curl/docs/RUSTLS.md
Daniel McCarney f09adc3ad1
vtls/rustls: rustls-ffi 0.14.0 update
* Documentation is updated to describe new required version, and to link
  to the upstream README about cryptography providers.
* GitHub workflow is updated to fetch 0.14.0.
* Breaking changes in `lib/vtls/rustls.c` are addressed:
  * The `rustls_client_config_builder_build()` function now uses an out
    parameter for the built config instead of returning it directly.
    This allows the building process to fail if the default crypto
    provider state isn't appropriate, or another error condition occurs.
  * Default ciphersuites are collected using renamed functions named to
    make it clear the ciphersuites are associated with the default
    crypto provider.
  * Customization of ciphersuites is now done via
    a `rustls_crypto_provider_builder` used to instantiate a
    `rustls_crypto_provider`. The customized provider can then be
    used with `rustls_client_config_builder_new_custom` in place of
    providing ciphersuites directly.
  * `rustls_connection_get_negotiated_ciphersuite()` now returns the
    ciphersuite ID directly.

Closes #14889
2024-09-13 14:11:49 +02:00


Rustls

Rustls is a TLS backend written in Rust. Curl can be built to use it as an alternative to OpenSSL or other TLS backends. We use the rustls-ffi C bindings. This version of curl depends on version v0.14.0 of rustls-ffi.

Building with Rustls

First, install Rust.

Next, check out, build, and install the appropriate version of rustls-ffi:

% git clone https://github.com/rustls/rustls-ffi -b v0.14.0
% cd rustls-ffi
% make
% make DESTDIR=${HOME}/rustls-ffi-built/ install

Now configure and build curl with Rustls:

% git clone https://github.com/curl/curl
% cd curl
% autoreconf -fi
% ./configure --with-rustls=${HOME}/rustls-ffi-built
% make

See the rustls-ffi README for more information on cryptography providers and their build/platform requirements.

Randomness

Every TLS backend libcurl supports, except Rustls, provides a function that curl can use to obtain cryptographically secure random numbers.

When you build curl with Rustls, curl uses its own internal attempts to get a decent random value:

  1. Windows specific APIs
  2. arc4random

If neither of those is present, curl built with Rustls falls back to weak pseudo-random values, which weakens several of curl's authentication implementations.
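The following is an added example, not curl's own code, that mirrors the fallback order described above (Windows APIs, then arc4random, otherwise a weak PRNG) and shows the check a practitioner would want around it: a `strict` flag that refuses the weak fallback instead of silently using it. The platform detection macros (`RND_HAVE_WIN32`, `RND_HAVE_ARC4RANDOM`) are this example's own assumptions; curl itself relies on its configure-time detection rather than these compile-time tests.

```c
/* Added example (not curl's code): probe which random source a build would
 * end up with, in the same order the Randomness section describes, and
 * optionally refuse the weak fallback. */
#define _DEFAULT_SOURCE 1   /* exposes arc4random_buf() on glibc >= 2.36 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Assumed platform detection; curl uses its configure results instead. */
#if defined(_WIN32)
#  include <windows.h>
#  include <bcrypt.h>            /* link with bcrypt.lib */
#  define RND_HAVE_WIN32 1
#elif defined(__APPLE__) || defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__)
#  define RND_HAVE_ARC4RANDOM 1  /* arc4random_buf() lives in libc here */
#elif defined(__GLIBC__)
#  if __GLIBC_PREREQ(2, 36)
#    define RND_HAVE_ARC4RANDOM 1 /* glibc added arc4random_buf() in 2.36 */
#  endif
#endif

enum rnd_source {
  RND_SOURCE_WIN32,       /* BCryptGenRandom */
  RND_SOURCE_ARC4RANDOM,  /* arc4random_buf */
  RND_SOURCE_WEAK         /* rand(): NOT cryptographically secure */
};

const char *random_source_name(enum rnd_source s)
{
  switch(s) {
  case RND_SOURCE_WIN32:      return "Windows BCryptGenRandom";
  case RND_SOURCE_ARC4RANDOM: return "arc4random";
  default:                    return "weak PRNG (rand)";
  }
}

int random_source_is_secure(enum rnd_source s)
{
  return s != RND_SOURCE_WEAK;
}

/* The weak fallback: seeded once from the clock, so its output is
 * predictable to anyone who can narrow down the seed. */
static void weak_fill(unsigned char *buf, size_t len)
{
  static int seeded = 0;
  size_t i;
  if(!seeded) {
    srand((unsigned)time(NULL) ^ (unsigned)(size_t)buf);
    seeded = 1;
  }
  for(i = 0; i < len; i++)
    buf[i] = (unsigned char)(rand() & 0xff);
}

/* Fill buf with len random bytes.  Returns 0 on success.  With strict != 0
 * it returns -1 rather than using the weak PRNG.  If used is non-NULL it
 * receives the source that was selected (RND_SOURCE_WEAK on refusal). */
int fill_random(unsigned char *buf, size_t len, int strict, enum rnd_source *used)
{
  enum rnd_source src = RND_SOURCE_WEAK;
#if defined(RND_HAVE_WIN32)
  if(BCryptGenRandom(NULL, buf, (ULONG)len, BCRYPT_USE_SYSTEM_PREFERRED_RNG) != 0)
    return -1;
  src = RND_SOURCE_WIN32;
#elif defined(RND_HAVE_ARC4RANDOM)
  arc4random_buf(buf, len);
  src = RND_SOURCE_ARC4RANDOM;
#endif
  if(src == RND_SOURCE_WEAK) {
    if(used)
      *used = src;
    if(strict)
      return -1;            /* caller asked not to accept weak randomness */
    weak_fill(buf, len);
    return 0;
  }
  if(used)
    *used = src;
  return 0;
}

int main(void)
{
  unsigned char buf[16];
  enum rnd_source src;
  if(fill_random(buf, sizeof(buf), 1, &src) != 0) {
    fprintf(stderr, "no secure random source; build would fall back to %s\n",
            random_source_name(src));
    return 1;
  }
  printf("random bytes obtained from %s\n", random_source_name(src));
  return 0;
}
```

Run on the target platform, the program exits non-zero wherever a Rustls build of curl would be left with the weak path, which is the case to treat as a hard failure for anything that feeds authentication challenges or nonces.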