7ee98f663e
* RTG-3333 Support X25519MLKEM768 by default, but don't sent it as client X25519MLKEM768 is the standardised successor of the preliminary X25519Kyber768Draft00. Latest browsers have switched to X25519MLKEM768. Cloudflare supports both on the edge. We've had support for X25519MLKEM768 in this crate for a while, but didn't enable by default. We're now enabling serverside support by default. We also let clients advertise support when set to kx-client-pq-supported. We don't enable support by default yet for clients set to kx-client-pq-preferred, as that would cause an extra round-trip due to HelloRetryRequest if the server doesn't support X25519MLKEM768 yet. BoringSSL against which we build must support X25519MLKEM768, otherwise this will fail. * replace once_cell with LazyLock We can drop the once_cell dependency since the same functionality is implemented in std now. Requires bumping MSRV to 1.80. * fix manual_c_str_literals clippy warning * chore: Fix docs on SslRef::replace_ex_data * Detailed error codes * Clean up boring_sys::init() We don't need the workaround that was initially introduced for a bug in openssl, and OPENSSL_init_ssl always calls into CRYPTO_library_init on boringssl, so just call it explicitly. * Expose EVP_HPKE_KEY * Expose client/server-side ECH Resolves https://github.com/cloudflare/boring/issues/282 * Clean up ECH tests * Expose SSL_set_enable_ech_grease * Use corresponds macro * build: Fix the build for 32-bit Linux platform (#312) build: Fix the build for 32-bit Linux platform * Set CMAKE_BUILD_PARALLEL_LEVEL to available_parallelism cmake-rs' jobserver doesn't work reliably, if at all. One workaround is to set CMAKE_BUILD_PARALLEL_LEVEL to available_parallelism(). On my machine it shaves ~35 seconds off of boring-sys builds. * Expose SSL_CTX_set1_ech_keys from SslContextRef We currently expose this method on `SslContextBuilder`, which is fine for bootstrapping an `SSL_CTX`, but subsequent attempts to set ECH keys (like during key rotation) can only happen via `SslContextRef`. Also update the method on the builder to take an immutable reference to self because the API is thread safe. * Bump cmake-rs to improve Mac OS build parallelism There's a bug on OSX that prevents the CMake jobserver from working properly, and so CMake defaults to a single-threaded build. It's not clear when this is actually going to get fixed, so recent versions of cmake-rs just disable the jobserver and have CMake fall back to the number of available cores: https://github.com/rust-lang/cmake-rs/pull/229 This means we don't need |
||
|---|---|---|
| .github/workflows | ||
| boring | ||
| boring-sys | ||
| scripts | ||
| tokio-boring | ||
| .gitignore | ||
| .gitmodules | ||
| .rusty-hook.toml | ||
| Cargo.toml | ||
| README.md | ||
| RELEASE_NOTES | ||
| THIRD_PARTY | ||
| cliff.toml | ||
README.md
boring2
BoringSSL bindings are available for the Rust programming language, and the HTTP Client is built on top of it.
Non-goals
This package only implements the TLS extensions spec and supports the original boring with the following features:
- Safari and Firefox required TLS extensions
kDHEandffdhe2048/ffdhe3072implementations- Removal of
RPKsupport
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed under the terms of both the Apache License, Version 2.0 and the MIT license without any additional terms or conditions.
Accolades
The project is based on a fork of boring.