Posts by cpu

crates.io: Rust Package Registry

I wrote a blog post for the Alpha Omega Foundation on the work I did to surface RustSec advisories on crates.io:

alpha-omega.dev/blog/surfaci...

1 month ago 12 2 0 0
GitHub - C2SP/wycheproof: Project Wycheproof tests crypto libraries against known attacks.

@filippo.abyssdomain.expert plugs Wycheproof test vectors github.com/C2SP/wychepr...

#realworldcrypto

1 month ago 4 1 1 0

did something very silly, may have some at gophercon this year if you ever sent us a vulnerability report or contributed to Go crypto (or are just nice to me)

thanks to @ljamesart.bsky.social who did the great art!

1 month ago 80 5 5 0

TIL "fly-tip"

2 months ago 1 0 0 0
Slack confirmation code: 6LB-GTL

make sure you stay sub'd to openssl-project so you don't miss important messages like sign up codes for internal accounts

(groups.google.com/a/openssl.or..., groups.google.com/a/openssl.or..., etc.)

3 months ago 6 0 0 0

I've used github.com/testssl/test... as a replacement for SSLLabs in the past with pretty good results.

4 months ago 1 0 1 0
Rustls Shortlisted for Two 2025 OpenUK Awards - The Rust Foundation The Rust Foundation is delighted to congratulate Rustls for being shortlisted in the Open Source Software and Security categories of the OpenUK Awards 2025 — and Joe Birr-Pixton, Rustls Creator, for…

With the @openuk.bsky.social Awards coming up, we’re excited that Rustls — a memory-safe TLS library — is shortlisted in two categories, and Creator Joe Birr-Pixton is also recognized individually.

The Rust Foundation is proud to support Rustls through the Rust Innovation Lab 🧡

4 months ago 11 5 0 0
The 2025 Go Cryptography State of the Union I delivered my traditional Go Cryptography State of the Union talk at GopherCon US 2025 in New York. It goes into everything that happened at the intersection of Go and cryptography over the last…

In August I delivered my traditional Go Cryptography State of the Union talk at @gophercon.com in New York.

It goes into everything at the intersection of Go and cryptography from the last year. (Also, bragging t-shirts!)

Watch the video or read the transcript of my performance review!

5 months ago 42 10 1 0
Netstack.FM — A Podcast About Networking and Rust Interviews, monologues, and deep dives into Rust and modern networking systems.

Maintaining #Rustls isn’t just code — it’s choices. Dirkjan shared how OSS maintainers balance safety vs. niche flexibility and why API instability or incompatibility can ripple across the ecosystem. Full story at netstack.fm/#episode-7

6 months ago 5 5 0 0

Congrats!!!!! 😍😍😍😍

6 months ago 1 0 1 0
cpu (@cpu@hachyderm.io) It has been zero days (0) since the last time I figured out my own bug by logging a Shitload-of-Hex and staring at it carefully.

I keep this post around so I can RT it every time this technique saves my butt and it's Too Often ™

hachyderm.io/@cpu/1125942...

7 months ago 3 2 1 0

We have a little blog post about this rustls.dev/blog/2025-09...

7 months ago 2 3 0 0
GitHub - letsencrypt/boulder: An ACME-based certificate authority, written in Go.

Hello!

🤔 I'm biased, but github.com/letsencrypt/boulder is a good place to start (especially w.r.t code review). github.com/FiloSottile/... and the std lib tls package are also great (though you'd have to look at Gerrit for the latter since the Go project doesn't use GitHub for code review).

7 months ago 1 0 1 0

we lived

7 months ago 31 1 0 0

PowerDNS Recursor 5.3.0 has a nice note in the changelog:

> The embedded webserver used to display the status page and process REST API calls has been rewritten in Rust and now supports multiple listen addresses and TLS.

The new code is powered by Hyper+Rustls+Ring 🦀 🔒

(h/t Stefan Schmidt)

7 months ago 6 1 0 0
Experimental DNS over TLS support B.root-servers.net DNS operated by the University of Southern California

TIL the B root servers have deployed experimental DoT support for TLS on the recursor -> auth. server leg: b.root-servers.org/research/tls...

7 months ago 3 0 0 0
A document announcing the "Fourth ITU-T X.509 Day (2025) event" on September 5, 2025, from 13:00 to 16:00 (Geneva time). It details ITU-T X.509 as a foundational standard for public key infrastructure and digital certificates, outlining its history and applications. The event's objectives include reviewing X.509 progress, assessing post-quantum cryptography readiness, exploring decentralized PKI, discussing cross-border digital identity, strengthening AI trust, showcasing real-world adoption, and identifying future directions.

TIL that the ITU has an annual "X.509 Day", wheeee www.itu.int/md/T25-TSB-C...

8 months ago 3 2 1 0
The FIPS 140-3 Go Cryptographic Module Go now has a built-in, native FIPS 140-3 compliant mode.

We announced the new native Go FIPS 140-3 mode today!

FIPS 140, like it or not, is often a requirement, and I was increasingly sad about large deployments replacing the Go crypto packages with non-memory safe cgo bindings.

Go is now one of the easiest and most secure ways to build under FIPS 140.

9 months ago 199 50 11 4
crates.io: Rust Package Registry

Today we released rustls 0.23.29 crates.io/crates/rustl... -- highlights are better error reporting for unsupported signature algorithms in certificates, and quite a few performance improvements (via a set of changes that started almost 2 years ago!)

9 months ago 11 3 1 0
Release 0.8.0 · djc/instant-acme The 0.8 release contains substantial changes to make the API more modular. It integrates full support for ACME Renewal Information (ARI, recently standardized as RFC 9773). Since the 0.7.2 release,...

Pretty excited about the release of instant-acme 0.8, with lots of work from @cpu.xkeyscore.club (who joined as a maintainer) on ARI, profiles, integration testing and a much improved API.

github.com/djc/instant-...

9 months ago 7 1 0 0

I suspect the rustls-ffi numbers would look even better using curl w/ --ca-native on MacOS/Windows/etc where we can lean on rustls-platform-verifier to avoid all the PEM parsing & trust anchor construction for the big pile of system roots needed at startup on Linux.

9 months ago 5 0 0 0

Tested on Linux, with curl 8.14.1 and OpenSSL 3.4.1 (latest in nixpkgs) vs rustls-ffi 0.15.0

Full disclosure: bagder's measurements w/ the newer OpenSSL 3.5.1 show an improvement. It "only" performs 54,000 allocations....

9 months ago 2 0 2 0

Nerd-sniped by bagder into looking at how rustls-ffi stacks up against OpenSSL on memory allocations/peak heap usage when plugged in as a curl vTLS backend.

Headlines:
* with rustls-ffi 0.15.0: 2,176 allocations. peak heap of 394kB.
* with openssl 3.4.1: 308,132 allocations (!). peak heap of 2.1MB

9 months ago 18 4 1 0
Track two new CVE's of ogsudo by squell · Pull Request #1173 · trifectatechfoundation/sudo-rs Two new CVE's were disclosed yesterday in ogsudo which do not apply to sudo-rs since they pertain to functionality we chose not to support.

You love to see it.

9 months ago 4 0 0 0
🔥Keynote Speaker Announcement

We are delighted to announce that Roland Shoemaker will be a keynote speaker at this year's #gopherconuk.

Roland leads the Go Security team at Google, working on cryptography, transport security, vulnerability triage, and generally keeping Go secure. Before working on the Go team, he worked on the Let's Encrypt project building the certificate authority software which now issues millions of certificates each day.

Despite its 15 year history, Go has had a rather uneventful security history. In his keynote, Roland will talk about why that is, some of the mistakes made, and what they learnt. Along with what he's working on now, and what’s on the horizon to make Go an even better, safer language for the next 15 years.

Buy your tickets over on our website & join Roland as he opens Day 1 of our conference on 13th August 2025.

🎟️ https://buff.ly/Azghzwp

I don't think they post here, but excited to be talking about what the Go Security team does, and why (hopefully) you don't hear much about us, at GopherCon UK in August.

9 months ago 35 7 2 0

IP address certificate subjects are coming to Let's Encrypt SOON™: community.letsencrypt.org/t/getting-re...

The groundwork for this was started ~2020 so it's extremely cool to see it coming to fruition !

9 months ago 6 0 0 0
A screenshot of a GitHub warning banner with the text: "Your blame took too long to compute."

Harsh but fair

9 months ago 6 0 0 0

Wrote some notes on self-hosting an Atuin sync server and getting to it via Tailscale hackd.net/posts/atuin-...

10 months ago 3 1 0 0

*slaps roof of libcrypto* this bad boy can fit so much global mutable state inside it!

10 months ago 60 1 1 0

Had a gig wrap up a little earlier than expected, I should have availability starting July or so.

As always: if you need help with Embedded, Rust, or similar things, shoot me a message!

If you're a user of postcard, p-rpc, or are interested in the more experimental new ergot: shoot me a message!

10 months ago 36 21 2 1