I've been working on alt-tls. I have a lot of commits that haven't been pushed, which I will push once I finish and test all the algorithms.

Why? I want these things:

1) I want a pure-rust solution because that will compile everywhere that rust compiles without system library version issues, people filing bugs related to linking shit that I don't care about. A pure rust solution will be a bit slower but that is OK by me.

2) I want QUIC support

3) I want to hack the CertificateVerifier to simply verify that the public key is exactly as the library consumer expects it to be, rather than trusting CAs and DN namespaces.

4) I wanted a blake3 variant cipher suite (because IMHO blake3 is just better).

A while back I created alt-tls and did (3) cert verifier and (4) blake3 cipher suite. It also satisfied (1) pure rust.

But it didn't have (2) quic support.

Surveying all the providers I could find yielded this:

Provider                    Backend              Quic Support
rustls internal: ring       Ring                 Yes
rustls internal: aws_lc     AWS LC               Yes
boring-rustls-provider      Boring               Yes
rustls-graviola             Graviola             No
rustls-openssl              OpenSSL              Yes
rustls-rustcrypto           Rust Crypto          No (barely started and stalled)
rustls-mbedtls-provider     mbedtls              No
rustls-symcrypt             Microsoft SymCrypt   No
rustls-wolfcrypt-provider   wolfcrypt            No

I currently have full quic support working and tested against RFC 9001 appendix test vectors for:

TLS13_CHACHA20_POLY1305_BLAKE3 (non-standard)

TLS13_CHACHA20_POLY1305_SHA256

What is left to complete is:

TLS13_AES_128_GCM_SHA256

TLS13_AES_256_GCM_SHA384

It is the smaller keysize of AES 128 that requires the next refactor.

It is working now. I probably should test end-to-end all cipher suites one at a time with a sample client and server. https://github.com/mikedilger/alt-tls
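For readers who want to see what checking a QUIC key schedule against the RFC 9001 appendix vectors involves, here is an added example (not code from alt-tls or rustls) that derives the client Initial keys of RFC 9001 Appendix A.1 and compares them with the published values. It is written in Python because the standard library provides HMAC-SHA256; the function names are this example's own.

```python
import hashlib
import hmac

# QUIC v1 initial salt (RFC 9001, section 5.2) and the client's
# Destination Connection ID used throughout RFC 9001 Appendix A.
INITIAL_SALT = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")
DCID = bytes.fromhex("8394c8f03e515708")

# Client Initial values published in RFC 9001 Appendix A.1.
EXPECTED = {
    "key": bytes.fromhex("1f369613dd76d5467730efcbe3b1a22d"),
    "iv": bytes.fromhex("fa044b2f42a3fd3b46fb255c"),
    "hp": bytes.fromhex("9f50449e04a0e810283a1e9933adedd2"),
}

def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret, label, length, context=b""):
    """HKDF-Expand-Label from TLS 1.3 (RFC 8446, section 7.1)."""
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def client_initial_keys(dcid):
    """Derive the client Initial packet key, IV and header-protection key."""
    initial_secret = hkdf_extract(INITIAL_SALT, dcid)
    client_secret = hkdf_expand_label(initial_secret, b"client in", 32)
    return {name: hkdf_expand_label(client_secret, b"quic " + name.encode(), size)
            for name, size in (("key", 16), ("iv", 12), ("hp", 16))}

def matches_rfc_vectors(derived):
    """Return the names of any derived values that differ from Appendix A.1."""
    return [n for n, v in EXPECTED.items() if not hmac.compare_digest(derived[n], v)]

if __name__ == "__main__":
    print(matches_rfc_vectors(client_initial_keys(DCID)) or "all vectors match")
```

Initial packets always use SHA-256 and AES-128-GCM key sizes regardless of the negotiated cipher suite, which is why the key and header-protection key here are 16 bytes.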
