Crate native_tls [−] [src]
An abstraction over platform-specific TLS implementations.
Many applications require TLS/SSL communication in one form or another as part of their implementation, but finding a library for this isn't always trivial! The purpose of this crate is to provide a seamless integration experience on all platforms with a cross-platform API that deals with all the underlying details for you.
# Cargo.toml
[dependencies]
native-tls = "0.1"
How is this implemented?
This crate uses SChannel on Windows (via the schannel crate), Secure
Transport on OSX (via the security-framework crate), and OpenSSL (via the
openssl crate) on all other platforms. Future futures may also enable
other TLS frameworks as well, but these initial libraries are likely to
remain as the defaults.
If you know you're on a particular platform then you can use the platform-specific extension traits in this crate to configure the underlying details of that platform. For example OpenSSL may have more options for configuration than Secure Transport. By default, though, the API of this crate works across all platforms.
Note that this crate also strives to be secure-by-default. For example when using OpenSSL it will configure validation callbacks to ensure that hostnames match certificates, use strong ciphers, etc. This implies that this crate is not just a thin abstraction around the underlying libraries, but also an implementation that strives to strike reasonable defaults.
Supported features
This crate supports the following features out of the box:
- TLS/SSL client communication
- TLS/SSL server communication
- PKCS#12 encoded server identities
- Secure-by-default for client and server
- Includes hostname verification for clients
- Supports asynchronous I/O for both the server and the client
Each implementation may support more features which can be accessed through
the extension traits in the backend module.
Examples
To connect as a client to a remote server:
use native_tls::TlsConnector; use std::io::{Read, Write}; use std::net::TcpStream; let connector = TlsConnector::builder().unwrap().build().unwrap(); let stream = TcpStream::connect("google.com:443").unwrap(); let mut stream = connector.connect("google.com", stream).unwrap(); stream.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap(); let mut res = vec![]; stream.read_to_end(&mut res).unwrap(); println!("{}", String::from_utf8_lossy(&res));
To accept connections as a server from remote clients:
use native_tls::{Pkcs12, TlsAcceptor, TlsStream}; use std::fs::File; use std::io::{Read}; use std::net::{TcpListener, TcpStream}; use std::sync::Arc; use std::thread; let mut file = File::open("identity.pfx").unwrap(); let mut pkcs12 = vec![]; file.read_to_end(&mut pkcs12).unwrap(); let pkcs12 = Pkcs12::from_der(&pkcs12, "hunter2").unwrap(); let listener = TcpListener::bind("0.0.0.0:8443").unwrap(); let acceptor = TlsAcceptor::builder(pkcs12).unwrap().build().unwrap(); let acceptor = Arc::new(acceptor); fn handle_client(stream: TlsStream<TcpStream>) { // ... } for stream in listener.incoming() { match stream { Ok(stream) => { let acceptor = acceptor.clone(); thread::spawn(move || { let stream = acceptor.accept(stream).unwrap(); handle_client(stream); }); } Err(e) => { /* connection failed */ } } }
Modules
| backend |
TLS backend-specific functionality. |
Structs
| Certificate |
An X509 certificate. |
| Error |
An error returned from the TLS implementation. |
| MidHandshakeTlsStream |
A TLS stream which has been interrupted midway through the handshake process. |
| Pkcs12 |
A PKCS #12 archive. |
| TlsAcceptor |
A builder for server-side TLS connections. |
| TlsAcceptorBuilder |
A builder for |
| TlsConnector |
A builder for client-side TLS connections. |
| TlsConnectorBuilder |
A builder for |
| TlsStream |
A stream managing a TLS session. |
Enums
| HandshakeError |
An error returned from |
| Protocol |
SSL/TLS protocol versions. |
Type Definitions
| Result |
A typedef of the result-type returned by many methods. |