Any reasons to prefer native-tls over rustls?

Assuming all the features and libraries I need (tokio bridge etc.) are available for both, are there any reasons to prefer native-tls over rustls?

Main advantage of rustls is that I don't need to install headers or runtime libraries, and it's easier to make a statically linked executable.

Only advantage of native-tls over rustls that I'm aware of is slightly smaller binaries (probably because the TLS code is dynamically linked).

Context: we recently added rustls support in a project of mine, and I'm considering making it the default as the project is easier to build with rustls (no need for libssl headers or dynamic libraries).

Thanks.

1 Like

The biggest benefit of using the system TLS library is that it will get updated through your OS/distribution. You are not forced to rebuild and redistribute your application in case a vulnerability is detected,.

4 Likes

rustls supports a modern subset of TLS ciphers and protocols. For example, it only implements AES-GCM and ChaCha20-Poly1305 ciphers and ECDHE key exchange. If you're talking to systems that you control or more generally know to be relatively modern that's fine (and probably preferrable!), but if you're not, there's a good chunk of the internet rustls won't connect to.

6 Likes

To add to the info already provided, rustls is also still awaiting security audits. This may or may not be a dealbreaker, depending on your specific regulation compliance needs.

3 Likes

I suspect the benefit my be OS integration, especially on macOS and Windows, which have their own implementations, rather than just being a different flavor of OpenSSL.

I couldn't find where does rusttls get trusted CAs from, but native-tls would certainly use OS's own certificate store.

6 Likes

The application author provides the root certs: https://docs.rs/rustls/0.16.0/rustls/#rustls-takes-care-of-server-certificate-verification

Next we load some root certificates. These are used to authenticate the server. The recommended way is to depend on the webpki_roots crate which contains the Mozilla set of root certificates.

2 Likes

It supports both. I discuss the tradeoffs in this decision here: https://github.com/ctz/rustls-native-certs#should-i-use-this-or-webpki-roots

3 Likes

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.