I've been working on alt-tls. I have a lot of commits that haven't been pushed, which will push once I finish and test all the algorithms.
Why? I want these things:
1) I want a pure-rust solution because that will compile everywhere that rust compiles without system library version issues, people filing bugs related to linking shit that I don't care about. A pure rust solution will be a bit slower but that is OK by me.
2) I want QUIC support
3) I want to hack the CertificateVerifier to simply verify that the public key is exactly as the library consumer expects it to be, rather than trusting CAs and DN namespaces.
4) I wanted a blake3 variant cipher suite (because IMHO blake3 is just better).
A while back I created alt-tls and did (3) cert verifier and (4) blake3 cipher suite. It also satisifed (1) pure rust.
But it didn't have (2) quic support.
Surveying all the providers I could find yielded this:
Provider Quic Support
rustls internal: ring Ring Yes
rustls internal: aws_lc AWS LC Yes
boring-rustls-provider Boring Yes
rustls-graviola Graviola No
rustls-openssl OpenSSL Yes
rustls-rustcrypto Rust Crypto No (barely started and stalled)
rustls-mbedtls-provider mbedtls No
rustls-symcrypt Microsoft SymCrypt No
rustls-wolfcrypt-provider wolfcrypt No
I currently have full quic support working and tested against RFC 9001 appendix test vectors for :
TLS13_CHACHA20_POLY1305_BLAKE3 (non-standard)
TLS13_CHACHA20_POLY1305_SHA256
What is left to complete is:
TLS13_AES_128_GCM_SHA256
TLS13_AES_256_GCM_SHA384
It is the smaller keysize of AES 128 that requires the next refactor.
Why? I want these things:
1) I want a pure-rust solution because that will compile everywhere that rust compiles without system library version issues, people filing bugs related to linking shit that I don't care about. A pure rust solution will be a bit slower but that is OK by me.
2) I want QUIC support
3) I want to hack the CertificateVerifier to simply verify that the public key is exactly as the library consumer expects it to be, rather than trusting CAs and DN namespaces.
4) I wanted a blake3 variant cipher suite (because IMHO blake3 is just better).
A while back I created alt-tls and did (3) cert verifier and (4) blake3 cipher suite. It also satisifed (1) pure rust.
But it didn't have (2) quic support.
Surveying all the providers I could find yielded this:
Provider Quic Support
rustls internal: ring Ring Yes
rustls internal: aws_lc AWS LC Yes
boring-rustls-provider Boring Yes
rustls-graviola Graviola No
rustls-openssl OpenSSL Yes
rustls-rustcrypto Rust Crypto No (barely started and stalled)
rustls-mbedtls-provider mbedtls No
rustls-symcrypt Microsoft SymCrypt No
rustls-wolfcrypt-provider wolfcrypt No
I currently have full quic support working and tested against RFC 9001 appendix test vectors for :
TLS13_CHACHA20_POLY1305_BLAKE3 (non-standard)
TLS13_CHACHA20_POLY1305_SHA256
What is left to complete is:
TLS13_AES_128_GCM_SHA256
TLS13_AES_256_GCM_SHA384
It is the smaller keysize of AES 128 that requires the next refactor.
4
