Hugging Face's logo

Washedashore
/
Law

Feature Extraction
Adapters
English
Model card Files Community
Law / Main
Washedashore's picture
Washedashore
Create Main
26488e7 verified
raw
history blame contribute delete
5.36 kB
# TLS 1.3 Implementations
name | language | role(s) | [version](Implementations#version-negotiation) | features/limitations
--- | --- | --- | --- | ---
[fizz](https://github.com/facebookincubator/fizz/) | C++ | C/S | RFC 8446 | Based on libsodium, includes secure design abstractions. Zero-copy for advanced performance.
[NSS](https://hg.mozilla.org/projects/nss) | C | C/S | RFC 8446 | Almost everything, except some crypto primitives
[Mint](https://github.com/bifurcation/mint) | Go | C/S | -18 | PSK resumption, 0-RTT, HRR
[nqsb](https://github.com/mirleft/ocaml-tls/tree/tls13) | OCaml | C/S | -11 | PSK/DHE-PSK, no EC*, no client auth, no 0RTT -- live server at tls13test.nqsb.io port 4433, records traces, ping [@hannesm](https://github.com/hannesm), contains a static PSK/DHE_PSK token: id: 0x0000 <details><summary>secret:</summary> 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f</details>
ProtoTLS | JavaScript | C/S | -13 | EC/DHE/PSK, no HelloRetryRequest
miTLS | F* | C/S | RFC 8446 | EC/DHE/PSK/0-RTT, no RSA-PSS, no post-HS-auth, no ESNI
[Tris](https://github.com/cloudflare/tls-tris) | Go | C/S | RFC 8446 | ECDHE/PSK/0-RTT, no HelloRetryRequest
[BoringSSL](https://boringssl.googlesource.com/boringssl/) | C | C/S | -23, -28, RFC 8446 | P-256, X25519, HelloRetryRequest, resumption, 0-RTT, KeyUpdate
[Wireshark](https://www.wireshark.org) | C | other | -18 to -28, RFC 8446 | Full decryption and dissection support for drafts 19-21 since 2.4.0 ([keylog format](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format)). Supports 18-21 since 2.4.2, -22 since 2.4.3, -23 since 2.4.5, -24 to -28 (+0RTT trial decryption) since 2.6.0. [Tracking bug](https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12779).
[picotls](https://github.com/h2o/picotls)| C | C/S | -18,-21,-23,-26 | P-256, X25519, HelloRetryRequest, resumption, 0-RTT
[rustls](https://github.com/ctz/rustls) | Rust | C/S | -28 (final on branch) | P-256/P-384/curve25519, HRR, resumption, 0-RTT client |
[Haskell tls](https://github.com/kazu-yamamoto/hs-tls/tree/tls13) | Haskell | C/S | -28 | ECDHE w/ P* and X*, full, HRR, PSK, 0RTT
[Leto](https://github.com/Drawaes/Leto/tree/master) | C# | S | -18 | DHE, X25519, AES, no PSK no 0RTT. Tested against NSS
[OpenSSL](https://www.openssl.org) | C | C/S | RFC 8446 | P-256, P-384, P-521, FFDHE, X25519, X448, Ed25519, Ed448, HelloRetryRequest, resumption, PSK, 0-RTT, CCS, cookies, stateless server, Post-handshake auth, KeyUpdate, RSA-PSS certs
[wolfSSL](https://www.wolfssl.com) | C | C/S | RFC 8446 -18/-22/-23/-26/-28 | P-256, P-384, X25519, Ed25519, HelloRetryRequest, resumption, PSK, 0-RTT, CCS, cookies, stateless server, Post-Handshake Auth, KeyUpdate
[GnuTLS](https://www.gnutls.org) | C | C/S | RFC 8446 | P-256, P-384, X25519, FFDHE, RSA-PSS (keys and certs), HelloRetryRequest, KeyUpdate, Post-Handshake Auth, PSK
[tlslite-ng](https://github.com/tomato42/tlslite-ng) | Python | C/S | RFC 8446 | ECDHE (all), EdDHE (X25519, X448), FFDHE (all), AES-GCM, Chacha20, HelloRetryRequest, RSA, RSA-PSS keys and certificate signatures, cookie extension, CCS, PSK, resumption, in-handshake client auth, no ECDSA certificates, no post-handshake client auth, no 0-RTT, no KeyUpdate
[tlsfuzzer](https://github.com/tomato42/tlsfuzzer) | Python | C (other) | RFC 8446 | ECDHE (all), EdDHE (x25519, X448), FFDHE (all), AES-GCM, Chacha20, RSA, HelloRetryRequest, CCS, cookie extension, PSK, resumption, in-handshake auth, no KeyUpdate
[SwiftTLS](https://github.com/nsc/SwiftTLS) | Swift | C/S | -26,-28, RFC 8446 | ECDHE, P-256, 0-RTT, HelloRetryRequest
[JSSE/JDK](http://java.oracle.com) | Java | C/S | RFC 8446 | **JDK 11+:** All required extensions and algorithms, ChaCha20/Poly1305 ciphersuites (JDK 12+), all listed named groups (e.g. secp256r1, x25519/x448 (JDK 13+), FFDHE, etc.), RSA-PSS certs/signatures, PSK resumption, HelloRetryRequest, cookie extension, post handshake messages (NewSessionTicket/KeyUpdate), OCSP Stapling, Middlebox compatibility mode. **No support for:** previous drafts, 0-RTT, CCM, SCT, post_handshake_auth.
[CycloneSSL](https://www.oryx-embedded.com/cyclone_ssl.html) | C | C/S | RFC 8446 | P-256, P-384, X25519, X448, FFDHE, AES-GCM, AES-CCM, ChaCha20Poly1305, HelloRetryRequest, PSK, 0-RTT (client only), CCS, cookies, KeyUpdate, RSA-PSS certificates, ECDSA certificates, EdDSA certificates (Ed25519 and Ed448)
[tttls1.3](https://github.com/thekuwayama/tttls1.3) | Ruby | C/S | RFC 8446 | P-256/P-384/P-521, AES-GCM/ChaCha20Poly1305, HRR, PSK resumption(NewSessionTicket), 0-RTT(client only)
[Rebex TLS 1.3](https://www.rebex.net/tls/) | C# | C/S | RFC 8446 | All required extensions and algorithms, RSA-PSS certificates/signatures, HelloRetryRequest, PSK resumption, in-handshake auth, post-handshake auth (experimental), post handshake messages (NewSessionTicket, KeyUpdate (experimental)), Middlebox compatibility mode, P-256/P-384/P-521, AES-GCM, Chacha20/Poly1305, Cookie extension.
# Browsers
Default support in Firefox, Chrome, and Safari.
# Test servers
Implementation | URL
--- | ---
BoringSSL | https://tls.ctf.network/
rustls+nginx | https://rustls.jbp.io/
OpenSSL+nginx | https://tls13.pinterjann.is/
SwiftTLS | https://swifttls.org/
Tris+Caddy | https://www.henrock.net/
OpenSSL | https://tls13.akamai.io/
Rebex | https://test.rebex.net/