Rustls

rustls is a memory-safe implementation of the Transport Layer Security protocol written in Rust. It provides a cryptographic stack for secure network communication, supporting both TLS 1.3 and 1.2 standards for client and server implementations.

The project is designed as a modular cryptographic library that allows swapping underlying cryptographic backends and primitive providers to meet specific security or performance requirements. It incorporates a post-quantum cryptography stack, utilizing hybrid key exchanges and signatures to protect data against future quantum computing threats.

The library includes capabilities for secure connection management, client authentication via digital certificates or raw public keys, and OS-delegated trust verification. It further implements latency optimizations such as zero round-trip time handshakes, certificate compression, and early data transmission.

Quality is maintained through protocol compliance validation, fuzz testing, and performance benchmarking.

Features

Secure Connection Managers - Provides a memory-safe cryptographic stack for establishing encrypted and authenticated TLS connections between clients and servers.

Secure Network Communication - Provides a complete implementation for encrypting and authenticating network traffic using the TLS protocol.

TLS Clients - Provides a full TLS client implementation for establishing secure connections and verifying server certificates.

TLS Servers - Implements a TLS server capable of managing secure handshakes and enforcing client authentication.

Cryptographic Abstractions - Employs Rust traits to decouple high-level protocol logic from specific cryptographic primitive implementations.

TLS Implementations - Implements the Transport Layer Security protocol specifically using the Rust programming language.

TLS 1.3 Protocol Implementations - Implements the TLS 1.3 and 1.2 standards for secure handshakes and encrypted data streams.

Client Certificate Authentication - Verifies the identity of connecting clients by checking digital certificates and validating them against revocation lists.

Cryptographic Backends - Provides an abstraction layer to swap underlying cryptographic libraries like ring or OpenSSL.

Handshake State Machines - Uses a formal state machine to manage the transitions between various TLS handshake phases.

Modular Cryptographic Providers - Provides a modular architecture for loading external security libraries to extend cryptographic functionality.

Post-Quantum Cryptographic Operations - Implements experimental quantum-resistant signature algorithms to ensure data security against future computing threats.

Post-Quantum Key Exchange - Protects sessions against future quantum decryption using hybrid cryptographic key exchange algorithms.

Memory-Safe Protocol Implementations - Offers a memory-safe alternative to C-based SSL libraries to eliminate common memory-related vulnerabilities.

System Trust Stores - Delegates certificate validation to native operating system platform verifiers to respect system-specific trust restrictions.

Performance Benchmarks - Measures CPU instructions and execution time during handshakes and data transfers to detect performance regressions.

Early Data Transmitters - Implements 0-RTT data transmission to allow application data to be sent before the handshake fully completes.

Encrypted Client Hello - Protects data sent during the initial handshake to prevent passive network observers from seeing client information.

Zero-RTT Handshakes - Minimizes connection latency by sending and receiving encrypted application data during the first handshake.

Post-Quantum Cryptography - Implements hybrid key exchanges and signatures to transition network security toward quantum-resistance.

Public Key Authentication - Verifies identity using raw public keys instead of full certificates to establish secure network connections.

Zero-Copy Buffers - Implements memory management strategies that process encrypted packets without intermediate copying to reduce overhead.

Fuzz Testing - Uses randomized input tests via external harnesses to discover edge cases and hidden vulnerabilities.

Protocol Compliance Testing - Runs integration tests against different cryptographic backends to ensure protocol compliance and functional correctness.

Protocol Fuzzing - Executes randomized input tests through external harnesses to discover edge cases and security vulnerabilities.

rustlsrustls

Features

Star history