rust-openssl VS Ockam

I also studied this question on FFI several weeks ago in terms of "rewrite part of the system in Rust". Unexpected results could be semantic issues (e.g., different error handling methods) or security issues (FFI could be a soundness hole). I suggest going through the issues of libraries that have started rewriting work such as rust-openssl or rustls (This is the one trying to rewrite in whole rust rather than using FFI; however, you will not be able to find the mapping function in the C version and compare them). I hope this helps!

error: failed to run custom build command for `openssl-sys v0.9.76` Caused by: process didn't exit successfully: `/target/debug/build/openssl-sys-eaac1108fdec7ae2/build-script-main` (exit status: 101) --- stdout cargo:rustc-cfg=const_fn cargo:rustc-cfg=openssl cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR unset cargo:rerun-if-env-changed=OPENSSL_LIB_DIR OPENSSL_LIB_DIR unset cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR unset cargo:rerun-if-env-changed=OPENSSL_INCLUDE_DIR OPENSSL_INCLUDE_DIR unset cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR unset cargo:rerun-if-env-changed=OPENSSL_DIR OPENSSL_DIR unset cargo:rerun-if-env-changed=OPENSSL_NO_PKG_CONFIG cargo:rerun-if-env-changed=PKG_CONFIG_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG cargo:rerun-if-env-changed=PKG_CONFIG cargo:rerun-if-env-changed=OPENSSL_STATIC cargo:rerun-if-env-changed=OPENSSL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=SYSROOT cargo:rerun-if-env-changed=OPENSSL_STATIC cargo:rerun-if-env-changed=OPENSSL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC cargo:rustc-link-search=native=/usr/lib/aarch64-linux-gnu cargo:rustc-link-lib=ssl cargo:rustc-link-lib=crypto cargo:rerun-if-env-changed=PKG_CONFIG_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG cargo:rerun-if-env-changed=PKG_CONFIG cargo:rerun-if-env-changed=OPENSSL_STATIC cargo:rerun-if-env-changed=OPENSSL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-changed=build/expando.c OPT_LEVEL = Some("0") TARGET = Some("x86_64-unknown-linux-gnu") HOST = Some("x86_64-unknown-linux-gnu") CC_x86_64-unknown-linux-gnu = None CC_x86_64_unknown_linux_gnu = None HOST_CC = None CC = None CFLAGS_x86_64-unknown-linux-gnu = None CFLAGS_x86_64_unknown_linux_gnu = None HOST_CFLAGS = None CFLAGS = None CRATE_CC_NO_DEFAULTS = None DEBUG = Some("true") CARGO_CFG_TARGET_FEATURE = Some("fxsr,sse,sse2") running: "cc" "-O0" "-ffunction-sections" "-fdata-sections" "-fPIC" "-g" "-fno-omit-frame-pointer" "-m64" "-I" "/usr/include" "-Wall" "-Wextra" "-E" "build/expando.c" cargo:warning=build/expando.c:2:33: fatal error: openssl/opensslconf.h: No such file or directory cargo:warning=compilation terminated. exit status: 1 --- stderr thread 'main' panicked at ' Header expansion error: Error { kind: ToolExecError, message: "Command \"cc\" \"-O0\" \"-ffunction-sections\" \"-fdata-sections\" \"-fPIC\" \"-g\" \"-fno-omit-frame-pointer\" \"-m64\" \"-I\" \"/usr/include\" \"-Wall\" \"-Wextra\" \"-E\" \"build/expando.c\" with args \"cc\" did not execute successfully (status code exit status: 1)." } Failed to find OpenSSL development headers. You can try fixing this setting the `OPENSSL_DIR` environment variable pointing to your OpenSSL installation or installing OpenSSL headers package specific to your distribution: # On Ubuntu sudo apt-get install libssl-dev # On Arch Linux sudo pacman -S openssl # On Fedora sudo dnf install openssl-devel # On Alpine Linux apk add openssl-dev See rust-openssl README for more information: https://github.com/sfackler/rust-openssl#linux ', /cargo/registry/src/github.com-1ecc6299db9ec823/openssl-sys-0.9.76/build/main.rs:185:13 note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace warning: build failed, waiting for other jobs to finish...

There is also https://github.com/sfackler/rust-openssl but not sure should I use it or not.

If you're in a situation where you think the directory should be found automatically, please open a bug at https://github.com/sfackler/rust-openssl and include information about your system as well as this message.

Failed to find OpenSSL development headers. You can try fixing this setting the `OPENSSL_DIR` environment variable pointing to your OpenSSL installation or installing OpenSSL headers package specific to your distribution: # On Ubuntu sudo apt-get install libssl-dev # On Arch Linux sudo pacman -S openssl # On Fedora sudo dnf install openssl-devel See rust-openssl README for more information: https://github.com/sfackler/rust-openssl#linux

$ cargo install rates Updating crates.io index Downloaded rates v0.2.0 Downloaded 1 crate (11.8 KB) in 0.70s Installing rates v0.2.0 Downloaded chrono v0.4.19 Downloaded futures-io v0.3.13 Downloaded futures-sink v0.3.13 Downloaded directories v3.0.1 Downloaded futures-channel v0.3.13 Downloaded futures-task v0.3.13 Downloaded futures-util v0.3.13 Downloaded hashbrown v0.9.1 Downloaded http-body v0.4.0 Downloaded httpdate v0.3.2 Downloaded httparse v1.3.5 Downloaded http v0.2.3 Downloaded hyper v0.14.4 Downloaded indexmap v1.6.1 Downloaded form_urlencoded v1.0.1 Downloaded h2 v0.3.1 Downloaded log v0.4.14 Downloaded num-traits v0.2.14 Downloaded openssl v0.10.32 Downloaded pin-utils v0.1.0 Downloaded openssl-sys v0.9.60 Downloaded pin-project-internal v1.0.5 Downloaded reqwest v0.11.1 Downloaded serde v1.0.123 Downloaded serde_urlencoded v0.7.0 Downloaded tinyvec_macros v0.1.0 Downloaded tinyvec v1.1.1 Downloaded tokio-native-tls v0.3.0 Downloaded syn v1.0.60 Downloaded url v2.2.1 Downloaded bytes v1.0.1 Downloaded tower-service v0.3.1 Downloaded tokio-util v0.6.3 Downloaded ipnet v2.3.0 Downloaded socket2 v0.3.19 Downloaded base64 v0.13.0 Downloaded want v0.3.0 Downloaded cc v1.0.67 Downloaded unicode-normalization v0.1.17 Downloaded mio v0.7.9 Downloaded tracing-core v0.1.17 Downloaded quote v1.0.9 Downloaded pin-project v1.0.5 Downloaded pin-project-lite v0.2.4 Downloaded try-lock v0.2.3 Downloaded serde_json v1.0.64 Downloaded native-tls v0.2.7 Downloaded num-integer v0.1.44 Downloaded hyper-tls v0.5.0 Downloaded futures-core v0.3.13 Downloaded tracing v0.1.25 Downloaded tokio v1.2.0 Downloaded idna v0.2.2 Downloaded libc v0.2.86 Downloaded encoding_rs v0.8.28 Downloaded 55 crates (5.4 MB) in 1.77s (largest was `encoding_rs` at 1.4 MB) Compiling autocfg v1.0.1 Compiling libc v0.2.86 Compiling cfg-if v1.0.0 Compiling log v0.4.14 Compiling pkg-config v0.3.19 Compiling cc v1.0.67 Compiling memchr v2.3.4 Compiling pin-project-lite v0.2.4 Compiling proc-macro2 v1.0.24 Compiling lazy_static v1.4.0 Compiling bytes v1.0.1 Compiling itoa v0.4.7 Compiling bitflags v1.2.1 Compiling unicode-xid v0.2.1 Compiling syn v1.0.60 Compiling futures-core v0.3.13 Compiling foreign-types-shared v0.1.1 Compiling fnv v1.0.7 Compiling openssl v0.10.32 Compiling matches v0.1.8 Compiling tinyvec_macros v0.1.0 Compiling hashbrown v0.9.1 Compiling futures-task v0.3.13 Compiling native-tls v0.2.7 Compiling slab v0.4.2 Compiling pin-utils v0.1.0 Compiling serde v1.0.123 Compiling ryu v1.0.5 Compiling futures-sink v0.3.13 Compiling futures-io v0.3.13 Compiling httparse v1.3.5 Compiling percent-encoding v2.1.0 Compiling try-lock v0.2.3 Compiling openssl-probe v0.1.2 Compiling httpdate v0.3.2 Compiling serde_json v1.0.64 Compiling encoding_rs v0.8.28 Compiling tower-service v0.3.1 Compiling unicode-width v0.1.8 Compiling strsim v0.8.0 Compiling base64 v0.13.0 Compiling vec_map v0.8.2 Compiling ipnet v2.3.0 Compiling mime v0.3.16 Compiling ansi_term v0.11.0 Compiling tokio v1.2.0 Compiling indexmap v1.6.1 Compiling num-traits v0.2.14 Compiling num-integer v0.1.44 Compiling tracing-core v0.1.17 Compiling futures-channel v0.3.13 Compiling foreign-types v0.3.2 Compiling http v0.2.3 Compiling unicode-bidi v0.3.4 Compiling tinyvec v1.1.1 Compiling openssl-sys v0.9.60 Compiling form_urlencoded v1.0.1 Compiling textwrap v0.11.0 Compiling tracing v0.1.25 Compiling http-body v0.4.0 Compiling unicode-normalization v0.1.17 Compiling num_cpus v1.13.0 Compiling socket2 v0.3.19 Compiling atty v0.2.14 Compiling dirs-sys v0.3.5 Compiling time v0.1.43 Compiling mio v0.7.9 Compiling want v0.3.0 error: failed to run custom build command for `openssl-sys v0.9.60` Caused by: process didn't exit successfully: `/tmp/cargo-installbxN90K/release/build/openssl-sys-704dca09387a20ed/build-script-main` (exit code: 101) --- stdout cargo:rustc-cfg=const_fn cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR unset cargo:rerun-if-env-changed=OPENSSL_LIB_DIR OPENSSL_LIB_DIR unset cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR unset cargo:rerun-if-env-changed=OPENSSL_INCLUDE_DIR OPENSSL_INCLUDE_DIR unset cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR unset cargo:rerun-if-env-changed=OPENSSL_DIR OPENSSL_DIR unset cargo:rerun-if-env-changed=OPENSSL_NO_PKG_CONFIG cargo:rerun-if-env-changed=PKG_CONFIG cargo:rerun-if-env-changed=OPENSSL_STATIC cargo:rerun-if-env-changed=OPENSSL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR run pkg_config fail: "`\"pkg-config\" \"--libs\" \"--cflags\" \"openssl\"` did not exit successfully: exit code: 1\n--- stderr\nPackage openssl was not found in the pkg-config search path.\nPerhaps you should add the directory containing `openssl.pc\'\nto the PKG_CONFIG_PATH environment variable\nNo package \'openssl\' found\n" --- stderr thread 'main' panicked at ' Could not find directory of OpenSSL installation, and this `-sys` crate cannot proceed without this knowledge. If OpenSSL is installed and this crate had trouble finding it, you can set the `OPENSSL_DIR` environment variable for the compilation process. Make sure you also have the development packages of openssl installed. For example, `libssl-dev` on Ubuntu or `openssl-devel` on Fedora. If you're in a situation where you think the directory *should* be found automatically, please open a bug at https://github.com/sfackler/rust-openssl and include information about your system as well as this message. $HOST = x86_64-unknown-linux-gnu $TARGET = x86_64-unknown-linux-gnu openssl-sys = 0.9.60 ', /home/myusr/.cargo/registry/src/github.com-1ecc6299db9ec823/openssl-sys-0.9.60/build/find_normal.rs:173:5 note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace warning: build failed, waiting for other jobs to finish... error: failed to compile `rates v0.2.0`, intermediate artifacts can be found at `/tmp/cargo-installbxN90K` Caused by: build failed

Second, https://github.com/sfackler/rust-openssl/issues/987 was solved over 2 years ago, and the fix was released in openssl v0.10. Since reqwest uses openssl v0.10.x, it definitely includes this fix.

disclosure: I work at Ockam.

The Portals for Mac app is an example of the type of thing you could build using the open source stack of protocols. The README (linked by parent) links out to all of the relevant parts of the protocol documentation to explain how these work together. The NAT Traversal (https://github.com/build-trust/ockam/blob/develop/examples/a...) part of the README is probably the best explanation of why the free relay you get via Ockam Orchestrator is a useful part of this demo.

As for why would anyone trust this: The protocols are designed so you absolutely don't have to trust the relay. Trust is pushed out to the edges that you control and so you're not susceptible to a MITM attack if something like a relay is compromised. The protocol design for all of this is open and documented, and was independently audited by (IMO) some of the best in the business, Trail of Bits: https://docs.ockam.io/reference/protocols.

🚀 Portals for Mac – A macOS app built in Swift that uses the Ockam Rust library to privately share a service on your Mac with anyone, anywhere. The service is shared securely over an end-to-end encrypted and mutually authenticated Ockam Portal. Your friends will have access to it on their localhost! This app is a great example of the kinds of things you can build with Ockam 👉

Ockam is a suite of programming libraries, command line tools, and managed cloud services to orchestrate end-to-end encryption, mutual authentication, key management, credential management, and authorization policy enforcement — all at massive scale. Ockam's end-to-end secure channels guarantee authenticity, integrity, and confidentiality of all data-in-motion at the application layer.

We’ve been working on something (https://github.com/build-trust/ockam) that enables exactly this, among a whole host of other use cases. If you check out some of the code examples in the docs you’ll see how to setup a tunnel using the CLI.

For other use cases there’s also the programming libraries (only Rust atm, though I was spiking a TypeScript/Node PoC this week) which might provide more flexibility. Personally I’m excited by the idea of being able to move this kind of secure by design connectivity all the way into the application layer though.

If you're not already an active contributor to an open source project or two it can seem very daunting. You don't want to do the wrong thing and embarrass yourself. Remove that anxiety for people by giving them an easy way to do something low risk. Matt did that a couple of years ago by creating a long-lived issue for people to simply say hello. That's it. Say hi, introduce yourself. It's a safe place to make a first step.