Skip to content

v0.15.0

Latest
Latest
Compare
Choose a tag to compare
@cpu cpu released this 25 Mar 15:26
· 23 commits to main since this release
v0.15.0
This tag was signed with the committer’s verified signature.
cpu Daniel McCarney
GPG key ID: 08FB2BFC470E75B4
Verified
Learn about vigilant mode.
cfbe105

This release updates to Rustls 0.23.25 and increases the project minimum supported rust version (MSRV) from 1.71 to 1.74 to avoid a Rust compiler bug provoked by the ECH support in Rustls.

Added

  • Binary releases:

    • Starting with the 0.15.0 release we now publish pre-built .zips for: Windows (x86_64 MSVC), Linux (x86_64 GNU libc), and Apple (ARM64 and x86_64) and a .deb for Debian/Ubuntu x86_64. These can be used to build software using rustls-ffi without needing cargo/cargo-c/rustc.

  • API documentation is now available online at https://ffi.rustls.dev

  • Post-quantum key exchange with X25519MLKEM768.

    • Enabled by default at a low priority. See the prefer-post-quantum feature flag to change this behavior.

  • New opt-in feature flags:

    • Optional support for making the post-quantum key exchange X25519MLKEM768 the most-preferred key exchange by enabling the prefer-post-quantum feature flag. Requires the aws-lc-rs crypto provider.
    • Optional support for RFC 8879 certificate compression by enabling the cert_compression feature when building rustls-ffi. When enabled connections will transparently use certificate compression with Brotli or ZLib based on peer compatibility.
    • Optional FIPS-140-3 support using the aws-lc-rs provider. Enabled with the fips feature when building rustls-ffi. When enabled the aws-lc-rs crypto provider is used in its FIPS compatible mode. See the Rustls project documentation for more information on FIPS status.

  • Encrypted Client Hello (ECH) support for client connections.

    • rustls_hpke struct for representing supported HPKE suites.
    • rustls_supported_hpke() function for returning a const pointer to a rustls_hpke instance if available. Only the aws-lc-rs backend returns a non-NULL value at this time.
    • rustls_client_config_builder_enable_ech_grease() client config builder function for configuring ECH GREASE using a rustls_hpke. This chooses a supported HPKE suite at random and is an anti-ossification measure clients may opt-in to when not performing "real" ECH.
    • rustls_client_config_builder_enable_ech() client config builder function for configuring ECH using a rustls_hpke and a TLS encoded ECH config list. The encoded ECH config list should be retrieved from DNS using a secure transport, such as DNS-over-HTTPS. See the librustls/tests/client.c example, and the ech-fetch.rs tool, for example usage.

  • Additional connection information APIs:

    • Negotiated key exchange group, using rustls_connection_get_negotiated_key_exchange_group() for the IANA registered identifier, and rustls_connection_get_negotiated_key_exchange_group_name() for the name as a rustls_str.
    • Determining whether the handshake was a full TLS handshake, a full TLS handshake with an extra hello retry request (HRR) round-trip, a resumed TLS or a handshake, using rustls_connection_handshake_kind(). This returns a rustls_handshake_kind enum variant, which can be translated to a rustls_str using rustls_handshake_kind_str().

  • Support for checking whether a rustls_certified_key's certificate matches the corresponding private key using rustls_certified_key_keys_match().

  • Support for queuing TLS 1.3 key updates using rustls_connection_refresh_traffic_keys().

  • Support for strict handling of CRL expiry using rustls_web_pki_server_cert_verifier_enforce_revocation_expiry() to customize a rustls_web_pki_server_cert_verifier_builder builder instance to reject CRLs with a next update in the past.

  • Support for building rustls-ffi without any built in cryptography providers. This is mainly helpful for users that don't intend to use aws-lc-rs or *ring* but instead will bring their own FFI-ready rustls_crypto_provider.

  • SSLKEYLOG support:

    • For simple logging to a file, use rustls_server_config_builder_set_key_log_file() or rustls_client_config_builder_set_key_log_file() with a client/server config builder to have the SSLKEYLOGFILE env var used to log an NSS formatted key log file appropriate for use with Wireshark and other tools.
    • For deeper integration, use rustls_server_config_builder_set_key_log() or rustls_client_config_builder_set_key_log() to configure C callbacks to be invoked to decide which secrets are logged and to do the logging.
    • See librustls/tests/client.c and librustls/tests/server.c for example usage.

  • FIPS-140-3 APIs:

    • rustls_default_fips_provider() for instantiating a FIPS compatible rustls_crypto_provider (requires "fips" feature enabled).
    • rustls_crypto_provider_fips() for determining if a rustls_crypto_provider is FIPS compatible or not.
    • rustls_client_config_fips() for determining if a rustls_client_config was built with a FIPS compatible rustls_crypto_provider.
    • rustls_server_config_fips() for determining if a rustls_server_config was built with a FIPS compatible rustls_crypto_provider.
    • rustls_connection_fips() for determining if a rustls_connection was created from a rustls_client_config or rustls_server_config that was built with a FIPS compatible rustls_crypto_provider.

  • Additional rustls_result error variants:

    • RUSTLS_RESULT_CERT_EXPIRED_REVOCATION_LIST, RUSTLS_RESULT_MESSAGE_CERTIFICATE_PAYLOAD_TOO_LARGE, RUSTLS_RESULT_INCONSISTENT_KEYS_KEYS_MISMATCH, RUSTLS_RESULT_INCONSISTENT_KEYS_UNKNOWN, RUSTLS_RESULT_INVALID_ENCRYPTED_CLIENT_HELLO_INVALID_CONFIG_LIST, RUSTLS_RESULT_INVALID_ENCRYPTED_CLIENT_HELLO_NO_COMPATIBLE_CONFIG, RUSTLS_RESULT_INVALID_ENCRYPTED_CLIENT_HELLO_SNI_REQUIRED.

Changed

  • Calling rustls_server_config_builder_build() with no certificate/key configured previously returned RUSTLS_RESULT_GENERAL, it now returns RUSTLS_RESULT_NO_CERT_RESOLVER.

  • The rustls_server_connection_get_server_name() function now returns a rustls_str instead of writing to a user provided buffer with out
    parameters.

  • The rustls_server_config_builder_set_persistence() function is now void instead of returning a rustls_error.

  • cargo-c is now the only supported method for building rustls-ffi. It supports building both static and shared libraries as well as making .pc pkg-config files per-platform. The pre-existing GNU Makefile has been removed in favour of cargo-c. See our README for more information.

  • Building the client/server examples now requires cmake. The GNU Makefile has been removed in favour of unifying the example build system with cmake. Users only interested in building rustls-ffi (not the example applications) do not require cmake unless it is a requirement of their chosen cryptography provider (e.g. aws-lc-rs in fips mode).

Removed

  • N/A

What's Changed

  • build(deps): bump libc from 0.2.158 to 0.2.159 by @dependabot in #466
  • client/server: support for KeyLog trait, SSLKEYLOGFILE by @cpu in #465
  • tests: fix clippy::zombie_processes finding by @cpu in #467
  • build(deps): bump rustls-pemfile from 2.1.3 to 2.2.0 by @dependabot in #469
  • server: specific err for config w/o cert resolver by @cpu in #472
  • error: sync with upstream Rustls error changes by @cpu in #471
  • fix needless lifetimes clippy findings by @cpu in #474
  • 0.23.x API gap reduction by @cpu in #470
  • Makefile: adjust default target, broaden all target by @cpu in #473
  • Migrate to pki-types PEM decoder by @cpu in #476
  • build(deps): bump libc from 0.2.159 to 0.2.161 by @dependabot in #477
  • update rustls 0.23.13 -> 0.23.15 by @cpu in #479
  • Cargo: update rustls 0.23.15 -> 0.23.16 by @cpu in #481
  • Add Windows ASAN testing by @cpu in #482
  • build(deps): bump rustls-platform-verifier from 0.3.4 to 0.4.0 by @dependabot in #483
  • build(deps): bump libc from 0.2.161 to 0.2.162 by @dependabot in #486
  • crypto_provider: fix clippy::question_mark finding by @cpu in #488
  • build(deps): bump libc from 0.2.162 to 0.2.164 by @dependabot in #487
  • 0.14.1 backports for main, rustls 0.23.18 by @cpu in #491
  • opt-in rustls-ffi FIPS support, Linux CI coverage by @cpu in #478
  • build(deps): bump libc from 0.2.164 to 0.2.165 by @dependabot in #492
  • build(deps): bump libc from 0.2.165 to 0.2.166 by @dependabot in #494
  • build(deps): bump libc from 0.2.166 to 0.2.167 by @dependabot in #495
  • build(deps): bump libc from 0.2.167 to 0.2.168 by @dependabot in #499
  • Standardize on cargo-c for building rustls-ffi, CMake for building test programs by @cpu in #493
  • docs: fix cargo c links in README by @cpu in #500
  • client-side encrypted client hello (ECH) support by @cpu in #485
  • build(deps): bump tokio from 1.41.1 to 1.42.0 by @dependabot in #501
  • build(deps): bump hickory-resolver from 0.25.0-alpha.3 to 0.25.0-alpha.4 by @dependabot in #502
  • tests: support multiple HTTPS RRs for ECH configs by @cpu in #504
  • Split up modules, support no built-in providers, small tidying by @cpu in #505
  • build(deps): bump rustls-platform-verifier from 0.4.0 to 0.5.0 by @dependabot in #508
  • rework example C test code by @cpu in #497
  • build(deps): bump libc from 0.2.168 to 0.2.169 by @dependabot in #511
  • Switch to workspace, move ech-fetch to separate crate, add ECH CI coverage by @cpu in #509
  • docs: touch up README for workspace change by @cpu in #512
  • license: Fix missed LICENSE-ISC link by @yedayak in #515
  • ci: build binary artifacts for pushes/PRs by @cpu in #506
  • ci: separate out a daily-tests workflow by @cpu in #517
  • Two small breaking API changes before next release by @cpu in #516
  • Parse rustls.h to generate an API docs website by @cpu in #510
  • build(deps): bump tokio from 1.42.0 to 1.43.0 by @dependabot in #521
  • build(deps): bump serde_json from 1.0.133 to 1.0.135 by @dependabot in #522
  • build(deps): bump serde from 1.0.216 to 1.0.217 by @dependabot in #523
  • build(deps): bump serde_json from 1.0.135 to 1.0.137 by @dependabot in #527
  • crypto_provider: avoid rand dep for GREASE HPKE by @cpu in #530
  • Add a compatibility Makefile stub by @cpu in #531
  • build(deps): bump serde_json from 1.0.137 to 1.0.138 by @dependabot in #533
  • acceptor: fix nightly doc_overindented_list_items warns by @cpu in #534
  • ci: include LICENSE files in artifact zips/deb by @cpu in #535
  • rustls 0.23.22, opt-in prefer-post-quantum feature flag by @cpu in #520
  • Small CMake related tweaks by @cpu in #532
  • build(deps): bump serde_json from 1.0.138 to 1.0.139 by @dependabot in #536
  • build(deps): bump serde from 1.0.217 to 1.0.218 by @dependabot in #537
  • rustfmt: style_edition 2024, small CI tweaks by @cpu in #538
  • build(deps): bump serde from 1.0.218 to 1.0.219 by @dependabot in #542
  • build(deps): bump tokio from 1.43.0 to 1.44.0 by @dependabot in #543
  • build(deps): bump libc from 0.2.169 to 0.2.170 by @dependabot in #540
  • build(deps): bump serde_json from 1.0.139 to 1.0.140 by @dependabot in #541
  • build(deps): bump libc from 0.2.170 to 0.2.171 by @dependabot in #544
  • Cargo: update semver compat deps by @cpu in #546
  • error: map InvalidEncryptedClientHello errors by @cpu in #547
  • Cargo: rustls .22 -> .25, webpki 0.102.8 -> 0.103, rustls-platform-verifier 0.5 -> 0.5.1 by @cpu in #548
  • Cargo: hickory-resolver 0.25.0-alpha.4 -> 0.25 by @cpu in #550
  • rustls_error: correct output buffer length handling by @ctz in #551
  • 0.15.0 release preparation by @cpu in #518

New Contributors

Full Changelog: v0.14.0...v0.15.0

Contributors

cpu, ctz, and 2 other contributors
Assets 7
Loading