RUSTLS ENABLES OPENSSL AND NGINX COMPATIBILITY

ISRG (Internet Security Research Group), the organization behind the Let’s Encrypt project for improving Internet security, has announced the release of the rustls-openssl-compat layer, which lets the rustls library serve as a drop-in replacement for OpenSSL. So far the project has implemented rustls-libssl, providing compatibility with libssl; a libcrypto implementation is planned for later.

The layer already covers enough of the API to run Nginx on top of Rustls. Moving Nginx to Rustls only requires swapping the library; Nginx itself needs neither rebuilding nor modification. The Rustls project plans to improve performance in the areas where Rustls still trails OpenSSL and to support RFC 8879 certificate compression. Plans were also mentioned to migrate parts of the Let’s Encrypt certificate authority infrastructure from OpenSSL to Rustls.

Rustls provides client and server implementations of TLS 1.2 and TLS 1.3 for Rust applications. Rather than implementing its own cryptographic primitives, Rustls delegates them to pluggable crypto providers, which supply algorithms such as ECDSA, Ed25519, RSA, ChaCha20-Poly1305, AES-128-GCM and AES-256-GCM. By default Rustls uses the aws-lc-rs library, Amazon’s library built on BoringSSL code, Google’s fork of OpenSSL. The ring library, which contains assembly, C++ and Rust code, can also be used as the crypto provider.

It is worth noting that Nginx can be built directly against BoringSSL, so that library can be used without any additional compatibility layer. Beyond the aws-lc-rs and ring providers that ship with Rustls, third-party crypto providers are being developed, such as one based on mbedTLS.
