Rustls supports integration with OpenSSL and nginx

The ISRG (Internet Security Research Group), the organization that founded the Let's Encrypt project and promotes the development of technologies that improve the security of the Internet, has announced the publication of the rustls-openssl-compat layer, which allows the Rustls library to be used as a transparent replacement for OpenSSL. So far the project provides the rustls-libssl implementation, offering compatibility with libssl; a libcrypto implementation is in development.

The functionality present in the layer is enough to run nginx on Rustls. To migrate nginx to Rustls, it is sufficient to replace the libraries; nginx does not need to be rebuilt or modified. Rustls' immediate development plans include performance optimizations in the areas where Rustls still lags behind OpenSSL, and support for RFC 8879 (TLS certificate compression). In addition, the announcement mentions a plan to move parts of the Let's Encrypt certificate authority infrastructure from OpenSSL to Rustls.


The Rustls project develops client and server implementations of the TLS 1.2 and TLS 1.3 protocols for use in Rust applications. Rustls does not provide its own implementation of cryptographic primitives, but uses pluggable cryptographic function providers (the ECDSA, Ed25519, RSA, ChaCha20-Poly1305, AES128-GCM and AES256-GCM algorithms are supported). By default, Rustls uses a crypto provider based on the aws-lc-rs library, which is developed by Amazon and is based on the C++ code of BoringSSL, Google's fork of OpenSSL. The ring library, based in part on BoringSSL and combining assembly, C++ and Rust code, can also be used as a crypto provider.

It is noteworthy that nginx has built-in support for building with BoringSSL, which allows that library to be used directly without additional layers. Moreover, in addition to the built-in Rustls support for the aws-lc-rs and ring libraries, both based on the BoringSSL code, several third-party crypto providers are being developed for Rustls, allowing the use of the mbedtls (C), BoringSSL (C++) and RustCrypto (Rust) libraries.
