Rustls is a modern TLS library written in Rust. Status Rustls is used in production at many organizations and projects. We aim to maintain reasonable API surface stability but the…
Rustls is a modern TLS library written in Rust.
Status
Rustls is used in production at many organizations and projects. We aim to maintain
reasonable API surface stability but the API may evolve as we make changes to accommodate
new features or performance improvements.
We have a roadmap for our future plans. We also have benchmarks to
prevent performance regressions and to let you evaluate rustls on your target hardware.
If you'd like to help out, please see CONTRIBUTING.md.
The maintainers pronounce "rustls" as rustles (rather than rust-TLS), but we don't feel strongly
about it.
Changelog
The detailed list of changes in each release can be found at
https://github.com/rustls/rustls/releases.
Documentation
Approach
Rustls is a TLS library that aims to provide a good level of cryptographic security,
requires no configuration to achieve that security, and provides no unsafe features or
obsolete cryptography by default.
Rustls implements TLS1.2 and TLS1.3 for both clients and servers. See the full
list of protocol features.
Platform support
While Rustls itself is platform independent, it requires the use of cryptography primitives
for implementing the cryptography algorithms used in TLS. In Rustls, a
[crypto::CryptoProvider] represents a collection of crypto primitive implementations.
By providing a custom instance of the [crypto::CryptoProvider] struct, you
can replace all cryptography dependencies of rustls. This is a route to being portable
to a wider set of architectures and environments, or compliance requirements. See the
[crypto::CryptoProvider] documentation for more details.
[crypto::CryptoProvider]: https://docs.rs/rustls/latest/rustls/crypto/struct.CryptoProvider.html
Cryptography providers
Since Rustls 0.22 it has been possible to choose the provider of the cryptographic primitives
that Rustls uses. This may be appealing if you have specific platform, compliance or feature
requirements.
From 0.24, users must explicitly provide a crypto provider when constructing ClientConfig orServerConfig instances. See the [crypto::CryptoProvider] documentation for more details.
First-party providers
The Rustls project currently maintains two cryptography providers:
- [
rustls-aws-lc-rs] - a provider that uses the [aws-lc-rs] crate for cryptography.
- [
rustls-ring] - a provider that uses the [ring] crate for cryptography. This
The Rustls team recommends using the [rustls-aws-lc-rs] crate for its complete feature set
and performance. See [the aws-lc-rs FAQ][aws-lc-rs-platforms-faq] for more details of the
platform/architecture support constraints in aws-lc-rs.
See the documentation for [crypto::CryptoProvider] for details on how providers are
selected.
(For rustls versions prior to 0.24, both of these providers were shipped as part of the rustls
crate, and Cargo features were used to select the preferred provider. The aws-lc-rs feature
was enabled by default.)
[rustls-aws-lc-rs]: https://crates.io/crates/rustls-aws-lc-rs
[aws-lc-rs]: https://crates.io/crates/aws-lc-rs
[aws-lc-rs-platforms-faq]: https://aws.github.io/aws-lc-rs/faq.html#can-i-run-aws-lc-rs-on-x-platform-or-architecture
[rustls-ring]: https://crates.io/crates/rustls-ring
[ring]: https://crates.io/crates/ring
Third-party providers
The community has also started developing third-party providers for Rustls:
- [
boring-rustls-provider] - a work-in-progress provider that uses [boringssl] for
- [
rustls-ccm] - adds AES-CCM cipher suites (TLS 1.2 and 1.3) using [RustCrypto], for IoT/constrained-device protocols (IEEE 2030.5, Matter, RFC 7925). - [
rustls-graviola] - a provider that uses [graviola] for cryptography. - [
rustls-mbedtls-provider] - a provider that uses [mbedtls] for cryptography. - [
rustls-openssl] - a provider that uses [OpenSSL] for cryptography. - [
rustls-rustcrypto] - an experimental provider that uses the crypto primitives
RustCrypto] for cryptography.
- [
rustls-symcrypt] - a provider that uses Microsoft's [SymCrypt] library. - [
rustls-wolfcrypt-provider] - a work-in-progress provider that uses [wolfCrypt] for cryptography.
rustls-ccm]: https://github.com/jsulmont/rustls-ccm
[rustls-graviola]: https://crates.io/crates/rustls-graviola
[graviola]: https://github.com/ctz/graviola
[rustls-mbedtls-provider]: https://github.com/fortanix/rustls-mbedtls-provider
[mbedtls]: https://github.com/Mbed-TLS/mbedtls
[rustls-openssl]: https://github.com/tofay/rustls-openssl
[OpenSSL]: https://openssl-library.org/
[rustls-symcrypt]: https://github.com/microsoft/rustls-symcrypt
[SymCrypt]: https://github.com/microsoft/SymCrypt
[boring-rustls-provider]: https://github.com/janrueth/boring-rustls-provider
[boringssl]: https://github.com/google/boringssl
[rustls-rustcrypto]: https://github.com/RustCrypto/rustls-rustcrypto
[RustCrypto]: https://github.com/RustCrypto
[rustls-wolfcrypt-provider]: https://github.com/wolfSSL/rustls-wolfcrypt-provider
[wolfCrypt]: https://www.wolfssl.com/products/wolfcrypt
See the [Making a custom CryptoProvider] section of the documentation for more information
on this topic.
[Making a custom CryptoProvider]: https://docs.rs/rustls/latest/rustls/crypto/struct.CryptoProvider.html#making-a-custom-cryptoprovider
Example code
Our [examples] directory contains demos that show how to handle I/O using the
[stream::Stream] helper, as well as more complex asynchronous I/O using [mio].
If you're already using Tokio for an async runtime you may prefer to use
[tokio-rustls] instead of interacting with rustls directly.
The [mio] based examples are the most complete, and discussed below. Users
new to Rustls may prefer to look at the simple client/server examples before
diving in to the more complex MIO examples.
[examples]: examples/
[stream::Stream]: https://docs.rs/rustls/latest/rustls/struct.Stream.html
[mio]: https://docs.rs/mio/latest/mio/
[tokio-rustls]: https://docs.rs/tokio-rustls/latest/tokio_rustls/
Client example program
The MIO client example program is named tlsclient-mio.
Some sample runs:
$ cargo run --bin tlsclient-mio -- --http mozilla-modern.badssl.com
HTTP/1.1 200 OK
Server: nginx/1.6.2 (Ubuntu)
Date: Wed, 01 Jun 2016 18:44:00 GMT
Content-Type: text/html
Content-Length: 644
(...)or
$ cargo run --bin tlsclient-mio -- --http expired.badssl.com
TLS error: InvalidCertificate(Expired)
Connection closedRun cargo run --bin tlsclient-mio -- --help for more options.
Server example program
The MIO server example program is named tlsserver-mio.
Here's a sample run; we start a TLS echo server, then connect to it withopenssl and tlsclient-mio:
$ cargo run --bin tlsserver-mio -- --certs test-ca/rsa-2048/end.fullchain --key test-ca/rsa-2048/end.key -p 8443 echo &
$ echo hello world | openssl s_client -ign_eof -quiet -connect localhost:8443
depth=2 CN = ponytown RSA CA
verify error:num=19:self signed certificate in certificate chain
hello world
^C
$ echo hello world | cargo run --bin tlsclient-mio -- --cafile test-ca/rsa-2048/ca.cert --port 8443 localhost
hello world
^CRun cargo run --bin tlsserver-mio -- --help for more options.
License
Rustls is distributed under the following three licenses:
- Apache License version 2.0.
- MIT license.
- ISC license.
Project Membership
- Joe Birr-Pixton ([@ctz], Project Founder - full-time funded by [Prossimo])
- Dirkjan Ochtman ([@djc], Co-maintainer)
- Daniel McCarney ([@cpu], Co-maintainer)
- Josh Aas ([@bdaehlie], Project Management)
Code of conduct
This project adopts the Rust Code of Conduct.
Please email [email protected] to report any instance of misconduct, or if you
have any comments or questions on the Code of Conduct.
-
rustls
A modern TLS library in Rust
Rust ★ 7.5k 1d agoExplain → -
rcgen
Generate X.509 certificates, CSRs
Rust ★ 492 11d agoExplain → -
hyper-rustls
Integration between hyper HTTP library and rustls TLS stack
Rust ★ 357 3d agoExplain → -
rustls-native-certs
Integration with OS certificate stores for rustls
Rust ★ 240 20d agoExplain → -
tokio-rustls
Async TLS for the Tokio runtime
Rust ★ 228 1d agoExplain → -
rustls-ffi
Use Rustls from any language
Rust ★ 168 16d agoExplain → -
webpki
WebPKI X.509 Certificate Validation in Rust
Rust ★ 156 9d agoExplain → -
rustls-platform-verifier
A certificate verification library for rustls that uses the operating system's verifier
Rust ★ 147 4d agoExplain → -
webpki-roots
CA certificates for use with webpki
Rust ★ 147 4d agoExplain → -
ktls
Safer wrappers over ktls-sys
Rust ★ 93 4mo agoExplain → -
rustls-openssl-compat
OpenSSL compatibility layers
Rust ★ 80 6d agoExplain → -
pemfile ▣
Basic parser for PEM formatted keys and certificates
Rust ★ 72 10mo agoExplain → -
openssl-probe
No description.
Rust ★ 61 5mo agoExplain → -
sct.rs
Certificate transparency SCT verification library in rust
Rust ★ 55 12d agoExplain → -
pki-types
No description.
Rust ★ 36 11d agoExplain → -
upki
upki implements platform-independent browser-grade certificate infrastructure
Rust ★ 29 2d agoExplain → -
futures-rustls
No description.
Rust ★ 22 1d agoExplain → -
ct-logs ▣
Google's list of Certificate Transparency logs as a rust crate for use with sct.rs
Rust ★ 14 3y agoExplain → -
rustls-bench-app
No description.
Rust ★ 13 2d agoExplain → -
rustls-cng
Windows CNG bridge for rustls
Rust ★ 11 3d agoExplain → -
homebrew-tap
A Homebrew tap for installing Rustls software and associated packages
Ruby ★ 6 1mo agoExplain → -
ktls-sys ▣
Bindings for include/uapi/linux/tls.h
★ 6 1y agoExplain → -
boringssl
Mirror of BoringSSL, with a branch containing our patches to their test suite
C++ ★ 4 7mo agoExplain → -
upki-go-demo
No description.
Go ★ 0 27d agoExplain → -
clubcard-crlite ⑂
No description.
Rust ★ 0 3d agoExplain → -
clubcard ⑂
No description.
★ 0 3mo agoExplain → -
rustls-fuzzing-corpora
Fuzzing corpora to accelerate coverage
★ 0 1y agoExplain →
No repos match these filters.