[ feature request ] Use rustls

[yonas]

What is the problem your feature solves, or the need it fulfills?

Use rustls instead of OpenSSL.

Describe the solution you'd like

Either fully replace OpenSSl dependency with rustls (my preference) or publish a new feature that would substitute OpenSSL with rustls.

Describe alternatives you've considered

N/A.

[LessThanGreaterThan]

this would also allow KTLS support https://github.com/rustls/rustls/issues/198

[palant]

This is currently rather complicated because Pingora is using OpenSSL APIs directly, almost without any intermediate layer. So doing this would require implementing OpenSSL APIs on top of rustls. My work in #277 at least shows which parts need to be implemented as OpenSSL is rather massive.

[Fexiven]

This is currently rather complicated because Pingora is using OpenSSL APIs directly, almost without any intermediate layer. So doing this would require implementing OpenSSL APIs on top of rustls. My work in #277 at least shows which parts need to be implemented as OpenSSL is rather massive.

Am I missing something here? Wouldn't the rustls implementation make OpenSSL obsolete? Of course Pingora has to re-implement everything to be compatible with rustls. But isn't that the general goal of the request?

[palant]

Wouldn't the rustls implementation make OpenSSL obsolete?

I suspect that Pingora will want to keep OpenSSL and BoringSSL support around rather than throw it all out for rustls. And while it’s possible to use BoringSSL via rustls (though I’m not sure how reliable boring-rustls-provider is), there is currently nothing comparable for OpenSSL.

[cpu]

there is currently nothing comparable for OpenSSL.

There is a compatibility layer that can be used to replace OpenSSL's libssl.so with Rustls subject to many caveats w.r.t supported APIs. However, in general I think that's not a very appealing integration route for green-field software written in Rust. I think abstracting over the choice of TLS implementation and then natively integrating with Rustls' rust API is the best route.

[eaufavor]

The choice of supporting OpenSSL and BoringSSL is for compliance reasons.

Even with rustls got FIPS certifications recently, switching from one crypto to another could cause millions of dollars and years to audit and certify for large organizations. Therefore, OpenSSL/BoringSSL is unlikely to be replaced.

That being said, rustls is a good addition.

[Walker-00]

We know that it's a pain but we really need rustls re-implemented version or optional rustls feature support. We need both speed, security, modern features and rusty.