Module rustls::manual::_04_features

source ·
Expand description

This section documents rustls itself: what protocol features are and are not implemented.

The below list reflects the support provided with the default crate features. Items marked with an asterisk * can be extended or altered via public APIs (CryptoProvider for example).

§Current features

  • TLS1.2 and TLS1.3
  • ECDSA, Ed25519 or RSA server authentication by clients *
  • ECDSA, Ed25519 or RSA server authentication by servers *
  • Forward secrecy using ECDHE; with curve25519, nistp256 or nistp384 curves *
  • AES128-GCM and AES256-GCM bulk encryption, with safe nonces *
  • ChaCha20-Poly1305 bulk encryption (RFC7905) *
  • ALPN support
  • SNI support
  • Tunable fragment size to make TLS messages match size of underlying transport
  • Optional use of vectored IO to minimise system calls
  • TLS1.2 session resumption
  • TLS1.2 resumption via tickets (RFC5077)
  • TLS1.3 resumption via tickets or session storage
  • TLS1.3 0-RTT data
  • Server and optional client authentication
  • Extended master secret support (RFC7627)
  • Exporters (RFC5705)
  • OCSP stapling by servers
  • RFC8879 certificate compression by clients and servers *

§Non-features

For reasons explained in the other sections of this manual, rustls does not and will not support:

  • SSL1, SSL2, SSL3, TLS1 or TLS1.1
  • RC4
  • DES or triple DES
  • EXPORT ciphersuites
  • MAC-then-encrypt ciphersuites
  • Ciphersuites without forward secrecy
  • Renegotiation
  • Kerberos
  • TLS 1.2 protocol compression
  • Discrete-log Diffie-Hellman *
  • Automatic protocol version downgrade
  • Using CA certificates directly to authenticate a server/client (often called “self-signed certificates”). Rustls’ default certificate verifier does not support using a trust anchor as both a CA certificate and an end-entity certificate in order to limit complexity and risk in path building. While dangerous, all authentication can be turned off if required – see the example code *