OpenSSL API Compatibility Layer about rustls-openssl-compat HOT 9 OPEN

@djc , my use case is quite generic and very broad. I want to be able to replace the libssl.so.3 and associated headers on Linux (I generally use an OpenWrt-based system) with a rustls implementation to allow for use of rustls without changing every application that may use OpenSSL. For me, the aim is to reduce potential CVEs on customer equipment that are often appearing from OpenSSL and C-based TLS implementations.

For example, add support for curl/ wget/ mosquitto/ any higher level TLS application without having to change the code AT ALL from the OpenSSL implementations. It should be zero effort for the maintainers of other packages to use rustls once it is used in the distro they are building for.

It becomes more complicated when other engines are used (like pkcs#11 or whatver) in OpenSSL though, but TLS for curl-like tools without additional application development would be ideal.

from rustls-openssl-compat.

Work has already started on this -- in private for now. Will discuss if/when we can open it up.

Note that we do already have the rustls-ffi crate that offers a C API for rustls.

from rustls-openssl-compat.

Good question! We have two initial targets: curl and nginx (both unmodified binaries, from ubuntu 22.04 packages). curl works in a basic sense (the dynamic linker is happy and it can fetch google.com); nginx is still in progress.

from rustls-openssl-compat.

Good to hear @djc . Propose we leave this open for comment etc when that is opened up. Certainly I'm keen to help on that if I can.

from rustls-openssl-compat.

@djc great to hear! Yes please open this up. Exactly when - decision use yours.

from rustls-openssl-compat.

@SimonTate @mouse07410 can you talk a bit about your respective use cases (assuming they're not the same)? This will help us prioritize our work and consider your perspectives.

from rustls-openssl-compat.

(FWIW, are you aware that curl already allows compilation with rustls via rustls-ffi? This has been experimental because there are a few open issues -- if you're interested in that would be a great way to contribute.)

from rustls-openssl-compat.

@djc , yeah I'm aware of that and will take more of a look at the issues. Thanks for the reminder 😄

For this - are you/ people working on this starting with a specific application linking with a rustls based .so? Would be great to build up the functionality of the compatibility layer by enabling applications of increasing complexity (imo).

from rustls-openssl-compat.

cpu transferred this issue from rustls/rustls now

The compat repository is now public, so I've moved this issue over here.

from rustls-openssl-compat.