History

Alessandro Ghedini 4cb7e260a8 Clean-up legacy FIPS options Per BoringSSL's FIPS policy, its `main` branch is the "update branch" for FedRAMP compliance's purposes. This means that we can stop using a specific BoringSSL branch when enabling FIPS, as well as a number of hacks that allowed us to build more recent BoringSSL versions with an older pre-compiled FIPS modules. This also required slightly updating the main BoringSSL submodule, as the previous version had an issue when building with the FIPS option enabled. This is turn required some changes to the PQ patch as well as some APIs that don't seem to be exposed publicly, as well as changing some paths in the other patches. In order to allow a smooth upgrade of internal projects, the `fips-compat` feature is reduced in scope and renamed to `legacy-compat-deprecated` so that we can incrementally upgrade internal BoringSSL forks. In practice this shouldn't really be something anyone else would need, since in order to work it requires a specific mix of BoringSSL version and backported patches.		2025-09-26 17:12:23 +01:00
..
examples	Update documentation for tokio-boring	2021-07-29 11:28:43 -04:00
src	Style nits	2025-09-26 13:33:19 +01:00
tests	Fix clippy lints	2024-03-24 10:52:05 -07:00
CHANGELOG.md	Add/update changelogs	2021-12-16 13:52:38 -06:00
Cargo.toml	Clean-up legacy FIPS options	2025-09-26 17:12:23 +01:00
LICENSE-APACHE	Add tokio-boring	2020-11-11 19:26:22 +00:00
LICENSE-MIT	Add hyper-boring	2020-11-11 20:29:54 +00:00
README.md	Update documentation for tokio-boring	2021-07-29 11:28:43 -04:00

README.md

tokio-boring

An implementation of SSL streams for Tokio built on top of the BoringSSL.

Documentation

Usage

First, add this to your Cargo.toml:

[dependencies]
tokio-boring = "1.0.0"

Then, use either accept or connect as appropriate.

use boring::ssl;
use tokio::net::TcpListener;

#[tokio::main]
async fn main() -> anyhow::Result<()> {
    let listener = TcpListener::bind("127.0.0.1:8080").await?;
    let (tcp_stream, _addr) = listener.accept().await?;

    let server = ssl::SslMethod::tls_server();
    let mut ssl_builder = boring::ssl::SslAcceptor::mozilla_modern(server)?;
    ssl_builder.set_default_verify_paths()?;
    ssl_builder.set_verify(ssl::SslVerifyMode::PEER);
    let acceptor = ssl_builder.build();
    let _ssl_stream = tokio_boring::accept(&acceptor, tcp_stream).await?;
    Ok(())
}

This library is an implementation of TLS streams using BoringSSL for negotiating the connection. Each TLS stream implements the Read and Write traits to interact and interoperate with the rest of the futures I/O ecosystem. Client connections initiated from this crate verify hostnames automatically and by default.

tokio-boring exports this ability through [accept] and [connect]. accept should be used by servers, and connect by clients. These augment the functionality provided by the [boring] crate, on which this crate is built. Configuration of TLS parameters is still primarily done through the [boring] crate.

License

This project is licensed under either of

Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in Serde by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Accolades

The project is based on a fork of tokio-openssl.