Crate rustls_openssl

§OpenSSL Provider for Rustls

A Rustls crypto provider that uses OpenSSL for crypto.

§Supported Ciphers

Supported cipher suites are listed below, ordered by preference. For example, the default configuration prioritizes TLS13_AES_256_GCM_SHA384 over TLS13_AES_128_GCM_SHA256.

§TLS 1.3

TLS13_AES_256_GCM_SHA384
TLS13_AES_128_GCM_SHA256
TLS13_CHACHA20_POLY1305_SHA256 // Requires the `chacha` feature

§TLS 1.2

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 // Requires the `chacha` feature
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 // Requires the `chacha` feature

§Supported Key Exchanges

Key exchange groups are listed below, ordered by preference. For example, SECP384R1 is preferred over SECP256R1.

SECP384R1
SECP256R1
X25519 // Requires the `x25519` feature

§Usage

Add rustls-openssl to your Cargo.toml:

[dependencies]
rustls = { version = "0.23.0", features = ["tls12", "std"], default-features = false }
rustls_openssl = "0.1.0"

§Default Configuration

Use default_provider() for a ClientConfig that utilizes the default cipher suites and key exchange groups listed above:

use rustls::{ClientConfig, RootCertStore};
use rustls_openssl::default_provider;
use std::sync::Arc;
use webpki_roots;

let mut root_store = RootCertStore {
    roots: webpki_roots::TLS_SERVER_ROOTS.iter().cloned().collect(),
};

let mut config =
    ClientConfig::builder_with_provider(Arc::new(default_provider()))
        .with_safe_default_protocol_versions()
        .unwrap()
        .with_root_certificates(root_store)
        .with_no_client_auth();

§Custom Configuration

To change the set or the order of the cipher suites and key exchange groups that a ClientConfig offers, use custom_provider().

use rustls::{ClientConfig, RootCertStore};
use rustls_openssl::custom_provider;
use rustls_openssl::cipher_suite::TLS13_AES_128_GCM_SHA256;
use rustls_openssl::kx_group::SECP256R1;
use std::sync::Arc;
use webpki_roots;

let mut root_store = RootCertStore {
    roots: webpki_roots::TLS_SERVER_ROOTS.iter().cloned().collect(),
};
  
// Set custom config of cipher suites that have been imported from rustls_openssl.
let cipher_suites = vec![TLS13_AES_128_GCM_SHA256];
let kx_group = vec![SECP256R1];

let mut config =
    ClientConfig::builder_with_provider(Arc::new(custom_provider(
        Some(cipher_suites), Some(kx_group))))
            .with_safe_default_protocol_versions()
            .unwrap()
            .with_root_certificates(root_store)
            .with_no_client_auth();
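
As an added example (not part of the rustls_openssl documentation or code), this std-only Rust program models the suite names listed on this page as strings and checks a list intended for custom_provider(): which TLS versions stay negotiable, whether feature-gated suites are usable, and whether the order departs from the default preference. `SUITES`, `Audit` and `audit` are hypothetical names; the crate itself exposes typed constants, not strings.

```rust
// Added example: suite names from this page modelled as plain strings.
// Each entry: (name, requires the `chacha` feature), in the page's preference order.
const SUITES: [(&str, bool); 9] = [
    ("TLS13_AES_256_GCM_SHA384", false),
    ("TLS13_AES_128_GCM_SHA256", false),
    ("TLS13_CHACHA20_POLY1305_SHA256", true),
    ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", false),
    ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", false),
    ("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", true),
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", false),
    ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", false),
    ("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", true),
];

#[derive(Debug, Default, PartialEq)]
pub struct Audit {
    pub tls13: bool,           // a TLS 1.3 suite remains, so TLS 1.3 can be negotiated
    pub tls12: bool,           // a TLS 1.2 suite remains, so TLS 1.2 can be negotiated
    pub default_order: bool,   // accepted suites keep the page's relative preference order
    pub rejected: Vec<String>, // names not on the page, or gated behind a disabled feature
}

/// Hypothetical pre-flight check for a suite list intended for custom_provider().
pub fn audit(custom: &[&str], chacha_enabled: bool) -> Audit {
    let mut report = Audit::default();
    let mut positions = Vec::new();
    for name in custom {
        match SUITES.iter().position(|s| s.0 == *name) {
            Some(i) if !SUITES[i].1 || chacha_enabled => {
                if name.starts_with("TLS13_") { report.tls13 = true } else { report.tls12 = true }
                positions.push(i);
            }
            _ => report.rejected.push(name.to_string()),
        }
    }
    // True when every accepted suite appears in the same relative order as SUITES.
    report.default_order = positions.windows(2).all(|w| w[0] < w[1]);
    report
}

fn main() {
    // The custom list used in the page's example: a single TLS 1.3 suite.
    println!("{:?}", audit(&["TLS13_AES_128_GCM_SHA256"], false));
}
```

For the single-suite list in the custom configuration above, the report has `tls12` set to false: a client built from that list offers no TLS 1.2 suite, so it cannot complete a handshake with a server that only speaks TLS 1.2.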

§Features

The following non-default features are available:

  • chacha: Enables ChaCha20-Poly1305 cipher suites for TLS 1.2 and TLS 1.3.
  • x25519: Enables X25519 key exchange group.

Modules§

  • All supported cipher suites.
  • All supported key exchange groups are exported via the kx_group module.

Structs§

  • Rustls Openssl crypto provider. Implements SecureRandom and KeyProvider traits.
