Below is a comparison of different free TLS implementations.

Green indicates a good situation and red a bad one. Some of these choices may be somewhat subjective; based on your feedback, we might change specific items to yellow.
| | SSLv2.0 [1] | SSLv3.0 | TLSv1.0 | TLSv1.1 | TLSv1.2 |
|---|---|---|---|---|---|
| GnuTLS | No | Yes | Yes | Yes | Yes |
| OpenSSL | Yes | Yes | Yes | No? | No? |
| NSS | Yes, off by default | Yes | Yes | No? | No? |

Notes:

[1]: SSLv2 is insecure.

| | Anon-RSA | RSA | RSA EXPORT | DHE-RSA | DHE-DSS | SRP-DSS | SRP-RSA | SRP | PSK | DHE-PSK | ECC |
|---|---|---|---|---|---|---|---|---|---|---|---|
| GnuTLS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| OpenSSL | Yes | Yes | Yes | Yes | Yes | No | No | No | No | No | Yes |
| NSS | Yes | Yes | Yes | Yes | Yes | No | No | No | No | No | Yes |

| | AES-256 CBC | AES-128 CBC | 3DES CBC | DES CBC | RC4-128 CBC | RC4-40 [1] | RC2-40 [1] | Camellia |
|---|---|---|---|---|---|---|---|---|
| GnuTLS | Yes | Yes | Yes | Yes | Yes | Yes, off by default | Yes, off by default | Yes |
| OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes? | Yes? | Yes |
| NSS | Yes | Yes | Yes | Yes | Yes | Yes? | Yes? | Yes |

Notes:

[1]: 40-bit encryption is insecure.

| | ZLIB | LZO [1] |
|---|---|---|
| GnuTLS | Yes | Yes, off by default |
| OpenSSL | Yes? | No |
| NSS | No? | No |

Notes:

[1]: LZO compression is non-standard.

| | OpenPGP | SRP | PSK | TLS/IA | Supplemental Data | Session Ticket (RFC 5077) |
|---|---|---|---|---|---|---|
| GnuTLS | Yes | Yes | Yes | Yes | Yes | No |
| OpenSSL | No | No | No | No? | No? | No? |
| NSS | No | No | No | No | No? | Yes |

| | kLOC | Debian etch x86 | OpenWRT 2008-05-11 [1] |
|---|---|---|---|
| GnuTLS | 60kLoc (core library) | Total 944kb-1250kb: 445kb (libgnutls), 327kb (libgcrypt), 73kb (libtasn1), 11kb (libgpg-error), 78kb (libz, optional), 53kb (libgnutls-extra, optional), 129kb (libopencdk, optional), 124kb (liblzo, optional) | Total 323kb: 153kb (libgnutls), 104kb (libgcrypt), 26kb (libtasn1), 5kb (libgpg-error), 35kb (zlib) |
| OpenSSL | ? | Total 1649kb: 252kb (libssl), 1319kb (libcrypto), 78kb (libz) | Total 506kb: 471kb (libopenssl), 35kb (zlib) |
| NSS | ? | Total 1136kb: 152kb (libssl3), 462kb (libnss3), 193kb (libnspr4), 307kb (libsoftokn3), 14kb (libplc4), 8kb (libplds4) | Not ported |

Notes:

[1]: Build tree available from http://josefsson.org/openwrt/. Built using default settings for all packages for an Asus WL-500gP as of 2008-05-11.

| | Namespace | Build tools | API manual | Crypto library | ASN.1 library | X.509 library | OpenPGP library |
|---|---|---|---|---|---|---|---|
| GnuTLS | gnutls_* | Autoconf, automake, libtool | Texinfo (HTML, PDF, etc), GTK-DOC, Devhelp | External, libgcrypt | External, libtasn1 | Included, monolithic | External, OpenCDK |
| OpenSSL | SSL_*, SHA1_*, MD5_*, EVP_*, ... | Makefile | Man pages | Included, monolithic | Included, monolithic | Included, monolithic | Not applicable |
| NSS | CERT_*, SEC_*, SECKEY_*, NSS_*, PK11_*, ... | Makefile | Online HTML | Included, PKCS#11 based [1] | Included, monolithic | Included, monolithic | Not applicable |

Notes:

[1]: On the fly replaceable/augmentable.

| | Platform requirements | Network requirements | Thread-safety | Random seed |
|---|---|---|---|---|
| GnuTLS | C89 | POSIX read() and write(). API to supply your own replacement. | Thread-safe, although libgcrypt needs mutex hooks | Random seed set through libgcrypt |
| OpenSSL | C89? | ? | Needs mutex callbacks | Set through native API |
| NSS | NSPR [1] | NSPR [1] | NSPR [1] | Platform dependent [2] |

Notes:

[1]: NSPR (and NSS) have been ported to the following platforms (that rrelyea@redhat.com knows about): AIX, BSD, BeOS, HP-UX, IRIX, Linux, Mac OS X, Mac OS 9, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation.

[2]: On Unix/Linux it uses /dev/urandom if available; on Windows it uses CAPI. On all platforms it gets data from the clock and tries to open system files. NSS has a set of platform dependent functions it uses to determine randomness.

| | License | Copyright owner | Origin |
|---|---|---|---|
| GnuTLS | LGPL (core library), GPL (tools) | FSF | EU (Greece and Sweden) |
| OpenSSL | OpenSSL license, BSD with advertising clause | Eric Young, Tim Hudson, Sun, OpenSSL project, ...? | Australia |
| NSS | MPL, GPL or LGPL | Netscape Inc, Sun, RedHat, RSA Security, ...? | US |

I need your help to maintain this page. Particular things that have been suggested for this page, but that I do not know how to incorporate, include:
Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA

Verbatim copying and distribution of this entire article are permitted worldwide without royalty in any medium provided this notice is preserved.

Updated: $Date: 2008/08/29 15:21:10 $ $Author: jas $