Lib.rs

Cryptography
#tls #openssl #aes #encryption

rustls-openssl

Rustls crypto provider for OpenSSL

by Tom Fay

6 releases (3 breaking)

Uses new Rust 2024

new 0.3.0 May 7, 2025
0.2.1 Mar 18, 2025
0.2.0 Nov 20, 2024
0.1.1 Nov 12, 2024
0.0.1 Nov 8, 2024

#1654 in Cryptography

Download history 8/week @ 2025-01-29 235/week @ 2025-02-05 524/week @ 2025-02-12 254/week @ 2025-02-19 132/week @ 2025-02-26 115/week @ 2025-03-05 234/week @ 2025-03-12 184/week @ 2025-03-19 82/week @ 2025-03-26 93/week @ 2025-04-02 167/week @ 2025-04-09 106/week @ 2025-04-16 148/week @ 2025-04-23 90/week @ 2025-04-30

524 downloads per month
Used in rustls-openssl-post-quant…

MIT license

140KB
3K SLoC

rustls-openssl

A rustls Crypto Provider that uses OpenSSL for cryptographic operations.

Documentation.

crates.io Build Status Documentation License: MIT Coverage Status (codecov.io)

lib.rs:

rustls-openssl

A rustls crypto provider that uses OpenSSL for crypto.

Supported Ciphers

Supported cipher suites are listed below, in descending order of preference.

If OpenSSL is compiled with the OPENSSL_NO_CHACHA option, or the fips feature is enabled, then the suites using ChaCha20-Poly1305 will not be available. If the tls12 feature is disabled then the TLS 1.2 cipher suites will not be available.

TLS 1.3

  • TLS13_AES_256_GCM_SHA384
  • TLS13_AES_128_GCM_SHA256
  • TLS13_CHACHA20_POLY1305_SHA256

TLS 1.2

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Supported Key Exchanges

In descending order of preference:

  • X25519MLKEM768 (OpenSSL 3.5+)
  • SECP384R1
  • SECP256R1
  • X25519
  • MLKEM768 (OpenSSL 3.5+)

If the fips feature is enabled then X25519 will not be available. If the prefer-post-quantum feature is enabled, X25519MLKEM768 will be the first group offered, otherwise it will be the last. MLKEM768 is not offered by default, but can be used by specifying it in the custom_provider() function.

Usage

Add rustls-openssl to your Cargo.toml:

[dependencies]
rustls = { version = "0.23.0", features = ["tls12", "std"], default-features = false }
rustls_openssl = "0.3.0"

Configuration

Use [default_provider()] to create a provider using cipher suites and key exchange groups listed above. Use [custom_provider()] to specify custom cipher suites and key exchange groups.

Features

  • tls12: Enables TLS 1.2 cipher suites. Enabled by default.
  • prefer-post-quantum: Enables X25519MLKEM768 as the first key exchange group. Enabled by default.
  • fips: Enabling this feature removes non-FIPS-approved cipher suites and key exchanges. Disabled by default. See [fips].
  • vendored: Enables vendored OpenSSL. Disabled by default. Supported cipher suites.

FIPS support

To use rustls with OpenSSL in FIPS mode, perform the following actions.

1. Enable the fips feature

This removes non-FIPS-approved cipher suites and key exchanges.

2. Specify require_ems when constructing rustls::ClientConfig or rustls::ServerConfig

See rustls documentation for rationale.

3. Enable FIPS mode for OpenSSL

See [enable()].

4. Validate the FIPS status of your ClientConfig or ServerConfig at runtime

See rustls documenation on FIPS.

Dependencies

~9–19MB
~336K SLoC