Joseph Birr-Pixton 5f165fb5b1 Add proper argument parsing to s_client 2016-06-01 00:15:45 +01:00
examples Add proper argument parsing to s_client 2016-06-01 00:15:45 +01:00
src Add proper argument parsing to s_client 2016-06-01 00:15:45 +01:00
test-ca Add proper argument parsing to s_client 2016-06-01 00:15:45 +01:00
.gitignore Add proper argument parsing to s_client 2016-06-01 00:15:45 +01:00
.travis.yml Add travis.yml 2016-05-30 20:14:38 +01:00
Cargo.toml Add proper argument parsing to s_client 2016-06-01 00:15:45 +01:00
README.md update readme 2016-05-31 21:56:41 +01:00
test-client.sh Enough to fully complete client handshake 2016-05-27 16:41:28 +01:00
test-server.sh many more things, including a server test program 2016-05-17 20:46:36 +01:00

README.md

Rustls

Rustls is a new, modern TLS library written in Rust. It's pronounced 'rustles'. It uses ring for cryptography and libwebpki for certificate verification.

Status

Rustls is currently in development and hence unstable.

Approach

Rustls is built to a few rules:

  • Modern, strong cryptography only:
    • No RC4, no DES.
    • No discrete-log DH or DSA.
  • No discredited, little-used or legacy SSL/TLS features:
    • No CBC-mode EtM ciphersuites.
    • No unnecessary 'national pride' block ciphers like Camellia or ARIA.
    • No renegotiation.
    • No client authentication.
    • No discrete-log DH. It's misdesigned in TLS.
  • TLS1.2 or later only.

Currently implemented

Client connections work to assorted internet servers. The following ciphersuites are supported:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

For ECDHE, the nistp256 and nistp384 curves are supported, as well as curve25519.
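
To see how the rules under "Approach" and the supported list above apply to a given suite list, here is an added example (not code from rustls or its author) that classifies IANA ciphersuite names. The names `violations`, `classify` and `Verdict` are hypothetical, the sample suite list is constructed, and treating every CBC suite as excluded is an assumption.

```rust
// Added example (not rustls code): README "Approach" rules applied to IANA suite names.
const IMPLEMENTED: [&str; 4] = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
];

#[derive(Debug, PartialEq)]
enum Verdict { Implemented, NotImplemented, Excluded(Vec<&'static str>) }

// Rules broken by a suite name. Names are split into '_' tokens so that
// "ECDSA" is not mistaken for DSA (IANA spells DSA "DSS") nor "ECDHE" for DH.
fn violations(suite: &str) -> Vec<&'static str> {
    let parts = suite.strip_prefix("TLS_").and_then(|s| s.split_once("_WITH_"));
    let (kx, cipher) = match parts {
        Some(p) => p,
        None => return vec!["not a TLS_<kx>_WITH_<cipher> name"],
    };
    let kx: Vec<&str> = kx.split('_').collect();
    let cipher: Vec<&str> = cipher.split('_').collect();
    let mut out = Vec::new();
    if kx.contains(&"DH") || kx.contains(&"DHE") { out.push("discrete-log DH"); }
    if kx.contains(&"DSS") { out.push("DSA"); }
    if cipher.contains(&"RC4") { out.push("RC4"); }
    if cipher.iter().any(|t| t.contains("DES")) { out.push("DES"); }
    if cipher.contains(&"CAMELLIA") || cipher.contains(&"ARIA") { out.push("Camellia/ARIA"); }
    // Assumption: every CBC suite is treated as excluded.
    if cipher.contains(&"CBC") { out.push("CBC mode"); }
    out
}

fn classify(suite: &str) -> Verdict {
    let broken = violations(suite);
    if !broken.is_empty() { return Verdict::Excluded(broken); }
    // Passing the stated rules is not the same as being in the supported list.
    if IMPLEMENTED.iter().any(|s| *s == suite) { Verdict::Implemented } else { Verdict::NotImplemented }
}

fn main() {
    // Constructed sample: suite list from a hypothetical server config under audit.
    let offered = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    ];
    for s in offered.iter() { println!("{:<46} {:?}", s, classify(s)); }
}
```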

The client test program is named s_client. It expects to find root certificates in /etc/ssl/certs/ca-certificates.crt and to be given a hostname as its single argument. It connects to that host and issues a basic HTTP request, e.g.:

$ ./target/debug/s_client mozilla-modern.badssl.com
got HTTP/1.1 200 OK
Server: nginx/1.6.2 (Ubuntu)
Date: Mon, 30 May 2016 20:13:22 GMT
Content-Type: text/html
Content-Length: 644
Last-Modified: Tue, 12 Apr 2016 01:21:49 GMT
Connection: close
ETag: "570c4dad-284"
Strict-Transport-Security: max-age=15768000
Cache-Control: no-store
Accept-Ranges: bytes

<!DOCTYPE html>
<html>
<head>
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="shortcut icon" href="/icons/favicon-green.ico"/>
  <link rel="apple-touch-icon" href="/icons/icon-green.png"/>
  <title>mozilla-modern.badssl.com</title>
  <link rel="stylesheet" href="/style.css">
  <style>body { background: green; }</style>
</head>
<body>
<div id="content">
  <h1>
    mozilla-modern.<br>badssl.com
  </h1>
</div>

<div id="footer">
  This site uses the Mozilla &ldquo;<a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility">Modern</a>&rdquo; TLS configuration.
</div>

</body>
</html>

plaintext read error Error { repr: Custom(Custom { kind: ConnectionAborted, error: StringError("CloseNotify alert received") }) }
closing connection

or

$ ./target/debug/s_client expired.badssl.com
write rc=Ok(())
cannot process packet: Err(WebPKIError(CertExpired))
closing connection

TODO list

  • Improve testing.
  • ALPN.
  • Tickets.
  • Resumption.
  • chacha20poly1305 bulk encryption support.
  • Signing support in ring to unblock server work.
  • Server support.
  • Write some more sample programs.
  • Stabilise and document public API.