Crate rustls[−][src]
Expand description
Rustls - a modern TLS library
Rustls is a TLS library that aims to provide a good level of cryptographic security, requires no configuration to achieve that security, and provides no unsafe features or obsolete cryptography.
Current features
- TLS1.2 and TLS1.3.
- ECDSA, Ed25519 or RSA server authentication by clients.
- ECDSA, Ed25519 or RSA server authentication by servers.
- Forward secrecy using ECDHE; with curve25519, nistp256 or nistp384 curves.
- AES128-GCM and AES256-GCM bulk encryption, with safe nonces.
- ChaCha20-Poly1305 bulk encryption (RFC7905).
- ALPN support.
- SNI support.
- Tunable fragment size to make TLS messages match size of underlying transport.
- Optional use of vectored IO to minimise system calls.
- TLS1.2 session resumption.
- TLS1.2 resumption via tickets (RFC5077).
- TLS1.3 resumption via tickets or session storage.
- TLS1.3 0-RTT data for clients.
- Client authentication by clients.
- Client authentication by servers.
- Extended master secret support (RFC7627).
- Exporters (RFC5705).
- OCSP stapling by servers.
- SCT stapling by servers.
- SCT verification by clients.
Possible future features
- PSK support.
- OCSP verification by clients.
- Certificate pinning.
Non-features
The following things are broken, obsolete, badly designed, underspecified, dangerous and/or insane. Rustls does not support:
- SSL1, SSL2, SSL3, TLS1 or TLS1.1.
- RC4.
- DES or triple DES.
- EXPORT ciphersuites.
- MAC-then-encrypt ciphersuites.
- Ciphersuites without forward secrecy.
- Renegotiation.
- Kerberos.
- Compression.
- Discrete-log Diffie-Hellman.
- Automatic protocol version downgrade.
- AES-GCM with unsafe nonces.
There are plenty of other libraries that provide these features should you need them.
Platform support
Rustls uses ring for implementing the
cryptography in TLS. As a result, rustls only runs on platforms
supported by ring.
At the time of writing this means x86, x86-64, armv7, and aarch64.
Design Overview
Rustls does not take care of network IO
It doesn’t make or accept TCP connections, or do DNS, or read or write files.
There’s example client and server code which uses mio to do all needed network IO.
Rustls provides encrypted pipes
These are the ServerConnection and ClientConnection types. You supply raw TLS traffic
on the left (via the read_tls() and write_tls() methods) and then read/write the
plaintext on the right:
TLS Plaintext
=== =========
read_tls() +-----------------------+ reader() as io::Read
| |
+---------> ClientConnection +--------->
| or |
<---------+ ServerConnection <---------+
| |
write_tls() +-----------------------+ writer() as io::Write
Rustls takes care of server certificate verification
You do not need to provide anything other than a set of root certificates to trust. Certificate verification cannot be turned off or disabled in the main API.
Getting started
This is the minimum you need to do to make a TLS client connection.
First we load some root certificates. These are used to authenticate the server.
The recommended way is to depend on the webpki_roots crate which contains
the Mozilla set of root certificates.
let mut root_store = rustls::RootCertStore::empty(); root_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0); let trusted_ct_logs = &[];
Next, we make a ClientConfig. You’re likely to make one of these per process,
and use it for all connections made by that process.
let config = rustls::ClientConfig::builder() .with_safe_defaults() .with_root_certificates(root_store, trusted_ct_logs) .with_no_client_auth();
Now we can make a connection. You need to provide the server’s hostname so we know what to expect to find in the server’s certificate.
let rc_config = Arc::new(config); let example_com = "example.com".try_into().unwrap(); let mut client = rustls::ClientConnection::new(rc_config, example_com);
Now you should do appropriate IO for the client object. If client.wants_read() yields
true, you should call client.read_tls() when the underlying connection has data.
Likewise, if client.wants_write() yields true, you should call client.write_tls()
when the underlying connection is able to send data. You should continue doing this
as long as the connection is valid.
The return types of read_tls() and write_tls() only tell you if the IO worked. No
parsing or processing of the TLS messages is done. After each read_tls() you should
therefore call client.process_new_packets() which parses and processes the messages.
Any error returned from process_new_packets is fatal to the connection, and will tell you
why. For example, if the server’s certificate is expired process_new_packets will
return Err(WebPkiError(CertExpired, ValidateServerCert)). From this point on,
process_new_packets will not do any new work and will return that error continually.
You can extract newly received data by calling client.reader() (which implements the
io::Read trait). You can send data to the peer by calling client.writer() (which
implements io::Write trait). Note that client.writer().write() buffers data you
send if the TLS connection is not yet established: this is useful for writing (say) a
HTTP request, but this is buffered so avoid large amounts of data.
The following code uses a fictional socket IO API for illustration, and does not handle errors.
use std::io;
client.writer().write(b"GET / HTTP/1.0\r\n\r\n").unwrap();
let mut socket = connect("example.com", 443);
loop {
if client.wants_read() && socket.ready_for_read() {
client.read_tls(&mut socket).unwrap();
client.process_new_packets().unwrap();
let mut plaintext = Vec::new();
client.reader().read_to_end(&mut plaintext).unwrap();
io::stdout().write(&plaintext).unwrap();
}
if client.wants_write() && socket.ready_for_write() {
client.write_tls(&mut socket).unwrap();
}
socket.wait_for_something_to_happen();
}
Examples
tlsserver and tlsclient are full worked examples. These both use mio.
Crate features
Here’s a list of what features are exposed by the rustls crate and what they mean.
-
logging: this makes the rustls crate depend on thelogcrate. rustls outputs interesting protocol-level messages attrace!anddebug!level, and protocol-level errors atwarn!anderror!level. The log messages do not contain secret key data, and so are safe to archive without affecting session security. This feature is in the default set. -
dangerous_configuration: this feature enables adangerous()method onClientConfigandServerConfigthat allows setting inadvisable options, such as replacing the certificate verification process. Applications requesting this feature should be reviewed carefully. -
quic: this feature exposes additional constructors and functions for using rustls as a TLS library for QUIC. See thequicmodule for details of these. You will only need this if you’re writing a QUIC implementation.
Modules
All defined ciphersuites appear in this module.
Internal classes which may be useful outside the library. The contents of this section DO NOT form part of the stable interface.
All defined key exchange groups appear in this module.
This is the rustls manual. This documentation primarily aims to explain design decisions taken in rustls.
quicAPIs for implementing QUIC TLS
Message signing interfaces and implementations.
All defined protocol versions appear in this module.
Structs
A ClientCertVerifier that will allow both anonymous and authenticated
clients, without any name checking.
A ClientCertVerifier that will ensure that every client provides a trusted
certificate, without any name checking.
This type contains a single certificate by value.
Zero-sized marker type representing verification of a client cert chain.
Common configuration for (typically) all connections made by a program.
This represents a single TLS client connection.
A struct representing the received Client Hello
An implementer of StoresClientSessions that stores everything
in memory. It enforces a limit on the number of entries
to bound memory usage.
Building a ServerConfig or ClientConfig in a linker-friendly and
complete way.
Accessor for dangerous configuration options.
A type which encapsuates a string that is a syntactically valid DNS name.
Marker types. These are used to bind the fact some verification (certificate chain or handshake signature) has taken place into protocol states. We use this to have the compiler check that there are no ‘goto fail’-style elisions of important checks before we reach the traffic stage.
KeyLog implementation that opens a file whose name is
given by the SSLKEYLOGFILE environment variable, and writes
keys into it.
Turns off client authentication.
An implementer of StoresClientSessions which does nothing.
KeyLog that does exactly nothing.
Something which never stores sessions.
This is like a webpki::TrustAnchor, except it owns
rather than borrows its memory. That prevents lifetimes
leaking up the object tree.
This type contains a private key by value.
A structure that implements std::io::Read for reading plaintext.
Something that resolves do different cert chains/keys based on client-supplied server name (via SNI).
A container for root certificates able to provide a root-of-trust for connection authentication.
Zero-sized marker type representing verification of a server cert chain.
Common configuration for a set of server sessions.
This represents a single TLS server connection.
An implementer of StoresServerSessions that stores everything
in memory. If enforces a limit on the number of stored sessions
to bound memory usage.
This type implements io::Read and io::Write, encapsulating
a Connection C and an underlying transport T, such as a socket.
This type implements io::Read and io::Write, encapsulating
and owning a Connection C and an underlying blocking transport
T, such as a socket.
A key-exchange group supported by rustls.
A TLS protocl version supported by rustls.
A concrete, safe ticket creation mechanism.
A TLS 1.2 cipher suite supported by rustls.
A TLS 1.3 cipher suite supported by rustls.
Config builder state where the caller must supply cipher suites.
A config builder state where the caller needs to supply whether and how to provide a client certificate.
Config builder state where the caller must supply key exchange groups.
A config builder state where the caller must supply how to provide a server certificate to the connecting peer.
Config builder state where the caller must supply a verifier.
Config builder state where the caller must supply TLS protocol versions.
Default ServerCertVerifier, see the trait impl for more information.
Stub that implements io::Write and dispatches to write_early_data.
A structure that implements std::io::Write for writing plaintext.
Enums
Bulk symmetric encryption scheme used by a cipher suite.
The CipherSuite TLS protocol enum. Values in this enum are taken
from the various RFCs covering TLS, and are listed by IANA.
The Unknown item is used when processing unrecognised ordinals.
rustls reports protocol errors using this type.
The ProtocolVersion TLS protocol enum. Values in this enum are taken
from the various RFCs covering TLS, and are listed by IANA.
The Unknown item is used when processing unrecognised ordinals.
Encodes ways a client can know the expected name of the server.
The SignatureScheme TLS protocol enum. Values in this enum are taken
from the various RFCs covering TLS, and are listed by IANA.
The Unknown item is used when processing unrecognised ordinals.
A cipher suite supported by rustls.
Reasons for a WebPKI operation to fail, used in Error.
Which WebPKI operation was performed, used in Error.
Statics
A list of all the cipher suites supported by rustls.
A list of all the key exchange groups supported by rustls.
A list of all the protocol versions supported by rustls.
The cipher suite configuration that an application should use by default.
The version configuration that an application should use by default.
Traits
Something that can verify a client certificate chain
Helper trait to abstract ConfigBuilder over building a ClientConfig or ServerConfig.
Generalises ClientConnection and ServerConnection
This trait represents the ability to do something useful with key material, such as logging it to a file for debugging.
A trait for the ability to encrypt and decrypt tickets.
A trait for the ability to choose a certificate chain and private key for the purposes of client authentication.
How to choose a certificate chain and signing key for use in server authentication.
Something that can verify a server certificate chain, and verify signatures made by certificates.
A trait for the ability to store client session data. The keys and values are opaque.
A trait for the ability to store server session data.