rustls / rustls-native-certs

Integration with OS certificate stores for rustls

rustls-native-certs allows rustls to use the platform's native certificate store when operating as a TLS client.

This is supported on Windows, macOS and Linux:

  • On all platforms, the SSL_CERT_FILE environment variable is checked first. If that's set, certificates are loaded from the path specified by that variable, or an error is returned if certificates cannot be loaded from the given path. If it's not set, then the platform-specific certificate source is used.
  • On Windows, certificates are loaded from the system certificate store. The schannel crate is used to access the Windows certificate store APIs.
  • On macOS, certificates are loaded from the keychain. The user, admin and system trust settings are merged together as documented by Apple. The security-framework crate is used to access the keystore APIs.
  • On Linux and other UNIX-like operating systems, the openssl-probe crate is used to discover the filename of the system CA bundle.

Status

rustls-native-certs is currently in development.

If you'd like to help out, please see CONTRIBUTING.md.

rustls Documentation

Release history:

  • 0.6.2 (2022-04-14):
    • Update dependencies.
  • 0.6.1 (2021-10-25):
    • Allow overrides using SSL_CERT_FILE on all platforms.
  • 0.6.0 (2021-10-24):
    • Remove rustls dependency entirely.
  • 0.5.0 (2020-11-22):
    • Update dependencies.
    • Make rustls dependency optional, for use with reqwest's certificate types. Thanks to @est31.
  • 0.4.0 (2020-07-05):
    • Update dependencies.
  • 0.3.0 (2020-02-24):
    • Support wider range of UNIX platforms.
    • Update dependencies.
  • 0.2.0 (2020-01-26):
    • Return valid certificates even in the presence of invalid ones. This allows callers to opt-in to "best effort" behaviour.
  • 0.1.0 (2019-11-04):
    • Initial release.

API

This library exposes a single function with this signature:

pub fn load_native_certs() -> Result<Vec<Certificate>, std::io::Error>

On success, this returns a Vec<Certificate> loaded with a snapshot of the root certificates found on this platform. This function fails in a platform-specific way, expressed in a std::io::Error.

This function can be expensive: on some platforms it involves loading and parsing a ~300KB disk file. It's therefore prudent to call this sparingly.
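The SSL_CERT_FILE precedence described under the platform list above and the "best effort" loading introduced in 0.2.0, modelled in an added example that is not the crate's own code. It decodes PEM with a small hand-written base64 routine, accepts a decoded block only if it starts with the DER SEQUENCE tag (a sanity check, not full certificate parsing), and takes `read_file` and `platform_bundle` closures as assumed stand-ins for the real file read and OS store.

```rust
use std::io;
/// Constructed sample bundle (not a real CA file): a tiny valid DER blob, a garbage-base64 block, a non-SEQUENCE block.
pub const SAMPLE_BUNDLE: &str = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n\
    -----BEGIN CERTIFICATE-----\n!!!!\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n";
/// Standard base64 decoder (whitespace and '=' padding tolerated); None on any bad character.
fn base64_decode(s: &str) -> Option<Vec<u8>> {
    const ALPHABET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let body: Vec<u8> = s.bytes().filter(|b| !b.is_ascii_whitespace() && *b != b'=').collect();
    let mut out = Vec::new();
    for chunk in body.chunks(4) {
        if chunk.len() < 2 { return None; }
        let mut acc = 0u32;
        for (i, &b) in chunk.iter().enumerate() {
            acc |= (ALPHABET.iter().position(|&a| a == b)? as u32) << (18 - 6 * i);
        }
        // 2, 3 or 4 sextets carry 1, 2 or 3 bytes; they sit in the low 24 bits of acc.
        out.extend_from_slice(&acc.to_be_bytes()[1..chunk.len()]);
    }
    Some(out)
}
/// Best-effort loading as the 0.2.0 entry describes: keep every CERTIFICATE block that decodes
/// to DER, count the ones dropped, and fail only if nothing usable remains.
pub fn parse_pem_bundle(pem: &str) -> io::Result<(Vec<Vec<u8>>, usize)> {
    const BEGIN: &str = "-----BEGIN CERTIFICATE-----"; const END: &str = "-----END CERTIFICATE-----";
    let (mut certs, mut skipped) = (Vec::new(), 0usize);
    let mut rest = pem;
    while let Some(start) = rest.find(BEGIN) {
        let body_start = start + BEGIN.len();
        let end_rel = match rest[body_start..].find(END) { Some(e) => e, None => break };
        // A DER certificate is a SEQUENCE, so a usable blob starts with the 0x30 tag.
        match base64_decode(&rest[body_start..body_start + end_rel]) {
            Some(der) if der.first() == Some(&0x30) => certs.push(der),
            _ => skipped += 1,
        }
        rest = &rest[body_start + end_rel + END.len()..];
    }
    if certs.is_empty() { return Err(io::Error::new(io::ErrorKind::InvalidData, "no usable certificates")); }
    Ok((certs, skipped))
}
/// The documented precedence: a set SSL_CERT_FILE is authoritative and a failure to load from it is
/// an error, never a fallback; unset means the platform source. Both closures are assumed stand-ins.
pub fn load_roots(ssl_cert_file: Option<&str>, read_file: impl Fn(&str) -> io::Result<String>,
                  platform_bundle: impl Fn() -> io::Result<String>) -> io::Result<Vec<Vec<u8>>> {
    let pem = match ssl_cert_file {
        Some(path) if !path.is_empty() => read_file(path)?,
        _ => platform_bundle()?,
    };
    Ok(parse_pem_bundle(&pem)?.0)
}
```

A caller that wants the strict behaviour rather than best effort can treat a non-zero skipped count as a failure before building its root store.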

Worked example

See examples/google.rs.

Should I use this or webpki-roots?

(Background: webpki-roots is a crate that compiles in Mozilla's set of root certificates.)

This crate is preferable in many ways to webpki-roots. To sum up the pros and cons:

Pros:

  • This crate respects local configuration of root certificates: both removal of roots that the user finds untrustworthy, and addition of locally-trusted roots. The latter case is exceedingly important if your application is required to work in enterprise environments with "transparent" TLS-terminating middleboxes.
  • This crate instantaneously reflects underlying system configuration. Since webpki-roots compiles in root certificates, getting an update to these requires taking regular updates to this crate, plus recompilation and redeployment of the application. This is a long-winded process that may become a liability in the event of a severe misissuance.
  • This crate is compatible with developer aids such as mkcert.

Cons:

  • Use of the OS certificate store is not the same as relying on OS trust verification because platform verifiers might impose additional criteria before deciding whether to trust a root ostensibly included in the OS certificate store (for example, an expiration date).
  • The OS certificate store is occasionally "attacked" by malware or just bad software.
  • The OS update system may, in fact, be quite poor at keeping the root certificates up-to-date if it is disabled or out-of-support.
  • The quality of the ca-certificates package on Debian-based Linux distributions is poor. At the time of writing, it ships many certificates not included in the Mozilla set, either because they failed an audit and were withdrawn or because they were removed for misissuance.
  • You may prefer to insulate yourself against local configuration for support or (perhaps inadvisable) security reasons.

License

rustls-native-certs is distributed under the following three licenses:

  • Apache License version 2.0.
  • MIT license.
  • ISC license.

These are included as LICENSE-APACHE, LICENSE-MIT and LICENSE-ISC respectively. You may use this software under the terms of any of these licenses, at your option.
