OpenSSL compatibility layer for the Rust SSL/TLS stack

Related tags

Cryptography tls rust
Overview

An OpenSSL compatibility layer for the Rust SSL/TLS stack.

Build Status Build Status Coverage Status Documentation Status Release License

MesaLink is an OpenSSL compatibility layer for the Rust SSL/TLS stack, namely rustls, webpki, and ring.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Release history

  • 1.0.0/0.10.0 (Apr 2, 2019)
    • CMake support; see the updated CROSS_COMPILE.md for cross-compilation instructions
    • Windows builds (MSVC and MinGW)
    • CI/CD migrated to Azure Pipelines
    • NSIS installer for Win64 available
    • Mutex/RwLock from parking_lot
    • Session caches with hashbrown
    • Optional jemalloc memory allocator with jemallocator
    • Renovated website
  • 0.8.0 (Jan 25, 2019)
    • 40 new OpenSSL APIs, covering BIO, EVP_PKEY, PEM and X509
    • SSL_CTX and SSL are thread-safe
    • Configurable session cache
    • SHA1 signatures discontinued
    • Tested with rust-san memory and leak sanitizers
    • Rust 2018 edition
    • Based on rustls 0.15, webpki 0.19, and *ring* 0.14
    • TLS backend for curl since 7.62.0
    • TLS backend for brpc, an industrial-grade RPC framework; see the patches directory
    • Experimental SGX Remote Attestation for Untrusted Enclaves (see SGX_README.md)

See OLD_CHANGES.md for further change history.

Supported ciphersuites

  • TLS13-CHACHA20-POLY1305-SHA256
  • TLS13-AES-256-GCM-SHA384
  • TLS13-AES-128-GCM_SHA256
  • TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
  • TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
  • TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
  • TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
  • TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
  • TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

Building instructions for Autotools

$ sudo apt-get install m4 autoconf automake libtool make gcc curl
$ curl https://sh.rustup.rs -sSf | sh

$ git clone https://github.com/mesalock-linux/mesalink.git
$ ./autogen.sh --enable-examples
$ make

Building instructions for CMake

$ sudo apt-get install cmake make gcc curl
$ curl https://sh.rustup.rs -sSf | sh

$ git clone https://github.com/mesalock-linux/mesalink.git
$ mkdir build && cd build
$ cmake ..
$ cmake --build .

Examples

MesaLink comes with two examples that demonstrate a TLS client and a TLS server. Both of them are located at examples/.

The client example connects to a remote HTTPS server and prints the server's response.

$ ./examples/client/client api.ipify.org
[+] Negotiated ciphersuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, enc_length=16, version=TLS1.2
[+] Subject name: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.ipify.org
[+] Subject alternative names:*.ipify.org ipify.org
[+] Sent 85 bytes

GET / HTTP/1.0
Host: api.ipify.org
Connection: close
Accept-Encoding: identity


HTTP/1.1 200 OK
Server: Cowboy
Connection: close
Content-Type: text/plain
Vary: Origin
Date: Thu, 09 Aug 2018 21:44:35 GMT
Content-Length: 10
Via: 1.1 vegur

1.2.3.4
[+] TLS protocol version: TLS1.2

[+] Received 177 bytes

The server example comes with a pair of certificate and private key. The certificate file is in the PEM format and contains a chain of certificates from the server's certificate to the root CA certificate. The private key file contains a PKCS8-encoded private key in the PEM format. Once the server is up and running, open https://127.0.0.1:8443 and expect to see the hello message.

$ ./examples/server/server
Usage: ./examples/server/server <portnum> <cert_file> <private_key_file>
$ cd examples/server/server
$ ./server 8443 certificates private_key
[+] Listening at 0.0.0.0:8443
[+] Negotiated ciphersuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, enc_length=16, version=TLS1.2
[+] Received:
GET / HTTP/1.1
Host: 127.0.0.1:8443
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Unit tests

MesaLink uses cargo for unit tests. Simply run cargo test.

$ cargo test

BoringSSL SSL tests

BoGo is BoringSSL's protocol level test suite. We have ported BoGo for testing the functionality and compatibility of MesaLink. To run BoGo test cases, run the following:

$ cd bogo && ./runme

Maintainer

License

MesaLink is provided under the 3-Clause BSD license. For a copy, see the LICENSE file.

Comments
  • Publishing on Crates.io?

    Publishing on Crates.io?

    This is more of a question than a feature request. Currently MesaLink is not available on crates.io, which makes it difficult to use within a Rust application. I know that native Rust code is better to use Rustls directly, but I'm in a bit of a unique situation.

    I am interested in adding to the curl-sys crate on crates.io the ability to statically link to MesaLink as the TLS implementation; this would allow Rust applications to use a statically linked libcurl that in turn uses a statically linked MesaLink for its TLS implementation. This would be a pretty big win for Rust applications that make use of curl (including cargo itself) as it eliminates the OpenSSL dependency and gains the safety of MesaLink + Rustls.

    Doing this as-is is a challenge for several reasons:

    • curl-sys cannot be published to crates.io if it depends on crates that are not also on crates.io
    • We need to be careful to ensure that libraries are not duplicated (like libstd) when linking to MesaLink. Having Cargo aware of the mesalink crate is the best way to avoid this.

    I see only a few ways of making this possible:

    • Publish mesalink to crates.io along with its forked dependencies (as mesalink-rustlsand so on).
    • Absorb all of mesalink's forked dependencies inside the mesalink crate (under modules or something) and publish that.
    • Pre-compile MesaLink without libstd for every platform, and ship that as a wrapper crate. (yuck)
    • Create a mesalink-sys crate that builds MesaLink inside a build script. (Awkward running Cargo inside a build script inside Cargo...)
    • Fork MesaLink and do one of the above.

    I am interested to hear of better solutions, or if there is any interest in publishing to crates.io.

    opened by sagebind 13
  • What is the different between mesalink and intel sgx secret provisioning?

    What is the different between mesalink and intel sgx secret provisioning?

    Hi, I'm a new learner of mesatee. I read something about intel sgx secret provisioning and mesalink from github and intel official guide, and that confuses me. Because I dont understand why u guys write another TLS library. For my perspective, intel already shows us a way to send secrets into enclave, which is secret provisioning, so we should not have to make another one. Looking forward to any relay. Thx.

    opened by czzmmc 7
  • Bump rustls to 0.20.0

    Bump rustls to 0.20.0

    Bump rustls to 0.20.0, as well as ring and webpki. I'm wondering that GitHub Dependabot might be very helpful in updating these dependencies. Sadly I failed to file a PR for this as I have mere experience in rust :-(

    opened by IceCodeNew 6
  • can't make

    can't make

    when I use make It show cd . && \ cargo rustc \ --release --no-default-features --features " client_apis server_apis error_strings aesgcm chachapoly tls13 x25519 ecdh ecdsa verifier" -- -C overflow-checks=yes -C link-args=-Wl,--gc-sections -C opt-level=z Updating git repositoryhttps://github.com/mesalock-linux/rustlserror: failed to load source for a dependency onrustls`

    Caused by: Unable to update https://github.com/mesalock-linux/rustls?branch=mesalink#12dd7e88

    Caused by: revspec '12dd7e883e3c5a8ca782ff90e2046ae760e39161' not found; class=Reference (4); code=NotFound (-3)`

    Is network error?

    opened by z2665 6
  • Problem with cmake rust detection

    Problem with cmake rust detection 

    -- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Cargo Home: /home/chaz/.cargo
-- Rust Compiler Version: rustc 1.33.0
CMake Error at CMakeLists.txt:26 (message):
  Rust is too old, please install at least 1.31 to support the Rust 2018
  edition

    The host is running linux 3.10.0-957.5.1.el7.x86_64.

    opened by Chaz6 5
  • support Windows?

    support Windows?

    From the build instructions:

    MesaLink currently supports Linux, Android and macOS. We will introduce support for other platforms in future releases.

    When is Windows support expected?

    Note that rust-native-tls supports the following:

    Specifically, this crate uses SChannel on Windows (via the schannel crate), Secure Transport on OSX (via the security-framework crate), and OpenSSL (via the openssl crate) on all other platforms.

    opened by crusty-dave 5
  • support Freebsd

    support Freebsd

    Hello,

    i tried mesalink on freebsd. the only thing that needs to change is to include netinet/in.h in server.c.

    This does not break compile on linux, through I dont know about Mac. If wanted I'll create a pull request.

    good first issue 
    opened by fneddy 4
  • Cannot install mesalink under CentOS6

    Cannot install mesalink under CentOS6

    System:CentOS6.9 x86_64 The error message is as follows:

    aclocal: --install should copy macros in the directory indicated by the
aclocal: first -I option, but no -I was supplied.

    How should I solve it? I did not find a solution on the network Thank you.

    opened by haima2 3
  • Use mesalink as drop-in replacement for OpenSSL

    Use mesalink as drop-in replacement for OpenSSL

    Since mesalink aims to be compatible to OpenSSL, I'd like to ask if it is already possible to use it as a drop-in replacement for the former mentioned library? So would it be possible to link e.g. a nginx web server against mesalink instead of OpenSSL?

    opened by vbrandl 3
  • Fix failed MinGW CI builds

    Fix failed MinGW CI builds

    The rust toolchain has changed the file extension for static libs on MinGW cross builds. This CL fixes cmake/CmakeCargo.cmake and replaces mesalink.lib with libmesalink.a

    PS: first commit from Ryzen 3600 + WSL2 PS2: AMD YES

    opened by ymjing 2
  • Test suite failures in network-restricted environments

    Test suite failures in network-restricted environments

    Under Gentoo's build tooling, network IO can be inhibited/restricted, because its generally viewed dimly that any build-time process can "phone home".

    Its also in general bad practice to rely on the availability of network IO, because it makes assertions about your expectations about the build environment ( eg: it could be running on a firewalled / airgapped host ).

    The recommendation is to first ascertain if network IO in the general sense can be expected to work, before executing tests that inherently require it to give valid output.

    test libssl::ssl::tests::dummy_openssl_compatible_apis_always_return_success ... ok
test libssl::ssl::tests::get_ssl_fd ... FAILED
test libssl::ssl::tests::get_and_set_ssl_ctx ... ok
test libssl::ssl::tests::invalid_private_key ... ok
test libssl::ssl::tests::legacy_tls_versions_not_supported ... ok
test libssl::ssl::tests::load_verify_locations ... ok
test libssl::ssl::tests::mesalink_ssl_ctx_session_cache_mode_and_size ... ok
test libssl::ssl::tests::mesalink_ssl_set_good_host_name ... ok
test libssl::ssl::tests::mesalink_ssl_set_invalid_host_name ... ok
test libssl::ssl::tests::mesalink_ssl_set_null_host_name ... ok
test libssl::ssl::tests::private_key_not_found ... ok
test libssl::ssl::tests::ssl_ctx_is_not_null ... ok
test libssl::ssl::tests::invalid_certificate ... ok
test libssl::ssl::tests::ssl_ctx_is_thread_safe ... ok
test libssl::ssl::tests::ssl_ctx_load_certificate_and_private_key_asn1 ... ok
test libssl::ssl::tests::ssl_io_on_bad_file_descriptor ... ok
test libssl::ssl::tests::ssl_is_not_null ... ok
test libssl::ssl::tests::ssl_is_thread_safe ... ok
test libssl::ssl::tests::ssl_load_certificate_and_private_key_asn1 ... ok
test libssl::ssl::tests::supported_tls_versions ... ok
test libssl::ssl::tests::test_io_before_full_handshake ... ok
test libssl::ssl::tests::test_null_pointers_as_arguments ... ok
test libssl::ssl::tests::verify_certificate_and_key ... ok
test libssl::ssl::tests::verify_key_and_certificate_1 ... ok
test libssl::ssl::tests::verify_key_and_certificate_2 ... ok
test libssl::x509::tests::x509_null_pointer ... ok
test libssl::ssl::tests::ssl_on_nonblocking_socket ... FAILED
test libssl::ssl::tests::early_data_to_mesalink_io ... FAILED
test libssl::ssl::tests::cross_version_tests ... ok

failures:
---- libssl::ssl::tests::get_ssl_fd stdout ----
thread 'libssl::ssl::tests::get_ssl_fd' panicked at 'Connect error: Os { code: 101, kind: Other, message: "Network is unreachable" }', src/libcore/result.rs:1084:5
stack backtrace:
   0:     0x55813a931de1 - std::sys_common::backtrace::print::hba9498aea52b0a4c
   1:     0x55813a936a12 - std::panicking::default_hook::{{closure}}::h28904950cd69f5ae
   2:     0x55813a93675c - std::panicking::default_hook::h37de51f3afebd886
   3:     0x55813a9370fd - std::panicking::rust_panic_with_hook::hc888d5b8ee53f3c2
   4:     0x55813a936c92 - std::panicking::continue_panic_fmt::h4994c8523413f426
   5:     0x55813a936b76 - rust_begin_unwind
   6:     0x55813a947f7d - core::panicking::panic_fmt::h0f33ccf7fc2a1201
   7:     0x55813a94b627 - core::result::unwrap_failed::h5f2f3948a0c719bd
   8:     0x55813a82d4eb - core::result::Result<T,E>::expect::h6e0dc25503701241
                               at /var/tmp/portage/dev-lang/rust-1.38.0/work/rustc-1.38.0-src/src/libcore/result.rs:879
   9:     0x55813a82d4eb - mesalink::libssl::ssl::tests::get_ssl_fd::h0c0f21d37a37c246
                               at src/libssl/ssl.rs:3381
  10:     0x55813a853c2f - <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once::h8e266f4baa94b6a7
  11:     0x55813a93794a - __rust_maybe_catch_panic
  12:     0x55813a85f26d - std::sys_common::backtrace::__rust_begin_short_backtrace::h7eec479e3b313f58
  13:     0x55813a8605b5 - std::panicking::try::do_call::h9921ee074f4070c3
  14:     0x55813a93794a - __rust_maybe_catch_panic
  15:     0x55813a865cd2 - core::ops::function::FnOnce::call_once{{vtable.shim}}::hf525dbe56a508edf
  16:     0x55813a93451f - <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once::h4c1084bf7672115a
  17:     0x55813a9377a0 - std::sys::unix::thread::Thread::new::thread_start::h9505cc4fd13f1815
  18:     0x7f36abd683a7 - start_thread
                               at /var/tmp/portage/sys-libs/glibc-2.29-r5/work/glibc-2.29/nptl/pthread_create.c:486
  19:     0x7f36abc7d0ff - __clone
  20:                0x0 - <unknown>

---- libssl::ssl::tests::early_data_to_mesalink_io stdout ----
thread 'libssl::ssl::tests::early_data_to_mesalink_io' panicked at 'Failed to connect: Custom { kind: Other, error: "failed to lookup address information: Temporary failure in name resolution" }', src/libcore/result.rs:1084:5
stack backtrace:
   0:     0x55813a931de1 - std::sys_common::backtrace::print::hba9498aea52b0a4c
   1:     0x55813a936a12 - std::panicking::default_hook::{{closure}}::h28904950cd69f5ae
   2:     0x55813a93675c - std::panicking::default_hook::h37de51f3afebd886
   3:     0x55813a9370fd - std::panicking::rust_panic_with_hook::hc888d5b8ee53f3c2
   4:     0x55813a936c92 - std::panicking::continue_panic_fmt::h4994c8523413f426
   5:     0x55813a936b76 - rust_begin_unwind
   6:     0x55813a947f7d - core::panicking::panic_fmt::h0f33ccf7fc2a1201
   7:     0x55813a94b627 - core::result::unwrap_failed::h5f2f3948a0c719bd
   8:     0x55813a82eead - core::result::Result<T,E>::expect::h6e0dc25503701241
                               at /var/tmp/portage/dev-lang/rust-1.38.0/work/rustc-1.38.0-src/src/libcore/result.rs:879
   9:     0x55813a82eead - mesalink::libssl::ssl::tests::early_data_to_mesalink_io::h348b7703c02fa9aa
                               at src/libssl/ssl.rs:3550
  10:     0x55813a853c2f - <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once::h8e266f4baa94b6a7
  11:     0x55813a93794a - __rust_maybe_catch_panic
  12:     0x55813a85f26d - std::sys_common::backtrace::__rust_begin_short_backtrace::h7eec479e3b313f58
  13:     0x55813a8605b5 - std::panicking::try::do_call::h9921ee074f4070c3
  14:     0x55813a93794a - __rust_maybe_catch_panic
  15:     0x55813a865cd2 - core::ops::function::FnOnce::call_once{{vtable.shim}}::hf525dbe56a508edf
  16:     0x55813a93451f - <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once::h4c1084bf7672115a
  17:     0x55813a9377a0 - std::sys::unix::thread::Thread::new::thread_start::h9505cc4fd13f1815
  18:     0x7f36abd683a7 - start_thread
                               at /var/tmp/portage/sys-libs/glibc-2.29-r5/work/glibc-2.29/nptl/pthread_create.c:486
  19:     0x7f36abc7d0ff - __clone
  20:                0x0 - <unknown>

---- libssl::ssl::tests::ssl_on_nonblocking_socket stdout ----
thread 'libssl::ssl::tests::ssl_on_nonblocking_socket' panicked at 'Conenction failed: Custom { kind: Other, error: "failed to lookup address information: Temporary failure in name resolution" }', src/libcore/result.rs:1084:5
stack backtrace:
   0:     0x55813a931de1 - std::sys_common::backtrace::print::hba9498aea52b0a4c
   1:     0x55813a936a12 - std::panicking::default_hook::{{closure}}::h28904950cd69f5ae
   2:     0x55813a93675c - std::panicking::default_hook::h37de51f3afebd886
   3:     0x55813a9370fd - std::panicking::rust_panic_with_hook::hc888d5b8ee53f3c2
   4:     0x55813a936c92 - std::panicking::continue_panic_fmt::h4994c8523413f426
   5:     0x55813a936b76 - rust_begin_unwind
   6:     0x55813a947f7d - core::panicking::panic_fmt::h0f33ccf7fc2a1201
   7:     0x55813a94b627 - core::result::unwrap_failed::h5f2f3948a0c719bd
   8:     0x55813a82ba26 - core::result::Result<T,E>::expect::h6e0dc25503701241
                               at /var/tmp/portage/dev-lang/rust-1.38.0/work/rustc-1.38.0-src/src/libcore/result.rs:879
   9:     0x55813a82ba26 - mesalink::libssl::ssl::tests::ssl_on_nonblocking_socket::h1483b5459a0c207e
                               at src/libssl/ssl.rs:3037
  10:     0x55813a853c2f - <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once::h8e266f4baa94b6a7
  11:     0x55813a93794a - __rust_maybe_catch_panic
  12:     0x55813a85f26d - std::sys_common::backtrace::__rust_begin_short_backtrace::h7eec479e3b313f58
  13:     0x55813a8605b5 - std::panicking::try::do_call::h9921ee074f4070c3
  14:     0x55813a93794a - __rust_maybe_catch_panic
  15:     0x55813a865cd2 - core::ops::function::FnOnce::call_once{{vtable.shim}}::hf525dbe56a508edf
  16:     0x55813a93451f - <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once::h4c1084bf7672115a
  17:     0x55813a9377a0 - std::sys::unix::thread::Thread::new::thread_start::h9505cc4fd13f1815
  18:     0x7f36abd683a7 - start_thread
                               at /var/tmp/portage/sys-libs/glibc-2.29-r5/work/glibc-2.29/nptl/pthread_create.c:486
  19:     0x7f36abc7d0ff - __clone
  20:                0x0 - <unknown>


failures:
    libssl::ssl::tests::early_data_to_mesalink_io
    libssl::ssl::tests::get_ssl_fd
    libssl::ssl::tests::ssl_on_nonblocking_socket

test result: FAILED. 61 passed; 3 failed; 0 ignored; 0 measured; 0 filtered out
    opened by kentfredric 2
  • Building mesalink as drop-in replacement for nginx

    Building mesalink as drop-in replacement for nginx

    Hi, I'm trying to compile nginx using mesalink as the replacement for OpenSSL.

    I've compiled mesalink using the following:

    mkdir out
./autogen.sh --prefix=$(pwd)/out
make && make install

    Then compile nginx (sources available at github.com/nginx/nginx) with the following options:

    ./auto/configure --with-http_ssl_module \
    --with-cc-opt="-I/path/to/mesalock-linux/mesalink/out/include/mesalink -I/path/to/mesalock-linux/mesalink/out/include" \
    --with-ld-opt="-L/path/to/mesalock-linux/mesalink/out/lib"

    I get the following error:

    ./auto/configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library
into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl=<path> option.

    If you read through objs/autoconf.err you get:

    checking for OpenSSL library in /usr/local/

objs/autotest.c:7:5: error: implicit declaration of function 'SSL_CTX_set_options' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
    SSL_CTX_set_options(NULL, 0);
    ^
1 error generated.
----------

#include <sys/types.h>
#include <unistd.h>
#include <openssl/ssl.h>

int main(void) {
    SSL_CTX_set_options(NULL, 0);
    return 0;
}

----------
cc -pipe -I/path/to/mesalock-linux/mesalink/out/include/mesalink -I/path/to/mesalock-linux/mesalink/out/include -D__APPLE_USE_RFC_3542 -I /usr/local/include -o objs/autotest objs/autotest.c -L/path/to/mesalock-linux/mesalink/out/lib -L/usr/local/lib -lssl -lcrypto

    I searched for SSL_CTX_set_options in mesalink source code and issues, but I couldn't find anything. Any idea how to get past this? Do I need to define a shim .h file or something?

    Updates #12.

    opened by kevinburke1 2
  • Mesalink interface deviates from OpenSSL (SSL_CTX_use_certificate_chain_file, SSL_CTX_use_certificate_file)

    Mesalink interface deviates from OpenSSL (SSL_CTX_use_certificate_chain_file, SSL_CTX_use_certificate_file)

    Mesalink doesn't provide an equivalent interface to SSL_CTX_use_certificate_file. Furthermore, the function mesalink_SSL_CTX_use_certificate_chain_file takes these arguments:

    • MESALINK_CTX *
    • const char *
    • int

    Whereas the analogous OpenSSL function SSL_CTX_use_certificate_chain_file only takes two arguments:

    • SSL_CTX *ctx
    • const char *file

    See the OpenSSL docs: https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_use_certificate_chain_file.html

    opened by rjw245 1
  • ALPN and SNI support

    ALPN and SNI support

    Are ALPN and SNI still supported? I noticed that they were removed from the "Feature Highlights" list, and HTTP/2 over TLS doesn't work when using mesalink with isahc + curl-rust.

    opened by kathampy 1
  • [rustls] simplify feature selection for rustls

    [rustls] simplify feature selection for rustls

    I am opening this issue here, since has no option to open issues in the mesalock-linux/rustls repository.

    Looking at the first commit on the rustls fork that adds feature flags (currently fed32702b8d7afaec1271ef8494188d4f8ae688b), I can see there are some areas that can be simplified, and the feature selection can be performed with less code and more clearly.

    As an example, in impl SupportedGroups for NamedGroups, there can be a single supported method, and each item in the vector can be conditioned directly on the related feature, which would make it much easier to see exactly what NamedGroups are included for which feature.

    I would like to open a PR with these simplifications, and I would like to ask how do you think this should be handled: would you apply commits on top of the mesalink branch of the rustls fork, or would you apply it directly op top of fed32702b8d7afaec1271ef8494188d4f8ae688b and rebase on top of that ?

    enhancement 
    opened by alexmaco 1
Releases(v1.0.0)
Owner
MesaLock Linux
A Memory-Safe Linux Distribution
MesaLock Linux
GitHub https://mesalink.io
OpenSSL bindings for Rust

rust-openssl OpenSSL bindings for the Rust programming language. Documentation. Release Support The current supported release of openssl is 0.10 and o

Steven Fackler 1k Jan 7, 2023
SHA1: Rust vs. OpenSSL performance

SHA1: Rust vs. OpenSSL On an AMD Ryzen 7 3700X 8-Core Processor. Archlinux x86_64. Linux 5.15.5-arch1-1. Short = 8 bytes, long = 64 bytes and huge = 5

Fred Morcos 1 Dec 4, 2021
As part of the IOP Stack™ Morpheus is a toolset to have gatekeeper-free identity management and verifiable claims as a 2nd layer on top of a blockchain

Internet of People Internet of People (IoP) is a software project creating a decentralized software stack that provides the building blocks and tools

We are building a complete decentralized ecosystem with the IOP Stack™ 9 Nov 4, 2022
A Boring(SSL)-compatible API abstraction for Rust cryptographic implementations.

A Boring(SSL)-compatible API abstraction for Rust cryptographic implementations. What is Superboring? Superboring hides the complexity, diversity and

Frank Denis 7 Dec 29, 2023
A tool to identify related SSL keys, CSRs, and certificates.

⛓ sslchains A tool to identify related SSL keys, CSRs, and certificates. Usage Default Display Mode Run with any number of path arguments to define th

Gary Locke 1 Apr 2, 2022
A modern TLS library in Rust

Rustls is a modern TLS library written in Rust. It's pronounced 'rustles'. It uses ring for cryptography and libwebpki for certificate verification. S

ctz 4k Jan 9, 2023
[INACTIVE] TLS 1.2 implementation in Rust

suruga is Rust implementation of TLS 1.2. It currently implements some core parts of TLS 1.2, NIST P-256 ECDHE and chacha20-poly1305. Usage extern cra

klutzy/defunct 123 Dec 27, 2022
A Rust implementation of Trojan with QUIC tunnel, Lite-TLS and more.

Trojan-Oxide A Rust implementation of Trojan with QUIC tunnel, Lite-TLS and more. Overview Full support for the original Trojan Protocol, including TC

null 13 Oct 17, 2022
A modern TLS library in Rust

Rustls is a modern TLS library written in Rust. It uses ring for cryptography and libwebpki for certificate verification. Status Rustls is ready for u

null 4k Jan 9, 2023
A no-std / no-alloc TLS 1.3 client

puny-tls - no-std/no-alloc TLS 1.3 client This is an improvement over tiny-tls-rs to make it more useable. However the only reason this exists is to r

Björn Quentin 2 Aug 22, 2022
A Rust implementation of the Message Layer Security group messaging protocol

Molasses An extremely early implementation of the Message Layer Security group messaging protocol. This repo is based on draft 4 of the MLS protocol s

Trail of Bits 109 Dec 13, 2022
The Nervos CKB is a public permissionless blockchain, and the layer 1 of Nervos network.

Nervos CKB - The Common Knowledge Base master develop About CKB CKB is the layer 1 of Nervos Network, a public/permissionless blockchain. CKB uses Pro

Nervos Network 1k Dec 30, 2022
Official implementation of the YeeCo Root Chain (Layer 1)

yeeroot Official implementation of the YeeCo Root Chain (Layer 1) YeeCo is a permissionless, secure, high performance and scalable public blockchain p

YeeCo 29 Sep 20, 2022
Dione is an anonymize and encrypted messaging system build on top on a peer to peer layer.

Secure and Anonymous Messaging WARNING: Currently Dione is not ready to be used nor does it fulfill its goal of being an anonymous messenger. In order

Dione 41 Jan 5, 2023
Aptos-core strives towards being the safest and most scalable layer one blockchain solution.

Aptos-core strives towards being the safest and most scalable layer one blockchain solution. Today, this powers the Aptos Devnet, tomorrow Mainnet in order to create universal and fair access to decentralized assets for billions of people.

Aptos Labs 4.7k Jan 6, 2023
Koofr Vault is an open-source, client-side encrypted folder for your Koofr cloud storage offering an extra layer of security for your most sensitive files.

Koofr Vault https://vault.koofr.net Koofr Vault is an open-source, client-side encrypted folder for your Koofr cloud storage offering an extra layer o

Koofr 12 Dec 30, 2022
Consensus layer peer-to-peer connection setup

Consensus Layer P2P This project is a basic setup for a consensus layer peer-to-peer connection, as specified in the consensus layer specifications of

Brechy 11 Dec 31, 2022
Tiny CLI for submitting large calldata transactions to EVM networks to stress test the networking layer. Main motivation: EIP4844blobs.

stress4844 Tiny CLI for submitting large calldata transactions to EVM networks to stress test the networking layer. Main motivation: EIP4844 blobs. ca

Paradigm 50 Jan 4, 2023
Tiny CLI for submitting large calldata transactions to EVM networks to stress test the networking layer

Tiny CLI for submitting large calldata transactions to EVM networks to stress test the networking layer. Main motivation: EIP4844blobs.

Paradigm 50 Jan 4, 2023