Below is a comparison of different free TLS implementations.

The colors green and red indicate good and bad situations respectively. Some of these choices may be somewhat subjective; based on your feedback, we might consider changing specific items to yellow.

We compare the stable version of each package. The software compared is GnuTLS 2.8.x, OpenSSL 0.9.8k, NSS 3.12.4, and YaSSL 1.9.6.
| | SSLv2.0 [1] | SSLv3.0 | TLSv1.0 | TLSv1.1 | TLSv1.2 |
|---|---|---|---|---|---|
| GnuTLS | No | Yes | Yes | Yes | Yes |
| OpenSSL | Yes | Yes | Yes | No | No |
| NSS | Yes, off by default | Yes | Yes | No? | No? |
| yaSSL | No | Yes | Yes | Yes | Yes |

Notes:

[1]: SSLv2 is insecure.
| | Anon-RSA | RSA | RSA EXPORT | DHE-RSA | DHE-DSS | SRP-DSS | SRP-RSA | SRP | PSK | DHE-PSK | ECC |
|---|---|---|---|---|---|---|---|---|---|---|---|
| GnuTLS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| OpenSSL | Yes | Yes | Yes | Yes | Yes | No | No | No | No | No | Yes |
| NSS | Yes | Yes | Yes | Yes | Yes | No | No | No | No | No | Yes |
| YaSSL | Yes | Yes | Yes | Yes | Yes | No | No | No | Yes | Yes | No |
| | AES-256 CBC | AES-128 CBC | 3DES CBC | DES CBC | RC4-128 CBC | RC4-40 [1] | RC2-40 [1] | Camellia |
|---|---|---|---|---|---|---|---|---|
| GnuTLS | Yes | Yes | Yes | Yes | Yes | Yes, off by default | Yes, off by default | Yes |
| OpenSSL | Yes | Yes | Yes | Yes | Yes | Yes? | Yes? | Yes |
| NSS | Yes | Yes | Yes | Yes | Yes | Yes? | Yes? | Yes |
| YaSSL | Yes | Yes | Yes | Yes | Yes | Yes, off by default | Yes, off by default | No |

Notes:

[1]: 40-bit encryption is insecure.
| | ZLIB | LZO [1] |
|---|---|---|
| GnuTLS | Yes | Yes, off by default |
| OpenSSL | Yes? | No |
| NSS | No? | No |
| YaSSL | Yes | No |

Notes:

[1]: LZO compression is non-standard.
| | OpenPGP | SRP | PSK | TLS/IA | Supplemental Data | Session Ticket (RFC 5077) |
|---|---|---|---|---|---|---|
| GnuTLS | Yes | Yes | Yes | Yes | Yes | Yes (2.9.x) |
| OpenSSL | No | No | No | No? | No? | Yes |
| NSS | No | No | No | No | No? | Yes |
| YaSSL | No | No | Yes | No | No | Yes |
| | kLOC | Debian etch x86 | OpenWRT 2008-05-11 [1] |
|---|---|---|---|
| GnuTLS | 60kLoc (core library) | Total 944kb-1250kb: 445kb (libgnutls), 327kb (libgcrypt), 73kb (libtasn1), 11kb (libgpg-error), 78kb (libz, optional), 53kb (libgnutls-extra, optional), 129kb (libopencdk, optional), 124kb (liblzo, optional) | Total 323kb: 153kb (libgnutls), 104kb (libgcrypt), 26kb (libtasn1), 5kb (libgpg-error), 35kb (zlib) |
| OpenSSL | ? | Total 1649kb: 252kb (libssl), 1319kb (libcrypto), 78kb (libz) | Total 506kb: 471kb (libopenssl), 35kb (zlib) |
| NSS | ? | Total 1136kb: 152kb (libssl3), 462kb (libnss3), 193kb (libnspr4), 307kb (libsoftokn3), 14kb (libplc4), 8kb (libplds4) | Not ported |
| YaSSL | 15kLoc | Total 90kb | Total 60kb |

Notes:

[1]: Build tree available from http://josefsson.org/openwrt/. Built using default settings for all packages for an Asus WL-500gP as of 2008-05-11.
| | Namespace | Build tools | API manual | Crypto library | ASN.1 library | X.509 library | OpenPGP library |
|---|---|---|---|---|---|---|---|
| GnuTLS | gnutls_* | Autoconf, automake, libtool | Texinfo (HTML, PDF, etc), GTK-DOC, Devhelp | External, libgcrypt | External, libtasn1 | Included, monolithic | External, OpenCDK |
| OpenSSL | SSL_*, SHA1_*, MD5_*, EVP_*, ... | Makefile | Man pages | Included, monolithic | Included, monolithic | Included, monolithic | Not applicable |
| NSS | CERT_*, SEC_*, SECKEY_*, NSS_*, PK11_*, ... | Makefile | Online HTML | Included, PKCS#11 based [1] | Included, monolithic | Included, monolithic | Not applicable |
| YaSSL | yaSSL_*, CyaSSL_*, SSL_* | Autoconf, automake, libtool, MSVC project workspaces, XCode projects | API manual (HTML) | Included, monolithic | Included, monolithic | Included, monolithic | Not applicable |

Notes:

[1]: Replaceable/augmentable on the fly.
| | Platform requirements | Network requirements | Thread-safety | Random seed |
|---|---|---|---|---|
| GnuTLS | C89 | POSIX read() and write(). API to supply your own replacement. | Thread-safe, although libgcrypt needs mutex hooks | Random seed set through libgcrypt |
| OpenSSL | C89? | ? | Needs mutex callbacks | Set through native API |
| NSS | NSPR [1] | NSPR [1] | NSPR [1] | Platform dependent [2] |
| YaSSL | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe; needs mutex hooks if PThreads or WinThreads are not available; can be turned off | Random seed set through TaoCrypt |

Notes:

[1]: NSPR (and NSS) have been ported to the following platforms (that rrelyea@redhat.com knows about): AIX, BSD, BeOS, HP-UX, IRIX, Linux, Mac OS X, Mac OS 9, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation.

[2]: On Unix/Linux it uses /dev/urandom if available; on Windows it uses CAPI. On all platforms it also gathers data from the clock and tries to open system files. NSS has a set of platform-dependent functions it uses to determine randomness.
| | License | Copyright owner | Origin |
|---|---|---|---|
| GnuTLS | LGPLv2.1+ (core library), GPLv3+ (tools) | FSF | EU (Greece and Sweden) |
| OpenSSL | OpenSSL license, BSD with advertising clause | Eric Young, Tim Hudson, Sun, OpenSSL project, ...? | Australia |
| NSS | MPL, GPL or LGPL | Netscape Inc, Sun, RedHat, RSA Security, ...? | US |
| YaSSL | GPLv2+, Commercial available | Licenses from yassl.com | US |
I need your help to maintain this page. Particular things which have been suggested for incorporation into this page, but which I don't know how to do, include:
Copyright © 2009 Free Software Foundation, Inc.
Verbatim copying and distribution of this entire article are permitted worldwide, without royalty, in any medium, provided this notice, and the copyright notice, are preserved.
Updated: 2009/11/06 15:46:55