoft Corporation		Windows 11, 2021-10-05	US
Secure Transport	Apple Inc.	Yes	APSL 2.0	Apple Inc.		57337.20.44 (OS X 10.11.2), 2015-12-08	US
wolfSSL (previously CyaSSL)	wolfSSL[24]	Yes	GNU GPLv2+ and commercial license	wolfSSL Inc.[25]	C, assembly	5.7.6 (December 31, 2024; 24 days ago (2024-12-31)[26]) [±]	US
Erlang/OTP SSL application	Ericsson	Yes	Apache License 2.0	Ericsson	Erlang	OTP-21, 2018-06-19	Sweden
Implementation	Developed by	Open source	Software license	Copyright owner	Written in	Latest stable version, release date	Origin

Several versions of the TLS protocol exist. SSL 2.0 is a deprecated^[27] protocol version with significant weaknesses. SSL 3.0 (1996) and TLS 1.0 (1999) are successors with two weaknesses in CBC-padding that were explained in 2001 by Serge Vaudenay.^[28] TLS 1.1 (2006) fixed only one of the problems, by switching to random initialization vectors (IV) for CBC block ciphers, whereas the more problematic use of mac-pad-encrypt instead of the secure pad-mac-encrypt was addressed with RFC 7366.^[29] A workaround for SSL 3.0 and TLS 1.0, roughly equivalent to random IVs from TLS 1.1, was widely adopted by many implementations in late 2011.^[30] In 2014, the POODLE vulnerability of SSL 3.0 was discovered, which takes advantage of the known vulnerabilities in CBC, and an insecure fallback negotiation used in browsers.^[31]

TLS 1.2 (2008) introduced a means to identify the hash used for digital signatures. While permitting the use of stronger hash functions for digital signatures in the future (rsa,sha256/sha384/sha512) over the SSL 3.0 conservative choice (rsa,sha1+md5), the TLS 1.2 protocol change inadvertently and substantially weakened the default digital signatures and provides (rsa,sha1) and even (rsa,md5).^[32]

Datagram Transport Layer Security (DTLS or Datagram TLS) 1.0 is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated. The revision DTLS 1.2 based on TLS 1.2 was published in January 2012.^[33]

TLS 1.3 (2018) specified in RFC 8446 includes major optimizations and security improvements. QUIC (2021) specified in RFC 9000 and DTLS 1.3 (2022) specified in RFC 9147 builds on TLS 1.3. The publishing of TLS 1.3 and DTLS 1.3 obsoleted TLS 1.2 and DTLS 1.2.

Note that there are known vulnerabilities in SSL 2.0 and SSL 3.0. In 2021, IETF published RFC 8996 also forbidding negotiation of TLS 1.0, TLS 1.1, and DTLS 1.0 due to known vulnerabilities. NIST SP 800-52 requires support of TLS 1.3 by January 2024. Support of TLS 1.3 means that two compliant nodes will never negotiate TLS 1.2.

Required components for NSA Suite B Cryptography (RFC 6460) are:

• Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits. For traffic flow, AES should be used with either the Counter Mode (CTR) for low bandwidth traffic or the Galois/Counter Mode (GCM) mode of operation for high bandwidth traffic (see Block cipher modes of operation) — symmetric encryption
• Elliptic Curve Digital Signature Algorithm (ECDSA) — digital signatures
• Elliptic Curve Diffie–Hellman (ECDH) — key agreement
• Secure Hash Algorithm 2 (SHA-256 and SHA-384) — message digest

Per CNSSP-15, the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.

Note that certain certifications have received serious negative criticism from people who are actually involved in them.^[75]

This section lists the certificate verification functionality available in the various implementations.

Notes

Notes

This section lists the supported elliptic curves by each implementation.

Notes

Note the CRIME security exploit takes advantage of TLS compression, so conservative implementations do not enable compression at the TLS level. HTTP compression is unrelated and unaffected by this exploit, but is exploited by the related BREACH attack.

In this section the extensions each implementation supports are listed. Note that the Secure Renegotiation extension is critical for HTTPS client security ^{[citation needed]}. TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.

This section lists the known ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or utilize system specific devices that allow access to underlying cryptographic hardware for acceleration or for data separation.

This section lists the ability of an implementation to take advantage of the available operating system specific backends, or even the backends provided by another implementation.

• SCTP — with DTLS support
• DCCP — with DTLS support
• SRTP — with DTLS support (DTLS-SRTP) and Secure Real-Time Transport Control Protocol (SRTCP)