8 releases (1 stable)
✓ Uses Rust 2018 edition
|1.1.0-beta||Aug 14, 2019|
|1.0.0||Apr 2, 2019|
|0.8.0||Jan 27, 2019|
|0.7.2||Nov 24, 2018|
|0.6.1||Apr 9, 2018|
#111 in Network programming
1,254 stars & 48 watchers
A memory-safe and OpenSSL-compatible TLS library
MesaLink is a memory-safe and OpenSSL-compatible TLS library. MesaLink has been in production at Baidu with >10 million monthly active users.
Visit us on our website: https://mesalink.io.
- 1.0.0 (🎂 04-02-2019 🎂)
- CMake support; see the updated CROSS_COMPILE.md for cross-compilation instructions
- Windows builds (MSVC and MinGW)
- CI/CD migrated to Azure Pipelines
- NSIS installer for Win64 available
- Mutex/RwLock from parking_lot
- Session caches with hashbrown
- Optional jemalloc memory allocator with jemallocator
- Renovated website
- 0.8.0 (01-25-2019)
- 40 new OpenSSL APIs, covering BIO, EVP_PKEY, PEM and X509
- SSL_CTX and SSL are thread-safe
- Configurable session cache
- SHA1 signatures discontinued
- Tested with rust-san memory and leak sanitizers
- Rust 2018 edition
- Based on rustls 0.15, webpki 0.19, and *ring* 0.14
- TLS backend for curl since 7.62.0
- TLS backend for brpc, an industrial-grade RPC framework; see the
- Experimental SGX Remote Attestation for Untrusted Enclaves (see SGX_README.md)
- 0.7.2 (11-24-2018)
- Client authentication
- Use armv7-linux-androideabi for Android builds
- 0.7.1 (09-05-2018)
- Fix duplicate
See OLD_CHANGES.md for further change history.
- Memory safety. MesaLink is impervious to bugs like Heartbleed and buffer overflows becuse it is written in Rust.
- Cross Platform. Linux, macOS, Android, Windows; x86, x86_64, armv7, aarch64... you name it. MesaLink probably compiles for it.
- Modern Ciphersuites. MesaLink uses the best ciphersuites including AES-GCM, Chacha20Poly1305, and elliptic-curve key exchange with perfect forward secrecy.
- TLS 1.3. Eight years since TLS 1.2, the faster and more secure TLS standard, is now in Rustls and MesaLink.
- Blazing Fast. X25519 key exchange, AES-NI support, no language runtime like Java/Go. MesaLink runs at full speed on your metal.
- Flexible Configuration: MesaLink offers flexible configurations tailored to your needs. You can customize which ciphers and TLS versions are built-in.
- Transparent Replacement. MesaLink provides OpenSSL-compatible C APIs. Want to use MesaLink in curl or Android? No problem.
- Production Ready. Baidu uses MesaLink in production with 10M monthly active users as of 12/2018
- TLS 1.2 and TLS 1.3
- ECDSA and RSA server authentication
- Forced hostname validation
- Forward secrecy using ECDHE; with curve25519, nistp256 or nistp384 curves.
- Safe and fast crypto primitives from BoringSSL
- AES-128-GCM, AES-256-GCM and Chacha20-Poly1305 bulk encryption
- Built-in Mozilla's CA root certificates
$ sudo apt-get install m4 autoconf automake libtool make gcc curl $ curl https://sh.rustup.rs -sSf | sh $ git clone https://github.com/mesalock-linux/mesalink.git $ ./autogen.sh --enable-examples $ make
$ sudo apt-get install cmake make gcc curl $ curl https://sh.rustup.rs -sSf | sh $ git clone https://github.com/mesalock-linux/mesalink.git $ mkdir build && cd build $ cmake .. $ cmake --build .
MesaLink comes with two examples that demonstrate a TLS client and a TLS
server. Both of them are located at
The client example connects to a remote HTTPS server and prints the server's response.
$ ./examples/client/client api.ipify.org [+] Negotiated ciphersuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, enc_length=16, version=TLS1.2 [+] Subject name: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.ipify.org [+] Subject alternative names:*.ipify.org ipify.org [+] Sent 85 bytes GET / HTTP/1.0 Host: api.ipify.org Connection: close Accept-Encoding: identity HTTP/1.1 200 OK Server: Cowboy Connection: close Content-Type: text/plain Vary: Origin Date: Thu, 09 Aug 2018 21:44:35 GMT Content-Length: 10 Via: 1.1 vegur 18.104.22.168 [+] TLS protocol version: TLS1.2 [+] Received 177 bytes
The server example comes with a pair of certificate and private key. The certificate file is in the PEM format and contains a chain of certificates from the server's certificate to the root CA certificate. The private key file contains a PKCS8-encoded private key in the PEM format. Once the server is up and running, open https://127.0.0.1:8443 and expect to see the hello message.
$ ./examples/server/server Usage: ./examples/server/server <portnum> <cert_file> <private_key_file> $ cd examples/server/server $ ./server 8443 certificates private_key [+] Listening at 0.0.0.0:8443 [+] Negotiated ciphersuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, enc_length=16, version=TLS1.2 [+] Received: GET / HTTP/1.1 Host: 127.0.0.1:8443 Connection: keep-alive User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36 Upgrade-Insecure-Requests: 1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
MesaLink uses cargo for unit tests. Simply run
$ cargo test
BoGo is BoringSSL's protocol level test suite. We have ported BoGo for testing the functionality and compatibility of MesaLink. To run BoGo test cases, run the following:
$ cd bogo && ./runme
The MesaLink project would not have been possible without the following high-quality open source projects in the Rust community. Thanks for code and inspiration!
rustls: A modern TLS library in Rust, maintained by Joseph Birr-Pixton @ctz
sct.rs: Certificate transparency SCT verification library in rust, maintained by Joseph Birr-Pixton @ctz
ring: Safe, fast, small crypto using Rust, by Brian Smith @briansmith
webpki: WebPKI X.509 Certificate Validation in Rust, maintained by Brian Smith @briansmith
crypto-bench: Benchmarks for crypto libraries, maintained by Brian Smith @briansmith
- Special thanks to Brian Smith for insights and valuable discussion
- Yiming Jing
- Tao Wei
- Yulong Zhang
MesaLink is provided under the 3-Clause BSD license. For a copy, see the LICENSE file.