# Rustls

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Rustls
> Markdown URL: https://mediated.wiki/source/Rustls.md
> Source: https://en.wikipedia.org/wiki/Rustls
> Source revision: 1343739285
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

{{Use mdy dates|date=August 2024}}
{{Short description|Implementation of TLS in Rust}}
{{Infobox software
| name = Rustls
| logo = Rustls logo.png
| logo size = 
| screenshot = 
| caption = 
| developer = Joe Birr-Pixton, Dirkjan Ochtman, Daniel McCarney, Josh Aas<ref name="readme"/>
| released = 2016
| author = 
| operating_system = [Cross-platform](/source/Cross-platform)
| programming_language = [Rust](/source/Rust_(programming_language))
| genre = [Security library](/source/Library_(computer_science))
| license = [Apache 2.0](/source/Apache_License_2.0), [MIT](/source/MIT_License), [ISC](/source/ISC_license)<ref name="readme" />
| website = {{URL|https://rustls.dev/}}
| latest release version = 0.23.37
| latest release date = 
}}

'''Rustls''' (pronounced "rustles"<ref name=":4">{{Cite web |last=Edge |first=Jake |date=May 4, 2021 |title=Rustls: memory safety for TLS |url=https://lwn.net/Articles/853712/ |access-date=2024-08-20 |website=[LWN.net](/source/LWN.net)}}</ref>) is an [open-source](/source/Open_source) implementation of the [Transport Layer Security](/source/Transport_Layer_Security) (TLS) [cryptographic protocol](/source/cryptographic_protocol) written in the [Rust programming language](/source/Rust_(programming_language)). TLS is essential to [internet security](/source/internet_security), and Rustls aims to enable [secure](/source/Secure_communication), [fast](/source/Network_performance) TLS connections. Rustls uses Rust's enforcement of [memory safety](/source/memory_safety) to reduce the risk of [security vulnerabilities](/source/Vulnerability_(computer_security)). It is part of efforts to improve internet security by replacing memory-unsafe [software libraries](/source/Library_(computing)), such as [OpenSSL](/source/OpenSSL), with memory-safe alternatives. 

== Team and funding ==
Joe Birr-Pixton started Rustls in 2016 and remains the lead developer as of 2024.<ref name="readme">{{Cite web |date=July 30, 2024 |title=Rustls README |url=https://github.com/rustls/rustls/blob/main/README.md |access-date=2024-08-20 |website=[GitHub](/source/GitHub) |language=en}}</ref> The [Internet Security Research Group](/source/Internet_Security_Research_Group) (ISRG), a [nonprofit organization](/source/501(c)(3)_organization) based in the United States, has sponsored the project since 2021 as part of its Prossimo initiative.<ref name=":3">{{Cite web |last=Melanson |first=Mike |date=2021-04-23 |title=Rustls Looks to Provide a Memory-Safe Replacement for OpenSSL |url=https://thenewstack.io/rustls-looks-to-provide-a-memory-safe-replacement-for-openssl/ |access-date=2024-08-20 |website=The New Stack |publisher=[Insight Partners](/source/Insight_Partners) |language=en-US}}</ref><ref>{{Cite web |last=Aas |first=Josh |date=2021-04-20 |title=Preparing Rustls for Wider Adoption |url=https://www.memorysafety.org/blog/preparing-rustls-for-wider-adoption/ |access-date=2024-08-20 |website=Prossimo |publisher=Internet Safety Research Group}}</ref> ISRG aims to make Rustls a viable alternative to [OpenSSL](/source/OpenSSL), which is widely used by [internet](/source/internet) [servers](/source/server_(computing)) but difficult to use correctly and has had [security bugs](/source/Security_bug), such as [Heartbleed](/source/Heartbleed), caused by memory-unsafe code.<ref name=":3" /><ref name=":5">{{Cite web |last=Vaughan-Nichols |first=Steven J. |date=2021-11-02 |title=Prossimo: Making the Internet Memory Safe |url=https://thenewstack.io/prossimo-making-the-internet-memory-safe/ |access-date=2024-08-20 |website=The New Stack |publisher=[Insight Partners](/source/Insight_Partners) |language=en-US}}</ref>

ISRG has paid several [programmers](/source/Programmer) to work on Rustls, including Birr-Pixton, Daniel McCarney, and Dirkjan Ochtman, using money contributed by [Google](/source/Google) and other companies and organizations.<ref name=":3" /><ref>{{Cite web |last= |first= |title=Rustls |url=https://www.memorysafety.org/initiative/rustls/ |access-date=2024-08-21 |website=Prossimo |publisher=Internet Safety Research Group}}</ref> In 2023, the [Open Source Security Foundation](/source/Open_Source_Security_Foundation)'s Alpha-Omega initiative gave ISRG $530,000 for development of the option to use different cryptographic backends and for the separate project [Rust for Linux](/source/Rust_for_Linux).<ref>{{Cite web |last=Gran |first=Sarah |date=September 18, 2023 |title=Advancing Rustls and Rust for Linux with OpenSSF Support |url=https://openssf.org/blog/2023/09/18/advancing-rustls-and-rust-for-linux-with-openssf-support/ |access-date=2024-08-20 |website=Open Source Security Foundation (OpenSSF) |publisher=[Linux Foundation](/source/Linux_Foundation) |language=en-US}}</ref><ref>{{Cite web |last= |first= |date=2023-09-18 |title=OpenSSF Welcomes New Members in Support of Securing Open Source Software |url=https://itsecuritywire.com/news/openssf-welcomes-new-members-in-support-of-securing-open-source-software/ |access-date=2024-09-03 |website=ITSecurityWire |language=en-US}}</ref> That money came from Google, [Amazon Web Services](/source/Amazon_Web_Services), and [Microsoft](/source/Microsoft).<ref>{{Cite web |date=2023-11-08 |title=Comment from Amazon Web Services (Re: Open-Source Software Security RFI Response, Amazon Web Services) |url=https://www.regulations.gov/comment/ONCD-2023-0002-0082 |access-date=2024-08-22 |website=Regulations.gov}}</ref> Amazon Web Services also gave ISRG $1 million in 2023 for memory-safety projects including Rustls.<ref>{{Cite web |last=Aas |first=Josh |date=2023-05-11 |title=AWS commits $1M to bring memory safety to critical parts of the Web |url=https://www.memorysafety.org/blog/aws-funding/ |access-date=2024-08-22 |website=Prossimo |publisher=Internet Safety Research Group}}</ref> The [Sovereign Tech Fund](/source/Sovereign_Tech_Fund), supported by the German government, gave $1.5 million to ISRG in 2023 for work on Rustls and other projects that provide memory-safe versions of open source tools critical to internet security.<ref>{{Cite web |last=Gran |first=Sarah |date=2023-07-11 |title=$1.5M from Sovereign Tech Fund to Fuel Memory Safety |url=https://www.abetterinternet.org/post/1.5m-for-memory-safety/ |access-date=2024-08-20 |website=Internet Security Research Group}}</ref><ref>{{Cite web |last=Tarakiyee |first=Tara |date=2024-05-22 |title=On Rust, Memory Safety, and Open Source Infrastructure |url=https://www.sovereigntechfund.de/news/on-rust-memory-safety-open-source-infrastructure |access-date=2024-08-20 |website=Sovereign Tech Fund |language=en}}</ref> [Craig Newmark Philanthropies](/source/Craig_Newmark) granted $100,000 to ISRG for memory safety projects in 2024.<ref>{{Cite web |last=Gran |first=Sarah |date=2024-03-12 |title=White House, Craig Newmark Support Memory Safe Software |url=https://www.abetterinternet.org/post/growing-support/ |access-date=2024-09-03 |website=Internet Security Research Group}}</ref> Additional funding has come from Fly.io,<ref name=":1">{{Cite web |last=Aas |first=Josh |date=2024-05-08 |title=Rustls Gains OpenSSL and Nginx Compatibility |url=https://www.memorysafety.org/blog/rustls-nginx-compatibility-layer/ |access-date=2024-08-20 |website=Prossimo |publisher=Internet Security Research Group}}</ref> a [cloud platform](/source/Cloud_computing) that uses Rustls.<ref>{{Cite web |title=Healthcare apps on Fly |url=https://fly.io/docs/about/healthcare/ |access-date=2024-08-22 |website=Fly |language=en-US}}</ref>

The United States [Office of the National Cyber Director](/source/Office_of_the_National_Cyber_Director) has encouraged work on memory-safe security software<ref>{{Cite web |last1=Wang |first1=Dana |last2=Arasaratnam |first2=Omkhar |date=February 26, 2024 |title=OpenSSF Supports White House's Efforts to Build More Secure and Measurable Software |url=https://openssf.org/blog/2024/02/26/openssf-supports-efforts-to-build-more-secure-and-measurable-software/ |access-date=2024-08-22 |website=Open Source Security Foundation (OpenSSF) |publisher=[Linux Foundation](/source/Linux_Foundation) |language=en-US}}</ref> and complimented the Rustls team.<ref name=":1" /> Google awarded Open Source Peer Bonuses to Birr-Pixton and Ochtman for their work on Rustls.<ref>{{Cite web |last=Tabak |first=Maria |date=March 22, 2022 |title=Rewarding Rust contributors with Peer Bonuses |url=https://opensource.googleblog.com/2022/03/Rewarding-Rust-contributors-with-Google-Open-Source-Peer-Bonuses.html |access-date=2024-08-22 |website=Google Open Source Blog}}</ref>

== Architecture and features ==
Rustls is a [low-level](/source/High-_and_low-level) software [library](/source/Library_(computing)) focused on [TLS](/source/Transport_Layer_Security) implementation.<ref name=":6" /> This means it does not support other [internet protocols](/source/Internet_protocol_suite) by itself, such as [HTTPS](/source/HTTPS), but software that implements other protocols may use Rustls as a component.<ref name=":6">{{Cite web |title=Crate rustls |url=https://docs.rs/rustls/latest/rustls/ |access-date=2024-08-21 |website=Docs.rs}}</ref>

By default Rustls uses [cryptographic primitives](/source/Cryptographic_primitive) from Amazon Web Services Libcrypto for Rust (''aws-lc-rs''), which supports [Federal Information Processing Standards (FIPS)](/source/FIPS_140).<ref name=":0" /> Rustls allows using alternative cryptographic libraries instead of ''aws-lc-rs'', such as ''ring''.<ref name=":0">{{Cite web |last=Aas |first=Josh |date=2024-02-29 |title=Rustls Now Using AWS Libcrypto for Rust, Gains FIPS Support |url=https://www.memorysafety.org/blog/rustls-with-aws-crypto-back-end-and-fips/ |access-date=2024-08-20 |website=Prossimo |publisher=Internet Security Research Group}}</ref> The project has experimental support for [post-quantum cryptography](/source/post-quantum_cryptography): a [key exchange](/source/key_exchange) method with a special [key encapsulation mechanism](/source/key_encapsulation_mechanism) ([Kyber](/source/Kyber)).<ref>{{Cite web |last=Aas |first=Josh |date=2024-03-26 |title=The Rustls TLS Library Adds Post-Quantum Key Exchange Support |url=https://www.memorysafety.org/blog/pq-key-exchange/ |access-date=2024-08-21 |website=Prossimo |publisher=Internet Security Research Group}}</ref>

Rustls uses its own [fork](/source/Fork_(software_development)) of the ''webpki'' library to verify [public key infrastructure](/source/public_key_infrastructure) [certificates](/source/Transport_Layer_Security), a step in the [TLS handshake](/source/Transport_Layer_Security).<ref name=":4" /><ref>{{Cite web |date=2023-09-18 |title=Rustls webpki README |url=https://github.com/rustls/webpki/blob/main/README.md |access-date=2024-08-22 |website=GitHub}}</ref> Rustls supports [Server Name Indication](/source/Server_Name_Indication) (SNI), which allows a [web server](/source/web_server) to serve multiple HTTPS websites at the same [IP address](/source/IP_address) with different certificates.<ref>{{Cite web |title=ServerName in rustls::pki_types |url=https://docs.rs/rustls/latest/rustls/pki_types/enum.ServerName.html |access-date=2024-08-21 |website=Docs.rs}}</ref> It also supports TLS certificates that contain IP addresses instead of [domain names](/source/Domain_name).<ref>{{Cite web |last=Aas |first=Josh |date=2023-03-29 |title=Rustls 0.21.0 Released With Exciting New Features |url=https://www.memorysafety.org/blog/rustls-new-features/ |access-date=2024-08-22 |website=Prossimo |publisher=Internet Security Research Group}}</ref>

[C programs](/source/C_(programming_language)) can use Rustls through a [foreign function interface](/source/foreign_function_interface) [API](/source/API), ''rustls-ffi''.<ref name=":4" /><ref name=":5" /> For example, [cURL](/source/cURL) is a popular tool written in C, and it allows using Rustls through ''rustls-ffi''.<ref>{{Cite web |last=Stenberg |first=Daniel |author-link=Daniel Stenberg |date=2021-02-09 |title=curl supports rustls |url=https://daniel.haxx.se/blog/2021/02/09/curl-supports-rustls/ |access-date=2024-08-21 |website=daniel.haxx.se |language=en-US}}</ref><ref>{{Cite web |title=TLS libraries |url=https://everything.curl.dev/build/tls.html |access-date=2024-08-22 |website=everything curl}}</ref> Rustls also has an OpenSSL [compatibility layer](/source/compatibility_layer) that allows configuring the widely used [Nginx](/source/Nginx) web server to use Rustls instead of OpenSSL.<ref name=":1" /><ref>{{Cite web |last=Larabel |first=Michael |date=2024-05-11 |title=Rustls Can Now Work With Nginx Via New OpenSSL Compatibility Layer |url=https://www.phoronix.com/news/Rustls-With-Nginx |access-date=2024-08-21 |website=[Phoronix](/source/Phoronix) |language=en}}</ref>

Rustls is available under multiple [free software licenses](/source/Free-software_license): [Apache 2.0](/source/Apache_License_2.0), [MIT](/source/MIT_License), and [ISC](/source/ISC_license).<ref name="readme" />

=== Evaluations ===
In 2020, the [Cloud Native Computing Foundation](/source/Cloud_Native_Computing_Foundation) funded a [security audit](/source/Information_security_audit) of Rustls and two Rust libraries it used, ''ring'' and ''webpki'', with positive results.<ref>{{Cite web |last=Birr-Pixton |first=Joseph |date=2010-06-14 |title=Third-party audit of rustls |url=https://jbp.io/2020/06/14/rustls-audit.html |access-date=2024-08-22 |website=jbp.io}}</ref>

In 2019, [benchmarks](/source/Benchmark_(computing)) carried out by the Rustls developer showed better [performance](/source/Computer_performance) than [OpenSSL](/source/OpenSSL).<ref>{{Cite web |last=Cimpanu |first=Catalin |date=July 19, 2019 |title=A Rust-based TLS library outperformed OpenSSL in almost every category |url=https://www.zdnet.com/article/a-rust-based-tls-library-outperformed-openssl-in-almost-every-category/ |access-date=2024-08-20 |website=ZDNET |language=en}}</ref> In 2024 the project conducted new performance comparisons with the latest version of OpenSSL, which showed some scenarios where Rustls was faster or more efficient and some where OpenSSL performed better.<ref>{{Cite web |last=Ochagavía |first=Adolfo |date=2024-01-04 |title=Securing the Web: Rustls on track to outperform OpenSSL |url=https://www.memorysafety.org/blog/rustls-performance/ |access-date=2024-08-20 |website=Prossimo |publisher=Internet Security Research Group}}</ref>

== Uses ==
As with other TLS implementations, a [computer user](/source/User_(computing)) may use Rustls without being aware of it, as an underlying part of an application or website. A programmer can use Rustls directly or by configuring a higher-level library or tool to use it. In particular, Rustls is used by some projects that want to ensure they have a secure [software supply chain](/source/software_supply_chain).<ref>{{Cite web |last1=Lorenc |first1=Dan |last2=Conill |first2=Ariadne |date=January 24, 2023 |title=Building the first memory safe distro |url=https://www.chainguard.dev/unchained/building-the-first-memory-safe-distro |access-date=2024-08-20 |website=Chainguard |language=en}}</ref> The US [Cybersecurity and Infrastructure Security Agency](/source/Cybersecurity_and_Infrastructure_Security_Agency) has recommended using products in memory safe languages as part of its "Secure by Design" initiative.<ref>{{Cite web |last=Moore |first=Matt |date=May 8, 2024 |title=Signing CISA's Secure by Design pledge |url=https://www.chainguard.dev/unchained/signing-cisas-secure-by-design-pledge |access-date=2024-09-03 |website=Chainguard |language=en}}</ref>

Some libraries support Rustls as one of several choices for TLS implementations. The ''reqwest'' [HTTP](/source/HTTP) client library offers the option to use Rustls for TLS instead of the system's default TLS library (for example, on [Windows](/source/Microsoft_Windows) the default is the [Security Support Provider Interface](/source/Security_Support_Provider_Interface)).<ref>{{Cite book |last=Palmieri |first=Luca |url=https://books.google.com/books?id=x7C4EAAAQBAJ&pg=PA214 |title=Zero to Production In Rust: An introduction to backend development in Rust |date=2022-03-14 |publisher=Luca Palmieri |isbn=979-8-8472-1143-7 |pages=214 |language=en}}</ref><ref>{{Cite web |title=RustLS |url=https://book.goose.rs/config/rustls.html |access-date=2024-08-21 |website=The Goose Book}}</ref> In 2020 an ISRG software engineer enabled using Rustls as a TLS backend for [cURL](/source/cURL).<ref>{{Cite web |last=Aas |first=Josh |date=2020-10-09 |title=Memory Safe 'curl' for a More Secure Internet |url=https://www.abetterinternet.org/post/memory-safe-curl/ |access-date=2024-08-20 |website=Internet Security Research Group}}</ref><ref>{{Cite web |last=De Simone |first=Sergio |date=October 25, 2020 |title=Rust Hyper HTTP Library Will Contribute to Make Curl Safer |url=https://www.infoq.com/news/2020/10/memory-safe-curl-rust/ |access-date=2024-08-20 |website=InfoQ |language=en}}</ref> ''s2n-quic'', an implementation of the [QUIC](/source/QUIC) [network protocol](/source/Communication_protocol) in Rust, supports both Rustls and [''s2n-tls''](/source/S2n) for TLS.<ref>{{Cite web |last=Kampanakis |first=Panos |date=2022-02-17 |title=Introducing s2n-quic, a new open-source QUIC protocol implementation in Rust |url=https://aws.amazon.com/blogs/security/introducing-s2n-quic-open-source-protocol-rust/ |access-date=2024-08-22 |website=AWS Security Blog |language=en-US}}</ref>

In 2021 [Google](/source/Google) funded the creation of ''mod_tls'', a new TLS [module](/source/Modular_programming) for [Apache HTTP Server](/source/Apache_HTTP_Server) using Rustls.<ref name=":2">{{Cite web |last=Cimpanu |first=Catalin |date=February 2, 2021 |title=Google funds project to secure Apache web server with new Rust component |url=https://www.zdnet.com/article/google-funds-project-to-secure-apache-web-server-project-with-new-rust-component/ |access-date=2024-08-20 |website=ZDNET |language=en}}</ref><ref name=":7">{{Cite web |last=Eissing |first=Stefan |date=2022-03-01 |title=Bringing Memory Safe TLS to Apache httpd |url=https://www.memorysafety.org/blog/memory-safe-httpd/ |access-date=2024-08-20 |website=Prossimo |publisher=Internet Security Research Group}}</ref> The new module is intended to be a successor to the ''[mod_ssl](/source/mod_ssl)'' module that uses OpenSSL, as a more secure default.<ref name=":2" /><ref>{{Cite web |last=Claburn |first=Thomas |date=2021-02-02 |title=In Rust we trust: Shoring up Apache, ISRG ditches C, turns to wunderkind lang for new TLS crypto module |url=https://www.theregister.com/2021/02/02/patching_apache_rust/ |access-date=September 2, 2024 |website=[The Register](/source/The_Register)}}</ref> As of August 2024, ''mod_tls'' is available in the latest version of Apache but still marked as experimental.<ref>{{Cite web |title=Apache HTTP Server Version 2.4: Apache Module mod_tls |url=https://httpd.apache.org/docs/current/mod/mod_tls.html |access-date=August 22, 2024 |website=Apache HTTP Server Project |publisher=[Apache Software Foundation](/source/Apache_Software_Foundation)}}</ref> The [Internet Society](/source/Internet_Society), a nonprofit that advocates for an open and secure [internet](/source/internet), suggests that organizations use this module as a step toward increasing memory safety.<ref>{{Cite web |date=2023-10-10 |title=How to Talk to Your Manager About Memory Safety |url=https://www.internetsociety.org/resources/doc/2023/how-to-talk-to-your-manager-about-memory-safety/ |access-date=2024-08-22 |website=[Internet Society](/source/Internet_Society) |language=en-US}}</ref>

Rustls is the default TLS implementation in some applications. The utility program ''cargo-audit'', which checks Rust project dependencies for security vulnerabilities, uses Rustls.<ref>{{Cite web |last=Davidoff |first=Sergey "Shnatsel" |date=September 4, 2023 |title=Keeping Rust projects secure with cargo-audit 0.18: performance, compatibility and security improvements |url=https://blog.rust-lang.org/inside-rust/2023/09/04/keeping-secure-with-cargo-audit-0.18.html |access-date=2024-08-21 |website=Inside Rust Blog |language=en}}</ref> [Linkerd](/source/Linkerd), which "adds security, [observability](/source/Observability_(software)), and reliability to any [Kubernetes](/source/Kubernetes) cluster", includes a [proxy server](/source/proxy_server) built with Rustls.<ref>{{Cite web |last=Weisman |first=Eliza |date=July 23, 2020 |title=Under the hood of Linkerd's state-of-the-art Rust proxy, Linkerd2-proxy |url=https://linkerd.io/2020/07/23/under-the-hood-of-linkerds-state-of-the-art-rust-proxy-linkerd2-proxy/ |access-date=2024-08-20 |website=Linkerd |publisher=[Cloud Native Computing Foundation](/source/Cloud_Native_Computing_Foundation) |language=en}}</ref> Wolfi, a tool for making memory-safe [Linux](/source/Linux) [containers](/source/OS-level_virtualization), uses Rustls.<ref>{{Cite web |last=Lewkowicz |first=Jakub |date=2023-09-29 |title=SD Times Open-Source Project of the Week: Wolfi |url=https://sdtimes.com/open-source/sd-times-open-source-project-of-the-week-wolfi/ |access-date=2024-08-20 |website=SD Times |language=en-US}}</ref><ref>{{Cite news |last=Claburn |first=Thomas |date=2023-01-26 |title=Memory safety is the new black, fashionable and fit for any occasion: Calls to avoid C/C++ and embrace Rust grow louder |url=https://www.theregister.com/2023/01/26/memory_safety_mainstream/ |access-date=2024-08-20 |work=[The Register](/source/The_Register)}}</ref> In 2024, ISRG announced plans to start replacing OpenSSL with Rustls in [Let's Encrypt](/source/Let's_Encrypt), their free [certificate authority](/source/certificate_authority) used by hundreds of millions of websites.<ref name=":1" /><ref>{{Cite web |last=Aas |first=Josh |date=June 24, 2024 |title=More Memory Safety for Let's Encrypt: Deploying ntpd-rs |url=https://letsencrypt.org/2024/06/24/ntpd-rs-deployment.html |access-date=2024-08-21 |website=Let's Encrypt |publisher=Internet Security Research Group |language=en-US}}</ref>

== See also ==

{{Portal|Free and open-source software}}

* [Comparison of TLS implementations](/source/Comparison_of_TLS_implementations)

== References ==

{{Reflist}}

== External links ==

* [https://www.memorysafety.org/initiative/rustls/ Rustls initiative] at [Prossimo](/source/Prossimo)

{{TLS/SSL}}

Category:Free security software
Category:Free software programmed in Rust
Category:Transport Layer Security implementation
Category:Software using the Apache license
Category:Software using the MIT license
Category:Software using the ISC license

---
Adapted from the Wikipedia article [Rustls](https://en.wikipedia.org/wiki/Rustls) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Rustls?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
