Releases: rustls/rustls
Releases · rustls/rustls
0.22.0
New features
- Configurable cryptography providers. The cryptography used by rustls is represented by the
CryptoProvidertrait. ring is now optional, but remains the default provider. - Certificate revocation list (CRL) support. The default certificate verifier used in rustls can now be configured with CRLs to control revocation of client and server certificates.
- Optional support for cryptography from aws-lc-rs. Once the certification process completes , we will support FIPS mode using aws-lc-rs.
- Separate configuration of root hints in client certificate verifier. To deal with cross-signed client certificate topologies, the list of hints sent to a client can now be configured. The default behaviour remains to send the names of the configured root certificates.
Related libraries
There are some related libraries in the rustls ecosystem. If you depend on these libraries, you'll need at least these versions to be compatible with rustls 0.22:
rustls-pki-types = { version = "1" }
webpki-roots = { version = "0.26" }
rustls-webpki = { version = "0.102" }
rustls-pemfile = { version = "2" }
rustls-native-certs = { version = "0.7"}
Breaking changes
- Remove support for SCTs provided via TLS extension. Ecosystem support for this is rare compared to inclusion of SCTs in certificates.
- Rename
WebPkiVerifiertoWebPkiServerVerifierand addWebPkiClientVerifier. - Remove default trait implementations in
ServerCertVerifier/ClientCertVerifierso the trait doesn't depend on webpki. Instead the previous implementations are exposed asrustls::crypto::verify_tls12_signature,rustls::crypto::verify_tls13_signatureand$PROVIDER.signature_verification_algorithms.supported_schemes(), using the crypto provider of your choice. See tlsclient-mio for an example verifier that has been updated for 0.22. - Rework certificate auth verifiers construction into a builder. This covers both server and client certificate verifiers: call
WebPkiServerVerifier::builder()andWebPkiClientVerifier::builder(). - Removed the crate features
dangerous_configuration,secret_extractionandquic. The API features those previously gated are now available without a crate feature. Types previously gated on thedangerous_configurationfeature now appear indangermodules in the same place. - New types for keys and certificates.
rustls::Certificatehas been replaced withCertificateDerfrom the new rustls-pki-types crate. Likewise,rustls::PrivateKeyhas been replaced withrustls_pki_types::PrivateKeyDer. These types come in both owned and borrowed variants, likestd::borrow::Cow, but some uses, likerustls::RootCertStore, required the owned (<'static>) variant. RootCertStoreis now passed around wrapped in anArc, to improve efficiency when creating a different verifier for different servers/clients but with the same roots.RootCertStore::add_parsable_certificatesnow takes aimpl IntoIterator<Item = impl AsRef<[u8]>>.RootCertStore::add_server_trust_anchorsbecameRootCertStore::extend.- Traits exposed by rustls now require a
Debugbound. Please exercise caution in using#[derive(Debug)]on types that contain secret data. - The deprecated
ConfigBuilder<ClientConfig, WantsClientCert>::with_single_certfn was removed in favour ofwith_client_auth_cert(42cda46) - Some types and values have moved to accommodate cryptography provider work:
| Old | New |
|---|---|
rustls::CipherSuiteCommon |
rustls::crypto::CipherSuiteCommon |
rustls::SupportedKxGroup |
rustls::crypto::SupportedKxGroup |
rustls::cipher_suite::* |
rustls::crypto::ring::cipher_suite::* |
rustls::Ticketer |
rustls::crypto::ring::Ticketer |
rustls::ALL_KX_GROUPS |
rustls::crypto::ring::ALL_KX_GROUPS |
rustls::ALL_CIPHER_SUITES |
rustls::crypto::ring::ALL_CIPHER_SUITES |
rustls::DEFAULT_CIPHER_SUITES |
rustls::crypto::ring::DEFAULT_CIPHER_SUITES |
rustls::kx_group::* |
rustls::crypto::ring::kx_group::* |
rustls::sign::any_ecdsa_type |
rustls::crypto::ring::sign::any_ecdsa_type |
rustls::sign::any_eddsa_type |
rustls::crypto::ring::sign::any_eddsa_type |
rustls::sign::any_supported_type |
rustls::crypto::ring::sign::any_supported_type |
Moved/renamed/new items
Moved
ALL_CIPHER_SUITES(crypto providers)ALL_KX_GROUPS(crypto providers)DEFAULT_CIPHER_SUITES(crypto providers)SECP256R1(crypto providers)SECP384R1(crypto providers)any_ecdsa_type(crypto providers)any_eddsa_type(crypto providers)any_supported_type(crypto providers)CipherSuiteCommon(crypto)ClientCertVerified(server::danger)ClientCertVerifier(server::danger)DangerousClientConfig(client::danger)HandshakeSignatureValid(client::danger)ServerCertVerified(client::danger)ServerCertVerifier(client::danger)SupportedKxGroup(crypto)Ticketer(crypto providers)TLS13_AES_128_GCM_SHA256(crypto providers)TLS13_AES_256_GCM_SHA384(crypto providers)TLS13_CHACHA20_POLY1305_SHA256(crypto providers)TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(crypto providers)TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(crypto providers)TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(crypto providers)TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(crypto providers)TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(crypto providers)TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(crypto providers)X25519(crypto providers)
Renamed
WebPkiVerifier(client::WebPkiServerVerifier)Certificate(rustls_pki_types::CertificateDer)PrivateKey(rustls_pki_types::PrivateKeyDer)SignError(crypto::ring::sign::InvalidKeyError)
Added
ActiveKeyExchange(crypto)AeadKey(crypto::cipher)Algorithm(quic)ClientCertVerifierBuilder(server)DangerousClientConfigBuilder(client::danger)expand(crypto::tls13)OkmBlock(crypto::tls13)OutputLengthError(crypto::tls13)ServerCertVerifierBuilder(client)TicketSwitcher(ticketer)WebPkiClientVerifier(server)
Added (crypto provider extensibility)
default_provider()(crypto::ring)default_provider()(crypto::aws_lc_rs)HashAlgorithm(crypto::hash)Hash(crypto::hash)Hkdf(crypto::tls13)HkdfExpander(crypto::tls13)HkdfExpanderUsingHmac(crypto::tls13)HkdfUsingHmac(crypto::tls13)Hmac(crypto::hmac)Iv(crypto::cipher)KeyBlockShape(crypto::cipher)Key(crypto::hmac)KeyExchangeAlgorithm(crypto)make_tls12_aad(crypto::cipher)make_tls13_aad(crypto::cipher)MessageDecrypter(crypto::cipher)MessageEncrypter(crypto::cipher)Nonce(crypto::cipher)Nonce(crypto::cipher)OpaqueMessage(crypto::cipher)Output(crypto::hash)PlainMessage(crypto::cipher)Prf(crypto::tls12)PrfUsingHmac(crypto::tls12)SharedSecret(crypto)Tag(crypto::hmac)Tls12AeadAlgorithm(crypto::cipher)UnsupportedOperationError(crypto::cipher)WebPkiSupportedAlgorithms(crypto)
Added (error types)
GetRandomFailed(crypto)OtherError(top level)UnsupportedOperationError(crypto::cipher)VerifierBuilderError(client)VerifierBuilderError(server)
Removed
AllowAnyAnonymousOrAuthenticatedClientAllowAnyAuthenticatedClientBulkAlgorithmCertificateTransparencyPolicysupported_sign_tls13WantsTransparencyPolicyOrClientCertOwnedTrustAnchor- userustls_pki_types::TrustAnchorinstead, and replacefrom_subject_spki_name_constraintswith direct assignment to the struct fields.ConfigBuilder::with_safe_defaults- calls to this can simply be deleted since safe defaults are now implicit.
Changed
SystemTime- certificate verification traits used to reference this type, but now referencerustls_pki_types::UnixTimeinstead.
What's Changed
- v0.21.3 release prep by @cpu in #1341
- Improve coverage of ip address names by @ctz in #1338
- Take
Iteratorinadd_parsable_certificates()by @daxpedda in #1339 - CI: add 32bit cross compilation target. by @cpu in #1342
- build(deps): update webpki-roots requirement from 0.23 to 0.24 by @dependabot in #1346
- Prep next release by @ctz in #1344
- lib: export CertRevocationListError enum. by @cpu in #1347
- ci: add merge_group trigger to ci tasks. by @cpu in #1349
- client:
with_single_cert->with_client_auth_certby @cpu in #1345 - ci: add a cargo-semver-checks action. by @cpu in #1354
- client::builder: fix PhantomData clippy lint by @ctz in https://github.com/rustls/...
Contributors
bdaehlie, djc, and 15 other contributors
Assets 2
0.21.9
- Fixes using the (non-default)
read_buffeature with Rust nightly newer thannightly-2023-11-01by opting in to thecore_io_borrowed_buffeature and updatedBorrowedBuf,BorrowedCursortypes.
What's Changed
- Fix build: new feature needed for std::io::BorrowedBuf et al. by @ctz in #1582
- v0.21.9 preparation by @cpu in #1592
Full Changelog: v/0.21.8...v/0.21.9
Contributors
cpu and ctz
Assets 2
0.21.8
- Fixes
ConnectionCommon::complete_io()to flush writers before potentially expecting a response. - Upgrades
*ring*to 0.17 - Note:*ring*0.17 when built withgccwill experience slower X25519 and Ed25519 operations compared to previous releases. - Upgrades
rustls-webpkito 0.101.7 to match*ring*0.17 dependency Tls12CipherSuite::hash_algorithm()andTls13CipherSuite::hash_algorithm()are now crate-internal. This is a small breaking change to remove unintended exposure of underlying*ring*types in the public API.
What's Changed
- fuzz: remove unused webpki dependency by @ctz in #1523
- Fix nightly clippy warning by @djc in #1443
- Upgrade to ring 0.17 by @djc in #1508
- Bump MSRV to 1.61 by @djc in #1516
- docs: adjust ring platform compatibility by @cpu in #1532
- Fix: flush writers before potentially expecting a response by @robsdedude in #1542
- v0.21.8 preparation by @cpu in #1525
Full Changelog: v/0.21.7...v/0.21.8
Contributors
djc, cpu, and 2 other contributors
Assets 2
0.21.7
- Fixes interoperability bug where Rustls servers would not properly echo the
session_idinHelloRetryRequestmessages as was done forServerHellomessages. WebPkiVerifiernow stores anArc<RootCertStore>.- Documentation for the computational expense required to build client and server configurations has been clarified to emphasize this is cheap with the exception of gathering certificates from a platform trust root store.
What's Changed
- Backport Arc server roots + non-expensive configs to rel-0.21 by @djc in #1416
- Backport Echo session_id in HRR by @cpu, @ctz in #1425
- rustls v0.21.7 release prep by @cpu in #1425
Full Changelog: v/0.21.6...v/0.21.7
Contributors
djc, cpu, and ctz
Assets 2
v/0.20.9
- Fixes interoperability bug where Rustls servers would not properly echo the session_id in HelloRetryRequest messages as was done for ServerHello messages.
What's Changed
Full Changelog: v/0.20.8...v/0.20.9
Contributors
cpu and ctz
Assets 2
v/0.21.6
- Deprecated
RootCertStore.add_server_trust_anchors, useRootCertStore.add_trust_anchorsinstead. - Updated webpki-roots to 0.25.
- Updated webpki to 0.101.2
What's Changed
- ci: cross compile and cargo semver checks. by @cpu in #1355
- client::builder: fix PhantomData clippy lint by @ctz in #1383
- Correct/allow unnecessarily &mut function args by @ctz in #1383
- Fix up nightly clippy issue with incorrect comment by @djc in #1383
- anchors: deprecate add_server_trust_anchors by @cpu in #1383
- verify: avoid deprecated webpki methods by @cpu in #1383
- deps: update to webpki-roots 0.25, fix deprecations by @cpu in #1383
- Cargo: bump version 0.21.5 -> 0.21.6 by @cpu in #1383
- v0.21.6 preparation by @cpu in #1383
Full Changelog: v/0.21.5...v/0.21.6
Contributors
djc, cpu, and ctz
Assets 2
v/0.21.5
- Reverted "RootCertStore::add_parsable_certificates now takes a impl IntoIterator<Item = impl AsRef<[u8]>>".
What's Changed
- v0.21.5 maintenance release prep by @cpu in #1353
- Reverted RootCertStore::add_parsable_certificates now takes a impl IntoIterator<Item = impl AsRef<[u8]>> by @cpu in #1353
Full Changelog: v/0.21.4...v/0.21.5
v/0.21.4
- ClientConfig.with_single_cert is now deprecated, prefer with_client_auth_cert instead.
- Error::CertRevocationListError enum is now exported.
- RootCertStore::add_parsable_certificates now takes a impl IntoIterator<Item = impl AsRef<[u8]>>.
What's Changed
- v0.21.4 maintenance release prep by @cpu in #1348
- lib: export CertRevocationListError enum. by @cpu in #1347
- error: use automatic link for RFC 5280 ref. by @cpu in #1347
- deps: update webpki-roots 0.23.0 -> 0.24.0 by @cpu in #1348
- client: with_single_cert -> with_client_auth_cert by @cpu in #1345
- Take IntoIterator in add_parsable_certificates() by @daxpedda in #1339
- RELEASING.md: restructure, use github releases by @ctz in #1344
- Prepare to move release notes to github releases by @ctz in #1344
Full Changelog: v/0.21.3...v/0.21.4
Contributors
cpu, ctz, and daxpedda
Assets 2
v/0.21.3
- Added
with_crlsfunction toAllowAnyAuthenticatedClientand
AllowAnyAnonymousOrAuthenticatedClientclient certificate verifiers to
support revocation checking of client certificates using certificate
revocation lists (CRLs). - Exposed
verify_signed_by_trust_anchorandverify_server_namecertificate
validation helper functions when using the "dangerous_configuration"
feature.
What's Changed
- Localise DnsName types by @ctz in #1321
- Import DnsName types directly by @djc in #1323
- Fix connect-tests for 1000-sans.badssl.com by @ctz in #1324
- Moved to a working host by @xuganyu96 in #1328
- simple_0rtt_client: fix it and clarify what it is demonstrating by @ctz in #1330
- ci: run client examples in CI connect tests. by @cpu in #1331
- enums: clarify NamedCurve isn't supported curves. by @cpu in #1333
- Remove support for SCT stapling by @ctz in #1329
- Limit scope of security support based on time by @djc in #1315
- Enable unit-test-like benchmarks by @ctz in #1334
- expose verify helper functions by @Fritiofhedstrom in #1325
- Revert "Remove support for SCT stapling" by @ctz in #1340
- client certificate revocation checking support. by @cpu in #1326
New Contributors
- @xuganyu96 made their first contribution in #1328
- @Fritiofhedstrom made their first contribution in #1325
Full Changelog: v/0.21.2...v/0.21.3
Contributors
djc, cpu, and 3 other contributors
Assets 2
v/0.21.2
- Bump MSRV to 1.60 to track similar change in dependencies.
- Differentiate between unexpected and expected EOF in
StreamandOwnedStream. RootCertStore::add_parsable_certificatesnow takes a&[impl AsRef<[u8]>].- Add QUIC V2 support.
What's Changed
- Lint: remove calls to PhantomData::default by @Smaug123 in #1296
- Only check library against MSRV by @djc in #1302
- expand documentation for Certificate and PrivateKey by @folkertdev in #1301
- stream: avoid swallowing unexpected eof condition. by @cpu in #1299
- Take
&[u8]inRootCertStore::add_parsable_certificates()by @daxpedda in #1305 - Implement QUIC V2 by @Ralith in #1057
- tests: start on de-duplicating stream API tests. by @cpu in #1306
- Move MSRV to 1.60 by @ctz in #1312
- Take latest bogo test suite by @ctz in #1314
- docs: add help for diagnosing BoGo failures. by @cpu in #1316
- Fix typo in
ConfigBuilder::with_root_certificates()by @daxpedda in #1317 - Prepare 0.21.2 by @daxpedda in #1318
New Contributors
- @Smaug123 made their first contribution in #1296
- @folkertdev made their first contribution in #1301
Full Changelog: v/0.21.1...v/0.21.2
Contributors
Ralith, djc, and 5 other contributors