rustls · ctz · Feb 12, 2024 · Feb 9, 2024 · Feb 9, 2024 · Feb 9, 2024
diff --git a/README.md b/README.md
@@ -86,33 +86,34 @@ need them.
 
 ### Platform support
 
-While Rustls itself is platform independent, by default it uses [`ring`] for implementing
-the cryptography in TLS. As a result, rustls only runs on platforms
-supported by `ring`. At the time of writing, this means 32-bit ARM, Aarch64 (64-bit ARM),
-x86, x86-64, LoongArch64, 32-bit & 64-bit Little Endian MIPS, 32-bit PowerPC (Big Endian),
-64-bit PowerPC (Big and Little Endian), 64-bit RISC-V, and s390x. We do not presently
-support WebAssembly.
-For more information, see [the supported `ring` target platforms][ring-target-platforms].
+While Rustls itself is platform independent, by default it uses [`aws-lc-rs`] for implementing
+the cryptography in TLS.  See [the aws-lc-rs FAQ][aws-lc-rs-platforms-faq] for more details of the
+platform/architecture support constraints in aws-lc-rs.
+
+[`ring`] is also available via the `ring` crate feature: see
+[the supported `ring` target platforms][ring-target-platforms].
 
 By providing a custom instance of the [`crypto::CryptoProvider`] struct, you
 can replace all cryptography dependencies of rustls.  This is a route to being portable
 to a wider set of architectures and environments, or compliance requirements.  See the
 [`crypto::CryptoProvider`] documentation for more details.
 
 Specifying `default-features = false` when depending on rustls will remove the
-dependency on *ring*.
+dependency on aws-lc-rs.
 
 Rustls requires Rust 1.61 or later.
 
 [ring-target-platforms]: https://github.com/briansmith/ring/blob/2e8363b433fa3b3962c877d9ed2e9145612f3160/include/ring-core/target.h#L18-L64
 [`crypto::CryptoProvider`]: https://docs.rs/rustls/latest/rustls/crypto/trait.CryptoProvider.html
 [`ring`]: https://crates.io/crates/ring
+[aws-lc-rs-platforms-faq]: https://aws.github.io/aws-lc-rs/faq.html#can-i-run-aws-lc-rs-on-x-platform-or-architecture
+[`aws-lc-rs`]: https://crates.io/crates/aws-lc-rs
 
 ### Cryptography providers
 
 Since Rustls 0.22 it has been possible to choose the provider of the cryptographic primitives
 that Rustls uses. This may be appealing if you have specific platform, compliance or feature
-requirements that aren't met by the default provider, [`ring`].
+requirements that aren't met by the default provider, [`aws-lc-rs`].
 
 Users that wish to customize the provider in use can do so when constructing `ClientConfig`
 and `ServerConfig` instances using the `with_crypto_provider` method on the respective config
@@ -122,11 +123,11 @@ builder types. See the [`crypto::CryptoProvider`] documentation for more details
 
 Rustls ships with two built-in providers controlled with associated feature flags:
 
-* [`ring`] - enabled by default, available with the `ring` feature flag enabled. This
-provider is used by default when an explicit provider is not specified.
-* [`aws-lc-rs`] - available with the `aws_lc_rs` feature flag enabled.
+* [`aws-lc-rs`] - enabled by default, available with the `aws_lc_rs` feature flag enabled.
+* [`ring`] - available with the `ring` feature flag enabled.
 
-[`aws-lc-rs`]: https://github.com/aws/aws-lc-rs
+See the documentation for [`crypto::CryptoProvider`] for details on how providers are
+selected.
 
 #### Third-party providers
 

diff --git a/examples/src/bin/limitedclient.rs b/examples/src/bin/limitedclient.rs
@@ -2,7 +2,7 @@
 //! so that unused cryptography in rustls can be discarded by the linker.  You can
 //! observe using `nm` that the binary of this program does not contain any AES code.
 
-use rustls::crypto::{ring, CryptoProvider};
+use rustls::crypto::{aws_lc_rs as provider, CryptoProvider};
 use std::io::{stdout, Read, Write};
 use std::net::TcpStream;
 use std::sync::Arc;
@@ -16,9 +16,9 @@ fn main() {
 
     let config = rustls::ClientConfig::builder_with_provider(
         CryptoProvider {
-            cipher_suites: vec![ring::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256],
-            kx_groups: vec![ring::kx_group::X25519],
-            ..ring::default_provider()
+            cipher_suites: vec![provider::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256],
+            kx_groups: vec![provider::kx_group::X25519],
+            ..provider::default_provider()
         }
         .into(),
     )

diff --git a/examples/src/bin/tlsclient-mio.rs b/examples/src/bin/tlsclient-mio.rs
@@ -28,7 +28,7 @@ use docopt::Docopt;
 use mio::net::TcpStream;
 use serde::Deserialize;
 
-use rustls::crypto::CryptoProvider;
+use rustls::crypto::{aws_lc_rs as provider, CryptoProvider};
 use rustls::pki_types::{CertificateDer, PrivateKeyDer, ServerName};
 use rustls::RootCertStore;
 
@@ -258,7 +258,7 @@ struct Args {
 
 /// Find a ciphersuite with the given name
 fn find_suite(name: &str) -> Option<rustls::SupportedCipherSuite> {
-    for suite in rustls::crypto::ring::ALL_CIPHER_SUITES {
+    for suite in provider::ALL_CIPHER_SUITES {
         let sname = format!("{:?}", suite.suite()).to_lowercase();
 
         if sname == name.to_string().to_lowercase() {
@@ -417,7 +417,7 @@ fn make_config(args: &Args) -> Arc<rustls::ClientConfig> {
     let suites = if !args.flag_suite.is_empty() {
         lookup_suites(&args.flag_suite)
     } else {
-        rustls::crypto::ring::DEFAULT_CIPHER_SUITES.to_vec()
+        provider::DEFAULT_CIPHER_SUITES.to_vec()
     };
 
     let versions = if !args.flag_protover.is_empty() {
@@ -429,7 +429,7 @@ fn make_config(args: &Args) -> Arc<rustls::ClientConfig> {
     let config = rustls::ClientConfig::builder_with_provider(
         CryptoProvider {
             cipher_suites: suites,
-            ..rustls::crypto::ring::default_provider()
+            ..provider::default_provider()
         }
         .into(),
     )
@@ -474,7 +474,7 @@ fn make_config(args: &Args) -> Arc<rustls::ClientConfig> {
         config
             .dangerous()
             .set_certificate_verifier(Arc::new(danger::NoCertificateVerification::new(
-                rustls::crypto::ring::default_provider(),
+                provider::default_provider(),
             )));
     }
 

diff --git a/examples/src/bin/tlsserver-mio.rs b/examples/src/bin/tlsserver-mio.rs
@@ -29,7 +29,7 @@ use log::{debug, error};
 use mio::net::{TcpListener, TcpStream};
 use serde::Deserialize;
 
-use rustls::crypto::{ring, CryptoProvider};
+use rustls::crypto::{aws_lc_rs as provider, CryptoProvider};
 use rustls::pki_types::{CertificateDer, CertificateRevocationListDer, PrivateKeyDer};
 use rustls::server::WebPkiClientVerifier;
 use rustls::{self, RootCertStore};
@@ -479,7 +479,7 @@ struct Args {
 }
 
 fn find_suite(name: &str) -> Option<rustls::SupportedCipherSuite> {
-    for suite in rustls::crypto::ring::ALL_CIPHER_SUITES {
+    for suite in provider::ALL_CIPHER_SUITES {
         let sname = format!("{:?}", suite.suite()).to_lowercase();
 
         if sname == name.to_string().to_lowercase() {
@@ -605,7 +605,7 @@ fn make_config(args: &Args) -> Arc<rustls::ServerConfig> {
     let suites = if !args.flag_suite.is_empty() {
         lookup_suites(&args.flag_suite)
     } else {
-        rustls::crypto::ring::ALL_CIPHER_SUITES.to_vec()
+        provider::ALL_CIPHER_SUITES.to_vec()
     };
 
     let versions = if !args.flag_protover.is_empty() {
@@ -629,7 +629,7 @@ fn make_config(args: &Args) -> Arc<rustls::ServerConfig> {
     let mut config = rustls::ServerConfig::builder_with_provider(
         CryptoProvider {
             cipher_suites: suites,
-            ..ring::default_provider()
+            ..provider::default_provider()
         }
         .into(),
     )
@@ -646,7 +646,7 @@ fn make_config(args: &Args) -> Arc<rustls::ServerConfig> {
     }
 
     if args.flag_tickets {
-        config.ticketer = rustls::crypto::ring::Ticketer::new().unwrap();
+        config.ticketer = provider::Ticketer::new().unwrap();
     }
 
     config.alpn_protocols = args