§rustls-openssl
A rustls crypto provider that uses OpenSSL for crypto.
§Supported Ciphers
Supported cipher suites are listed below, in descending order of preference.
If OpenSSL is compiled with the OPENSSL_NO_CHACHA option, or the fips feature is enabled, then the suites using ChaCha20-Poly1305 will not be available.
If the tls12 feature is disabled then the TLS 1.2 cipher suites will not be available.
§TLS 1.3
- TLS13_AES_256_GCM_SHA384
- TLS13_AES_128_GCM_SHA256
- TLS13_CHACHA20_POLY1305_SHA256
§TLS 1.2
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
§Supported Key Exchanges
In descending order of preference:
- X25519MLKEM768 (OpenSSL 3.5+)
- SECP384R1
- SECP256R1
- X25519
- MLKEM768 (OpenSSL 3.5+)
If the fips feature is enabled then X25519 will not be available.
If the prefer-post-quantum feature is enabled, X25519MLKEM768 will be the first group offered, otherwise it will be the last.
MLKEM768 is not offered by default, but can be used by specifying it in the custom_provider() function.
§Usage
Add rustls-openssl to your Cargo.toml:
[dependencies]
rustls = { version = "0.23.0", features = ["tls12", "std"], default-features = false }
rustls_openssl = "0.3.0"
§Configuration
Use default_provider() to create a provider using cipher suites and key exchange groups listed above. Use custom_provider() to specify custom cipher suites and key exchange groups.
§Features
- tls12: Enables TLS 1.2 cipher suites. Enabled by default.
- prefer-post-quantum: Enables X25519MLKEM768 as the first key exchange group. Enabled by default.
- fips: Enabling this feature removes non-FIPS-approved cipher suites and key exchanges. Disabled by default. See fips.
- vendored: Enables vendored OpenSSL. Disabled by default.
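The build and feature rules above, written out as a small model so a reviewer can check what a given build will offer and in what order. This is an added example, not code from rustls-openssl, and it does not call the crate: the Build struct and both functions are hypothetical, and it assumes fips leaves X25519MLKEM768 in place, which the page does not state.

```rust
// Added example: a model of the rules on this page; it does not call rustls-openssl.
#[derive(Clone, Copy)]
struct Build {
    tls12: bool,
    fips: bool,
    prefer_post_quantum: bool,
    openssl_no_chacha: bool, // OpenSSL compiled with OPENSSL_NO_CHACHA
    openssl_3_5_plus: bool,  // X25519MLKEM768 needs OpenSSL 3.5+
}

// Preference order as listed on the page.
const SUITES: [&str; 9] = [
    "TLS13_AES_256_GCM_SHA384",
    "TLS13_AES_128_GCM_SHA256",
    "TLS13_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
];

fn cipher_suites(b: Build) -> Vec<&'static str> {
    SUITES.iter().copied()
        .filter(|s| b.tls12 || s.starts_with("TLS13_"))
        .filter(|s| !(s.contains("CHACHA20") && (b.fips || b.openssl_no_chacha)))
        .collect()
}

fn kx_groups(b: Build) -> Vec<&'static str> {
    let mut g = vec!["SECP384R1", "SECP256R1"];
    if !b.fips { g.push("X25519"); }
    if b.openssl_3_5_plus {
        // Assumption: the page does not say whether `fips` affects the hybrid group.
        if b.prefer_post_quantum { g.insert(0, "X25519MLKEM768") } else { g.push("X25519MLKEM768") }
    }
    g // MLKEM768 is never in the default set; it is opt-in via custom_provider()
}

fn main() {
    // Crate defaults per the Features list: tls12 and prefer-post-quantum on, fips off.
    let base = Build { tls12: true, fips: false, prefer_post_quantum: true,
                       openssl_no_chacha: false, openssl_3_5_plus: true };
    let fips = Build { fips: true, ..base };
    for (name, b) in [("default", base), ("fips", fips)] {
        println!("{name}: {:?}\n  {:?}", kx_groups(b), cipher_suites(b));
    }
}
```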
Modules§
- cipher_suite - Supported cipher suites.
- fips - FIPS support
- kx_group - Key exchange groups using OpenSSL
Structs§
- KeyProvider - A struct that implements rustls::crypto::KeyProvider.
- SecureRandom - A struct that implements rustls::crypto::SecureRandom.
Statics§
- ALL_CIPHER_SUITES - All supported cipher suites in descending order of preference:
- SUPPORTED_SIG_ALGS - A WebPkiSupportedAlgorithms value defining the supported signature algorithms.
Functions§
- custom_provider - Create a CryptoProvider with specific cipher suites and key exchange groups
- default_provider - Returns an OpenSSL-based CryptoProvider using default available cipher suites (ALL_CIPHER_SUITES) and key exchange groups (ALL_KX_GROUPS).