Offer rustls as an optional TLS engine

[sagebind]

It would be a large benefit to the Rust community if the curl crate could have an opt-in rustls feature that, when building the bundled libcurl, allows you to use rustls as a TLS backend.

This is possible to do by implementing a compatibility layer between libcurl and rustls by implementing libcurl's internal vtls interface -- rustls does not need to behave like OpenSSL or anything else, it only needs to perform the functions required by the vtls interface.

This compatibility layer could then be exposed as unmangled symbol names for libcurl to reference, which is legal since only one version of the curl crate can exist in a binary per Cargo's linking rules. To actually get libcurl to use the rustls backend, we could either:

1. Apply a small patch to the libcurl source code that adds the rustls-vtls symbols as an additional (and the selected) backend.
2. Have the rustls-vtls symbols impersonate a different, existing backend, and don't include the real backend's .c file when we compile.

I've done some investigation and experimentation into this concept myself and it seems feasible.

[alexcrichton]

IIRC I think the mesalink feature was started to support this, but it may not be quite as buttery-smooth of an integration that would be great to have.

[sagebind]

Yeah, MesaLink was looked to with promise, as it even made its way into libcurl officially. Unfortunately MesaLink does not support ALPN and cannot be used for HTTP/2 connections, and development seems to have been stalled with no communication for a while, unfortunately. We can still leave the door open for MesaLink as a viable solution if the developers come back.

[sagebind]

Interesting update here: It looks like ISRG might be working on adding rustls as an official TLS engine to curl proper: https://www.abetterinternet.org/post/memory-safe-curl/. Of course, if that happens it should be relatively easy for us to adopt it.

[sagebind]

Initial PR to add Rustls as an official opt-in backend upstream here: curl/curl#6350. Once Rustls is released upstream, we can add a new crate feature here to opt-in to the Rustls backend. Unclear as of yet whether we will be able to pull in Rustls C bindings via Crates.io or we'll need to submodule, we'll have to wait and see.

[sagebind]

This has now been merged in and will be exposed as the rustls crate feature in the next release. Since the curl integration with rustls isn't fully stable yet we won't offer any sort of stability or reliability guarantees with the rustls feature for now, but at least people will be able to start using it.

[sagebind]

This is now available in the 0.4.42 release.