wolfcrypt-tls 0.1.5

Safe Rust TLS API backed by wolfSSL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154

# wolfcrypt-tls

Safe Rust TLS client and server backed by [wolfSSL](https://wolfssl.com).
Published as the `wolfssl` crate (`lib.name = "wolfssl"`).

## Why

wolfSSL is a FIPS 140-3 validated TLS library used in billions of embedded and
server deployments. `wolfcrypt-tls` gives you:

- **FIPS 140-3** — TLS with a validated crypto backend for regulated
  environments (commercial license required;
  [contact wolfSSL](https://www.wolfssl.com/license/))
- **Small footprint** — designed for embedded targets alongside full server
  deployments; a single dependency chain, no OpenSSL
- **Familiar Rust API**`TlsClient`/`TlsServer` types that wrap standard
  `std::io::Read + Write` streams
- **Async-ready** — config types expose raw `WOLFSSL_CTX` and `WOLFSSL`
  pointers and a session builder with custom IO callbacks, so async runtimes
  (e.g. `wolfcrypt-tls-tokio`) can build on top without duplicating
  cert/key loading logic

## Usage

```toml
[dependencies]
wolfcrypt-tls = "0.1"
```

### TLS client

```rust
use wolfssl::{TlsClientConfig, TlsClient, RootCertStore};
use std::io::{Read, Write};
use std::net::TcpStream;

let mut roots = RootCertStore::new();
roots.add_pem(include_bytes!("ca.pem"));

let config = TlsClientConfig::builder()
    .with_root_certificates(roots)
    .with_no_client_auth()
    .build()?;

let stream = TcpStream::connect("example.com:443")?;
let mut tls = TlsClient::new(config, "example.com", stream)?;
tls.write_all(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")?;
let mut buf = [0u8; 4096];
let n = tls.read(&mut buf)?;
```

### TLS server

```rust
use wolfssl::{TlsServerConfig, TlsAcceptor, Certificate, PrivateKey};
use std::net::TcpListener;

let config = TlsServerConfig::builder()
    .with_certificate_chain(
        Certificate::from_pem(include_bytes!("server.pem")),
        PrivateKey::from_pem(include_bytes!("server-key.pem")),
    )
    .with_no_client_auth()
    .build()?;

let acceptor = TlsAcceptor::new(config);
let listener = TcpListener::bind("0.0.0.0:443")?;

for stream in listener.incoming() {
    let mut tls = acceptor.accept(stream?)?;
    // tls: TlsServer<TcpStream> — implements Read + Write
}
```

### Mutual TLS (mTLS)

```rust
// Server: require client certificates
let config = TlsServerConfig::builder()
    .with_certificate_chain(cert, key)
    .with_client_auth(client_ca_store)
    .build()?;

// Client: present a certificate
let config = TlsClientConfig::builder()
    .with_root_certificates(roots)
    .with_client_auth(client_cert, client_key)
    .build()?;
```

### Protocol version control

```rust
use wolfssl::ProtocolVersion;

let config = TlsClientConfig::builder()
    .with_root_certificates(roots)
    .with_no_client_auth()
    .with_protocol_versions(&[ProtocolVersion::Tls13])
    .build()?;
```

## How it works

```text
wolfssl-src      Compiles wolfSSL C source via the cc crate
wolfcrypt-sys    bindgen FFI bindings to wolfSSL
wolfcrypt-tls    Safe TlsClient / TlsServer API (this crate)
                 Exported as lib.name = "wolfssl"
```

`TlsClientConfig` and `TlsServerConfig` wrap `WOLFSSL_CTX` in an
`Arc`-backed RAII type. `TlsClient` and `TlsServer` wrap `WOLFSSL` session
objects and implement `Read + Write`. The underlying transport is plugged in
via `wolfSSL_set_fd`; any type implementing `AsRawFd` (Unix) or
`AsRawSocket` (Windows) works.

For async runtimes that cannot hand wolfSSL a raw file descriptor, the config
types expose `new_ssl_with_io_callbacks` — a session builder that wires custom
recv/send callbacks and returns an owned `*mut WOLFSSL`. See
`wolfcrypt-tls-tokio` for the tokio async layer built on this API.

## Features

| Feature | Description |
|---------|-------------|
| `vendored` | Compile wolfSSL from source (requires `WOLFSSL_SRC` or pkg-config) |
| `fips` | Enable the wolfSSL FIPS 140-3 code path |

FIPS 140-3 validated builds require a wolfSSL commercial license and the
validated source tree. [Contact wolfSSL](https://www.wolfssl.com/license/)
for a commercial FIPS license. See the
[workspace README](https://github.com/wolfSSL/wolfssl-rs) for details.

## Status

- TLS 1.2 and TLS 1.3
- Client and server, including mutual TLS (mTLS)
- Blocking I/O over any `Read + Write + AsRawFd` transport
- Async IO callback API for building async adapters
- Unix and Windows socket support

## Copyright

Copyright (C) 2006-2026 wolfSSL Inc.

## License

GPL-3.0-only OR LicenseRef-wolfSSL-commercial — see [LICENSE](LICENSE).

The underlying wolfSSL C library is licensed under GPL-2.0-or-later with a
commercial option available from [wolfSSL Inc.](https://www.wolfssl.com/license/)