Lib.rs

Cryptography
#openssl #key-exchange #cipher #tls #rustls #provider #fips

rustls-openssl

Rustls crypto provider for OpenSSL

by Tom Fay

4 releases (2 breaking)

0.2.0 Nov 20, 2024
0.1.1 Nov 12, 2024
0.1.0 Nov 12, 2024
0.0.1 Nov 8, 2024

#2173 in Cryptography

Download history 323/week @ 2024-11-08 159/week @ 2024-11-15 35/week @ 2024-11-22 11/week @ 2024-11-29 6/week @ 2024-12-06

230 downloads per month
Used in rustls-openssl-post-quant…

MIT license

185KB
2.5K SLoC

rustls-openssl

A rustls Crypto Provider that uses OpenSSL for cryptographic operations.

See the documentation for supported cipher suites and algorithms.

Status

Early in development.

lib.rs:

rustls-openssl

A rustls crypto provider that uses OpenSSL for crypto.

Supported Ciphers

Supported cipher suites are listed below, in descending order of preference.

If OpenSSL is compiled with the OPENSSL_NO_CHACHA option, or the fips feature is enabled, then the suites using ChaCha20-Poly1305 will not be available. If the tls12 feature is disabled then the TLS 1.2 cipher suites will not be available.

TLS 1.3

  • TLS13_AES_256_GCM_SHA384
  • TLS13_AES_128_GCM_SHA256
  • TLS13_CHACHA20_POLY1305_SHA256

TLS 1.2

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Supported Key Exchanges

In descending order of preference:

  • SECP384R1
  • SECP256R1
  • X25519

If the fips feature is enabled then X25519 will not be available.

Usage

Add rustls-openssl to your Cargo.toml:

[dependencies]
rustls = { version = "0.23.0", features = ["tls12", "std"], default-features = false }
rustls_openssl = "0.1.0"

Configuration

Use [default_provider()] to create a provider using cipher suites and key exchange groups listed above. Use [custom_provider()] to specify custom cipher suites and key exchange groups.

Features

  • tls12: Enables TLS 1.2 cipher suites. Enabled by default.
  • fips: Enabling this feature removes non-FIPS-approved cipher suites and key exchanges. Disabled by default. See [fips]. Supported cipher suites. Supported key exchange groups.

FIPS support

To use rustls with OpenSSL in FIPS mode, perform the following actions.

1. Enable the fips feature

This removes non-FIPS-approved cipher suites and key exchanges.

2. Specify require_ems when constructing rustls::ClientConfig or rustls::ServerConfig

See rustls documentation for rationale.

3. Enable FIPS mode for OpenSSL

See [enable()].

4. Validate the FIPS status of your ClientConfig or ServerConfig at runtime

See rustls documenation on FIPS.

Dependencies

~9–17MB
~327K SLoC