rust-openssl VS rustls

I also studied this question on FFI several weeks ago in terms of "rewrite part of the system in Rust". Unexpected results could be semantic issues (e.g., different error handling methods) or security issues (FFI could be a soundness hole). I suggest going through the issues of libraries that have started rewriting work such as rust-openssl or rustls (This is the one trying to rewrite in whole rust rather than using FFI; however, you will not be able to find the mapping function in the C version and compare them). I hope this helps!

error: failed to run custom build command for `openssl-sys v0.9.76` Caused by: process didn't exit successfully: `/target/debug/build/openssl-sys-eaac1108fdec7ae2/build-script-main` (exit status: 101) --- stdout cargo:rustc-cfg=const_fn cargo:rustc-cfg=openssl cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR unset cargo:rerun-if-env-changed=OPENSSL_LIB_DIR OPENSSL_LIB_DIR unset cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR unset cargo:rerun-if-env-changed=OPENSSL_INCLUDE_DIR OPENSSL_INCLUDE_DIR unset cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR unset cargo:rerun-if-env-changed=OPENSSL_DIR OPENSSL_DIR unset cargo:rerun-if-env-changed=OPENSSL_NO_PKG_CONFIG cargo:rerun-if-env-changed=PKG_CONFIG_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG cargo:rerun-if-env-changed=PKG_CONFIG cargo:rerun-if-env-changed=OPENSSL_STATIC cargo:rerun-if-env-changed=OPENSSL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=SYSROOT cargo:rerun-if-env-changed=OPENSSL_STATIC cargo:rerun-if-env-changed=OPENSSL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC cargo:rustc-link-search=native=/usr/lib/aarch64-linux-gnu cargo:rustc-link-lib=ssl cargo:rustc-link-lib=crypto cargo:rerun-if-env-changed=PKG_CONFIG_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG cargo:rerun-if-env-changed=PKG_CONFIG cargo:rerun-if-env-changed=OPENSSL_STATIC cargo:rerun-if-env-changed=OPENSSL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-changed=build/expando.c OPT_LEVEL = Some("0") TARGET = Some("x86_64-unknown-linux-gnu") HOST = Some("x86_64-unknown-linux-gnu") CC_x86_64-unknown-linux-gnu = None CC_x86_64_unknown_linux_gnu = None HOST_CC = None CC = None CFLAGS_x86_64-unknown-linux-gnu = None CFLAGS_x86_64_unknown_linux_gnu = None HOST_CFLAGS = None CFLAGS = None CRATE_CC_NO_DEFAULTS = None DEBUG = Some("true") CARGO_CFG_TARGET_FEATURE = Some("fxsr,sse,sse2") running: "cc" "-O0" "-ffunction-sections" "-fdata-sections" "-fPIC" "-g" "-fno-omit-frame-pointer" "-m64" "-I" "/usr/include" "-Wall" "-Wextra" "-E" "build/expando.c" cargo:warning=build/expando.c:2:33: fatal error: openssl/opensslconf.h: No such file or directory cargo:warning=compilation terminated. exit status: 1 --- stderr thread 'main' panicked at ' Header expansion error: Error { kind: ToolExecError, message: "Command \"cc\" \"-O0\" \"-ffunction-sections\" \"-fdata-sections\" \"-fPIC\" \"-g\" \"-fno-omit-frame-pointer\" \"-m64\" \"-I\" \"/usr/include\" \"-Wall\" \"-Wextra\" \"-E\" \"build/expando.c\" with args \"cc\" did not execute successfully (status code exit status: 1)." } Failed to find OpenSSL development headers. You can try fixing this setting the `OPENSSL_DIR` environment variable pointing to your OpenSSL installation or installing OpenSSL headers package specific to your distribution: # On Ubuntu sudo apt-get install libssl-dev # On Arch Linux sudo pacman -S openssl # On Fedora sudo dnf install openssl-devel # On Alpine Linux apk add openssl-dev See rust-openssl README for more information: https://github.com/sfackler/rust-openssl#linux ', /cargo/registry/src/github.com-1ecc6299db9ec823/openssl-sys-0.9.76/build/main.rs:185:13 note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace warning: build failed, waiting for other jobs to finish...

There is also https://github.com/sfackler/rust-openssl but not sure should I use it or not.

If you're in a situation where you think the directory should be found automatically, please open a bug at https://github.com/sfackler/rust-openssl and include information about your system as well as this message.

Failed to find OpenSSL development headers. You can try fixing this setting the `OPENSSL_DIR` environment variable pointing to your OpenSSL installation or installing OpenSSL headers package specific to your distribution: # On Ubuntu sudo apt-get install libssl-dev # On Arch Linux sudo pacman -S openssl # On Fedora sudo dnf install openssl-devel See rust-openssl README for more information: https://github.com/sfackler/rust-openssl#linux

$ cargo install rates Updating crates.io index Downloaded rates v0.2.0 Downloaded 1 crate (11.8 KB) in 0.70s Installing rates v0.2.0 Downloaded chrono v0.4.19 Downloaded futures-io v0.3.13 Downloaded futures-sink v0.3.13 Downloaded directories v3.0.1 Downloaded futures-channel v0.3.13 Downloaded futures-task v0.3.13 Downloaded futures-util v0.3.13 Downloaded hashbrown v0.9.1 Downloaded http-body v0.4.0 Downloaded httpdate v0.3.2 Downloaded httparse v1.3.5 Downloaded http v0.2.3 Downloaded hyper v0.14.4 Downloaded indexmap v1.6.1 Downloaded form_urlencoded v1.0.1 Downloaded h2 v0.3.1 Downloaded log v0.4.14 Downloaded num-traits v0.2.14 Downloaded openssl v0.10.32 Downloaded pin-utils v0.1.0 Downloaded openssl-sys v0.9.60 Downloaded pin-project-internal v1.0.5 Downloaded reqwest v0.11.1 Downloaded serde v1.0.123 Downloaded serde_urlencoded v0.7.0 Downloaded tinyvec_macros v0.1.0 Downloaded tinyvec v1.1.1 Downloaded tokio-native-tls v0.3.0 Downloaded syn v1.0.60 Downloaded url v2.2.1 Downloaded bytes v1.0.1 Downloaded tower-service v0.3.1 Downloaded tokio-util v0.6.3 Downloaded ipnet v2.3.0 Downloaded socket2 v0.3.19 Downloaded base64 v0.13.0 Downloaded want v0.3.0 Downloaded cc v1.0.67 Downloaded unicode-normalization v0.1.17 Downloaded mio v0.7.9 Downloaded tracing-core v0.1.17 Downloaded quote v1.0.9 Downloaded pin-project v1.0.5 Downloaded pin-project-lite v0.2.4 Downloaded try-lock v0.2.3 Downloaded serde_json v1.0.64 Downloaded native-tls v0.2.7 Downloaded num-integer v0.1.44 Downloaded hyper-tls v0.5.0 Downloaded futures-core v0.3.13 Downloaded tracing v0.1.25 Downloaded tokio v1.2.0 Downloaded idna v0.2.2 Downloaded libc v0.2.86 Downloaded encoding_rs v0.8.28 Downloaded 55 crates (5.4 MB) in 1.77s (largest was `encoding_rs` at 1.4 MB) Compiling autocfg v1.0.1 Compiling libc v0.2.86 Compiling cfg-if v1.0.0 Compiling log v0.4.14 Compiling pkg-config v0.3.19 Compiling cc v1.0.67 Compiling memchr v2.3.4 Compiling pin-project-lite v0.2.4 Compiling proc-macro2 v1.0.24 Compiling lazy_static v1.4.0 Compiling bytes v1.0.1 Compiling itoa v0.4.7 Compiling bitflags v1.2.1 Compiling unicode-xid v0.2.1 Compiling syn v1.0.60 Compiling futures-core v0.3.13 Compiling foreign-types-shared v0.1.1 Compiling fnv v1.0.7 Compiling openssl v0.10.32 Compiling matches v0.1.8 Compiling tinyvec_macros v0.1.0 Compiling hashbrown v0.9.1 Compiling futures-task v0.3.13 Compiling native-tls v0.2.7 Compiling slab v0.4.2 Compiling pin-utils v0.1.0 Compiling serde v1.0.123 Compiling ryu v1.0.5 Compiling futures-sink v0.3.13 Compiling futures-io v0.3.13 Compiling httparse v1.3.5 Compiling percent-encoding v2.1.0 Compiling try-lock v0.2.3 Compiling openssl-probe v0.1.2 Compiling httpdate v0.3.2 Compiling serde_json v1.0.64 Compiling encoding_rs v0.8.28 Compiling tower-service v0.3.1 Compiling unicode-width v0.1.8 Compiling strsim v0.8.0 Compiling base64 v0.13.0 Compiling vec_map v0.8.2 Compiling ipnet v2.3.0 Compiling mime v0.3.16 Compiling ansi_term v0.11.0 Compiling tokio v1.2.0 Compiling indexmap v1.6.1 Compiling num-traits v0.2.14 Compiling num-integer v0.1.44 Compiling tracing-core v0.1.17 Compiling futures-channel v0.3.13 Compiling foreign-types v0.3.2 Compiling http v0.2.3 Compiling unicode-bidi v0.3.4 Compiling tinyvec v1.1.1 Compiling openssl-sys v0.9.60 Compiling form_urlencoded v1.0.1 Compiling textwrap v0.11.0 Compiling tracing v0.1.25 Compiling http-body v0.4.0 Compiling unicode-normalization v0.1.17 Compiling num_cpus v1.13.0 Compiling socket2 v0.3.19 Compiling atty v0.2.14 Compiling dirs-sys v0.3.5 Compiling time v0.1.43 Compiling mio v0.7.9 Compiling want v0.3.0 error: failed to run custom build command for `openssl-sys v0.9.60` Caused by: process didn't exit successfully: `/tmp/cargo-installbxN90K/release/build/openssl-sys-704dca09387a20ed/build-script-main` (exit code: 101) --- stdout cargo:rustc-cfg=const_fn cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR unset cargo:rerun-if-env-changed=OPENSSL_LIB_DIR OPENSSL_LIB_DIR unset cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR unset cargo:rerun-if-env-changed=OPENSSL_INCLUDE_DIR OPENSSL_INCLUDE_DIR unset cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR unset cargo:rerun-if-env-changed=OPENSSL_DIR OPENSSL_DIR unset cargo:rerun-if-env-changed=OPENSSL_NO_PKG_CONFIG cargo:rerun-if-env-changed=PKG_CONFIG cargo:rerun-if-env-changed=OPENSSL_STATIC cargo:rerun-if-env-changed=OPENSSL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR run pkg_config fail: "`\"pkg-config\" \"--libs\" \"--cflags\" \"openssl\"` did not exit successfully: exit code: 1\n--- stderr\nPackage openssl was not found in the pkg-config search path.\nPerhaps you should add the directory containing `openssl.pc\'\nto the PKG_CONFIG_PATH environment variable\nNo package \'openssl\' found\n" --- stderr thread 'main' panicked at ' Could not find directory of OpenSSL installation, and this `-sys` crate cannot proceed without this knowledge. If OpenSSL is installed and this crate had trouble finding it, you can set the `OPENSSL_DIR` environment variable for the compilation process. Make sure you also have the development packages of openssl installed. For example, `libssl-dev` on Ubuntu or `openssl-devel` on Fedora. If you're in a situation where you think the directory *should* be found automatically, please open a bug at https://github.com/sfackler/rust-openssl and include information about your system as well as this message. $HOST = x86_64-unknown-linux-gnu $TARGET = x86_64-unknown-linux-gnu openssl-sys = 0.9.60 ', /home/myusr/.cargo/registry/src/github.com-1ecc6299db9ec823/openssl-sys-0.9.60/build/find_normal.rs:173:5 note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace warning: build failed, waiting for other jobs to finish... error: failed to compile `rates v0.2.0`, intermediate artifacts can be found at `/tmp/cargo-installbxN90K` Caused by: build failed

Second, https://github.com/sfackler/rust-openssl/issues/987 was solved over 2 years ago, and the fix was released in openssl v0.10. Since reqwest uses openssl v0.10.x, it definitely includes this fix.

The RustTLS project is currently setting up their own CI benchmarking workflow, so I think that you could find some inspiration there: https://github.com/rustls/rustls/issues/1385 and https://github.com/rustls/rustls/issues/1205.

I also studied this question on FFI several weeks ago in terms of "rewrite part of the system in Rust". Unexpected results could be semantic issues (e.g., different error handling methods) or security issues (FFI could be a soundness hole). I suggest going through the issues of libraries that have started rewriting work such as rust-openssl or rustls (This is the one trying to rewrite in whole rust rather than using FFI; however, you will not be able to find the mapping function in the C version and compare them). I hope this helps!

Now for rust implementation of tls. Certificates can be loaded in two ways. * Finds and loads certificates using OS specific tools3 * Uses a rust implementation of webpki4 for loading with certificates5

> Ring is mostly C/Assembly

Crypto needs to be written in Assembly to ensure that operations take a constant time, regardless of input. Writing it in a high level language like C or Rust opens you up to the compiler "optimising" routines and making them no longer constant time.

But you already knew this. And you also knew that the security audit (https://github.com/rustls/rustls/blob/master/audit/TLS-01-re...) of ring was favourable

> No issues were found with regards to the cryptographic engineering of rustls or its underlying ring library. A recommendation is provided in TLS-01-001 to optionally supplement the already solid cryptographic library with another cryptographic provider (EverCrypt) with an added benefit of formally verified cryptographic primitives. Overall, it is very clear that the developers of rustls have an extensive knowledge on how to correctly implement the TLS stack whilst avoiding the common pitfalls that surround the TLS ecosystem. This knowledge has translated reliably into an implementation of exceptional quality.

You said

> a standard library with feature flags and editions would make rust ridiculously much more productive

What's the difference between opting into a library with a feature flag and opting in with a line in Cargo.toml? Let's say you want to use the de-facto regex library. Would it really be ridiculously productive if you said you wanted the "regex" feature flag instead of the "regex" crate?

I do agree that the standard library does need a versioning story so they can remove long deprecated functions. Where it gets complicated is if a new method is reintroduced using the same name in a later edition.

I used the commands listed in the .sh file here: https://github.com/rustls/rustls/tree/main/test-ca to generate keys/certs for a server and a client (with IP.1 records for SANs). I have added the local root CA to the trust store of each VM.

This is great news, this was our single biggest annoyance with rustls. One of our cloud providers choses to issue their hosted postgres instances with TLS certificates with IP addresses. Unusual, but valid per the spec, so why not. Apparently a practise that's also popular in kubernetes settings, so I'm somewhat surprised it took 5 years to close the issue, but now I can finally recommend people to use rustls without mentioning any gotchas.

I believe it is more relevant than you think: servers running in containers, web assembler tasks running in browsers, embedded devices and kernels with total control of the system, all have the ability to do something more sensible than plain out SIGABRT or similar, and in many the case is not that the complete system is falling down. For example RustTLS is looking into allowing fallible allocators and as a pretty general-purpose library that seems like a nice feature. I do wish ulimit -v worked in a sensible manner with applications.