Lib.rs

Network programming | Cryptography
#tls #secure-transport #abstraction #platform

native-tls

A wrapper over a platform's native TLS implementation

by Steven Fackler, Kornel and 43 contributors

25 releases

new 0.2.18 Feb 18, 2026
0.2.14 Feb 19, 2025
0.2.12 May 27, 2024
0.2.11 Nov 1, 2022
0.1.0 Nov 9, 2016

#18 in Network programming

Download history 2056399/week @ 2025-10-30 2130710/week @ 2025-11-06 2115700/week @ 2025-11-13 2290361/week @ 2025-11-20 1920459/week @ 2025-11-27 2219506/week @ 2025-12-04 2168455/week @ 2025-12-11 1761730/week @ 2025-12-18 1200742/week @ 2025-12-25 1641956/week @ 2026-01-01 2261428/week @ 2026-01-08 2191875/week @ 2026-01-15 2410429/week @ 2026-01-22 2518561/week @ 2026-01-29 2652966/week @ 2026-02-05 2697383/week @ 2026-02-12

10,705,681 downloads per month
Used in 5,636 crates (677 directly)

MIT/Apache

110KB
2.5K SLoC

native-tls crate

Documentation

An abstraction over platform-specific TLS implementations.

Specifically, this crate uses SChannel on Windows (via the schannel crate), Secure Transport on macOS (via the security-framework crate), and OpenSSL (via the openssl crate) on all other platforms.

Using platform-native TLS library can reduce binary sizes, compilation times, and improve compatibility with system-wide proxies and CA certificate stores.

Installation

cargo add native-tls or

# Cargo.toml
[dependencies]
native-tls = "0.2"

Usage

An example client looks like:

use native_tls::TlsConnector;
use std::io::{Read, Write};
use std::net::TcpStream;

fn main() {
    let connector = TlsConnector::new().unwrap();

    let stream = TcpStream::connect("google.com:443").unwrap();
    let mut stream = connector.connect("google.com", stream).unwrap();

    stream.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap();
    let mut res = vec![];
    stream.read_to_end(&mut res).unwrap();
    println!("{}", String::from_utf8_lossy(&res));
}

To accept connections as a server from remote clients:

use native_tls::{Identity, TlsAcceptor, TlsStream};
use std::fs::File;
use std::io::{Read};
use std::net::{TcpListener, TcpStream};
use std::sync::Arc;
use std::thread;

fn main() {
    let mut file = File::open("identity.pfx").unwrap();
    let mut identity = vec![];
    file.read_to_end(&mut identity).unwrap();
    let identity = Identity::from_pkcs12(&identity, "hunter2").unwrap();

    let acceptor = TlsAcceptor::new(identity).unwrap();
    let acceptor = Arc::new(acceptor);

    let listener = TcpListener::bind("0.0.0.0:8443").unwrap();

    fn handle_client(stream: TlsStream<TcpStream>) {
        // ...
    }

    for stream in listener.incoming() {
        match stream {
            Ok(stream) => {
                let acceptor = acceptor.clone();
                thread::spawn(move || {
                    let stream = acceptor.accept(stream).unwrap();
                    handle_client(stream);
                });
            }
            Err(e) => { /* connection failed */ }
        }
    }
}

Supported features

This crate supports the following features out of the box:

  • TLS/SSL client communication
  • TLS/SSL server communication
  • PKCS#12 encoded identities
  • X.509/PKCS#8 encoded identities
  • Secure-by-default for client and server
    • Includes hostname verification for clients
  • Supports asynchronous I/O for both the server and the client

License

native-tls is primarily distributed under the terms of both the MIT license and the Apache License (Version 2.0), with portions covered by various BSD-like licenses.

See LICENSE-APACHE, and LICENSE-MIT for details.

Dependencies

~0–6.5MB
~146K SLoC