Rustls

From Wikipedia, the free encyclopedia

Open-source implementation of TLS in Rust
Rustls
Developer(s): Joe Birr-Pixton, Dirkjan Ochtman, Daniel McCarney, Josh Aas[1]
Initial release: 2016
Stable release: v0.23.25 (March 17, 2025)[2]
Written in: Rust
Operating system: Cross-platform
Type: Security library
License: Apache 2.0, MIT, ISC[1]
Website: github.com/rustls

Rustls (pronounced "rustles"[3]) is an open-source implementation of the Transport Layer Security (TLS) cryptographic protocol written in the Rust programming language. TLS is essential to internet security, and Rustls aims to enable secure, fast TLS connections. Rustls uses Rust's enforcement of memory safety to reduce the risk of security vulnerabilities. It is part of efforts to improve internet security by replacing memory-unsafe software libraries, such as OpenSSL, with memory-safe alternatives.

Team and funding

Joe Birr-Pixton started Rustls in 2016 and remains the lead developer as of 2024.[1] The Internet Security Research Group (ISRG), a nonprofit organization based in the United States, has sponsored the project since 2021 as part of its Prossimo initiative.[4][5] ISRG aims to make Rustls a viable alternative to OpenSSL, which is widely used by internet servers but difficult to use correctly and has had security bugs, such as Heartbleed, caused by memory-unsafe code.[4][6]

ISRG has paid several programmers to work on Rustls, including Birr-Pixton, Daniel McCarney, and Dirkjan Ochtman, using money contributed by Google and other companies and organizations.[4][7] In 2023, the Open Source Security Foundation's Alpha-Omega initiative gave ISRG $530,000 for development of the option to use different cryptographic backends and for the separate project Rust for Linux.[8][9] That money came from Google, Amazon Web Services, and Microsoft.[10] Amazon Web Services also gave ISRG $1 million in 2023 for memory-safety projects including Rustls.[11] The Sovereign Tech Fund, supported by the German government, gave $1.5 million to ISRG in 2023 for work on Rustls and other projects that provide memory-safe versions of open source tools critical to internet security.[12][13] Craig Newmark Philanthropies granted $100,000 to ISRG for memory safety projects in 2024.[14] Additional funding has come from Fly.io,[15] a cloud platform that uses Rustls.[16]

The United States Office of the National Cyber Director has encouraged work on memory-safe security software[17] and complimented the Rustls team.[15] Google awarded Open Source Peer Bonuses to Birr-Pixton and Ochtman for their work on Rustls.[18]

Architecture and features

Rustls is a low-level software library focused on implementing TLS.[19] It does not itself implement other internet protocols, such as HTTPS, but software that implements those protocols can use Rustls as a component.[19]

By default Rustls uses cryptographic primitives from Amazon Web Services Libcrypto for Rust (aws-lc-rs), which supports Federal Information Processing Standards (FIPS).[20] Rustls allows using alternative cryptographic libraries instead of aws-lc-rs, such as ring.[20] The project has experimental support for post-quantum cryptography: a key exchange method based on the Kyber key encapsulation mechanism.[21]

Rustls uses its own fork of the webpki library to verify public key infrastructure certificates, a step in the TLS handshake.[3][22] Rustls supports Server Name Indication (SNI), which allows a web server to serve multiple HTTPS websites at the same IP address with different certificates.[23] It also supports TLS certificates that contain IP addresses instead of domain names.[24]
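As an added example (not code from the rustls project or from this article), the following standard-library Rust program shows what the two server identities named in this paragraph look like at the protocol level: it parses the SNI server_name extension as a server receives it in a ClientHello, falls back to the address the client connected to when no SNI is present (the situation that certificates containing IP addresses serve), and selects a certificate only from subjectAltName entries of the matching kind. The `ServerName` enum, the `CertEntry` struct, the `select_cert` and `build_sni` helpers, and the sample certificates and addresses are all constructed for this illustration; rustls's real types and certificate verification live in its pki_types and webpki code and are not reproduced here.

```rust
// Added illustration (not code from the rustls project): how a DNS host name
// carried in the SNI extension and a literal IP address reach a TLS server,
// and how a certificate is chosen for each. Standard-library Rust only; the
// byte layout of the extension follows RFC 6066 section 3.
use std::net::IpAddr;

/// The identity a client asks for. rustls draws the same distinction in its
/// `ServerName` type; this enum is a simplified stand-in for the example.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ServerName {
    DnsName(String),
    IpAddress(IpAddr),
}

/// A certificate as the selection logic sees it: its subjectAltName entries.
/// (Constructed for this example; real code would parse these from DER.)
pub struct CertEntry {
    pub label: String,
    pub dns_names: Vec<String>,
    pub ip_addrs: Vec<IpAddr>,
}

/// Parse the body of a `server_name` extension:
///   u16 list length | u8 name type (0 = host_name) | u16 name length | name bytes
/// Returns None for anything malformed. Every length here is peer-controlled,
/// so the parser bounds-checks instead of trusting it.
pub fn parse_sni(ext: &[u8]) -> Option<String> {
    let list_len = u16::from_be_bytes([*ext.first()?, *ext.get(1)?]) as usize;
    let list = ext.get(2..2 + list_len)?;
    let mut i = 0;
    while i + 3 <= list.len() {
        let name_type = list[i];
        let name_len = u16::from_be_bytes([list[i + 1], list[i + 2]]) as usize;
        let name = list.get(i + 3..i + 3 + name_len)?;
        if name_type == 0 {
            let host = std::str::from_utf8(name).ok()?;
            // RFC 6066: literal IPv4/IPv6 addresses are not permitted in host_name.
            if host.is_empty() || host.parse::<IpAddr>().is_ok() {
                return None;
            }
            return Some(host.to_ascii_lowercase());
        }
        i += 3 + name_len;
    }
    None
}

/// Match a dNSName SAN entry (possibly `*.example.test`) against a host name.
/// A wildcard covers exactly one leftmost label and never the bare suffix.
fn dns_matches(pattern: &str, host: &str) -> bool {
    let pattern = pattern.to_ascii_lowercase();
    match pattern.strip_prefix("*.") {
        Some(suffix) => match host.split_once('.') {
            Some((first, rest)) => !first.is_empty() && suffix.contains('.') && rest == suffix,
            None => false,
        },
        None => pattern == host,
    }
}

/// An IP identity is satisfied only by an iPAddress SAN entry, never by a
/// dNSName that happens to spell the same digits, and vice versa.
pub fn matches(cert: &CertEntry, name: &ServerName) -> bool {
    match name {
        ServerName::DnsName(host) => cert.dns_names.iter().any(|p| dns_matches(p, host)),
        ServerName::IpAddress(ip) => cert.ip_addrs.contains(ip),
    }
}

/// Choose the certificate for one connection: the SNI host name when the
/// client sent one, otherwise the address the client connected to.
pub fn select_cert<'a>(certs: &'a [CertEntry], sni_ext: Option<&[u8]>, local_addr: IpAddr) -> Option<&'a CertEntry> {
    let wanted = match sni_ext.and_then(parse_sni) {
        Some(host) => ServerName::DnsName(host),
        None => ServerName::IpAddress(local_addr),
    };
    certs.iter().find(|c| matches(c, &wanted))
}

/// Encode a host name as a server_name extension body (constructed test input).
pub fn build_sni(host: &str) -> Vec<u8> {
    let name = host.as_bytes();
    let mut out = Vec::with_capacity(name.len() + 5);
    out.extend_from_slice(&((name.len() + 3) as u16).to_be_bytes());
    out.push(0); // name type: host_name
    out.extend_from_slice(&(name.len() as u16).to_be_bytes());
    out.extend_from_slice(name);
    out
}

/// Two constructed certificates: one for DNS names on a shared address, one
/// whose only identity is the IP address itself.
pub fn sample_certs() -> Vec<CertEntry> {
    vec![
        CertEntry {
            label: "www-cert".into(),
            dns_names: vec!["www.example.test".into(), "*.api.example.test".into()],
            ip_addrs: vec![],
        },
        CertEntry {
            label: "ip-cert".into(),
            dns_names: vec![],
            ip_addrs: vec!["203.0.113.10".parse().unwrap()],
        },
    ]
}

fn main() {
    let certs = sample_certs();
    let local: IpAddr = "203.0.113.10".parse().unwrap();
    for sni in [Some("www.example.test"), Some("v1.api.example.test"), Some("other.test"), None] {
        let ext = sni.map(build_sni);
        let picked = select_cert(&certs, ext.as_deref(), local);
        println!("sni={:?} -> {:?}", sni, picked.map(|c| c.label.as_str()));
    }
}
```

Compiled with plain `rustc`, the program prints which certificate each request selects. Two details are the ones worth carrying into a real deployment: the lengths inside the extension are bounds-checked rather than trusted, and an IP identity is never satisfied by a dNSName entry, which is why a certificate meant to serve an IP address must carry an iPAddress SAN.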

C programs can use Rustls through a foreign function interface API, rustls-ffi.[3][6] For example, cURL is a popular tool written in C, and it allows using Rustls through rustls-ffi.[25][26] Rustls also has an OpenSSL compatibility layer that allows configuring the widely used Nginx web server to use Rustls instead of OpenSSL.[15][27]

Rustls is available under multiple free software licenses: Apache 2.0, MIT, and ISC.[1]

Evaluations

In 2020, the Cloud Native Computing Foundation funded a security audit of Rustls and two Rust libraries it used, ring and webpki, with positive results.[28]

In 2019, benchmarks carried out by the Rustls developer showed better performance than OpenSSL.[29] In 2024 the project conducted new performance comparisons with the latest version of OpenSSL, which showed some scenarios where Rustls was faster or more efficient and some where OpenSSL performed better.[30]

Uses

Like other TLS implementations, a computer user may use Rustls without being aware of it, as an underlying part of an application or website. A programmer can use Rustls directly or by configuring a higher-level library or tool to use it. In particular, Rustls is used by some projects that want to ensure they have a secure software supply chain.[31] The US Cybersecurity and Infrastructure Security Agency has recommended using products in memory safe languages as part of its "Secure by Design" initiative.[32]

Some libraries support Rustls as one of several choices for TLS implementations. The reqwest HTTP client library offers the option to use Rustls for TLS instead of the system's default TLS library (for example, on Windows the default is the Security Support Provider Interface).[33][34] In 2020 an ISRG software engineer enabled using Rustls as a TLS backend for cURL.[35][36] s2n-quic, an implementation of the QUIC network protocol in Rust, supports both Rustls and s2n-tls for TLS.[37]

In 2021 Google funded the creation of mod_tls, a new TLS module for Apache HTTP Server using Rustls.[38][39] The new module is intended to be a successor to the mod_ssl module that uses OpenSSL, as a more secure default.[38][40] As of August 2024, mod_tls is available in the latest version of Apache but still marked as experimental.[41] The Internet Society, a nonprofit that advocates for an open and secure internet, suggests that organizations use this module as a step toward increasing memory safety.[42]

Rustls is the default TLS implementation in some applications. The utility program cargo-audit, which checks Rust project dependencies for security vulnerabilities, uses Rustls.[43] Linkerd, which "adds security, observability, and reliability to any Kubernetes cluster", includes a proxy server built with Rustls.[44] Wolfi, a tool for making memory-safe Linux containers, uses Rustls.[45][46] In 2024, ISRG announced plans to start replacing OpenSSL with Rustls in Let's Encrypt, their free certificate authority used by hundreds of millions of websites.[15][47]

References

  1. "Rustls README". GitHub. July 30, 2024. Retrieved August 20, 2024.
  2. "rustls/rustls releases". GitHub. Retrieved April 1, 2025.
  3. Edge, Jake (May 4, 2021). "Rustls: memory safety for TLS". LWN.net. Retrieved August 20, 2024.
  4. Melanson, Mike (April 23, 2021). "Rustls Looks to Provide a Memory-Safe Replacement for OpenSSL". The New Stack. Insight Partners. Retrieved August 20, 2024.
  5. Aas, Josh (April 20, 2021). "Preparing Rustls for Wider Adoption". Prossimo. Internet Safety Research Group. Retrieved August 20, 2024.
  6. Vaughan-Nichols, Steven J. (November 2, 2021). "Prossimo: Making the Internet Memory Safe". The New Stack. Insight Partners. Retrieved August 20, 2024.
  7. "Rustls". Prossimo. Internet Safety Research Group. Retrieved August 21, 2024.
  8. Gran, Sarah (September 18, 2023). "Advancing Rustls and Rust for Linux with OpenSSF Support". Open Source Security Foundation (OpenSSF). Linux Foundation. Retrieved August 20, 2024.
  9. "OpenSSF Welcomes New Members in Support of Securing Open Source Software". ITSecurityWire. September 18, 2023. Retrieved September 3, 2024.
  10. "Comment from Amazon Web Services (Re: Open-Source Software Security RFI Response, Amazon Web Services)". Regulations.gov. November 8, 2023. Retrieved August 22, 2024.
  11. Aas, Josh (May 11, 2023). "AWS commits $1M to bring memory safety to critical parts of the Web". Prossimo. Internet Safety Research Group. Retrieved August 22, 2024.
  12. Gran, Sarah (July 11, 2023). "$1.5M from Sovereign Tech Fund to Fuel Memory Safety". Internet Security Research Group. Retrieved August 20, 2024.
  13. Tarakiyee, Tara (May 22, 2024). "On Rust, Memory Safety, and Open Source Infrastructure". Sovereign Tech Fund. Retrieved August 20, 2024.
  14. Gran, Sarah (March 12, 2024). "White House, Craig Newmark Support Memory Safe Software". Internet Security Research Group. Retrieved September 3, 2024.
  15. Aas, Josh (May 8, 2024). "Rustls Gains OpenSSL and Nginx Compatibility". Prossimo. Internet Security Research Group. Retrieved August 20, 2024.
  16. "Healthcare apps on Fly". Fly. Retrieved August 22, 2024.
  17. Wang, Dana; Arasaratnam, Omkhar (February 26, 2024). "OpenSSF Supports White House's Efforts to Build More Secure and Measurable Software". Open Source Security Foundation (OpenSSF). Linux Foundation. Retrieved August 22, 2024.
  18. Tabak, Maria (March 22, 2022). "Rewarding Rust contributors with Peer Bonuses". Google Open Source Blog. Retrieved August 22, 2024.
  19. "Crate rustls". Docs.rs. Retrieved August 21, 2024.
  20. Aas, Josh (February 29, 2024). "Rustls Now Using AWS Libcrypto for Rust, Gains FIPS Support". Prossimo. Internet Security Research Group. Retrieved August 20, 2024.
  21. Aas, Josh (March 26, 2024). "The Rustls TLS Library Adds Post-Quantum Key Exchange Support". Prossimo. Internet Security Research Group. Retrieved August 21, 2024.
  22. "Rustls webpki README". GitHub. September 18, 2023. Retrieved August 22, 2024.
  23. "ServerName in rustls::pki_types". Docs.rs. Retrieved August 21, 2024.
  24. Aas, Josh (March 29, 2023). "Rustls 0.21.0 Released With Exciting New Features". Prossimo. Internet Security Research Group. Retrieved August 22, 2024.
  25. Stenberg, Daniel (February 9, 2021). "curl supports rustls". daniel.haxx.se. Retrieved August 21, 2024.
  26. "TLS libraries". everything curl. Retrieved August 22, 2024.
  27. Larabel, Michael (May 11, 2024). "Rustls Can Now Work With Nginx Via New OpenSSL Compatibility Layer". Phoronix. Retrieved August 21, 2024.
  28. Birr-Pixton, Joseph (June 14, 2010). "Third-party audit of rustls". jbp.io. Retrieved August 22, 2024.
  29. Cimpanu, Catalin (July 19, 2019). "A Rust-based TLS library outperformed OpenSSL in almost every category". ZDNET. Retrieved August 20, 2024.
  30. Ochagavía, Adolfo (January 4, 2024). "Securing the Web: Rustls on track to outperform OpenSSL". Prossimo. Internet Security Research Group. Retrieved August 20, 2024.
  31. Lorenc, Dan; Conill, Ariadne (January 24, 2023). "Building the first memory safe distro". Chainguard. Retrieved August 20, 2024.
  32. Moore, Matt (May 8, 2024). "Signing CISA's Secure by Design pledge". Chainguard. Retrieved September 3, 2024.
  33. Palmieri, Luca (March 14, 2022). Zero to Production In Rust: An introduction to backend development in Rust. Luca Palmieri. p. 214. ISBN 979-8-8472-1143-7.
  34. "RustLS". The Goose Book. Retrieved August 21, 2024.
  35. Aas, Josh (October 9, 2020). "Memory Safe 'curl' for a More Secure Internet". Internet Security Research Group. Retrieved August 20, 2024.
  36. De Simone, Sergio (October 25, 2020). "Rust Hyper HTTP Library Will Contribute to Make Curl Safer". InfoQ. Retrieved August 20, 2024.
  37. Kampanakis, Panos (February 17, 2022). "Introducing s2n-quic, a new open-source QUIC protocol implementation in Rust". AWS Security Blog. Retrieved August 22, 2024.
  38. Cimpanu, Catalin (February 2, 2021). "Google funds project to secure Apache web server with new Rust component". ZDNET. Retrieved August 20, 2024.
  39. Eissing, Stefan (March 1, 2022). "Bringing Memory Safe TLS to Apache httpd". Prossimo. Internet Security Research Group. Retrieved August 20, 2024.
  40. Claburn, Thomas (February 2, 2021). "In Rust we trust: Shoring up Apache, ISRG ditches C, turns to wunderkind lang for new TLS crypto module". The Register. Retrieved September 2, 2024.
  41. "Apache HTTP Server Version 2.4: Apache Module mod_tls". Apache HTTP Server Project. Apache Software Foundation. Retrieved August 22, 2024.
  42. "How to Talk to Your Manager About Memory Safety". Internet Society. October 10, 2023. Retrieved August 22, 2024.
  43. Davidoff, Sergey "Shnatsel" (September 4, 2023). "Keeping Rust projects secure with cargo-audit 0.18: performance, compatibility and security improvements". Inside Rust Blog. Retrieved August 21, 2024.
  44. Weisman, Eliza (July 23, 2020). "Under the hood of Linkerd's state-of-the-art Rust proxy, Linkerd2-proxy". Linkerd. Cloud Native Computing Foundation. Retrieved August 20, 2024.
  45. Lewkowicz, Jakub (September 29, 2023). "SD Times Open-Source Project of the Week: Wolfi". SD Times. Retrieved August 20, 2024.
  46. Claburn, Thomas (January 26, 2023). "Memory safety is the new black, fashionable and fit for any occasion: Calls to avoid C/C++ and embrace Rust grow louder". The Register. Retrieved August 20, 2024.
  47. Aas, Josh (June 24, 2024). "More Memory Safety for Let's Encrypt: Deploying ntpd-rs". Let's Encrypt. Internet Security Research Group. Retrieved August 21, 2024.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Rustls&oldid=1263244178"