pingora icon indicating copy to clipboard operation
pingora copied to clipboard
verified publisher icon cloudflare

[ feature request ] Use rustls

Open yonas opened this issue 1 year ago • 8 comments

What is the problem your feature solves, or the need it fulfills?

Use rustls instead of OpenSSL.

Describe the solution you'd like

Either fully replace OpenSSl dependency with rustls (my preference) or publish a new feature that would substitute OpenSSL with rustls.

Describe alternatives you've considered

N/A.

yonas avatar Feb 29 '24 06:02 yonas

this would also allow KTLS support https://github.com/rustls/rustls/issues/198

LessThanGreaterThan avatar Mar 03 '24 13:03 LessThanGreaterThan

This is currently rather complicated because Pingora is using OpenSSL APIs directly, almost without any intermediate layer. So doing this would require implementing OpenSSL APIs on top of rustls. My work in #277 at least shows which parts need to be implemented as OpenSSL is rather massive.

palant avatar Jun 14 '24 05:06 palant

This is currently rather complicated because Pingora is using OpenSSL APIs directly, almost without any intermediate layer. So doing this would require implementing OpenSSL APIs on top of rustls. My work in #277 at least shows which parts need to be implemented as OpenSSL is rather massive.

Am I missing something here? Wouldn't the rustls implementation make OpenSSL obsolete? Of course Pingora has to re-implement everything to be compatible with rustls. But isn't that the general goal of the request?

Fexiven avatar Jul 12 '24 09:07 Fexiven

Wouldn't the rustls implementation make OpenSSL obsolete?

I suspect that Pingora will want to keep OpenSSL and BoringSSL support around rather than throw it all out for rustls. And while it’s possible to use BoringSSL via rustls (though I’m not sure how reliable boring-rustls-provider is), there is currently nothing comparable for OpenSSL.

palant avatar Jul 12 '24 10:07 palant

there is currently nothing comparable for OpenSSL.

There is a compatibility layer that can be used to replace OpenSSL's libssl.so with Rustls subject to many caveats w.r.t supported APIs. However, in general I think that's not a very appealing integration route for green-field software written in Rust. I think abstracting over the choice of TLS implementation and then natively integrating with Rustls' rust API is the best route.

cpu avatar Jul 12 '24 13:07 cpu

The choice of supporting OpenSSL and BoringSSL is for compliance reasons.

Even with rustls got FIPS certifications recently, switching from one crypto to another could cause millions of dollars and years to audit and certify for large organizations. Therefore, OpenSSL/BoringSSL is unlikely to be replaced.

That being said, rustls is a good addition.

eaufavor avatar Jul 12 '24 21:07 eaufavor

We know that it's a pain but we really need rustls re-implemented version or optional rustls feature support. We need both speed, security, modern features and rusty.

Walker-00 avatar Jul 13 '24 09:07 Walker-00