min-sized-rust VS rustls

This is a good guide on building small Rust binaries: https://github.com/johnthagen/min-sized-rust

This talks about going to extreme lengths on making the smallest Rust binary possible, 400 bytes when it was written, https://darkcoding.net/software/a-very-small-rust-binary-ind...

The thing is, you lose a lot of nice features when you do this, like panic unwinding, debug symbols, stdlib… for kernel and some embedded development it’s definitely important, but for most use cases, does it matter?

Oh it was 137, haha. I will link you to this older comment of mine: https://news.ycombinator.com/item?id=29408906

See also https://github.com/johnthagen/min-sized-rust

Are you sure? If so then this is awesome news, but I'm a bit confused; the commit in that min-sized-rust repo adding `build-std` to the README was merged in August 2021: https://github.com/johnthagen/min-sized-rust/pull/30

Are you saying that at that point the feature still hadn't "landed in Rust nightly" until recently? If so then what's the difference between a feature just being available in Rust nightly, vs having "landed"?

Rust binaries are by default nowhere close to 500MB. If they are not small enough for you, you can try https://github.com/johnthagen/min-sized-rust. By avoiding the formatting machinery and using `panic_immediate_abort` you can get about the size of C binaries.

A useful reference: https://github.com/johnthagen/min-sized-rust

That must be without stripping. Also there are ways to reduce binary size. See e.g. [min-sized-rust](https://github.com/johnthagen/min-sized-rust). I've gotten stripped binaries of small cli utils less than 400KiB without doing anything special, less than 150 KiB by customizing profile settings and compressing with upx, and less than 30 KiB by replacing the std with the libc as the link shows. Haven't tried with fltk though...

This document provides my intention of enum_builder! macro in rustls crate.

As a library vying to replace OpenSSL, the same set of suites as OpenSSL.

I'm no longer blocked on this particular issue that I filed on behalf of my work at Deno, but they aren't interested in adding less-secure suites that may be required by certain server configurations, but still appropriate for traffic that isn't general web-use.

https://github.com/rustls/rustls/issues/1607

At some point I had a list of suites required to connect to some older versions of MySQL/Microsoft SQL Server, but again, no longer blocked.

For server-to-server use where I don't control one end of the equation, I stick with the OpenSSL crate. If there's potentially older servers in the mix, I'm OK with using rustls as a backend for things like reqwest, but it'll be openssl for servers for now.

I understand the philosophy, but rustls is never going to be an OpenSSL drop-in until this approach changes.

Interesting that it relies on OpenSSL, either dynamically from the OS or vendored at compile time. I wonder what the implications would be for using something like rustls. You’d get TLS batteries included and kill a large external dependency… but possibly introduce behavior changes to low-level cryptographic operations, which is scary.

Still, the maintainers stated that they don’t plan to implement Python’s readline module because they already have a rust implementation of readline. A similar argument could apply here - use native rust implementations of dependencies and expose them via the expected Python APIs. This would break some ambitious Python programs, but those probably wouldn’t consider alternative runtimes anyway.

https://github.com/rustls/rustls

> memory safe openssl

This is closer to done than not done. Rustls (https://www.memorysafety.org/initiative/rustls/) is a memory safe TLS library that is compatible with OpenSSL in API and has comparable performance. It has also passed security audits (https://github.com/rustls/rustls/blob/main/audit/TLS-01-repo...)

But your point stands. Rustls wouldn’t have been possible without open source funding.

The RustTLS project is currently setting up their own CI benchmarking workflow, so I think that you could find some inspiration there: https://github.com/rustls/rustls/issues/1385 and https://github.com/rustls/rustls/issues/1205.

I also studied this question on FFI several weeks ago in terms of "rewrite part of the system in Rust". Unexpected results could be semantic issues (e.g., different error handling methods) or security issues (FFI could be a soundness hole). I suggest going through the issues of libraries that have started rewriting work such as rust-openssl or rustls (This is the one trying to rewrite in whole rust rather than using FFI; however, you will not be able to find the mapping function in the C version and compare them). I hope this helps!

Now for rust implementation of tls. Certificates can be loaded in two ways. * Finds and loads certificates using OS specific tools3 * Uses a rust implementation of webpki4 for loading with certificates5