Nostr Web Client

I've been working on alt-tls. I have a lot of commits that haven't been pushed, which will push once I finish and test all the algorithms.

Why? I want these things:

1) I want a pure-rust solution because that will compile everywhere that rust compiles without system library version issues, people filing bugs related to linking shit that I don't care about. A pure rust solution will be a bit slower but that is OK by me.

2) I want QUIC support

3) I want to hack the CertificateVerifier to simply verify that the public key is exactly as the library consumer expects it to be, rather than trusting CAs and DN namespaces.

4) I wanted a blake3 variant cipher suite (because IMHO blake3 is just better).

A while back I created alt-tls and did (3) cert verifier and (4) blake3 cipher suite. It also satisifed (1) pure rust.

But it didn't have (2) quic support.

Surveying all the providers I could find yielded this:

Provider Quic Support

rustls internal: ring Ring Yes

rustls internal: aws_lc AWS LC Yes

boring-rustls-provider Boring Yes

rustls-graviola Graviola No

rustls-openssl OpenSSL Yes

rustls-rustcrypto Rust Crypto No (barely started and stalled)

rustls-mbedtls-provider mbedtls No

rustls-symcrypt Microsoft SymCrypt No

rustls-wolfcrypt-provider wolfcrypt No

I currently have full quic support working and tested against RFC 9001 appendix test vectors for :

TLS13_CHACHA20_POLY1305_BLAKE3 (non-standard)

TLS13_CHACHA20_POLY1305_SHA256

What is left to complete is:

TLS13_AES_128_GCM_SHA256

TLS13_AES_256_GCM_SHA384

It is the smaller keysize of AES 128 that requires the next refactor.

Reply to this note

Please Login to reply.

Discussion

sister_sam 6mo ago

I thought people did Rust, which has some challenges, principally for speed and for low level security. I had no idea that it was used for stable build environment. I am surprised. But if a stable build is wanted what is wrong with, I don't know, Java or maybe python.

Mike Dilger ☑️ 6mo ago

I program almost exclusively in rust. I like the low-level access, the low-level performance, and the security. Things that compile very often just work the first time. But I've also come to appreciate that things that compile on my machine compile on everybody else's machine too.

However, I dread linking to system libraries and fighting the bugs around version differences. Some things only work in linux... some things work in linux/windows/mac but not in WASM in the browser. And not on riscv machines. But pure-rust works everywhere: WASM, riscv, etc.

In gossip, you can include ffmpeg and have video playing inside the client. But it' a pain to maintain when ffmpeg updates and to maintain it working for all older versions. I had similar issues with OpenSSL. This is because I'm linking to a system library under usually /usr/lib which may not be the right version and may not compile.

RustCrypto is not as fast as ring (rust, but not as portable), or openssl, or boringssl. But it is not at all slow. And I haven't tested the performance. In any case, I could now go off and tweak the boringssl backend to my liking and get higher performance. It's just not what I plan to do next.

Hunter ₿eaṩt 6mo ago

Java and Python both have portability issues. Ever build Sparrow or Electrum from source?

Mike Dilger ☑️ 6mo ago

Also, from rust I can build interfaces for other languages like python, java, go, javascript, etc.

I started coding in rust in 2014 or something like that, back around version 0.6 (I dabbled around version 0.4) and helped when they were defining the language for 1.0 release.

Rust does have some challenges still. But fewer as time goes on.

Mike Dilger ☑️ 6mo ago

It is working now. I probably should test end-to-end all cipher suites one at a time with a sample client and server. https//github.com/mikedilger/alt-tls