2016-05-30 20:34:05 +00:00
|
|
|
# Rustls
|
|
|
|
Rustls is a new, modern TLS library written in Rust. It's pronounced 'rustles'.
|
|
|
|
It uses [*ring*](https://github.com/briansmith/ring) for cryptography
|
|
|
|
and [libwebpki](https://github.com/briansmith/webpki) for certificate
|
|
|
|
verification.
|
|
|
|
|
|
|
|
# Status
|
|
|
|
Rustls is currently in development and hence unstable.
|
|
|
|
|
|
|
|
[![Build Status](https://travis-ci.org/ctz/rustls.svg?branch=master)](https://travis-ci.org/ctz/rustls)
|
|
|
|
|
|
|
|
# Approach
|
|
|
|
Rustls is built to a few rules:
|
|
|
|
|
|
|
|
- Modern, strong cryptography only:
|
|
|
|
- No RC4, no DES.
|
|
|
|
- No discrete-log DH or DSA.
|
|
|
|
- No discredited, little-used or legacy SSL/TLS features:
|
2016-06-08 21:53:26 +00:00
|
|
|
- No CBC-mode mac-then-encrypt ciphersuites.
|
2016-05-30 20:34:05 +00:00
|
|
|
- No unneccessary 'national pride' block ciphers like Camellia or ARIA.
|
|
|
|
- No renegotiation.
|
|
|
|
- No client authentication.
|
|
|
|
- No discrete-log DH. It's misdesigned in TLS.
|
|
|
|
- TLS1.2 or later only.
|
|
|
|
|
|
|
|
# Currently implemented
|
|
|
|
Client connections work to assorted internet servers. The
|
|
|
|
following ciphersuites are supported:
|
|
|
|
|
|
|
|
- `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
|
|
|
|
- `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
|
|
|
|
- `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
|
|
|
|
- `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
|
|
|
|
|
|
|
|
For ECDHE, the `nistp256` and `nistp384` curves are supported,
|
|
|
|
as well as `curve25519`.
|
|
|
|
|
2016-06-01 18:41:19 +00:00
|
|
|
The client test program is named `tlsclient`. It expects to
|
2016-05-30 20:34:05 +00:00
|
|
|
find root certificates in `/etc/ssl/certs/ca-certificates.crt`
|
|
|
|
and be given a hostname as its single argument. It connects
|
|
|
|
to that host and issues a basic HTTP request, eg:
|
|
|
|
|
|
|
|
```
|
2016-06-01 18:41:19 +00:00
|
|
|
$ ./target/debug/examples/tlsclient --http mozilla-modern.badssl.com
|
|
|
|
HTTP/1.1 200 OK
|
2016-05-30 20:34:05 +00:00
|
|
|
Server: nginx/1.6.2 (Ubuntu)
|
2016-06-01 18:41:19 +00:00
|
|
|
Date: Wed, 01 Jun 2016 18:44:00 GMT
|
2016-05-30 20:34:05 +00:00
|
|
|
Content-Type: text/html
|
|
|
|
Content-Length: 644
|
|
|
|
Last-Modified: Tue, 12 Apr 2016 01:21:49 GMT
|
|
|
|
Connection: close
|
|
|
|
ETag: "570c4dad-284"
|
|
|
|
Strict-Transport-Security: max-age=15768000
|
|
|
|
Cache-Control: no-store
|
|
|
|
Accept-Ranges: bytes
|
|
|
|
|
|
|
|
<!DOCTYPE html>
|
|
|
|
<html>
|
|
|
|
<head>
|
|
|
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
|
|
<link rel="shortcut icon" href="/icons/favicon-green.ico"/>
|
|
|
|
<link rel="apple-touch-icon" href="/icons/icon-green.png"/>
|
|
|
|
<title>mozilla-modern.badssl.com</title>
|
|
|
|
<link rel="stylesheet" href="/style.css">
|
|
|
|
<style>body { background: green; }</style>
|
|
|
|
</head>
|
|
|
|
<body>
|
|
|
|
<div id="content">
|
|
|
|
<h1>
|
|
|
|
mozilla-modern.<br>badssl.com
|
|
|
|
</h1>
|
|
|
|
</div>
|
|
|
|
|
|
|
|
<div id="footer">
|
|
|
|
This site uses the Mozilla “<a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility">Modern</a>” TLS configuration.
|
|
|
|
</div>
|
|
|
|
|
|
|
|
</body>
|
|
|
|
</html>
|
2016-06-01 18:41:19 +00:00
|
|
|
Plaintext read error: Error { repr: Custom(Custom { kind: ConnectionAborted, error: StringError("CloseNotify alert received") }) }
|
|
|
|
Connection closed
|
2016-05-30 20:34:05 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
or
|
|
|
|
|
|
|
|
```
|
2016-06-01 18:41:19 +00:00
|
|
|
$ ./target/debug/examples/tlsclient --http expired.badssl.com
|
|
|
|
TLS error: WebPKIError(CertExpired)
|
|
|
|
Connection closed
|
2016-05-30 20:34:05 +00:00
|
|
|
```
|
|
|
|
|
2016-06-19 16:42:57 +00:00
|
|
|
# License
|
|
|
|
|
|
|
|
Rustls is distributed under the following three licenses:
|
|
|
|
|
|
|
|
- Apache License version 2.0.
|
|
|
|
- MIT license.
|
|
|
|
- ISC license.
|
|
|
|
|
|
|
|
These are included as LICENSE-APACHE, LICENSE-MIT and LICENSE-ISC
|
|
|
|
respectively. You may use this software under the terms of any
|
|
|
|
of these licenses, at your option.
|
|
|
|
|
2016-05-30 20:34:05 +00:00
|
|
|
# TODO list
|
2016-06-19 16:42:57 +00:00
|
|
|
- [x] Choose a license.
|
2016-06-05 20:18:46 +00:00
|
|
|
- [x] Improve testing.
|
|
|
|
- [ ] Improve testing some more.
|
|
|
|
- [x] ALPN.
|
2016-05-31 20:56:41 +00:00
|
|
|
- [ ] Tickets.
|
2016-06-08 00:49:03 +00:00
|
|
|
- [x] Resumption.
|
2016-05-31 20:56:41 +00:00
|
|
|
- [ ] chacha20poly1305 bulk encryption support.
|
|
|
|
- [ ] Signing support in *ring* to unblock server work.
|
|
|
|
- [ ] Server support.
|
|
|
|
- [ ] Write some more sample programs.
|
|
|
|
- [ ] Stabilise and document public API.
|