A wrapper over a platform's native TLS implementation

Rust 100%

Find a file

Repository files (latest commit first)
Filename	Latest commit message	Latest commit date
Reynard User a113ee42fb Some checks failed CI / test-macos-latest (push) Has been cancelled Details CI / test-ubuntu-latest (push) Has been cancelled Details CI / test-windows-latest (push) Has been cancelled Details CI / check-only (push) Has been cancelled Details CI / package-test (push) Has been cancelled Details CI / android-test (push) Has been cancelled Details Update dependencies to use git.sly.so repositories instead of local paths		2026-05-12 17:42:00 +02:00
.github	Cache Android builds	2026-02-18 18:37:09 +00:00
examples	Clippy	2026-02-12 20:43:57 +00:00
src	fix clippy errors	2026-02-18 18:37:09 +00:00
.gitignore	Upgrade to security-framework 0.2	2018-03-24 16:34:48 +00:00
build.rs	TLS 1.3 min/max fallback for old OpenSSL versions	2026-02-18 17:44:15 +00:00
Cargo.toml	Update dependencies to use git.sly.so repositories instead of local paths	2026-05-12 17:42:00 +02:00
CHANGELOG.md	TLS 1.3 min/max fallback for old OpenSSL versions	2026-02-18 17:44:15 +00:00
LICENSE-APACHE	Add license, readme, etc	2016-08-13 23:14:40 -07:00
LICENSE-MIT	Add license, readme, etc	2016-08-13 23:14:40 -07:00
README.md	Crate metadata	2026-02-15 18:07:40 +00:00

README.md

native-tls crate

Documentation

An abstraction over platform-specific TLS implementations.

Specifically, this crate uses SChannel on Windows (via the schannel crate), Secure Transport on macOS (via the security-framework crate), and OpenSSL (via the openssl crate) on all other platforms.

Using platform-native TLS library can reduce binary sizes, compilation times, and improve compatibility with system-wide proxies and CA certificate stores.

Installation

cargo add native-tls or

# Cargo.toml
[dependencies]
native-tls = "0.2"

Usage

An example client looks like:

use native_tls::TlsConnector;
use std::io::{Read, Write};
use std::net::TcpStream;

fn main() {
    let connector = TlsConnector::new().unwrap();

    let stream = TcpStream::connect("google.com:443").unwrap();
    let mut stream = connector.connect("google.com", stream).unwrap();

    stream.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap();
    let mut res = vec![];
    stream.read_to_end(&mut res).unwrap();
    println!("{}", String::from_utf8_lossy(&res));
}

To accept connections as a server from remote clients:

use native_tls::{Identity, TlsAcceptor, TlsStream};
use std::fs::File;
use std::io::{Read};
use std::net::{TcpListener, TcpStream};
use std::sync::Arc;
use std::thread;

fn main() {
    let mut file = File::open("identity.pfx").unwrap();
    let mut identity = vec![];
    file.read_to_end(&mut identity).unwrap();
    let identity = Identity::from_pkcs12(&identity, "hunter2").unwrap();

    let acceptor = TlsAcceptor::new(identity).unwrap();
    let acceptor = Arc::new(acceptor);

    let listener = TcpListener::bind("0.0.0.0:8443").unwrap();

    fn handle_client(stream: TlsStream<TcpStream>) {
        // ...
    }

    for stream in listener.incoming() {
        match stream {
            Ok(stream) => {
                let acceptor = acceptor.clone();
                thread::spawn(move || {
                    let stream = acceptor.accept(stream).unwrap();
                    handle_client(stream);
                });
            }
            Err(e) => { /* connection failed */ }
        }
    }
}

Supported features

This crate supports the following features out of the box:

TLS/SSL client communication
TLS/SSL server communication
PKCS#12 encoded identities
X.509/PKCS#8 encoded identities
Secure-by-default for client and server
- Includes hostname verification for clients
Supports asynchronous I/O for both the server and the client

License

native-tls is primarily distributed under the terms of both the MIT license and the Apache License (Version 2.0), with portions covered by various BSD-like licenses.

See LICENSE-APACHE, and LICENSE-MIT for details.