runtime
Ruslan
rustc
+Rustls
rustls
Sagula
SanDisk
# HAVE_OPENSSL_SRP: `SSL_CTX_set_srp_username` present in OpenSSL/wolfSSL
# HAVE_GNUTLS_SRP: `gnutls_srp_verifier` present in GnuTLS
# HAVE_SSL_CTX_SET_QUIC_METHOD: `SSL_CTX_set_quic_method` present in OpenSSL/wolfSSL
-# HAVE_QUICHE_CONN_SET_QLOG_FD: `quiche_conn_set_qlog_fd` present in QUICHE
+# HAVE_QUICHE_CONN_SET_QLOG_FD: `quiche_conn_set_qlog_fd` present in quiche
# HAVE_ECH: ECH API checks for OpenSSL, BoringSSL or wolfSSL
#
# For each of the above variables, if the variable is DEFINED (either
cmake_dependent_option(CURL_USE_BEARSSL "Enable BearSSL for SSL/TLS" OFF CURL_ENABLE_SSL OFF)
cmake_dependent_option(CURL_USE_WOLFSSL "Enable wolfSSL for SSL/TLS" OFF CURL_ENABLE_SSL OFF)
cmake_dependent_option(CURL_USE_GNUTLS "Enable GnuTLS for SSL/TLS" OFF CURL_ENABLE_SSL OFF)
-cmake_dependent_option(CURL_USE_RUSTLS "Enable rustls for SSL/TLS" OFF CURL_ENABLE_SSL OFF)
+cmake_dependent_option(CURL_USE_RUSTLS "Enable Rustls for SSL/TLS" OFF CURL_ENABLE_SSL OFF)
set(_openssl_default ON)
if(WIN32 OR CURL_USE_SECTRANSP OR CURL_USE_SCHANNEL OR CURL_USE_MBEDTLS OR CURL_USE_WOLFSSL)
OPT_RUSTLS=no
AC_ARG_WITH(rustls,dnl
-AS_HELP_STRING([--with-rustls=PATH],[where to look for rustls, PATH points to the installation root]),[
+AS_HELP_STRING([--with-rustls=PATH],[where to look for Rustls, PATH points to the installation root]),[
OPT_RUSTLS=$withval
if test X"$withval" != Xno; then
TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }rustls"
- Using HTTP/3 with the given build should perform without risking busy-loops
-### The rustls backend
+### The Rustls backend
Graduation requirements:
February 3: curl 7.75.0 ships with support for Hyper as an HTTP backend
- March 31: curl 7.76.0 ships with support for rustls
+ March 31: curl 7.76.0 ships with support for Rustls
July: HSTS is supported
1.5 Expect-100 meets 417
2. TLS
- 2.1 IMAPS connection fails with rustls error
+ 2.1 IMAPS connection fails with Rustls error
2.3 Unable to use PKCS12 certificate with Secure Transport
2.4 Secure Transport does not import PKCS#12 client certificates without a password
2.5 Client cert handling with Issuer DN differs between backends
2. TLS
-2.1 IMAPS connection fails with rustls error
+2.1 IMAPS connection fails with Rustls error
https://github.com/curl/curl/issues/10457
the [rustls-ffi C bindings](https://github.com/rustls/rustls-ffi/). This
version of curl depends on version v0.13.0 of rustls-ffi.
-# Building with rustls
+# Building with Rustls
First, [install Rust](https://rustup.rs/).
% make
% make DESTDIR=${HOME}/rustls-ffi-built/ install
-Now configure and build curl with rustls:
+Now configure and build curl with Rustls:
% git clone https://github.com/curl/curl
% cd curl
part. e.g. socks5h://localhost/path/to/socket.sock
HTTPS proxy support works set with the https:// protocol prefix for OpenSSL
-and GnuTLS (added in 7.52.0). It also works for BearSSL, mbedTLS, rustls,
+and GnuTLS (added in 7.52.0). It also works for BearSSL, mbedTLS, Rustls,
Schannel, Secure Transport and wolfSSL (added in 7.87.0).
Unrecognized and unsupported proxy protocols cause an error (added in 7.52.0).
alternative makes libcurl stay with the default.
SSL backend names (case-insensitive): BearSSL, GnuTLS, mbedTLS,
-nss, OpenSSL, rustls, Schannel, Secure-Transport, wolfSSL
+nss, OpenSSL, Rustls, Schannel, Secure-Transport, wolfSSL
## `HOME`
# HISTORY
This option is supported by the BearSSL (since 7.79.0), mbedTLS (since
-7.81.0), rustls (since 7.82.0), wolfSSL (since 8.2.0), OpenSSL, Secure
+7.81.0), Rustls (since 7.82.0), wolfSSL (since 8.2.0), OpenSSL, Secure
Transport and Schannel backends.
# %AVAILABILITY%
## https://
HTTPS Proxy. (Added in 7.52.0 for OpenSSL and GnuTLS Since 7.87.0, it
-also works for BearSSL, mbedTLS, rustls, Schannel, Secure Transport and
+also works for BearSSL, mbedTLS, Rustls, Schannel, Secure Transport and
wolfSSL.)
This uses HTTP/1 by default. Setting CURLOPT_PROXYTYPE(3) to
## CURLPROXY_HTTPS
HTTPS Proxy using HTTP/1. (Added in 7.52.0 for OpenSSL and GnuTLS. Since
-7.87.0, it also works for BearSSL, mbedTLS, rustls, Schannel, Secure Transport
+7.87.0, it also works for BearSSL, mbedTLS, Rustls, Schannel, Secure Transport
and wolfSSL.)
## CURLPROXY_HTTPS2
OpenSSL support added in 7.52.0.
wolfSSL, Schannel, Secure Transport, and BearSSL support added in 7.87.0
mbedTLS support added in 8.8.0.
-rustls support added in 8.10.0.
+Rustls support added in 8.10.0.
Since curl 8.10.0 returns CURLE_NOT_BUILT_IN when not supported.
LibreSSL support added in 8.3.0, available when built with LibreSSL \>= 3.4.1.
wolfSSL support added in 8.10.0.
mbedTLS support added in 8.10.0, available when built with mbedTLS \>= 3.6.0.
-rustls support added in 8.10.0.
+Rustls support added in 8.10.0.
Before curl 8.10.0 with mbedTLS or wolfSSL, TLS 1.3 cipher suites where set
by using the CURLOPT_PROXY_SSL_CIPHER_LIST(3) option.
supported with wolfSSL and the other macros did not set a minimum, but
restricted the TLS version to only the specified one.
-rustls support added in 8.10.0.
+Rustls support added in 8.10.0.
# %AVAILABILITY%
Secure Transport support added in 7.77.0.
BearSSL support added in 7.83.0.
mbedTLS support added in 8.8.0.
-rustls support added in 8.10.0.
+Rustls support added in 8.10.0.
Since curl 8.10.0 returns CURLE_NOT_BUILT_IN when not supported.
LibreSSL support added in 8.3.0, available when built with LibreSSL \>= 3.4.1.
wolfSSL support added in 8.10.0.
mbedTLS support added in 8.10.0, available when built with mbedTLS \>= 3.6.0.
-rustls support added in 8.10.0.
+Rustls support added in 8.10.0.
Before curl 8.10.0 with mbedTLS or wolfSSL, TLS 1.3 cipher suites where set
by using the CURLOPT_SSL_CIPHER_LIST(3) option.
/* Define if you have the ANSI C header files. */
#define STDC_HEADERS
-/* Define to enable HTTP3 support (experimental, requires NGTCP2, QUICHE or
+/* Define to enable HTTP3 support (experimental, requires NGTCP2, quiche or
MSH3) */
#undef USE_HTTP3
/* if BearSSL is enabled */
#cmakedefine USE_BEARSSL 1
-/* if rustls is enabled */
+/* if Rustls is enabled */
#cmakedefine USE_RUSTLS 1
/* if wolfSSL is enabled */
* * SecureTransport (Darwin)
* * mbedTLS
* * BearSSL
- * * rustls
+ * * Rustls
* Skip the backend if it does not support the required algorithm */
#if defined(USE_OPENSSL)
* 'rnd' points to.
*
* If libcurl is built without TLS support or with a TLS backend that lacks a
- * proper random API (rustls or mbedTLS), this function will use "weak"
+ * proper random API (Rustls or mbedTLS), this function will use "weak"
* random.
*
* When built *with* TLS support and a backend that offers strong random, it
/*
* On each run:
- * - Read a chunk of bytes from the socket into rustls' TLS input buffer.
- * - Tell rustls to process any new packets.
- * - Read out as many plaintext bytes from rustls as possible, until hitting
+ * - Read a chunk of bytes from the socket into Rustls' TLS input buffer.
+ * - Tell Rustls to process any new packets.
+ * - Read out as many plaintext bytes from Rustls as possible, until hitting
* error, EOF, or EAGAIN/EWOULDBLOCK, or plainbuf/plainlen is filled up.
*
* it is okay to call this function with plainbuf == NULL and plainlen == 0. In
- * that case, it will copy bytes from the socket into rustls' TLS input
- * buffer, and process packets, but will not consume bytes from rustls'
+ * that case, it will copy bytes from the socket into Rustls' TLS input
+ * buffer, and process packets, but will not consume bytes from Rustls'
* plaintext output buffer.
*/
static ssize_t
/*
* On each call:
- * - Copy `plainlen` bytes into rustls' plaintext input buffer (if > 0).
- * - Fully drain rustls' plaintext output buffer into the socket until
+ * - Copy `plainlen` bytes into Rustls' plaintext input buffer (if > 0).
+ * - Fully drain Rustls' plaintext output buffer into the socket until
* we get either an error or EAGAIN/EWOULDBLOCK.
*
* it is okay to call this function with plainbuf == NULL and plainlen == 0.
- * In that case, it will not read anything into rustls' plaintext input buffer.
- * It will only drain rustls' plaintext output buffer into the socket.
+ * In that case, it will not read anything into Rustls' plaintext input buffer.
+ * It will only drain Rustls' plaintext output buffer into the socket.
*/
static ssize_t
cr_send(struct Curl_cfilter *cf, struct Curl_easy *data,
}
if(blen > 0) {
- CURL_TRC_CF(data, cf, "cf_send: adding %zu plain bytes to rustls", blen);
+ CURL_TRC_CF(data, cf, "cf_send: adding %zu plain bytes to Rustls", blen);
rresult = rustls_connection_write(rconn, buf, blen, &plainwritten);
if(rresult != RUSTLS_RESULT_OK) {
rustls_error(rresult, errorbuf, sizeof(errorbuf), &errorlen);
if(*err) {
if(CURLE_AGAIN == *err) {
/* The TLS bytes may have been partially written, but we fail the
- * complete send() and remember how much we already added to rustls. */
+ * complete send() and remember how much we already added to Rustls. */
CURL_TRC_CF(data, cf, "cf_send: EAGAIN, remember we added %zu plain"
- " bytes already to rustls", blen);
+ " bytes already to Rustls", blen);
backend->plain_out_buffered = plainwritten;
if(nwritten) {
*err = CURLE_OK;
return nwritten;
}
-/* A server certificate verify callback for rustls that always returns
+/* A server certificate verify callback for Rustls that always returns
RUSTLS_RESULT_OK, or in other words disable certificate verification. */
static uint32_t
cr_verify_none(void *userdata UNUSED_PARAM,
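Review bot: The comment above `cr_verify_none` says the callback always returns RUSTLS_RESULT_OK but not under which setting it may be installed, and since the commit already touches this comment it is a good place to say so. A sentence along the lines of `Only to be installed when the application has explicitly turned peer verification off.` would help a reader auditing the verification path. The function body and the place where the callback is registered are outside this hunk, so the exact condition should be confirmed there before wording it.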
/* Read/write data until the handshake is done or the socket would block. */
for(;;) {
/*
- * Connection has been established according to rustls. Set send/recv
+ * Connection has been established according to Rustls. Set send/recv
* handlers, and update the state machine.
*/
connssl->io_need = CURL_SSL_IO_NEED_NONE;
if(!rustls_connection_is_handshaking(rconn)) {
- /* rustls claims it is no longer handshaking *before* it has
+ /* Rustls claims it is no longer handshaking *before* it has
* send its FINISHED message off. We attempt to let it write
* one more time. Oh my.
*/
return CURLE_SSL_CONNECT_ERROR;
}
if(blocking && 0 == what) {
- failf(data, "rustls connection timeout after %"
+ failf(data, "rustls: connection timeout after %"
CURL_FORMAT_TIMEDIFF_T " ms", socket_check_timeout);
return CURLE_OPERATION_TIMEDOUT;
}
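Review bot: The `failf()` text in the timeout branch changes from `rustls connection timeout after …` to `rustls: connection timeout after …`, which is a runtime string rather than a comment. Anything that matches the old wording (test expectations, log filters, monitoring rules) would stop matching, so a grep of the test suite and a mention in the commit message are worth doing. It is also the one message kept lowercase, while the trace strings in `cr_send` were changed to `Rustls` in the same commit. If the lowercase `rustls:` prefix is meant as the backend tag for errors, a short comment such as `/* error messages carry the lowercase "rustls:" prefix */` would make that convention explicit. The enclosing function starts and ends outside the visible lines.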
#include "sectransp.h" /* SecureTransport (Darwin) version */
#include "mbedtls.h" /* mbedTLS versions */
#include "bearssl.h" /* BearSSL versions */
-#include "rustls.h" /* rustls versions */
+#include "rustls.h" /* Rustls versions */
#endif /* USE_SSL */
AC_DEFUN([CURL_WITH_RUSTLS], [
dnl ----------------------------------------------------
-dnl check for rustls
+dnl check for Rustls
dnl ----------------------------------------------------
if test "x$OPT_RUSTLS" != xno; then
AC_CHECK_LIB(rustls, rustls_connection_read,
[
- AC_DEFINE(USE_RUSTLS, 1, [if rustls is enabled])
+ AC_DEFINE(USE_RUSTLS, 1, [if Rustls is enabled])
AC_SUBST(USE_RUSTLS, [1])
RUSTLS_ENABLED=1
USE_RUSTLS="yes"
ssl_msg="rustls"
test rustls != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
],
- AC_MSG_ERROR([--with-rustls was specified but could not find rustls.]),
+ AC_MSG_ERROR([--with-rustls was specified but could not find Rustls.]),
-lpthread -ldl -lm)
LIB_RUSTLS="$PREFIX_RUSTLS/lib$libsuff"
dnl don't need any.
LIBS="$SSL_LIBS $LIBS"
ssl_msg="rustls"
- AC_DEFINE(USE_RUSTLS, 1, [if rustls is enabled])
+ AC_DEFINE(USE_RUSTLS, 1, [if Rustls is enabled])
AC_SUBST(USE_RUSTLS, [1])
USE_RUSTLS="yes"
RUSTLS_ENABLED=1
test rustls != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
else
- AC_MSG_ERROR([pkg-config: Could not find rustls])
+ AC_MSG_ERROR([pkg-config: Could not find Rustls])
fi
else
dnl we did not use pkg-config, so we need to add the
- dnl rustls lib to LIBS
+ dnl Rustls lib to LIBS
LIBS="-lrustls -lpthread -ldl -lm $LIBS"
fi
LDFLAGS="$CLAN_LDFLAGS $SSL_LDFLAGS"
if test "x$USE_RUSTLS" = "xyes"; then
- AC_MSG_NOTICE([detected rustls])
+ AC_MSG_NOTICE([detected Rustls])
check_for_ca_bundle=1
if test -n "$LIB_RUSTLS"; then
if tls_max == '1.3':
exp_resumed = 'Initial' # 1.2 works in wolfSSL, but 1.3 does not, TODO
if env.curl_uses_lib('rustls-ffi'):
- exp_resumed = 'Initial' # rustls does not support sessions, TODO
+ exp_resumed = 'Initial' # Rustls does not support sessions, TODO
if env.curl_uses_lib('bearssl') and tls_max == '1.3':
pytest.skip('BearSSL does not support TLSv1.3')
if env.curl_uses_lib('mbedtls') and tls_max == '1.3':
if proto != 'h3': # we proxy h3
assert r.json['SSL_TLS_SNI'] == env.domain1, f'{r.json}'
assert False, f'should not have succeeded: {r.json}'
- # 7 - rustls rejects a servername with .. during setup
+ # 7 - Rustls rejects a servername with .. during setup
# 35 - LibreSSL rejects setting an SNI name with trailing dot
# 60 - peer name matching failed against certificate
assert r.exit_code in [7, 35, 60], f'{r}'