A BoringSSL-based rustls crypto provider.
Built on boring v5 and rustls 0.23.
Version 5 was the first release of this crate, version-matched to boring v5.
Going forward, major versions track rustls breaking changes rather than
boring versions:
| boring-rustls-provider | rustls | boring / boring-sys | Branch |
|---|---|---|---|
| v5 | 0.23 | v5 | v5 |
| v6 | 0.24 | v5 | main |
All versions continue to depend on boring v5 / boring-sys v5 unless those
crates themselves introduce a breaking change.
- `main` always tracks the latest (or next) major version.
- When work on a new major version begins, a maintenance branch (e.g., `v5`) is created from `main` for the prior release series.
- Bugfixes for older versions go to their maintenance branch and are released as patch versions.
No features are enabled by default. The provider ships with TLS 1.3 support out of the box; additional capabilities are opt-in.
| Feature | Description |
|---|---|
| `fips` | Build against FIPS-validated BoringSSL and restrict the provider to FIPS-approved algorithms only (SP 800-52r2). Implies `mlkem`. See FIPS mode below. |
| `fips-precompiled` | Deprecated alias for `fips`. Matches the boring crate's feature name. |
| `mlkem` | Enable the X25519MLKEM768 post-quantum hybrid key exchange group (draft-ietf-tls-ecdhe-mlkem-00). Uses ML-KEM-768 (FIPS 203) combined with X25519. See Post-quantum key exchange. |
| `tls12` | Enable TLS 1.2 cipher suites (ECDHE-ECDSA and ECDHE-RSA with AES-GCM and ChaCha20-Poly1305). Without this only TLS 1.3 is available. |
| `logging` | Enable debug logging of BoringSSL errors and provider internals via the `log` crate. |
TLS 1.3 (always available):
- AES_128_GCM_SHA256
- AES_256_GCM_SHA384
- CHACHA20_POLY1305_SHA256

TLS 1.2 (requires the `tls12` feature):
- ECDHE_ECDSA_AES128_GCM_SHA256
- ECDHE_RSA_AES128_GCM_SHA256
- ECDHE_ECDSA_AES256_GCM_SHA384
- ECDHE_RSA_AES256_GCM_SHA384
- ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Matches boring's default supported group list:
- X25519MLKEM768 (0x11ec, requires the `mlkem` feature, TLS 1.3 only)
- X25519
- secp256r1 (P-256)
- secp384r1 (P-384)
When mlkem is enabled, X25519MLKEM768 is the preferred (first) group in both
FIPS and non-FIPS configurations.
Signature schemes:
- RSA_PKCS1_SHA256
- RSA_PKCS1_SHA384
- RSA_PKCS1_SHA512
- RSA_PSS_SHA256
- RSA_PSS_SHA384
- RSA_PSS_SHA512
- ECDSA_NISTP256_SHA256
- ECDSA_NISTP384_SHA384
- ECDSA_NISTP521_SHA512
- ED25519
- ED448
The `mlkem` feature enables the X25519MLKEM768 hybrid key exchange group
per draft-ietf-tls-ecdhe-mlkem-00. It combines classical X25519
Diffie-Hellman with ML-KEM-768 (FIPS 203) post-quantum key encapsulation.
Because both component secrets feed the key schedule, the connection stays
secure as long as at least one component remains unbroken: a break of
X25519 by a future quantum adversary, or an unexpected flaw in ML-KEM, does
not on its own expose the session.
The `fips` feature implies `mlkem`, so X25519MLKEM768 is always available
in FIPS mode.
Wire format (ML-KEM component first in all encodings):
- Client key share: `mlkem_pk(1184) || x25519_pk(32)` = 1216 bytes
- Server key share: `mlkem_ct(1088) || x25519_pk(32)` = 1120 bytes
- Shared secret: `mlkem_ss(32) || x25519_ss(32)` = 64 bytes
Interoperability has been verified against Cloudflare's PQ endpoints
(pq.cloudflareresearch.com).
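The layout above is easy to get subtly wrong (component order, or tolerating an off-by-one length). The following is an added, self-contained example written for this README, not code from the boring-rustls-provider crate or from boring: it encodes and splits the X25519MLKEM768 client and server key shares and assembles the 64-byte shared secret, rejecting any field of the wrong length. The constant and function names are this example's own, and the key bytes in `main()` are constructed placeholders rather than real ML-KEM or X25519 output.

```rust
// Added example, not code from the boring-rustls-provider crate: the
// X25519MLKEM768 key_share and shared-secret layouts from
// draft-ietf-tls-ecdhe-mlkem, with strict length checks. No real key
// generation happens here; the bytes in main() are constructed placeholders.

/// ML-KEM-768 (FIPS 203) encapsulation key length.
pub const MLKEM768_PK_LEN: usize = 1184;
/// ML-KEM-768 ciphertext length.
pub const MLKEM768_CT_LEN: usize = 1088;
/// ML-KEM shared-secret length.
pub const MLKEM_SS_LEN: usize = 32;
/// X25519 public key and shared-secret length.
pub const X25519_LEN: usize = 32;

/// Client key_share: mlkem_pk || x25519_pk.
pub const CLIENT_SHARE_LEN: usize = MLKEM768_PK_LEN + X25519_LEN; // 1216
/// Server key_share: mlkem_ct || x25519_pk.
pub const SERVER_SHARE_LEN: usize = MLKEM768_CT_LEN + X25519_LEN; // 1120
/// Combined (EC)DHE input to the TLS 1.3 key schedule: mlkem_ss || x25519_ss.
pub const SHARED_SECRET_LEN: usize = MLKEM_SS_LEN + X25519_LEN; // 64

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum KeyShareError {
    /// A field had the wrong length. A malformed hybrid key_share must be
    /// rejected outright (illegal_parameter); never pad, truncate, or fall
    /// back to a single component.
    BadLength { field: &'static str, expected: usize, got: usize },
}

fn check_len(field: &'static str, buf: &[u8], expected: usize) -> Result<(), KeyShareError> {
    if buf.len() == expected {
        Ok(())
    } else {
        Err(KeyShareError::BadLength { field, expected, got: buf.len() })
    }
}

/// Encode the ClientHello key_share: ML-KEM encapsulation key first, then X25519.
pub fn encode_client_share(mlkem_pk: &[u8], x25519_pk: &[u8]) -> Result<Vec<u8>, KeyShareError> {
    check_len("mlkem_pk", mlkem_pk, MLKEM768_PK_LEN)?;
    check_len("x25519_pk", x25519_pk, X25519_LEN)?;
    Ok([mlkem_pk, x25519_pk].concat())
}

/// Split a received ClientHello key_share into (mlkem_pk, x25519_pk).
pub fn split_client_share(share: &[u8]) -> Result<(&[u8], &[u8]), KeyShareError> {
    check_len("client key_share", share, CLIENT_SHARE_LEN)?;
    Ok(share.split_at(MLKEM768_PK_LEN))
}

/// Encode the ServerHello key_share: ML-KEM ciphertext first, then the server's X25519 key.
pub fn encode_server_share(mlkem_ct: &[u8], x25519_pk: &[u8]) -> Result<Vec<u8>, KeyShareError> {
    check_len("mlkem_ct", mlkem_ct, MLKEM768_CT_LEN)?;
    check_len("x25519_pk", x25519_pk, X25519_LEN)?;
    Ok([mlkem_ct, x25519_pk].concat())
}

/// Split a received ServerHello key_share into (mlkem_ct, x25519_pk).
pub fn split_server_share(share: &[u8]) -> Result<(&[u8], &[u8]), KeyShareError> {
    check_len("server key_share", share, SERVER_SHARE_LEN)?;
    Ok(share.split_at(MLKEM768_CT_LEN))
}

/// Combine the two component secrets. Order matters: ML-KEM first, which is
/// the reverse of the older X25519Kyber768Draft00 layout; a peer that swaps
/// them derives different traffic keys and fails the Finished check.
pub fn combine_shared_secret(mlkem_ss: &[u8], x25519_ss: &[u8]) -> Result<[u8; SHARED_SECRET_LEN], KeyShareError> {
    check_len("mlkem_ss", mlkem_ss, MLKEM_SS_LEN)?;
    check_len("x25519_ss", x25519_ss, X25519_LEN)?;
    let mut out = [0u8; SHARED_SECRET_LEN];
    out[..MLKEM_SS_LEN].copy_from_slice(mlkem_ss);
    out[MLKEM_SS_LEN..].copy_from_slice(x25519_ss);
    Ok(out)
}

fn main() {
    // Constructed placeholder bytes standing in for real ML-KEM and X25519 outputs.
    let client = encode_client_share(&[0x11; MLKEM768_PK_LEN], &[0x22; X25519_LEN]).unwrap();
    let (pk, xpk) = split_client_share(&client).unwrap();
    println!("client share {} bytes: mlkem_pk {} + x25519_pk {}", client.len(), pk.len(), xpk.len());

    let server = encode_server_share(&[0x33; MLKEM768_CT_LEN], &[0x44; X25519_LEN]).unwrap();
    let (ct, spk) = split_server_share(&server).unwrap();
    println!("server share {} bytes: mlkem_ct {} + x25519_pk {}", server.len(), ct.len(), spk.len());

    let ss = combine_shared_secret(&[0x55; MLKEM_SS_LEN], &[0x66; X25519_LEN]).unwrap();
    println!("shared secret {} bytes", ss.len());

    // A share one byte short is a protocol error, not something to tolerate.
    println!("{:?}", split_server_share(&server[..server.len() - 1]));
}
```

A real provider would hand `mlkem_pk` to ML-KEM encapsulation and `x25519_pk` to an X25519 scalar multiplication, then pass the 64-byte output of `combine_shared_secret` to the TLS 1.3 key schedule; the point of the example is only the byte layout and that every length check is exact.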
When the `fips` feature is enabled, the provider builds against a FIPS-validated
version of BoringSSL and restricts all algorithm selections to those approved
under SP 800-52r2, aligned with
boring's fips202205 compliance policy:
- Cipher suites: AES-GCM only (no ChaCha20-Poly1305).
- Key exchange groups: X25519MLKEM768 (preferred), P-256, and P-384 only (no standalone X25519).
- Signature algorithms: RSA PKCS#1 / PSS and ECDSA with P-256 or P-384 only (no P-521, Ed25519, or Ed448).
MIT