Pure Rust implementation? #33
Comments
|
Hi! Well, the choice of a cryptographic library it's not an easy subject. ACMEd uses cryptography in several places and I want only one cryptographic library for all those usages. The most important ones are:
And there is an additional difficulty: the TLS stack must also be used within a decent HTTP client library that does not come with too much dependencies. The cryptographic libraries I have looked for are :
As you can see, right now OpenSSL is the only choice. Botan is seriously considered to be its successor, but it still requires some work. By the way, the crate you quoted uses Ring in addition to an RSA library that has not been audited. Considering the very high complexity of correct RSA implementation, I worry much more about such a crate than I do about OpenSSL. Yes, I also yell in pain when I have to deal with the OpenSS-HELL API and I also have been marked by heartbleed. However, RSA being a real mine field, I would rather stick with a well known and audited library like OpenSSL, even though it's painful, rather than use the first one that looks cool. |
|
@breard-r thanks for the insightful comment! (Also, was interesting to read it and some of the articles.) Feel free to close the issue if deemed more proper |
Hi. Is it possible to provide a pure Rust-based generation of certificates (that avoids openssl)? There seem to be libraries/apps that generate certificates using Rust already: https://crates.io/crates/certainly
Avoiding openssl makes sense for users who are worried about openssl vulnerabilities and [unnecessary] complexity.
Using the pure-rust implementation could then be hidden under a feature flag if openssl is desired to be used by default.
The text was updated successfully, but these errors were encountered: