Comparison of TLS implementations

This article is about TLS libraries comparison. For cryptographic libraries comparison, see Comparison of cryptography libraries.

"Secure Transport" redirects here. For the transportation of valuables, see Armored car (valuables).

The Transport Layer Security (TLS) protocol provides the ability to secure communications across or inside networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.

All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.

Overview

Implementation	Developed by	Open source	Software license	Copyright holder	Written in	Latest stable version, release date	Origin
Botan	Jack Lloyd	Yes	Simplified BSD License	Jack Lloyd	C++	3.8.1 (May 7, 2025; 13 days ago (2025-05-07)[1]) [±]	US (Vermont)
BoringSSL	Google	Yes	OpenSSL-SSLeay dual-license, ISC license	Eric Young, Tim Hudson, Sun, OpenSSL project, Google, and others	C, C++, Go, assembly	??	Australia/EU
Bouncy Castle	The Legion of the Bouncy Castle Inc.	Yes	MIT License	Legion of the Bouncy Castle Inc.	Java, C#	Java 1.80 / January 14, 2025; 4 months ago (2025-01-14)[2] Java LTS BC-LJA 2.73.7 / November 8, 2024; 6 months ago (2024-11-08)[3] Java FIPS BC-FJA 2.0.0 / July 30, 2024; 9 months ago (2024-07-30)[4] C# 2.5.1 / February 14, 2025; 3 months ago (2025-02-14)[5] C# FIPS BC-FNA 1.0.2 / March 11, 2024; 14 months ago (2024-03-11)[6]	Australia
BSAFE	Dell, formerly RSA Security	No	Proprietary	Dell	Java, C, assembly	SSL-J 6.6 (July 2, 2024; 10 months ago (2024-07-02)[7]) [±] SSL-J 7.3.1 (October 7, 2024; 7 months ago (2024-10-07)[8]) [±] Micro Edition Suite 5.0.3 (December 3, 2024; 5 months ago (2024-12-03)[9]) [±]	Australia
cryptlib	Peter Gutmann	Yes	Sleepycat License and commercial license	Peter Gutmann	C	3.4.5 (2019; 6 years ago (2019)[10]) [±]	NZ
GnuTLS	GnuTLS project	Yes	LGPL-2.1-or-later	Free Software Foundation	C	3.8.9[11]  2025-02-08	EU (Greece and Sweden)
Java Secure Socket Extension (JSSE)	Oracle	Yes	GNU GPLv2 and commercial license	Oracle	Java	23.0.1 (October 15, 2024; 7 months ago (2024-10-15)[12]) [±] 21.0.5 LTS (October 15, 2024; 7 months ago (2024-10-15)[13]) [±] 17.0.13 LTS (October 15, 2024; 7 months ago (2024-10-15)[14]) [±] 11.0.25 LTS (October 15, 2024; 7 months ago (2024-10-15)[15]) [±] 8u431 LTS (October 15, 2024; 7 months ago (2024-10-15)[16]) [±]	US
LibreSSL	OpenBSD Project	Yes	Apache-1.0, BSD-4-Clause, ISC, and public domain	Eric Young, Tim Hudson, Sun, OpenSSL project, OpenBSD Project, and others	C, assembly	4.1.0[17]  2025-04-30	Canada
MatrixSSL[18]	PeerSec Networks	Yes	GNU GPLv2+ and commercial license	PeerSec Networks	C	4.2.2 (September 11, 2019; 5 years ago (2019-09-11) [19]) [±]	US
Mbed TLS (previously PolarSSL)	Arm	Yes	Apache License 2.0, GNU GPLv2+ and commercial license	Arm Holdings	C	3.6.3[20] (24 March 2025; 57 days ago (24 March 2025)) [±]	EU (Netherlands)
Network Security Services (NSS)	Mozilla, AOL, Red Hat, Sun, Oracle, Google and others	Yes	MPL 2.0	NSS contributors	C, assembly	Standard 3.84 / October 12, 2022; 2 years ago (2022-10-12)[21] Extended Support Release 3.79.1 / August 18, 2022; 2 years ago (2022-08-18)[21]	US
OpenSSL	OpenSSL project	Yes	Apache-2.0[a]	Eric Young, Tim Hudson, Sun, OpenSSL project, and others	C, assembly	3.5.0[22]  2025-04-08	Australia/EU
Rustls	Joe Birr-Pixton, Dirkjan Ochtman, Daniel McCarney, Josh Aas, and open source contributors	Yes	Apache-2.0, MIT License and ISC	Open source contributors	Rust	v0.23.25 (March 17, 2025; 2 months ago (2025-03-17)[23]) [±]	United Kingdom
s2n	Amazon	Yes	Apache License 2.0, GNU GPLv2+ and commercial license	Amazon.com, Inc.	C	Continuous	US
Schannel	Microsoft	No	Proprietary	Microsoft Corporation		Windows 11, 2021-10-05	US
Secure Transport	Apple Inc.	Yes	APSL 2.0	Apple Inc.		57337.20.44 (OS X 10.11.2), 2015-12-08	US
wolfSSL (previously CyaSSL)	wolfSSL[24]	Yes	GNU GPLv2+ and commercial license	wolfSSL Inc.[25]	C, assembly	5.8.0 (April 24, 2025; 26 days ago (2025-04-24)[26]) [±]	US
Erlang/OTP SSL application	Ericsson	Yes	Apache License 2.0	Ericsson	Erlang	OTP-21, 2018-06-19	Sweden
Implementation	Developed by	Open source	Software license	Copyright owner	Written in	Latest stable version, release date	Origin

1. Apache-2.0 for OpenSSL 3.0 and later releases. OpenSSL-SSLeay dual-license for any release before OpenSSL 3.0.

TLS/SSL protocol version support

Several versions of the TLS protocol exist. SSL 2.0 is a deprecated^[27] protocol version with significant weaknesses. SSL 3.0 (1996) and TLS 1.0 (1999) are successors with two weaknesses in CBC-padding that were explained in 2001 by Serge Vaudenay.^[28] TLS 1.1 (2006) fixed only one of the problems, by switching to random initialization vectors (IV) for CBC block ciphers, whereas the more problematic use of mac-pad-encrypt instead of the secure pad-mac-encrypt was addressed with RFC 7366.^[29] A workaround for SSL 3.0 and TLS 1.0, roughly equivalent to random IVs from TLS 1.1, was widely adopted by many implementations in late 2011.^[30] In 2014, the POODLE vulnerability of SSL 3.0 was discovered, which takes advantage of the known vulnerabilities in CBC, and an insecure fallback negotiation used in browsers.^[31]

TLS 1.2 (2008) introduced a means to identify the hash used for digital signatures. While permitting the use of stronger hash functions for digital signatures in the future (rsa,sha256/sha384/sha512) over the SSL 3.0 conservative choice (rsa,sha1+md5), the TLS 1.2 protocol change inadvertently and substantially weakened the default digital signatures and provides (rsa,sha1) and even (rsa,md5).^[32]

Datagram Transport Layer Security (DTLS or Datagram TLS) 1.0 is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated. The revision DTLS 1.2 based on TLS 1.2 was published in January 2012.^[33]

TLS 1.3 (2018) specified in RFC 8446 includes major optimizations and security improvements. QUIC (2021) specified in RFC 9000 and DTLS 1.3 (2022) specified in RFC 9147 builds on TLS 1.3. The publishing of TLS 1.3 and DTLS 1.3 obsoleted TLS 1.2 and DTLS 1.2.

Note that there are known vulnerabilities in SSL 2.0 and SSL 3.0. In 2021, IETF published RFC 8996 also forbidding negotiation of TLS 1.0, TLS 1.1, and DTLS 1.0 due to known vulnerabilities. NIST SP 800-52 requires support of TLS 1.3 by January 2024. Support of TLS 1.3 means that two compliant nodes will never negotiate TLS 1.2.

Implementation	SSL 2.0 (insecure)[34]	SSL 3.0 (insecure)[35]	TLS 1.0 (deprecated)[36]	TLS 1.1 (deprecated)[37]	TLS 1.2[38]	TLS 1.3	DTLS 1.0 (deprecated)[39]	DTLS 1.2[33]
Botan	No	No[40]	No	No	Yes	Yes	No	Yes
BoringSSL			Yes	Yes	Yes	Yes	Yes	Yes
Bouncy Castle	No	No	Yes	Yes	Yes	Yes (draft version)	Yes	Yes
BSAFE SSL-J[41]	No	Disabled by default	No[a]	No[a]	Yes	Yes	No	No
cryptlib	No	Disabled by default at compile time	Yes	Yes	Yes		No	No
GnuTLS	No[b]	Disabled by default[42]	Yes	Yes	Yes	Yes[43]	Yes	Yes
JSSE	No[b]	Disabled by default[44]	Disabled by default[45]	Disabled by default[45]	Yes	Yes	Yes	Yes
LibreSSL	No[46]	No[47]	Yes	Yes	Yes	Yes	Yes	Yes[48]
MatrixSSL	No	Disabled by default at compile time[49]	Yes	Yes	Yes	Yes	Yes	Yes
Mbed TLS	No	No[50]	No[50]	No[50]	Yes	Yes (experimental)	Yes[51]	Yes[51]
NSS	No[c]	Disabled by default[52]	Yes	Yes[53]	Yes[54]	Yes[55]	Yes[53]	Yes[56]
OpenSSL	No[57]	Disabled by default	Yes	Yes[58]	Yes[58]	Yes	Yes	Yes[59]
Rustls	No[60]	No[60]	No[60]	No[60]	Yes[60]	Yes[60]	No	No
s2n[61]	No	Disabled by default	Yes	Yes	Yes	Yes	No	No
Schannel XP, 2003[62]	Disabled by default in MSIE 7	Enabled by default	Enabled by default in MSIE 7	No	No	No	No	No
Schannel Vista[63]	Disabled by default	Enabled by default	Yes	No	No	No	No	No
Schannel 2008[63]	Disabled by default	Enabled by default	Yes	Disabled by default (KB4019276)	Disabled by default (KB4019276)	No	No	No
Schannel 7, 2008R2[64]	Disabled by default	Disabled by default in MSIE 11	Yes	Enabled by default in MSIE 11	Enabled by default in MSIE 11	No	Yes[65]	No[65]
Schannel 8, 2012[64]	Disabled by default	Enabled by default	Yes	Disabled by default	Disabled by default	No	Yes	No
Schannel 8.1, 2012R2, 10 RTM & v1511[64]	Disabled by default	Disabled by default in MSIE 11	Yes	Yes	Yes	No	Yes	No
Schannel 10 v1607 / 2016[66]	No	Disabled by default	Yes	Yes	Yes	No	Yes	Yes
Schannel 11 / 2022[67]	No	Disabled by default	Yes	Yes	Yes	Yes	Yes	Yes
Secure Transport OS X 10.2-10.7, iOS 1-4	Yes	Yes	Yes	No	No		No	No
Secure Transport OS X 10.8-10.10, iOS 5-8	No[d]	Yes	Yes	Yes[d]	Yes[d]		Yes[d]	No
Secure Transport OS X 10.11, iOS 9	No	No[d]	Yes	Yes	Yes		Yes	Un­known
Secure Transport OS X 10.13, iOS 11	No	No[d]	Yes	Yes	Yes	Yes (draft version)[68]	Yes	Un­known
wolfSSL	No	Disabled by default[69]	Disabled by default[70]	Yes	Yes	Yes	Yes	Yes
Erlang/OTP SSL application[71]	No [e]	No [f]	Disabled by default [e]	Disabled by default [e]	Yes	Partially [g]	Disabled by default [e]	Yes
Implementation	SSL 2.0 (insecure)[34]	SSL 3.0 (insecure)[35]	TLS 1.0 (deprecated)[36]	TLS 1.1 (deprecated)[37]	TLS 1.2[38]	TLS 1.3	DTLS 1.0 (deprecated)[39]	DTLS 1.2[33]

1. As of SSL-J 7.0, support for TLS 1.0 and 1.1 has been removed
2. SSL 2.0 client hello is supported for backward compatibility reasons even though SSL 2.0 is not supported.
3. Server-side implementation of the SSL/TLS protocol still supports processing of received v2-compatible client hello messages."NSS 3.24 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2016-08-26. Retrieved 2016-06-19.
4. Secure Transport: SSL 2.0 was discontinued in OS X 10.8. SSL 3.0 was discontinued in OS X 10.11 and iOS 9.TLS 1.1, 1.2 and DTLS are available on iOS 5.0 and later, and OS X 10.9 and later."Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
5. Since OTP 22
6. Since OTP 23
7. "Erlang OTP SSL application TLS 1.3 compliance table".

NSA Suite B Cryptography

Required components for NSA Suite B Cryptography (RFC 6460) are:

• Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits. For traffic flow, AES should be used with either the Counter Mode (CTR) for low bandwidth traffic or the Galois/Counter Mode (GCM) mode of operation for high bandwidth traffic (see Block cipher modes of operation) — symmetric encryption
• Elliptic Curve Digital Signature Algorithm (ECDSA) — digital signatures
• Elliptic Curve Diffie–Hellman (ECDH) — key agreement
• Secure Hash Algorithm 2 (SHA-256 and SHA-384) — message digest

Per CNSSP-15, the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.

Implementation	TLS 1.2 Suite B
Botan	Yes
Bouncy Castle	Yes
BSAFE	Yes[41]
cryptlib	Yes
GnuTLS	Yes
JSSE	Yes[72]
LibreSSL	Yes
MatrixSSL	Yes
Mbed TLS	Yes
NSS	No[73]
OpenSSL	Yes[59]
Rustls	Yes[60]
S2n
Schannel	Yes[74]
Secure Transport	No
wolfSSL	Yes
Implementation	TLS 1.2 Suite B

Certifications

Note that certain certifications have received serious negative criticism from people who are actually involved in them.^[75]

Implementation	FIPS 140-1, FIPS 140-2[76]		FIPS 140-3
	Level 1	Level 2[disputed – discuss]	Level 1
Botan[77]
Bouncy Castle	BC-FJA 1.0.0 (#2768) BC-FJA 1.0.1 (#3152)
BSAFE SSL-J[78]	Crypto-J 6.0 (1785, 1786) Crypto-J 6.1 / 6.1.1.0.1 (2057, 2058) Crypto-J 6.2 / 6.2.1.1 (2468, 2469) Crypto-J 6.2.4 (3172, 3184) Crypto-J 6.2.5 (#3819, #3820) Crypto-J 6.3 (#4696, #4697)		Crypto-J 7.0 (4892)
cryptlib[79]
GnuTLS[80]	Red Hat Enterprise Linux GnuTLS Cryptographic Module (#2780)
JSSE
LibreSSL[46]	no support
MatrixSSL[81]	SafeZone FIPS Cryptographic Module: 1.1 (#2389)
Mbed TLS[82]
NSS[83]	Network Security Services: 3.2.2 (#247) Network Security Services Cryptographic Module: 3.11.4 (#815), 3.12.4 (#1278), 3.12.9.1 (#1837)	Netscape Security Module: 1 (#7[notes 1]), 1.01 (#47[notes 2]) Network Security Services: 3.2.2 (#248[notes 3]) Network Security Services Cryptographic Module: 3.11.4 (#814[notes 4]), 3.12.4 (#1279, #1280[notes 5])
OpenSSL[84]	OpenSSL FIPS Object Module: 1.0 (#624), 1.1.1 (#733), 1.1.2 (#918), 1.2, 1.2.1, 1.2.2, 1.2.3 or 1.2.4 (#1051) 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7 or 2.0.8 (#1747)
Rustls			aws-lc FIPS module[85] (#4759)
Schannel[86]	Cryptographic modules in Windows NT 4.0, 95, 95, 2000, XP, Server 2003, CE 5, CE 6, Mobile 6.x, Vista, Server 2008, 7, Server 2008 R2, 8, Server 2012, RT, Surface, Phone 8 See details on Microsoft FIPS 140 Validated Cryptographic Modules
Secure Transport	Apple FIPS Cryptographic Module: 1.0 (OS X 10.6, #1514), 1.1 (OS X 10.7, #1701) Apple OS X CoreCrypto Module; CoreCrypto Kernel Module: 3.0 (OS X 10.8, #1964, #1956), 4.0 (OS X 10.9, #2015, #2016) Apple iOS CoreCrypto Module; CoreCrypto Kernel Module: 3.0 (iOS 6, #1963, #1944), 4.0 (iOS 7, #2020, #2021)
wolfSSL[87]	wolfCrypt FIPS Module: 4.0 (#3389) See details on NIST certificate for validated Operating Environments wolfCrypt FIPS Module: 3.6.0 (#2425) See details on NIST certificate for validated Operating Environments		wolfCrypt FIPS Module (#4178) See details on NIST certificate
Implementation	Level 1	Level 2	Level 1
	FIPS 140-1, FIPS 140-2		FIPS 140-3

1. with Sun Sparc 5 w/ Sun Solaris v 2.4SE (ITSEC-rated)
2. with Sun Ultra-5 w/ Sun Trusted Solaris version 2.5.1 (ITSEC-rated)
3. with Solaris v8.0 with AdminSuite 3.0.1 as specified in UK IT SEC CC Report No. P148 EAL4 on a SUN SPARC Ultra-1
4. with these platforms; Red Hat Enterprise Linux Version 4 Update 1 AS on IBM xSeries 336 with Intel Xeon CPU, Trusted Solaris 8 4/01 on Sun Blade 2500 Workstation with UltraSPARC IIIi CPU
5. with these platforms; Red Hat Enterprise Linux v5 running on an IBM System x3550, Red Hat Enterprise Linux v5 running on an HP ProLiant DL145, Sun Solaris 10 5/08 running on a Sun SunBlade 2000 workstation, Sun Solaris 10 5/08 running on a Sun W2100z workstation

Key exchange algorithms (certificate-only)

This section lists the certificate verification functionality available in the various implementations.

Implementation	RSA[38]	RSA-EXPORT (insecure)[38]	DHE-RSA (forward secrecy)[38]	DHE-DSS (forward secrecy)[38]	ECDH-ECDSA[88]	ECDHE-ECDSA (forward secrecy)[88]	ECDH-RSA[88]	ECDHE-RSA (forward secrecy)[88]	GOST R 34.10-94, 34.10-2001[89]
Botan	Disabled by default	No	Yes	Disabled by default	No	Yes	No	Yes	No
BSAFE	Yes	No	Yes	Yes	Yes	Yes	Yes	Yes	No
cryptlib	Yes	No	Yes	Yes	No	Yes	No	No	No
GnuTLS	Yes	No	Yes	Disabled by default[42]	No	Yes	No	Yes	No
JSSE	Yes	Disabled by default	Yes	Yes	Yes	Yes	Yes	Yes	No
LibreSSL	Yes	No[46]	Yes	Yes	No	Yes	No	Yes	Yes[90]
MatrixSSL	Yes	No	Yes	No	Yes	Yes	Yes	Yes	No
Mbed TLS	Yes	No	Yes	No	Yes	Yes	Yes	Yes	No
NSS	Yes	Disabled by default	Yes[91]	Yes	Yes	Yes	Yes	Yes	No[92][93]
OpenSSL	Yes	No[57]	Yes	Disabled by default[57]	No	Yes	No	Yes	Yes[94]
Rustls	No	No	No	No	No	Yes[60]	No	Yes[60]	No
Schannel XP/2003	Yes	Yes	No	XP: Max 1024 bits 2003: 1024 bits only	No	No	No	No	No[95]
Schannel Vista/2008	Yes	Disabled by default	No	1024 bits by default[96]	No	Yes	No	except AES_GCM	No[95]
Schannel 8/2012	Yes	Disabled by default	AES_GCM only[97][98][99]	1024 bits by default[96]	No	Yes	No	except AES_GCM	No[95]
Schannel 7/2008R2, 8.1/2012R2	Yes	Disabled by default	Yes	2048 bits by default[96]	No	Yes	No	except AES_GCM	No[95]
Schannel 10	Yes	Disabled by default	Yes	2048 bits by default[96]	No	Yes	No	Yes	No[95]
Secure Transport OS X 10.6	Yes	Yes	except AES_GCM	Yes	Yes	except AES_GCM	yes	except AES_GCM	No
Secure Transport OS X 10.8-10.10	Yes	No	except AES_GCM	No	Yes	except AES_GCM	Yes	except AES_GCM	No
Secure Transport OS X 10.11	Yes	No	Yes	No	No	Yes	No	Yes	No
wolfSSL	Yes	No	Yes	No	Yes	Yes	Yes	Yes	No
Erlang/OTP SSL application	Yes	No	Yes	Yes	Yes	Yes	Yes	Yes	No
Implementation	RSA[38]	RSA-EXPORT (insecure)[38]	DHE-RSA (forward secrecy)[38]	DHE-DSS (forward secrecy)[38]	ECDH-ECDSA[88]	ECDHE-ECDSA (forward secrecy)[88]	ECDH-RSA[88]	ECDHE-RSA (forward secrecy)[88]	GOST R 34.10-94, 34.10-2001[89]

Key exchange algorithms (alternative key-exchanges)

Implementation	SRP[100]	SRP-DSS[100]	SRP-RSA[100]	PSK-RSA[101]	PSK[101]	DHE-PSK (forward secrecy)[101]	ECDHE-PSK (forward secrecy)[102]	KRB5[103]	DH-ANON[38] (insecure)	ECDH-ANON[88] (insecure)
Botan	No	No	No	No	Yes	No	Yes	No	No	No
BSAFE SSL-J	No	No	No	No	Yes[104]	No	No	No	Disabled by default	Disabled by default
cryptlib	No	No	No	No	Yes	Yes	No	Un­known	No	No
GnuTLS	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	Disabled by default	Disabled by default
JSSE	No	No	No	No	No	No	No	No	Disabled by default	Disabled by default
LibreSSL	No[105]	No[105]	No[105]	No	No	No	No	No	Yes	Yes
MatrixSSL	No	No	No	Yes	Yes	Yes	No	No	Disabled by default	No
Mbed TLS	No	No	No	Yes	Yes	Yes	Yes	No	No	No
NSS	No[106]	No[106]	No[106]	No[107]	No[107]	No[107]	No[107]	No	Client side only, disabled by default[108]	Disabled by default[109]
OpenSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes[110]	Disabled by default[111]	Disabled by default[111]
Rustls	No	No	No	No	No	No	No	No	No	No
Schannel	No	No	No	No	No	No	No	Yes	No	No
Secure Transport	No	No	No	No	No	No	No	Un­known	Yes	Yes
wolfSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes[112]	Yes	No	No
Erlang/OTP SSL application	Disabled by default	Disabled by default	Disabled by default	Disabled by default	Disabled by default	Disabled by default	No	No	Disabled by default	Disabled by default
Implementation	SRP[100]	SRP-DSS[100]	SRP-RSA[100]	PSK-RSA[101]	PSK[101]	DHE-PSK (forward secrecy)[101]	ECDHE-PSK (forward secrecy)[102]	KRB5[103]	DH-ANON[38] (insecure)	ECDH-ANON[88] (insecure)

Certificate verification methods

Implementation	Application-defined	PKIX path validation[113]	CRL[114]	OCSP[115]	DANE (DNSSEC)[116][117]	CT[118]
Botan	Yes	Yes	Yes	Yes	No	Un­known
Bouncy Castle	Yes	Yes	Yes	Yes	Yes	Un­known
BSAFE	Yes	Yes	Yes	Yes	No	Un­known
cryptlib	Yes	Yes	Yes	Yes	No	Un­known
GnuTLS	Yes	Yes	Yes	Yes	Yes	Un­known
JSSE	Yes	Yes	Yes	Yes	No	No
LibreSSL	Yes	Yes	Yes	Yes	No	Un­known
MatrixSSL	Yes	Yes	Yes	Yes[119]	No	Un­known
Mbed TLS	Yes	Yes	Yes	No[120]	No	Un­known
NSS	Yes	Yes	Yes	Yes	No[121]	Un­known
OpenSSL	Yes	Yes	Yes	Yes	Yes	Yes
Rustls	Yes	Yes	Yes	No	No	No
s2n			No [122]	Un­known [123]		Un­known [124]
Schannel	Un­known	Yes	Yes[125]	Yes[125]	No	Un­known
Secure Transport	Yes	Yes	Yes	Yes	No	Un­known
wolfSSL	Yes	Yes	Yes	Yes	No	Un­known
Erlang/OTP SSL application	Yes	Yes	Yes	No	No	Un­known
Implementation	Application-defined	PKIX path validation	CRL	OCSP	DANE (DNSSEC)	CT

Encryption algorithms

Implementation	Block cipher with mode of operation										Stream cipher	None
	AES GCM [126]	AES CCM [127]	AES CBC	Camellia GCM [128]	Camellia CBC [129][128]	ARIA GCM [130]	ARIA CBC [130]	SEED CBC [131]	3DES EDE CBC (insecure)[132]	GOST 28147-89 CNT (proposed) [89][n 1]	ChaCha20-Poly1305 [133]	Null (insecure) [n 2]
Botan	Yes	Yes	Yes	Yes	Yes	No	No	Disabled by default	Disabled by default	No	Yes[134]	Not implemented
BoringSSL	Yes	No	Yes	No	No	No	No	No	Yes	No	Yes
BSAFE SSL-J	Yes	Yes	Yes	No	No	No	No	No	Disabled by default	No	No	Disabled by default
cryptlib	Yes	No	Yes	No	No	No	No	No	Yes	No	No	Not implemented
GnuTLS	Yes	Yes[42]	Yes	Yes	Yes	No	No	No	Disabled by default[135]	No	Yes[136]	Disabled by default
JSSE	Yes	No	Yes	No	No	No	No	No	Disabled by default[137]	No	Yes (JDK 12+)[138]	Disabled by default
LibreSSL	Yes[46]	No	Yes	No	Yes[90]	No	No	No[46]	Yes	Yes[90]	Yes[46]	Disabled by default
MatrixSSL	Yes	No	Yes	No	No	No	No	Yes	Disabled by default	No	Yes[139]	Disabled by default
Mbed TLS	Yes	Yes [140]	Yes	Yes	Yes	Yes[141]	Yes[141]	No	No[50]	No	Yes[142]	Disabled by default at compile time
NSS	Yes[143]	No	Yes	No[144][n 3]	Yes[145]	No	No	Yes[146]	Yes	No[92][93]	Yes[147]	Disabled by default
OpenSSL	Yes[148]	Disabled by default[57]	Yes	No	Disabled by default[57]	Disabled by default[149]	No	Disabled by default[57]	Disabled by default[57]	Yes[94]	Yes[57]	Disabled by default
Rustls	Yes[60]	No	No	No	No	No	No	No	No	No	Yes[60]	Not implemented
Schannel XP/2003	No	No	2003 only[150]	No	No	No	No	No	Yes	No[95]	No	Disabled by default
Schannel Vista/2008, 2008R2, 2012	No	No	Yes	No	No	No	No	No	Yes	No[95]	No	Disabled by default
Schannel 7, 8, 8.1/2012R2	Yes except ECDHE_RSA [97][98]	No	Yes	No	No	No	No	No	Yes	No[95]	No	Disabled by default
Schannel 10[151]	Yes	No	Yes	No	No	No	No	No	Yes	No[95]	No	Disabled by default
Secure Transport OS X 10.6 - 10.10	No	No	Yes	No	No	No	No	No	Yes	No	No	Disabled by default
Secure Transport OS X 10.11	Yes	No	Yes	No	No	No	No	No	Yes	No	No	Disabled by default
wolfSSL	Yes	Yes	Yes	No	No	No	No	No	Yes	No	Yes	Disabled by default
Erlang/OTP SSL application	Yes	No	Yes	No	No	No	No	No	Disabled by default	No	Experimental	Disable by default
Implementation	Block cipher with mode of operation										Stream cipher	None
	AES GCM [126]	AES CCM [127]	AES CBC	Camellia GCM [128]	Camellia CBC [129][128]	ARIA GCM [130]	ARIA CBC [130]	SEED CBC [131]	3DES EDE CBC (insecure)[132]	GOST 28147-89 CNT (proposed) [89][n 1]	ChaCha20-Poly1305 [133]	Null (insecure) [n 2]

Notes

1. This algorithm is not defined yet as TLS cipher suites in RFCs, is proposed in drafts.
2. authentication only, no encryption
3. This algorithm is implemented in an NSS fork used by Pale Moon.

Obsolete algorithms

Implementation	Block cipher with mode of operation				Stream cipher
	IDEA CBC [n 1](insecure)[153]	DES CBC (insecure) [n 1]	DES-40 CBC (EXPORT, insecure) [n 2]	RC2-40 CBC (EXPORT, insecure) [n 2]	RC4-128 (insecure) [n 3]	RC4-40 (EXPORT, insecure) [n 4][n 2]
Botan	No	No	No	No	No[154]	No
BoringSSL	No	No	No	No	Disabled by default at compile time	No
BSAFE SSL-J	No	Disabled by default	Disabled by default	No	Disabled by default	Disabled by default
cryptlib	No	Disabled by default at compile time	No	No	Disabled by default at compile time	No
GnuTLS	No	No	No	No	Disabled by default[42]	No
JSSE	No	Disabled by default	Disabled by default	No	Disabled by default	Disabled by default [155]
LibreSSL	Yes	Yes	No[46]	No[46]	Yes	No[46]
MatrixSSL	Yes	No	No	No	Disabled by default	No
Mbed TLS	No	Disabled by default at compile time	No	No	Disabled by default at compile time[51]	No
NSS	Yes	Disabled by default	Disabled by default	Disabled by default	Lowest priority[156][157]	Disabled by default
OpenSSL	Disabled by default[57]	Disabled by default	No[57]	No[57]	Disabled by default	No[57]
Rustls	No	No	No	No	No	No
Schannel XP/2003	No	Yes	Yes	Yes	Yes	Yes
Schannel Vista/2008	No	Disabled by default	Disabled by default	Disabled by default	Yes	Disabled by default
Schannel 7/2008R2	No	Disabled by default	Disabled by default	Disabled by default	Lowest priority will be disabled soon[158]	Disabled by default
Schannel 8/2012	No	Disabled by default	Disabled by default	Disabled by default	Only as fallback	Disabled by default
Schannel 8.1/2012R2	No	Disabled by default	Disabled by default	Disabled by default	Disabled by default[158]	Disabled by default
Schannel 10[151]	No	Disabled by default	Disabled by default	Disabled by default	Disabled by default[158]	Disabled by default
Secure Transport OS X 10.6	Yes	Yes	Yes	Yes	Yes	Yes
Secure Transport OS X 10.7	Yes	Un­known	Un­known	Un­known	Yes	Un­known
Secure Transport OS X 10.8-10.9	Yes	Disabled by default	Disabled by default	Disabled by default	Yes	Disabled by default
Secure Transport OS X 10.10-10.11	Yes	Disabled by default	Disabled by default	Disabled by default	Lowest priority	Disabled by default
Secure Transport macOS 10.12	Yes	Disabled by default	Disabled by default	Disabled by default	Disabled by default	Disabled by default
wolfSSL	Disabled by default[159]	No	No	No	Disabled by default	No
Erlang/OTP SSL application	no	Disabled by default	no	no	Disabled by default	no
Implementation	Block cipher with mode of operation				Stream cipher
	IDEA CBC [n 1](insecure)[153]	DES CBC (insecure) [n 1]	DES-40 CBC (EXPORT, insecure) [n 2]	RC2-40 CBC (EXPORT, insecure) [n 2]	RC4-128 (insecure) [n 3]	RC4-40 (EXPORT, insecure) [n 4][n 2]

Notes

1. IDEA and DES have been removed from TLS 1.2.^[152]
2. 40 bits strength of cipher suites were designed to operate at reduced key lengths in order to comply with US regulations about the export of cryptographic software containing certain strong encryption algorithms (see Export of cryptography from the United States). These weak suites are forbidden in TLS 1.1 and later.
3. The RC4 attacks weaken or break RC4 used in SSL/TLS. Use of RC4 is prohibited by RFC 7465.
4. The RC4 attacks weaken or break RC4 used in SSL/TLS.

Supported elliptic curves

This section lists the supported elliptic curves by each implementation.

Defined curves in RFC 8446 (for TLS 1.3) and RFC 8422, 7027 (for TLS 1.2 and earlier)

applicable TLS version	TLS 1.3 and earlier					TLS 1.2 and earlier
Implementation	secp256r1 prime256v1 NIST P-256 (0x0017,[160] 23[161])	secp384r1 NIST P-384 (0x0018,[160] 24[161])	secp521r1 NIST P-521 (0x0019,[160] 25[161])	X25519 (0x001D,[160] 29[161])	X448 (0x001E,[160] 30[161])	brainpoolP256r1 (26)[162]	brainpoolP384r1 (27)[162]	brainpoolP512r1 (28)[162]
Botan	Yes	Yes	Yes	Yes[134]	No	Yes[163]	Yes[163]	Yes[163]
BoringSSL	Yes	Yes	Yes (disabled by default)	Yes	No	No	No	No
BSAFE	Yes	Yes	Yes	No	No	No	No	No
GnuTLS	Yes	Yes	Yes	Yes[164]	Yes[165]	No	No	No
JSSE	Yes	Yes	Yes	Yes x25519: JDK 13+[166] Ed25519:JDK 15+[167]	Yes x448: JDK 13+[166] Ed448: JDK 15+[167]	No	No	No
LibreSSL	Yes	Yes	Yes	Yes[168]	No	Yes[46]	Yes[46]	Yes[46]
MatrixSSL	Yes	Yes	Yes	TLS 1.3 only[169]	No	Yes	Yes	Yes
Mbed TLS	Yes	Yes	Yes	Primitive only[170]	Primitive only[171]	Yes[172]	Yes[172]	Yes[172]
NSS	Yes	Yes	Yes	Yes[173]	No[174][175]	No[176]	No[176]	No[176]
OpenSSL	Yes	Yes	Yes	Yes[177][178]	Yes[179][180]	Yes[59]	Yes[59]	Yes[59]
Rustls	Yes	Yes	No	Yes	No	No	No	No
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10	Yes	Yes	Yes	No	No	No	No	No
Secure Transport	Yes	Yes	Yes	No	No	No	No	No
wolfSSL	Yes	Yes	Yes	Yes[181]	Yes[182]	Yes	Yes	Yes
Erlang/OTP SSL application	Yes	Yes	Yes	No	No	Yes	Yes	Yes
Implementation	secp256r1 prime256v1 NIST P-256 (0x0017, 23)	secp384r1 NIST P-384 (0x0018, 24)	secp521r1 NIST P-521 (0x0019, 25)	X25519 (0x001D, 29)	X448 (0x001E, 30)	brainpoolP256r1 (26)	brainpoolP384r1 (27)	brainpoolP512r1 (28)

Deprecated curves in RFC 8422

Implementation	sect163k1 NIST K-163 (1)[88]	sect163r1 (2)[88]	sect163r2 NIST B-163 (3)[88]	sect193r1 (4)[88]	sect193r2 (5)[88]	sect233k1 NIST K-233 (6)[88]	sect233r1 NIST B-233 (7)[88]	sect239k1 (8)[88]	sect283k1 NIST K-283 (9)[88]	sect283r1 NIST B-283 (10)[88]	sect409k1 NIST K-409 (11)[88]	sect409r1 NIST B-409 (12)[88]	sect571k1 NIST K-571 (13)[88]	sect571r1 NIST B-571 (14)[88]
Botan	No	No	No	No	No	No	No	No	No	No	No	No	No	No
BoringSSL	No	No	No	No	No	No	No	No	No	No	No	No	No	No
BSAFE	Yes	No	Yes	No	No	Yes	Yes	No	Yes	Yes	Yes	Yes	Yes	Yes
GnuTLS	No	No	No	No	No	No	No	No	No	No	No	No	No	No
JSSE	Notes[a][b]	Notes[a][b]	Notes[a][b]	Notes[a][b]	Notes[a][b]	Notes[a][b]	Notes[a][b]	Notes[a][b]	Notes[a][b]	Notes[a][b]	Notes[a][b]	Notes[a][b]	Notes[a][b]	Notes[a][b]
LibreSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
MatrixSSL	No	No	No	No	No	No	No	No	No	No	No	No	No	No
Mbed TLS	No	No	No	No	No	No	No	No	No	No	No	No	No	No
NSS	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
OpenSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Rustls	No	No	No	No	No	No	No	No	No	No	No	No	No	No
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10	No	No	No	No	No	No	No	No	No	No	No	No	No	No
Secure Transport	No	No	No	No	No	No	No	No	No	No	No	No	No	No
wolfSSL	No	No	No	No	No	No	No	No	No	No	No	No	No	No
Erlang/OTP SSL application	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Implementation	sect163k1 NIST K-163 (1)	sect163r1 (2)	sect163r2 NIST B-163 (3)	sect193r1 (4)	sect193r2 (5)	sect233k1 NIST K-233 (6)	sect233r1 NIST B-233 (7)	sect239k1 (8)	sect283k1 NIST K-283 (9)	sect283r1 NIST B-283 (10)	sect409k1 NIST K-409 (11)	sect409r1 NIST B-409 (12)	sect571k1 NIST K-571 (13)	sect571r1 NIST B-571 (14)

Implementation	secp160k1 (15)[88]	secp160r1 (16)[88]	secp160r2 (17)[88]	secp192k1 (18)[88]	secp192r1 prime192v1 NIST P-192 (19)[88]	secp224k1 (20)[88]	secp224r1 NIST P-244 (21)[88]	secp256k1 (22)[88]	arbitrary prime curves (0xFF01)[88][185]	arbitrary char2 curves (0xFF02)[88][185]
Botan	No	No	No	No	No	No	No	No	No	No
BoringSSL	No	No	No	No	No	No	Yes	No	No	No
BSAFE	No	No	No	No	Yes	No	Yes	No	No	No
GnuTLS	No	No	No	No	Yes	No	Yes	No	No	No
JSSE	Notes[a][b]	Notes[a][b]	Notes[a][b]	Notes[a][b]	Notes[a][b]	Notes[a][b]	Notes[a][b]	Notes[a][b]	No	No
LibreSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
MatrixSSL	No	No	No	No	Yes	No	Yes	No	No	No
Mbed TLS	No	No	No	Yes	Yes	Yes	Yes	Yes	No	No
NSS	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
OpenSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
Rustls	No	No	No	No	No	No	No	No	No	No
Schannel Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2, 10	No	No	No	No	No	No	No	No	No	No
Secure Transport	No	No	No	No	Yes	No	No	No	No	No
wolfSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
Erlang/OTP SSL application	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No
Implementation	secp160k1 (15)	secp160r1 (16)	secp160r2 (17)	secp192k1 (18)	secp192r1 prime192v1 NIST P-192 (19)	secp224k1 (20)	secp224r1 NIST P-244 (21)	secp256k1 (22)	arbitrary prime curves (0xFF01)	arbitrary char2 curves (0xFF02)

Notes

1. These elliptic curves were "Disabled by Default" in current JDK families as part of JDK-8236730.^[183]
2. These elliptic curves were subsequently removed in JDK 16+ as part of JDK-8252601.^[184]

Data integrity

Implementation	HMAC-MD5	HMAC-SHA1	HMAC-SHA256/384	AEAD	GOST 28147-89 IMIT [89]	GOST R 34.11-94 [89]
Botan	No	Yes	Yes	Yes	No	No
BSAFE	Yes	Yes	Yes	Yes	No	No
cryptlib	Yes	Yes	Yes	Yes	No	No
GnuTLS	Yes	Yes	Yes	Yes	No	No
JSSE	Disabled by Default	Yes	Yes	Yes	No	No
LibreSSL	Yes	Yes	Yes	Yes	Yes [90]	Yes [90]
MatrixSSL	Yes	Yes	Yes	Yes	No	No
Mbed TLS	Yes	Yes	Yes	Yes	No	No
NSS	Yes	Yes	Yes	Yes	No [92][93]	No [92][93]
OpenSSL	Yes	Yes	Yes	Yes	Yes [94]	Yes [94]
Rustls	No	No	No	Yes	No	No
Schannel XP/2003, Vista/2008	Yes	Yes	XP SP3, 2003 SP2 via hotfix [186]	No	No [95]	No [95]
Schannel 7/2008R2, 8/2012, 8.1/2012R2	Yes	Yes	Yes	except ECDHE_RSA [97][98][99]	No [95]	No [95]
Schannel 10	Yes	Yes	Yes	Yes [151]	No [95]	No [95]
Secure Transport	Yes	Yes	Yes	Yes	No	No
wolfSSL	Yes	Yes	Yes	Yes	No	No
Erlang/OTP SSL application	Yes	Yes	Yes	Yes	No	No
Implementation	HMAC-MD5	HMAC-SHA1	HMAC-SHA256/384	AEAD	GOST 28147-89 IMIT	GOST R 34.11-94

Compression

Note the CRIME security exploit takes advantage of TLS compression, so conservative implementations do not enable compression at the TLS level. HTTP compression is unrelated and unaffected by this exploit, but is exploited by the related BREACH attack.

Implementation	DEFLATE[187] (insecure)
Botan	No
BSAFE[41]	No
cryptlib	No
GnuTLS	Disabled by default
JSSE	No
LibreSSL	No[46]
MatrixSSL	Disabled by default
Mbed TLS	Disabled by default
NSS	Disabled by default
OpenSSL	Disabled by default
Rustls	No
Schannel	No
Secure Transport	No
wolfSSL	Disabled by default
Erlang/OTP SSL application	No
Implementation	DEFLATE

Extensions

In this section the extensions each implementation supports are listed. Note that the Secure Renegotiation extension is critical for HTTPS client security ^{[citation needed]}. TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.

Implementation	Secure Renegotiation [188]	Server Name Indication [189]	ALPN [190]	Certificate Status Request [189]	OpenPGP [191]	Supplemental Data [192]	Session Ticket [193]	Keying Material Exporter [194]	Maximum Fragment Length [189]	Encrypt-then-MAC [29]	TLS Fallback SCSV [195]	Extended Master Secret [196]	ClientHello Padding [197]	Raw Public Keys [198]
Botan	Yes	Yes	Yes[199]	No	No	No	Yes	Yes	Yes	Yes	Yes[200]	Yes[201]	No	Un­known
BSAFE SSL-J	Yes	Yes	No	Yes	No	No	No	No	Yes	No	No	Yes	No	No
cryptlib	Yes	Yes	No	No	No	Yes	No	No	No[202]	Yes	Yes	Yes	No	Un­known
GnuTLS	Yes	Yes	Yes[203]	Yes	No[204]	Yes	Yes	Yes	Yes	Yes[42]	Yes[205]	Yes[42]	Yes[206]	Yes[207]
JSSE	Yes	Yes[72]	Yes[72]	Yes	No	No	Yes	No	Yes	No	No	Yes	No	No
LibreSSL	Yes	Yes	Yes[208]	Yes	No	No?	Yes	Yes?	No	No	Server side only[209]	No	Yes	No
MatrixSSL	Yes	Yes	Yes[210]	Yes[139]	No	No	Yes	No	Yes	No	Yes[139]	Yes[139]	No	Un­known
Mbed TLS	Yes	Yes	Yes[211]	No	No	No	Yes	No	Yes	Yes[212]	Yes[212]	Yes[212]	No	No
NSS	Yes	Yes	Yes[213]	Yes	No[214]	No	Yes	Yes	No	No[215]	Yes[216]	Yes[217]	Yes[213]	Un­known
OpenSSL	Yes	Yes	Yes[59]	Yes	No	No?	Yes	Yes	Yes	Yes	Yes[218]	Yes[57]	Yes[219]	Yes[220]
Rustls	Yes	Yes	Yes	Yes	No	No	Yes	Yes	No	No	No [221]	Yes	No	Un­known
Schannel XP/2003	No	No	No	No	No	Yes	No	No	No	No	No	No	No	Un­known
Schannel Vista/2008	Yes	Yes	No	No	No	Yes	No	No	No	No	No	Yes[222]	No	Un­known
Schannel 7/2008R2	Yes	Yes	No	Yes	No	Yes	No	No	No	No	No	Yes[222]	No	Un­known
Schannel 8/2012	Yes	Yes	No	Yes	No	Yes	Client side only[223]	No	No	No	No	Yes[222]	No	Un­known
Schannel 8.1/2012R2, 10	Yes	Yes	Yes	Yes	No	Yes	Yes[223]	No	No	No	No	Yes[222]	No	Un­known
Secure Transport	Yes	Yes	Un­known	No	No	Yes	No	No	No	No	No	No	No	Un­known
wolfSSL	Yes	Yes	Yes[159]	Yes	No	No	Yes	No	Yes	Yes[224]	No	Yes	No	Yes[225]
Erlang/OTP SSL application	Yes	Yes	Yes	No	No	No	No	No	No	No	Yes	No	No	Un­known
Implementation	Secure Renegotiation	Server Name Indication	ALPN	Certificate Status Request	OpenPGP	Supplemental Data	Session Ticket	Keying Material Exporter	Maximum Fragment Length	Encrypt-then-MAC	TLS Fallback SCSV	Extended Master Secret	ClientHello Padding	Raw Public Keys

Assisted cryptography

This section lists the known ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or utilize system specific devices that allow access to underlying cryptographic hardware for acceleration or for data separation.

Implementation	PKCS #11 device	Intel AES-NI	VIA PadLock	ARMv8-A	Intel SHA	NXP CAAM	TPM 2.0	NXP SE050	Microchip ATECC	STMicro STSAFE	Maxim MAXQ
Botan	Yes[226]	Yes	No	Yes		No	Yes[227]	No	No	No	No
BSAFE SSL-J [a][b]	Yes	Yes	No	Yes	Yes	No	No[230]	No	No	No	No
cryptlib	Yes	Yes	Yes	No				No	No	No	No
Crypto++		Yes			Yes			No	No	No	No
GnuTLS	Yes	Yes	Yes	Yes[231]	Yes		No[232]	No	No	No	No
JSSE	Yes	Yes[233]	No	No		No		No	No	No	No
LibreSSL	No	Yes	Yes	No				No	No	No	No
MatrixSSL	Yes	Yes	No	Yes		No		No	No	No	No
Mbed TLS	Yes	Yes[234]	Yes	No		No		Partial[235]	Yes[236]	No	No
NSS	Yes[237]	Yes[238]	No[239]	No		No		No	No	No	No
OpenSSL	Yes[240][241][242]	Yes	Yes	Yes[243]	Yes	Partial	Partial[244][245]	Partial[246]	No	Partial[247]	No
Rustls		Yes		Yes	Yes			No	No	No	No
Schannel	No	Yes	No	No		No		No	No	No	No
Secure Transport	No	Yes[248][249]	No	Yes		No		No	No	No	No
wolfSSL	Yes	Yes	No	Yes		Yes[250]	Yes[251][252]	Yes[253]	Yes[254]	Yes[255]	Yes[256]
Implementation	PKCS #11 device	Intel AES-NI	VIA PadLock	ARMv8-A	Intel SHA	NXP CAAM	TPM 2.0	NXP SE050	Microchip ATECC	STMicro STSAFE	Maxim MAXQ

1. Pure Java implementations relies on JVM processor optimization capabilities, such as OpenJDK support for AES-NI^[228]
2. BSAFE SSL-J can be configured to run in native mode, using BSAFE Crypto-C Micro Edition to benefit from processor optimization.^[229]

System-specific backends

This section lists the ability of an implementation to take advantage of the available operating system specific backends, or even the backends provided by another implementation.

Implementation	/dev/crypto	af_alg	Windows CSP	CommonCrypto	OpenSSL engine
Botan	No	No	No	No	Partial
BSAFE	No	No	No	No	No
cryptlib	No	No	No	No	No
GnuTLS	Yes	Yes	No	No	No
JSSE	No	No	Yes	No	No
LibreSSL	No	No	No	No	No[257]
MatrixSSL	No	No	No	Yes	Yes
Mbed TLS	No	No	No	No	No
NSS	No	No	No	No	No
OpenSSL	Yes	Yes	No	No	Yes
Rustls	No	Yes [258]	No	No	No
Schannel	No	No	Yes	No	No
Secure Transport	No	No	No	Yes	No
wolfSSL	Yes	Yes	Partial	No	Yes[259]
Erlang/OTP SSL application	No	No	No	No	Yes
Implementation	/dev/crypto	af_alg	Windows CSP	CommonCrypto	OpenSSL engine

Cryptographic module/token support

Implementation	TPM support	Hardware token support	Objects identified via
Botan	Partial[201]	PKCS #11
BSAFE SSL-J	No	No
cryptlib	No	PKCS #11	User-defined label
GnuTLS	Yes	PKCS #11	RFC 7512 PKCS #11 URLs[260]
JSSE	No	PKCS11 Java Cryptography Architecture, Java Cryptography Extension
LibreSSL	Yes	PKCS #11 (via 3rd party module)	Custom method
MatrixSSL	No	PKCS #11
Mbed TLS	No	PKCS #11 (via libpkcs11-helper) or standard hooks	Custom method
NSS	No	PKCS #11
OpenSSL	Yes	PKCS #11 (via 3rd party module)[261]	RFC 7512 PKCS #11 URLs[260]
Rustls	No	Microsoft CryptoAPI [262]	Custom method
Schannel	No	Microsoft CryptoAPI	UUID, User-defined label
Secure Transport
wolfSSL	Yes	PKCS #11
Implementation	TPM support	Hardware token support	Objects identified via

Code dependencies

Implementation	Dependencies	Optional dependencies
Botan	C++20	SQLite zlib (compression) bzip2 (compression) liblzma (compression) boost trousers (TPM)
GnuTLS	libc nettle gmp	zlib (compression) p11-kit (PKCS #11) trousers (TPM) libunbound (DANE)
JSSE	Java
MatrixSSL	none	zlib (compression)
MatrixSSL-open	libc or newlib
Mbed TLS	libc	libpkcs11-helper (PKCS #11) zlib (compression)
NSS	libc libnspr4 libsoftokn3 libplc4 libplds4	zlib (compression)
Rustls	rust core library	rust std library zlib-rs (compression) brotli (compression) ring (cryptography) aws-lc-rs (cryptography)
OpenSSL	libc	zlib (compression) brotli (compression) zstd (compression)
wolfSSL	None	libc zlib (compression)
Erlang/OTP SSL application	libcrypto (from OpenSSL), Erlang/OTP and its public_key, crypto and asn1 applications	Erlang/OTP -inets (http fetching of CRLs)
Implementation	Dependencies	Optional dependencies

Development environment

Implementation	Namespace	Build tools	API manual	Crypto back-end	OpenSSL compatibility Layer[clarify]
Botan	Botan::TLS	Makefile	Sphinx	Included (pluggable)	No
Bouncy Castle	org.bouncycastle	Java Development Environment	Programmers reference manual (PDF)	Included (pluggable)	No
BSAFE SSL-J	com.rsa.asn1[a] com.rsa.certj[b] com.rsa.jcp[c] com.rsa.jsafe[d] com.rsa.ssl[e] com.rsa.jsse[f]	Java class loader	Javadoc, Developer's guide (HTML)	Included	No
cryptlib	crypt*	makefile, MSVC project workspaces	Programmers reference manual (PDF), architecture design manual (PDF)	Included (monolithic)	No
GnuTLS	gnutls_*	Autoconf, automake, libtool	Manual and API reference (HTML, PDF)	External, libnettle	Yes (limited)
JSSE	javax.net.ssl sun.security.ssl	Makefile	API Reference (HTML) + JSSE Reference Guide	Java Cryptography Architecture, Java Cryptography Extension	No
MatrixSSL	matrixSsl_* ps*	Makefile, MSVC project workspaces, Xcode projects for OS X and iOS	API Reference (PDF), Integration Guide	Included (pluggable)	Yes (Subset: SSL_read, SSL_write, etc.)
Mbed TLS	mbedtls_ssl_* mbedtls_sha1_* mbedtls_md5_* mbedtls_x509* ...	Makefile, CMake, MSVC project workspaces, yotta	API Reference + High Level and Module Level Documentation (HTML)	Included (monolithic)	No
NSS	CERT_* SEC_* SECKEY_* NSS_* PK11_* SSL_* ...	Makefile	Manual (HTML)	Included, PKCS#11 based[263]	Yes (separate package called nss_compat_ossl[264])
OpenSSL	SSL_* SHA1_* MD5_* EVP_* ...	Makefile	Man pages	Included (monolithic)	—
Rustls	rustls::	cargo	API reference and design manual	Two options included (pluggable)	Yes[265] (subset)
wolfSSL	wolfSSL_* CyaSSL_* SSL_*	Autoconf, automake, libtool, MSVC project workspaces, XCode projects, CodeWarrior projects, MPLAB X projects, Keil, IAR, Clang, GCC, e2Studio	Manual and API Reference (HTML, PDF)	Included (monolithic)	Yes (about 60% of API)
Implementation	Namespace	Build tools	API manual	Crypto back-end	OpenSSL compatibility layer

1. ^
   ASN.1 manipulation classes
2. ^
   Cert-J proprietary API
3. ^
   Certificate Path manipulation classes
4. ^
   Crypto-J proprietary API, JCE, CMS and PKI
API
5. ^
   SSLJ proprietary API
6. ^
   JSSE API

Portability concerns

Implementation	Platform requirements	Network requirements	Thread safety	Random seed	Able to cross-compile	No OS (bare metal)	Supported operating systems
Botan	C++11	None	Thread-safe	Platform-dependent	Yes		Windows, Linux, macOS, Android, iOS, FreeBSD, OpenBSD, Solaris, AIX, HP-UX, QNX, BeOS, IncludeOS
BSAFE SSL-J	Java	Java SE network components	Thread-safe	Depends on java.security.SecureRandom	Yes	No	FreeBSD, Linux, macOS, Microsoft Windows, Android, AIX, Solaris
cryptlib	C89	POSIX send() and recv(). API to supply your own replacement	Thread-safe	Platform-dependent, including hardware sources	Yes	Yes	AMX, BeOS, ChorusOS, DOS, eCos, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, Palm OS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, macOS, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK
GnuTLS	C89	POSIX send() and recv(). API to supply your own replacement.	Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available.	Platform dependent	Yes	No	Generally any POSIX platforms or Windows, commonly tested platforms include Linux, Win32/64, macOS, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD.
JSSE	Java	Java SE network components	Thread-safe	Depends on java.security.SecureRandom	Yes		Java based, platform-independent
MatrixSSL	C89	None	Thread-safe	Platform dependent	Yes	Yes	All
Mbed TLS	C89	POSIX read() and write(). API to supply your own replacement.	Threading layer available (POSIX or own hooks)	Random seed set through entropy pool	Yes	Yes	Known to work on: Win32/64, Linux, macOS, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox, Android, eCos, SeggerOS, RISC OS
NSS	C89, NSPR[266]	NSPR[266] PR_Send() and PR_Recv(). API to supply your own replacement.	Thread-safe	Platform dependent[267]	Yes (but cumbersome)	No	AIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, macOS, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation
Rustls	Rust (programming language)	None	Thread-safe	Platform dependent	Yes	Yes	All supported by Rust (programming language)
OpenSSL	C89	None	Thread-safe	Platform dependent	Yes	No	Unix-like, DOS (with djgpp), Windows, OpenVMS, NetWare, eCos
wolfSSL	C89	POSIX send() and recv(). API to supply your own replacement.	Thread-safe	Random seed set through wolfCrypt	Yes	Yes	Win32/64, Linux, macOS, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Yocto Project, OpenEmbedded, WinCE, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, NonStop, TRON/ITRON/μITRON, eCos, Micrium μC/OS-III, FreeRTOS, SafeRTOS, NXP/Freescale MQX, Nucleus, TinyOS, HP/UX, AIX, ARC MQX, Keil RTX, TI-RTOS, uTasker, embOS, INtime, Mbed, uT-Kernel, RIOT, CMSIS-RTOS, FROSTED, Green Hills INTEGRITY, TOPPERS, PetaLinux, Apache mynewt
Implementation	Platform requirements	Network requirements	Thread safety	Random seed	Able to cross-compile	No OS (bare metal)	Supported operating systems

See also

• SCTP — with DTLS support
• DCCP — with DTLS support
• SRTP — with DTLS support (DTLS-SRTP) and Secure Real-Time Transport Control Protocol (SRTCP)