What does HackerNews think of rustls?

A modern TLS library in Rust

Language: Rust

#40 in Rust
OpenSSL Security Advisory [7th February 2023] | Feb 2023
A reminder that rustls exists, and leverages the Rust compiler to make sure no memory safety issues exist in your TLS implementation:

https://github.com/rustls/rustls

Some thoughts on lessons learned from other projects/vulnerabilities:

https://docs.rs/rustls/latest/rustls/manual/index.html

Improving Rust compile times to enable adoption of memory safety | Feb 2023
Expand Context ↕
> you could try to make OpenSSL memory safe by rewriting it in Rust

Or just write a better crypto stack without the many legacy constraints holding OpenSSL back. Rustls (https://github.com/rustls/rustls) does that. It has also been audited and found to be excellent - report (https://github.com/rustls/rustls/blob/main/audit/TLS-01-repo...).

You're suggesting writing this stack in a GC language. That's possible, except most people looking for an OpenSSL solution probably won't be willing to take the hit of slower run time perf and possible GC pauses (even if these might be small in practice). Also, these are hypothetical for now. Rustls exists today.
OpenSSL 3.0.7 fixes X.509 email address buffer overflows | Nov 2022
Expand Context ↕
rustls can serve as an alternative.[1] Dirkjan Ochtman, one of the main contributors, wrote about it in this thread.[2]

[1] https://github.com/rustls/rustls

[2] https://news.ycombinator.com/item?id=33423296
Patch OpenSSL on November 1 to avoid “critical” security vulnerability | Oct 2022
We have https://github.com/rustls/rustls though it doesn't aim to be especially OpenSSL compatible.

It has C bindings used in eg in this Apache httpd mod_tls: https://www.memorysafety.org/blog/memory-safe-httpd/

We rewrote a high-performance database in Rust | Oct 2022
Expand Context ↕
Aren't the most commonly used libraries for all of those written in C, not C++?

Regardless, I'm surprised you haven't heard of rustls - https://github.com/rustls/rustls
We rewrote a high-performance database in Rust | Oct 2022
> production grade and pure rust tls library

You mean rustls? https://github.com/rustls/rustls

When to use Bazel? | Sep 2022
Expand Context ↕
I just went through this recently (built a rust binary on my local machine, sent a binary to another person, they reported GLIBC errors, had to rebuild with the musl target, various crates depending on openssl failed) and found that every library that depended on openssl by default also had a `rusttls` feature in the crate that disabled openssl and enabled rusttls (https://github.com/rustls/rustls) instead.

So I just migrated everything over to that (which consisted of enabling the `rusttls` feature for every crate) and made another build with musl. Everything worked perfectly fine, and since it's not a performance sensitive application, there was basically no drawbacks. The binary became a bit bigger, but still under 4MB (with other assets baked into it) so wasn't a big issue.
OpenSSL Security Advisory [5 July 2022] | Jul 2022
Expand Context ↕
The modes of operation aren't the main reason people use OpenSSL; it's the support for all the gnarly (and less gnarly) protocols and wire formats that show up when doing applied cryptography.

Progress is being made on replacing OpenSSL in a lot of contexts (specifically, the RustCrypto[1] folks are doing excellent work and so is cryptography[2]), but there are still plenty of areas where OpenSSL is needed to compose the mostly algebraic cryptography with the right wire format.

Edit: I forgot to mention rustls[3], which uses ring[4] under the hood.

[1]: https://github.com/RustCrypto

[2]: https://github.com/pyca/cryptography

[3]: https://github.com/rustls/rustls

[4]: https://github.com/briansmith/ring
OpenSSL 3.0 | Sep 2021
Are there projects/organizations that are switching from openssl to these rust based projects?

rustls - https://github.com/rustls/rustls

ring - https://github.com/briansmith/ring

If yes, then what is their experience?