A Rainy Train Trip with Rustls and TryTLS
Wrote my first Rust program. It was for testing Rustls with TryTLS. Rustls did well. Had fun.
Update: There’s a sequel to this post. Spoilers: The tests themselves needed fixing, and now Rustls passes all of them.
During the past summer I got to work on a tool called TryTLS, a tool for testing how libraries use TLS. The idea is to use your language/library-combo of choice to write a tiny program, a stub, which TryTLS runs repeatedly against different settings for an overview how good or bad the stub’s TLS implementation is.
While all that was going on a new Rust-based TLS library, Rustls, entered the scene. Aiming to provide a good level of cryptographic security by default without unsafe features or obsolete cryptography, it looks like a great project. Special kudos for not offering any way to disable certificate verification!
I’ve been eagerly following the development of Rust (the programming language, not the game) for a couple of years or so. Along with the project’s goals I appreciate the general groove of the community and have yearned to actually implement something Any Day Soon Now™. Through Rustls a perfect opportunity revealed itself.
Now, one autumny Oulu-Helsinki train trip later, there’s a rudimentary Rustls stub available at the HowNetWorks/trytls-rustls-stub GitHub repository. Yes, I am very proud of my imaginative repo names. Running cargo build churns out a compiled (and unoptimized) binary, however in the instructions I went with cargo run --quiet just to minimize the needed steps. The whole TryTLS incantation then becomes trytls https cargo run --quiet and prints out the following results:
All in all looking good. There are 4 fails, but just because those tests offer certificates with no subjectAltNames, only with Common Names. Rustls depends on the webpki library for certificate validation and webpki very consciously doesn’t support such scenarios. In fact I think TryTLS probably, maybe, perhaps shouldn’t require passing those tests either. There’s now an issue about that.
I must say that getting the ball rolling on this little experiment was quite effortless: Install the Rust toolchain; Run cargo new --bin to initialize a new project; Bibbidi-bobbidi-boo, off you go. The linter-rust package for Atom also smoothed out the learning curve considerably. I’m kinda liking this.
The relevant software versions were Rust 1.11.0, Rustls 0.1.2, webpki 0.3.0 and TryTLS 0.3.5.
