clia_rustls_mod/manual/
features.rs

/*!

The below list reflects the support provided with the default crate features.
Items marked with an asterisk `*` can be extended or altered via public
APIs ([`CryptoProvider`] for example).

[`CryptoProvider`]: crate::crypto::CryptoProvider

## Current features

* TLS1.2 and TLS1.3
* ECDSA, Ed25519 or RSA server authentication by clients `*`
* ECDSA, Ed25519 or RSA server authentication by servers `*`
* Forward secrecy using ECDHE; with curve25519, nistp256 or nistp384 curves `*`
* AES128-GCM and AES256-GCM bulk encryption, with safe nonces `*`
* ChaCha20-Poly1305 bulk encryption ([RFC7905](https://tools.ietf.org/html/rfc7905)) `*`
* ALPN support
* SNI support
* Tunable fragment size to make TLS messages match size of underlying transport
* Optional use of vectored IO to minimise system calls
* TLS1.2 session resumption
* TLS1.2 resumption via tickets ([RFC5077](https://tools.ietf.org/html/rfc5077))
* TLS1.3 resumption via tickets or session storage
* TLS1.3 0-RTT data
* Server and optional client authentication
* Extended master secret support ([RFC7627](https://tools.ietf.org/html/rfc7627))
* Exporters ([RFC5705](https://tools.ietf.org/html/rfc5705))
* OCSP stapling by servers

## Non-features

For reasons explained in the other sections of this manual, rustls does not
and will not support:

* SSL1, SSL2, SSL3, TLS1 or TLS1.1
* RC4
* DES or triple DES
* EXPORT ciphersuites
* MAC-then-encrypt ciphersuites
* Ciphersuites without forward secrecy
* Renegotiation
* Kerberos
* TLS 1.2 protocol compression
* Discrete-log Diffie-Hellman `*`
* Automatic protocol version downgrade
* Using CA certificates directly to authenticate a server/client (often called "self-signed
  certificates"). _Rustls' default certificate verifier does not support using a trust anchor as
  both a CA certificate and an end-entity certificate in order to limit complexity and risk in
  path building. While dangerous, all authentication can be turned off if required --
  see the [example code](https://github.com/rustls/rustls/blob/992e2364a006b2e84a8cf6a7c3eaf0bdb773c9de/examples/src/bin/tlsclient-mio.rs#L318)_ `*`

*/