►
Description
If crypto stuff you want to know
just listen to this guy called Joe
who knows Rustls
for securing access
so let's look at what he's gonna show
rustls is an open-source Transport Level Security (TLS) stack written in safe Rust. This talk reviews the current state of TLS support in the Rust ecosystem, and the design choices taken in rustls.
(Limerick by @llogiq)
https://paris.rustfest.eu/sessions/rustls-modern-faster-safer-tls
A
B
B
B
Yeah
so
TLS
first
of
all,
is
transport
layer,
security.
It's
not
a
thread:
local
storage,
if
you're
here
for
third
local
storage
talk
I'm,
sorry,
but
but
it's
also
known
as
SSL
and
an
in
common
usage
SSL
is
actually
more
more
common.
It's
like
the
s
in
HTTP.
It's
your
it's
your
padlock
in
your
browser,
which
is
very,
very
common.
It's
like
more
XP
s
now
is
more
common
than
HTTP,
which
is
awesome
very
good,
indeed,
very
happy
with
that.
B
So
we
can
talk
about
goals.
What
was
what's
the
point
of
this
thing
in
really
high
level
terms,
not
very
low
level
technical
detail,
a
bit
about
history
and
then
a
bit
about
kind
of
the
security
history,
because
it
has
a
long
and
kind
of
checkered
history
when
it
comes
to
actually
achieving
those
goals.
B
B
B
Alex
wants
to
know
that
she's
actually
talking
to
Bob
and
not
Mallory
in
the
center,
who
suspiciously
looks
like
a
lot
like
Eve.
In
that
case,
maybe
she's
the
same
person
Els,
also
as
a
kind
of
secondary,
but
not
commonly
used
option
allows
Bob
to
authenticate
Alice
as
well,
not
not
very
common
news
but
used
in
enterprise
settings,
but
not
only,
and
the
last
one
which
is
kind
related
to
authenticity
is
like
integrity,
so
not
just
integrity
in
terms
of
bits
and
bytes
going
over
the
wire
but
integrity
of
the
whole
communication.
B
B
There's
also
a
kind
of
belated
thing
which
doesn't
really
work
in
practice,
which
is
like
truncation
resistance,
which
is
kind
of
like
similar
to
the
reef,
a
problem,
but
at
the
end
of
the
communication,
and
the
reason
that
doesn't
work
is
because
in
general
people
are
people
aren't
willing
to
treat
TCP
closures
of
the
TLS
channel
as
a
security
problem.
It's
just
like
earth.
The
connection
went
away,
I,
don't
know
whether
that
you
know
because
it's
the
internet
or
because
there's
someone
trying
to
attack
me
so
watch
out
for
that.
B
B
B
Ssl
also
quite
bad
as
self
three
was
the
first
one
which
was
actually
designed
by
like
cryptographer,
and
that
worked
really
well,
but
they
they
only
gave
the
chap
two
weeks
to
do
it
so
yeah
and
then
it
kind
of
changed
name.
But
you
shouldn't
think
that
s
self
three
until
s1
are
really
that
different
they're
really
really
close
protocol
wise,
and
that
was
because
it
transfers
from
Netscape
to
wait.
Yes,
but
yeah.
You
can
really
think
of
SSL
three
TLS
1.2
as
being
really
the
same
family
of
protocol.
B
B
Disagreement
in
the
TLS
working
group
about
whether
tearless
1.3
was
the
right
name
for
it,
whether
it
should
be
to
you
later
2.0,
1.3
kind
of
one
out,
because
it
had
already
been
used
and
talked
about,
and
there
was
lots
of
security
papers
like
security
result
saying.
Yes,
we
prove
this
is
you're
talking
about
here,
that's
1.3!
They
want
to
avoid
that.
B
This
is
how
its
deployed,
so
the
important
thing
to
know
is
like
well,
these
percentages
don't
add
up
and
the
reason
they
don't
add
up
is
because
a
given
server
can
support
more
mana
at
a
time.
So
really
you
should
interpret.
This
is
like
if
I
go
to
any
of
these
servers
in
this
data,
set
the
probability
of
them
supporting
TLS
1.2
for
a
given
random
server.
There
is
like
90
of
them,
and
the
direction
is
nice.
B
1.2
has
some
good
options,
but
also
inherits
most
of
the
stuff
from
before,
so
you
have
to
kind
of
pay
attention
to
it
that
your
parameter
choices
until
this
one
point
TLS
1.3
is
very
new.
It's
not
even
standardized.
It
will
be
in
like
a
matter
of
weeks,
but
it
throws
away
all
the
old
stuff
which
is
nice,
so
I
want
to
spend
a
little
bit
of
time
on
this
slide
and
talking
about
these
countermeasures.
B
So
these
are
all
implementation
strategies
for
dealing
with
kind
of
design
faults
really
but
came
in
around
1996
and
haven't
been
removed,
as
I
said
until
like
today,
and
people
will
go
well.
Why
don't
you
just
implement
the
countermeasures?
It'll
be
fine.
There's
some
problems
with
that.
One.
Is
that
the
aims
of
the
countermeasures
and
how
to
do
them
isn't
documented
anywhere.
B
For
example,
the
ITF
doesn't
publish
or
hasn't
published
any
implementation
guidance
saying
this
is
what
we're
trying
to
do,
and
this
is
how
you
might
do
it
and,
as
a
result,
they're
quite
under
tested
and
difficult
to
unconvincing
they're,
also
sometimes
quite
uncommon.
For
example,
them
go
Lang's,
TLS
library,
which
is
really
really
good,
started
off
its
life.
B
Without
any
of
these
countermeasures,
and
even
now
has
fewer
countermeasures
in
the
same
like
countermeasures
for
the
same
bug,
then
I've
necessarly,
so
you're
kind
of
reduced
to
thinking
like
just
worrying
about
this,
like
do
I
need
all
these
things.
Do
I,
not
the
other
thing
which
is
slightly
more
serious,
is
in
2013,
Agnes
Cell
implemented
one
of
these
countermeasures
and
it
had
a
bug
in
here
and
that
bug
stayed
there
until
2016
and
the
bug
was
worse
than
the
bug
that
they
were
writing
the
countermeasure.
B
So
there's
also
this
like
modern
TLS
terminology,
I
use
in
the
title
of
this.
This
talk
and
I'm
not
just
making
stuff
up.
It's
like
I'm,
quite
commonly
talked
about
I.
Think
Zillow
really
bought
in
this
is
from
their
wiki
page
about
configuring
servers
to
have
good
TLS
cloud
fare.
Has
it
has
it
as
an
option?
B
This
is
like
the
diagrams
I'm
going
to
use.
Orange
boxes
are
crate
gray
box.
Isn't
not
a
crate
is
like
another
library.
White
arrow
is
a
useful,
rust,
API
and
yeah.
So
we've
got
open
cell
s,
challenge
guilty
framework
and
SS
bindings
I'm
missing
out
of
these.
This
crazier,
because
they're
kind
of
just
consider
them
they're
part
of
that
line.
Right
and
then
we've
got
some
implementations.
There's
my
one
there's
another
one,
which
is
a
B
TLS,
which
is
very
interesting.
B
It's
not
on
waste.
It
is
written
mostly
in
rust,
and
then
we've
got
some
abstractions
like
so
native
TLS
is
really
really
common.
Very
widely
used,
probably
the
most
widely
used
way
of
doing
TLS
in
rust,
right
now
and
yeah.
So
it's
basically,
we
have
these
these
bindings.
Let's
choose
one
based
on:
what's
the
most
convenient
for
the
platform
I'm
running
on,
and
that
really
works
very
well
and
it's
whoops,
it's
very
low
friction.
So
if
that's
what
you
want,
this
is
a
good
choice.
B
There's
also
this
moment.
I
really
do
like
so
there's
TLS
API,
which
is
just
like
a
collection
of
traits
and
then
these
intermediate
ones,
TLS
API,
open-cell,
etc,
which
provide
implementations
of
those
crates.
So
if
you're
writing
a
library
and
you're
not
quite
sure
what
TLS
library,
you're
kind
of
application
level
consumer
wants
to
to
use,
you
can
just
and
make
your
library
generic
on
those
traits
and
then
your
application
at
the
top
just
passes
in
one
of
these
choices
and
that
that
works
really
well.
B
It
did
come
after
native
TLS,
though,
and
if
you
kind
of
in
your
mind,
pick
out
a
native
CLS,
it's
kind
of
doing
the
same
job
twice.
One
is
providing
a
generic
abstraction
over
TLS
and
then
native
TLS
is
doing
the
same
thing,
but
a
different
level,
and
so
that
would
be
good
to
fix.
Although
I'm
not
sure
it's
really
worth
fixing
at
this
point,
because
there's
a
lot
of
users.
B
So
this
project
is
an
implementation
of
of
1.2
and
1.3
and
when
I
say
1.2,
just
the
good
bits
right
and
in
general,
just
the
good
bits.
Not
it's
not
comprehensive,
like
I've
necessaries,
so
I've
got
quite
a
background
in
kind
of
security,
oriented
software
development
and
I've
written
a
couple
of
TLS
libraries,
proprietary
ones
in
the
past,
so
I've
been
studying
this.
This
kind
of
area
for
well
really
most
of
my
career.
So
yeah,
that's
that's!
This
is
like
the
whole
the
aims
of
project
this
kind
of
came
after
I
started
started.
B
Writing
it.
So
it's
a
bit
post
hoc,
but
the
reading
of
the
point
is
only
good
stuff.
Try
and
talk
to
about
95%
of
other
things,
as
you
can
see
from
the
earlier
things
almost
there
not
quite
and
I'm
kind
of
like
aiming
where
things
are
going
rather
than
where
they
are
no
unsafe
for
us.
So
there's
no
unsafe
blocks
in
in
this
grade.
It
does
depend
on
others,
which
obviously
have
unsafe,
behavior.
B
Well,
no
unsafe
behavior
but
unsafe
blocks,
let's
say
and
trying
to
present
a
really
simple
API,
which
kind
of
just
looks
like
a
pipe
right.
So
you
you
put
your
bytes
in
here.
Maybe
it's
a
HTTP
request.
You
get
TLS
out
and
likewise
from
the
other
end,
you
put
to
your
lesson
and
you
get
your
how
to
be
response
back
so
yeah
and
it's
it's
almost
two
years
old
now
like
tomorrow.
It
will
be
like
properly
two
years
old,
because
the
first
mate
doesn't
really
care.
B
I'm
not
gonna
in
the
coffee
break.
I
will
happily
tell
you
a
anecdote
about
my
interaction
with
reporting,
a
moderate
level,
security,
vulnerability
to
open
SSL
and
the
testing
that
happened
around
that,
but
not
here.
So
we've
got
quite
a
lot
of
tests
and
97%
line
coverage
and
that's
of
like
68,
sorry
68
hundred
lines
of
of
off
code
in
comparison,
open,
SSL's.
B
There
there's
there's
blog
posts
which
are
kind
of
expand
on
this
section.
So
if
you
really
want
to
look
at
the
details
where
we
produce
the
results,
then
go
there,
but
just
to
say
that
that
a
TLS
connection
kind
of
starts
with
a
handshake
which
involves
lots
of
public
key
crypto,
which
is
quite
expensive,
and
then
it
goes
into
a
data
transfer
stage
where
there's
no
public
key
crypto.
B
B
B
B
B
What
precisely
is
doing
so.
Take
that
with
a
little
bit
pinch
of
salt
and
the
full
handshake
performance
is
a
little
bit
work.
Well,
quite
a
lot
worse
for
Russells,
but
there
are
coming
improvements
in
ring,
so
it
should
make
it
roughly
the
same
like
1.7,
1.6,
slower
and
then
once
we're
there.
We
can
we're
going
to
have
a
look,
I
think
making
that
equal,
and
you
may
think,
oh
1600.
B
So
now,
I
wanna
talk
to
talk
about
a
fairly
famous
infamous
security
failure
in
Apple's,
homegrown,
pls
library
called
to
your
transport,
and
you
might
have
noticed
earlier.
There
was
some
bindings
to
this.
It
is
today
and
quite
well-regarded-
so
don't
worry
but
the
interesting
thing
about
this.
Is
they
it's
kind
of
open
source,
but
they
don't
develop
it
in
the
open,
so
they
just
drop
source
for
every
release
and
someone
noticed
or
maybe
through
testing
I,
don't
know
that
between
two
releases,
this
line
just
appeared.
B
There
were
other
changes
in
the
file
between
this
this
release
and
that
one
so
I
think
the
current
thinking
is
it's
like
a
merge
hazard.
That's
happened
where
someone's
screwed
up
emerge
and
duplicate
this
line.
Unfortunately,
that
go-to
is
executed
unconditionally
right,
because
this
isn't-
and
so
it
skips
over
this
SSL
raw
verify
and
you
may
think
OS
or
verify.
Is
that
important?
Yes,
it
is
that's
the
authenticity
thing
that
we
were
talking
about
earlier,
so
for
quite
a
while
it
just
that
whole
like
we
had
no
authenticity
checks
whatsoever,
really,
which
is
a
shame.
B
So
IIIi
thought
about
you
know:
let's
take
that
as
a
problem
like
the
problem
is
I
I
use,
BIM
and
it's
chaos,
and
maybe
I'll
make
an
error
like
this
one
day
and
well.
First
of
all,
I'd
like
you
not
to
compile
really
we're
failing
that.
Can
I
make
it.
You
know
what
can
I
do?
What
can
we
do
right
and
I
came
up
with
the
the
conclusion
that
really
the
problem
in
this
code
is.
B
Ignore
the
fact
that,
obviously,
there's
there's
a
lack
of
testing
here,
the
problem
in
this
code
is
that
there's
nothing
positive
coming
out
of
this.
This
function,
it's
just
like
the
the
return
value
from
this
function
is
zero.
If
there's
no
error
or
an
error
code
in
practice,
all
error
codes
are
treated
the
same
they're
like
you're
being
attached,
so
returning
zero
is
not
actually
very
helpful
when
there's
all
these
possible
possibilities
of
returning
zero.
B
Let's
take
it
from
up
here
where
the
verification
happens
and
we've
that
type
into
the
whole
rest
of
the
session.
So
you
can't
get
down
here
in
the
important
bit
of
the
session
without
having
been
up
here
and
made
this
type.
Having
done
this
verification
and
that's
cool
right
isn't
awesome.
So
this
is
what
this
is.
What
it
looks
like.
So
this
is
a
particular
verification.
It's
not
exactly
the
same.
B
B
Incrementally
that's
really
interesting,
like
incremental
approach
to
like
you
could
either
be
right,
the
world
or
you
could
start
being
right
in
the
welding
little
bit
and
I.
Think
that's
really
cool,
so
I'm
very
have
to
do
that.
I
had
no
idea
that
was
happening,
and
it's
just
like.
Oh
I,
think
amazing.
B
B
So
you
know,
if
you're
not
covering
the
lines,
then
you
definitely
don't
have
good
tests,
but
verification
is
a
whole
lot
stronger.
It's
like
we
have
this
abstract
description
of
what
the
protocol
should
be.
Does
that
match
the
concrete
description
in
the
code
of
what
we're
doing?
If
they
do,
then
that's
excellent?
If
they
don't,
if
they
differ,
that's
probably
a
bug,
and
it
means
that
Russells
is
implementing
a
protocol
which
isn't,
strictly
speaking
TLS.
B
This
has
been
done
so
I'm
planning
to
reuse
some
of
the
work
from
estuary,
which
is
Amazon's
in-house
proprietary,
right,
trees,
open-source
TLS
library,
but
yeah
they've
done
this
verification
on
their
implementation,
and
it's
it's
quite
simple,
but
it's
a
start.
It's
like
what
that
is
is
going.
Then
it
should
be
possible
to
write.
You
know
automated
verifications
for
things
like
replace,
replace
the
code
review
step
in
the
previous
slide.
Just
make
sure
that
this
function
produces
this
type
and
then
let
the
compiler
deal
with
all
the
the
rest
of
it.
C
D
B
One
of
the
the
scope
of
Russell's
is
kind
of
like
the
protocol,
and
that
does
have
some
steps
which
needs
to
be
done
in
constant
time.
But
really
the
most
important
bits
which
need
to
be
done
in
constant
time
are
done
in
the
crypto
library
in
ring.
I,
definitely
trust
the
Brian
Smith
to
go
right
and
and
some
extent
the
to
a
great
extent
the
boring
Excel
people
as
well,
which
is
like
the
ultimate
source
of
quite
a
lot
of
the
code
in
ring.
B
B
B
B
It's
like
the
golang
TLS
library,
but
really
evil,
so
it
it
like,
connects
you
and
then
sends
the
wrong
message
and
then
connects
to
you
and
then
sends
a
different
wrong
message
in
a
very
targeted
way,
so
that
that
was
really
really
awesome
in
order
to
actually
test
the
library,
without
that,
I
probably
would
have
had
to
write
something
equivalent
myself
and
that's
just
no
fun
at
all
so
and
that
that's
that's.
That
gives
me
like
a
lot
more
happiness
about
the
state
of
it
because
it's
being
tested
like.
B
Work,
obviously,
with
the
open,
SSL
API
is
an
interesting
API
and
it's
probably
not
if
you
would,
if
you
were
looking
for
like
a
safety
oriented,
C,
API,
50
LS,
it's
probably
not
what
you'd
write
there
are
better
C
api's
like
the
one
and
that
Lieber
SSL
came
up
with
called
Lib
TLS.
That's
probably
what
most
people
would
come
up
with
if
they
were
writing
a
TLS
API
to
see,
but
no
yeah
I'm,
not
aware
of
any
any
projects
like
that.