rustls
A modern TLS library in Rust
Rustls is a Rust library for adding TLS encryption and authentication to network software. It implements only modern TLS versions and is secure by default, so using it safely does not require cryptography expertise.
Rustls is a library that handles TLS, the encryption and authentication protocol that makes HTTPS connections secure. When software connects to a server over the internet, TLS is what verifies the server's identity and encrypts and integrity-protects the data in transit. Rustls provides that functionality for programs written in Rust, and it is used in production at a variety of organizations and open source projects.
The library is designed to be secure without the programmer having to make the right configuration choices. It implements only TLS 1.2 and TLS 1.3 (no SSL 3.0, TLS 1.0 or TLS 1.1), omits obsolete and weak options such as RC4, DES and 3DES, renegotiation and compression, and in TLS 1.2 negotiates only forward-secret ECDHE key exchange with AEAD cipher suites. The defaults are safe to use unchanged, so developers should not need to study cryptography to use it correctly.
One notable aspect of the design is that rustls separates the core TLS state machine from the cryptography itself. The actual cryptographic work is handled by a pluggable backend called a crypto provider. Rustls ships two of them: one built on aws-lc-rs (the default; aws-lc is Amazon's fork of BoringSSL, and this provider also offers a FIPS mode and post-quantum hybrid key exchange) and one built on ring (simpler to build, with fewer features). Third-party providers also exist for OpenSSL, Microsoft SymCrypt and other backends, which matters for organizations that must use a validated module or a platform-supplied library on constrained hardware. One practical caveat: if more than one provider feature is enabled in a build, rustls cannot pick a default on its own, so the application must either install one process-wide with CryptoProvider::install_default or pass it explicitly to the config builder.
Rustls does no I/O of its own, so it fits any I/O model. For synchronous code, its Stream and StreamOwned adapters wrap a std TcpStream. If you use Tokio (a popular async runtime for Rust), the companion crate tokio-rustls makes integration straightforward. The README also points to example programs demonstrating a TLS client and TLS server, including how the handshake fails with an error, rather than silently proceeding, when a server presents an expired or otherwise invalid certificate.
Rustls is actively maintained and has a published roadmap. Contributions are welcome, and the project follows the OpenSSF Best Practices guidelines for open source security.
Where it fits
- Add secure HTTPS client connections to a Rust application without configuring cryptography settings manually
- Build a TLS server in Rust that only negotiates modern protocol versions and, when mutual TLS is enabled, rejects expired or untrusted client certificates
- Integrate with the Tokio async runtime for non-blocking TLS in a Rust web service or API client