Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-10-01 17:19:16 +01:00
Code Issues Projects Releases Packages Wiki Activity

Auto merge of #24976 - Darkspirit:openssl, r=avadacatavra

Browse source 
Add ALPN and signature algorithms to OpenSSL config

* Updated http crate from 0.1.17 [to 0.1.20](https://github.com/hyperium/http/blob/master/CHANGELOG.md#0120-november-26-2019).
* Updated hyper from 0.12.33 [to 0.12.35](https://github.com/hyperium/hyper/compare/v0.12.33...v0.12.35).
* Updated hyper-openssl from 0.7.0 [to 0.7.1](https://github.com/sfackler/hyper-openssl/blob/master/CHANGELOG.md#v071---2019-03-01).
* Updated openssl crate from 0.10.11 [to 0.10.26](https://github.com/sfackler/rust-openssl/blob/master/openssl/CHANGELOG.md#v01026---2019-11-22).
  * Set ALPN to h2+http/1.1 for https (Enabled HTTP2) and http/1.1 for websockets.
  * Restricted signature algorithms to the same list across platforms: EdDSA at first, then ECDSA certificates, then TLS 1.3's RSA(-PSS), then classic RSA (PKCS 1.5).
Thereby we disabled the [following](https://www.ssllabs.com/ssltest/viewClient.html?name=OpenSSL&version=1.1.1c&key=165) non-web-standard signature algorithms: SHA512/ECDSA, SHA224/ECDSA, SHA1/ECDSA, SHA224/RSA, SHA224/DSA, SHA1/DSA, SHA256/DSA, SHA384/DSA, SHA512/DSA. [SHA1/RSA](https://tools.ietf.org/html/draft-ietf-tls-md5-sha1-deprecate-00) is almost dead and now only used by a few old and broken F5 load balancers: Like TLS 1.0 deprecation, we can again deprecate this some months earlier than other browsers.
  * Added Chacha20 to TLS 1.2 ciphersuite list and preferred it like Firefox and [Rustls](4b13a322c0/rustls/src/suites.rs (L377)). Removed legacy and privacy-hostile plain RSA (AES256-SHA, AES128-SHA).
Compared to [Mozilla intermediate v5](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29) we keep ECDHE-RSA-AES256-SHA and ECDHE-RSA-AES128-SHA for now, but won't reintroduce deprecated DHE.
  * Switched server-side to [Mozilla intermediate v5](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29) in components/net/tests/main.rs. (The new `modern` would have been TLSv1.3-only, therefore only worked with OpenSSL 1.1.1 which is unfortunately not yet used on every target.)
  * Renamed `ssl_connector_builder(certs)` to the more neutral and long-term better fitting `create_tls_config(certs, alpn)` as it was done in #24764.

---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: -->
- [x] `./mach build -d` does not report any errors
- [x] `./mach test-tidy` does not report any errors
This commit is contained in:
bors-servo 2019-12-09 19:21:43 -05:00 committed by GitHub
commit 1974c875a1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 74 additions and 66 deletions
Download patch file Download diff file Expand all files Collapse all files

27
Cargo.lock generated
View file

@ -169,6 +169,12 @@ dependencies = [
"winapi",
]
[[package]]
name = "autocfg"
version = "0.1.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1d49d90015b3c36167a20fe2810c5cd875ad504b39cff3d4eae7977e6b7c1cb2"
[[package]]
name = "azure"
version = "0.37.0"
@ -2354,9 +2360,9 @@ dependencies = [
[[package]]
name = "http"
version = "0.1.17"
version = "0.1.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "eed324f0f0daf6ec10c474f150505af2c143f251722bf9dbd1261bd1f2ee2c1a"
checksum = "2790658cddc82e82b08e25176c431d7015a0adeb1718498715cbd20138a0bf68"
dependencies = [
"bytes",
"fnv",
@ -2392,9 +2398,9 @@ dependencies = [
[[package]]
name = "hyper"
version = "0.12.33"
version = "0.12.35"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7cb44cbce9d8ee4fb36e4c0ad7b794ac44ebaad924b9c8291a63215bb44c2c8f"
checksum = "9dbe6ed1438e1f8ad955a4701e9a944938e9519f6888d12d8558b645e247d5f6"
dependencies = [
"bytes",
"futures",
@ -2422,9 +2428,9 @@ dependencies = [
[[package]]
name = "hyper-openssl"
version = "0.7.0"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "06a137dee5fc025f1afdd4f9d1eb6405689e4c687d07b687ba287adb7d55f791"
checksum = "f52657b5cdb2a8067efd29a02e011b7cf656b473ec8a5c34e86645e85d763006"
dependencies = [
"antidote",
"bytes",
@ -3685,9 +3691,9 @@ checksum = "51ecbcb821e1bd256d456fe858aaa7f380b63863eab2eb86eee1bd9f33dd6682"
[[package]]
name = "openssl"
version = "0.10.11"
version = "0.10.26"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6c24d3508b4fb6da175c10baac54c578b33f09c89ae90c6fe9788b3b4768efdc"
checksum = "3a3cc5799d98e1088141b8e01ff760112bbd9f19d850c124500566ca6901a585"
dependencies = [
"bitflags",
"cfg-if",
@ -3705,10 +3711,11 @@ checksum = "77af24da69f9d9341038eba93a073b1fdaaa1b788221b00a69bce9e762cb32de"
[[package]]
name = "openssl-sys"
version = "0.9.35"
version = "0.9.53"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "912f301a749394e1025d9dcddef6106ddee9252620e6d0a0e5f8d0681de9b129"
checksum = "465d16ae7fc0e313318f7de5cecf57b2fbe7511fd213978b457e1c96ff46736f"
dependencies = [
"autocfg",
"cc",
"libc",
"pkg-config",