Steven V edited this page Aug 16, 2018 · 192 revisions

Here's a list of implementations of TLS 1.3. Add your own. Talk to @martinthomson if you have questions.


name language role(s) version features/limitations
fizz C++ C/S -28 Based on libsodium, includes secure design abstractions. Zero-copy for advanced performance.
NSS C C/S -28 Almost everything, except post-handshake auth and X448
Mint Go C/S -18 PSK resumption, 0-RTT, HRR
nqsb OCaml C/S -11 PSK/DHE-PSK, no EC*, no client auth, no 0RTT -- live server at port 4433, records traces, ping @hannesm, contains a static PSK/DHE_PSK token: id: 0x0000
secret: 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
ProtoTLS JavaScript C/S -13 EC/DHE/PSK, no HelloRetryRequest
Tris Go S -22 ECDHE/PSK/0-RTT, no HelloRetryRequest
BoringSSL C C/S -23, -28, RFC 8446 P-256, X25519, HelloRetryRequest, resumption, 0-RTT, KeyUpdate
Wireshark C other -18 to -28, RFC 8446 Full decryption and dissection support for drafts 19-21 since 2.4.0 (keylog format). Supports 18-21 since 2.4.2, -22 since 2.4.3, -23 since 2.4.5, -24 to -28 (+0RTT trial decryption) since 2.6.0. Tracking bug.
picotls C C/S -18,-21,-23,-26 P-256, X25519, HelloRetryRequest, resumption, 0-RTT
rustls Rust C/S -28 (final on branch) P-256/P-384/curve25519, HRR, resumption, 0-RTT client
Haskell tls Haskell C/S -28 ECDHE w/ P* and X*, full, HRR, PSK, 0RTT
Leto C# S -18 DHE, X25519, AES, no PSK no 0RTT. Tested against NSS
OpenSSL C C/S -26/-27/-28 P-256, P-384, P-521, X25519, X448, Ed25519, Ed448, HelloRetryRequest, resumption, PSK, 0-RTT, CCS, cookies, stateless server, Post-handshake auth, KeyUpdate, RSA-PSS certs, no FFDHE
wolfSSL C C/S -18/-22/-23/-26/-28 P-256, P-384, X25519, Ed25519, HelloRetryRequest, resumption, PSK, 0-RTT, CCS, cookies, stateless server, Post-Handshake Auth, KeyUpdate
GnuTLS C C/S -28 P-256, P-384, X25519, FFDHE, RSA-PSS (keys and certs), HelloRetryRequest, KeyUpdate, Post-Handshake Auth
tlslite-ng Python C/S -28 ECDHE (all), EdDHE (X25519, X448), FFDHE (all), AES-GCM, Chacha20, HelloRetryRequest, RSA, RSA-PSS keys and certificate signatures, cookie extension, CCS, PSK, resumption, no ECDSA certificates, no client auth, no 0-RTT
tlsfuzzer Python C (other) -28 ECDHE (all), EdDHE (x25519, X448), FFDHE (all), AES-GCM, Chacha20, RSA, HelloRetryRequest, CCS, cookie extension, PSK, resumption
SwiftTLS Swift C/S -26,-28, RFC 8446 ECDHE, P-256, 0-RTT, HelloRetryRequest

Version Negotiation

As of draft-16 version negotiation is in the "supported_versions" extension. Versions should advertise a draft version of TLS 1.3 as {0x7f, <version-number>} (for draft-16: {0x7f, 10}).



Available in all versions. TLS 1.3 is enabled by default from Firefox 60 (draft 23) on. Firefox 61 will support the final draft 28. On earlier versions, TLS 1.3 is disabled by default on the Release channel (set security.tls.version.max to 4 in about:config to enable it).


Need Chrome Version 57, uses BoringSSL (draft -18). Chrome 65 has implemented draft-22 and draft-23.

Go to chrome://flags/#tls13-variant and set the TLS 1.3 variant to Enabled (Draft) (observed in Chromium 61).


Need macOS High Sierra or iOS 11. draft -18

On macOS, execute: defaults write /Library/Preferences/ tcp_connect_enable_tls13 1

On iOS, install the following profile:

Test servers

Implementation Version URL
BoringSSL+nginx -28
mod_nss -28
BoringSSL -23, -28, RFC8446
rustls+nginx RFC8446
picotls+H2O -18
Haskell tls -28
OpenSSL -18
OpenSSL -22
OpenSSL+nginx -26
OpenSSL+nginx -28
OpenSSL -23
SwiftTLS -26,-28, RFC8446
Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.