GitXplorerGitXplorer
s

rust-tls-api

public
50 stars
28 forks
6 issues

Commits

List of commits on branch master.
Verified
5f0c46553b60c226121d9cbe19b76783af54ebdd

Update README.md

sstepancheg committed 2 months ago
Verified
68a6f71c7eb2de1ca9ebc9965075bc2655c5d9ec

Update CHANGELOG.md

sstepancheg committed a year ago
Unverified
abef4384ea284da5e094d61b63bf82f4ffa3f5d2

Update dependencies

sstepancheg committed a year ago
Verified
d1b1c094649fc837359f7eea06c3ca4233913466

Update CHANGELOG.md

sstepancheg committed a year ago
Unverified
741606323a4fe7fa4c291271dcef634892409770

Remove unused dependencies from tls-api

llegoktm committed 2 years ago
Unverified
6337f77db1cb6dfb53bbe7f9ec6b0d258cf8224b

Bump version to 0.10.0-pre

sstepancheg committed 3 years ago

README

The README file for this repository.

This project has a new home

New home

Original notes

GitHub Workflow Status License crates.io

One TLS API to rule them all

Supports:

  • tokio and async-std
  • rustls, native-tls, openssl, security-framework

Crates in this repository

  • tls-api — TLS API without any implementation and without dependencies
  • tls-api-native-tls — implementation of TLS API over native-tls crate
  • tls-api-openssl — implementation of TLS API over openssl crate
  • tls-api-rustls — implementation of TLS API over rustls crate
  • tls-api-security-framework — implementation of TLS API over security framework crate
  • tls-api-schannel — missing implementation of TLS API over schannel crate
  • tls-api-stub — stub API implementation which returns an error on any operation
  • tls-api-not-tls — stub API implementation which pretends to be TLS, but returns wrapped plain socket
  • test-cert-gen — utility to generate certificate for unit tests

Why one might want to use TLS API instead of concrete implementation

  • it is not decided yet which TLS implementation is better, start prototyping with one, and then switch to another
  • something doesn't work, no idea why, maybe try another implementation which would provide better diagnostics
  • provide a library over TLS (like database client) and allow user do specify preferred TLS implementation
  • do a performace comparison of TLS implementations on the same code base
  • if one implementation is buggy, it's easy to switch to another without heavy rewrite

Example

download-rust-lang-org.rs contains the implementation of simple TLS client downloading rust-lang.org, which is invoked with four backends.

Implementations comparison

openssl rustls security-framework native-tls
Can fetch google.com:443 Yes Yes Yes Yes
Server works Yes Yes Yes Yes
Client ALPN Yes Yes Yes Yes
Server ALPN Yes Yes No No
Server init from DER key Yes Yes No No
Server init from PKCS12 Yes No Yes Yes

Why not simply use XXX

Why not simply use native-tls

  • does not support server side ALPN
  • requires PKCS #12 keys on the server side
  • building OpenSSL on Linux is not always trivial

Why not simply use openssl

  • sometimes it's hard to compile it
  • some concerns about OpenSSL safety

Why not simply use rustls

  • diagnostics of rustls is not perfect
  • certain TLS features are not supported

Why not simply use security-framework

  • only works on Apple
  • does not support server side ALPN