mirror of
https://github.com/servo/servo.git
synced 2025-08-13 01:15:34 +01:00
Auto merge of #11115 - mbrubeck:openssl-verify, r=jdm
Use openssl-verify to check certificate + hostname Fixes #4954. r? @jdm This is based on hyperium/hyper#472, though it doesn't re-use that code directly because Servo configures its own OpenSSL context. <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="35" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/11115) <!-- Reviewable:end -->
This commit is contained in:
bors-servo
commit
40be84df26
9 changed files with 94 additions and 36 deletions
|
|
@ -28,6 +28,7 @@ matches = "0.1"
|
|||
mime = "0.2.0"
|
||||
mime_guess = "1.6.0"
|
||||
openssl = "0.7.6"
|
||||
openssl-verify = "0.1"
|
||||
rustc-serialize = "0.3"
|
||||
threadpool = "1.0"
|
||||
time = "0.1.17"
|
||||
|
|
|
|||
58
components/net/connector.rs
Normal file
58
components/net/connector.rs
Normal file
|
|
@ -0,0 +1,58 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
use hyper::client::Pool;
|
||||
use hyper::net::{HttpStream, HttpsConnector, SslClient};
|
||||
use openssl::ssl::{SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3, SSL_VERIFY_PEER};
|
||||
use openssl::ssl::{Ssl, SslContext, SslMethod, SslStream};
|
||||
use std::sync::Arc;
|
||||
use util::resource_files::resources_dir_path;
|
||||
|
||||
pub type Connector = HttpsConnector<ServoSslClient>;
|
||||
|
||||
// The basic logic here is to prefer ciphers with ECDSA certificates, Forward
|
||||
// Secrecy, AES GCM ciphers, AES ciphers, and finally 3DES ciphers.
|
||||
// A complete discussion of the issues involved in TLS configuration can be found here:
|
||||
// https://wiki.mozilla.org/Security/Server_Side_TLS
|
||||
const DEFAULT_CIPHERS: &'static str = concat!(
|
||||
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:",
|
||||
"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:",
|
||||
"DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:",
|
||||
"ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:",
|
||||
"ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:",
|
||||
"ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:",
|
||||
"DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:",
|
||||
"ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:",
|
||||
"AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
|
||||
);
|
||||
|
||||
pub fn create_http_connector() -> Arc<Pool<Connector>> {
|
||||
let mut context = SslContext::new(SslMethod::Sslv23).unwrap();
|
||||
context.set_CA_file(&resources_dir_path().join("certs")).unwrap();
|
||||
context.set_cipher_list(DEFAULT_CIPHERS).unwrap();
|
||||
context.set_options(SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3);
|
||||
let connector = HttpsConnector::new(ServoSslClient {
|
||||
context: Arc::new(context)
|
||||
});
|
||||
|
||||
Arc::new(Pool::with_connector(Default::default(), connector))
|
||||
}
|
||||
|
||||
pub struct ServoSslClient {
|
||||
context: Arc<SslContext>,
|
||||
}
|
||||
|
||||
impl SslClient for ServoSslClient {
|
||||
type Stream = SslStream<HttpStream>;
|
||||
|
||||
fn wrap_client(&self, stream: HttpStream, host: &str) -> Result<Self::Stream, ::hyper::Error> {
|
||||
let mut ssl = try!(Ssl::new(&self.context));
|
||||
try!(ssl.set_hostname(host));
|
||||
let host = host.to_owned();
|
||||
ssl.set_verify_callback(SSL_VERIFY_PEER, move |p, x| {
|
||||
::openssl_verify::verify_callback(&host, p, x)
|
||||
});
|
||||
SslStream::connect(ssl, stream).map_err(From::from)
|
||||
}
|
||||
}
|
||||
|
|
@ -2,9 +2,10 @@
|
|||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
use connector::create_http_connector;
|
||||
use data_loader::decode;
|
||||
use fetch::cors_cache::CORSCache;
|
||||
use http_loader::{NetworkHttpRequestFactory, create_http_connector, obtain_response};
|
||||
use http_loader::{NetworkHttpRequestFactory, obtain_response};
|
||||
use hyper::header::{Accept, AcceptLanguage, Authorization, AccessControlAllowCredentials};
|
||||
use hyper::header::{AccessControlAllowOrigin, AccessControlAllowHeaders, AccessControlAllowMethods};
|
||||
use hyper::header::{AccessControlRequestHeaders, AccessControlMaxAge, AccessControlRequestMethod, Basic};
|
||||
|
|
|
|||
|
|
@ -4,6 +4,7 @@
|
|||
|
||||
|
||||
use brotli::Decompressor;
|
||||
use connector::Connector;
|
||||
use cookie;
|
||||
use cookie_storage::CookieStorage;
|
||||
use devtools_traits::{ChromeToDevtoolsControlMsg, DevtoolsControlMsg, HttpRequest as DevtoolsHttpRequest};
|
||||
|
|
@ -19,7 +20,7 @@ use hyper::header::{Location, SetCookie, StrictTransportSecurity, UserAgent, qit
|
|||
use hyper::http::RawStatus;
|
||||
use hyper::method::Method;
|
||||
use hyper::mime::{Mime, SubLevel, TopLevel};
|
||||
use hyper::net::{Fresh, HttpsConnector, Openssl};
|
||||
use hyper::net::Fresh;
|
||||
use hyper::status::{StatusClass, StatusCode};
|
||||
use log;
|
||||
use mime_classifier::MIMEClassifier;
|
||||
|
|
@ -30,7 +31,6 @@ use net_traits::response::HttpsState;
|
|||
use net_traits::{CookieSource, IncludeSubdomains, LoadConsumer, LoadContext, LoadData};
|
||||
use net_traits::{Metadata, NetworkError};
|
||||
use openssl::ssl::error::{SslError, OpensslError};
|
||||
use openssl::ssl::{SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3, SSL_VERIFY_PEER, SslContext, SslMethod};
|
||||
use resource_thread::{CancellationListener, send_error, start_sending_sniffed_opt, AuthCache, AuthCacheEntry};
|
||||
use std::borrow::ToOwned;
|
||||
use std::boxed::FnBox;
|
||||
|
|
@ -46,41 +46,9 @@ use time::Tm;
|
|||
use tinyfiledialogs;
|
||||
use url::{Url, Position};
|
||||
use util::prefs;
|
||||
use util::resource_files::resources_dir_path;
|
||||
use util::thread::spawn_named;
|
||||
use uuid;
|
||||
|
||||
pub type Connector = HttpsConnector<Openssl>;
|
||||
|
||||
// The basic logic here is to prefer ciphers with ECDSA certificates, Forward
|
||||
// Secrecy, AES GCM ciphers, AES ciphers, and finally 3DES ciphers.
|
||||
// A complete discussion of the issues involved in TLS configuration can be found here:
|
||||
// https://wiki.mozilla.org/Security/Server_Side_TLS
|
||||
const DEFAULT_CIPHERS: &'static str = concat!(
|
||||
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:",
|
||||
"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:",
|
||||
"DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:",
|
||||
"ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:",
|
||||
"ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:",
|
||||
"ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:",
|
||||
"DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:",
|
||||
"ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:",
|
||||
"AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
|
||||
);
|
||||
|
||||
pub fn create_http_connector() -> Arc<Pool<Connector>> {
|
||||
let mut context = SslContext::new(SslMethod::Sslv23).unwrap();
|
||||
context.set_verify(SSL_VERIFY_PEER, None);
|
||||
context.set_CA_file(&resources_dir_path().join("certs")).unwrap();
|
||||
context.set_cipher_list(DEFAULT_CIPHERS).unwrap();
|
||||
context.set_options(SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3);
|
||||
let connector = HttpsConnector::new(Openssl {
|
||||
context: Arc::new(context)
|
||||
});
|
||||
|
||||
Arc::new(Pool::with_connector(Default::default(), connector))
|
||||
}
|
||||
|
||||
pub fn factory(user_agent: String,
|
||||
http_state: HttpState,
|
||||
devtools_chan: Option<Sender<DevtoolsControlMsg>>,
|
||||
|
|
|
|||
|
|
@ -29,6 +29,7 @@ extern crate mime_guess;
|
|||
extern crate msg;
|
||||
extern crate net_traits;
|
||||
extern crate openssl;
|
||||
extern crate openssl_verify;
|
||||
extern crate rustc_serialize;
|
||||
extern crate threadpool;
|
||||
extern crate time;
|
||||
|
|
@ -44,6 +45,7 @@ extern crate websocket;
|
|||
pub mod about_loader;
|
||||
pub mod bluetooth_thread;
|
||||
pub mod chrome_loader;
|
||||
pub mod connector;
|
||||
pub mod cookie;
|
||||
pub mod cookie_storage;
|
||||
pub mod data_loader;
|
||||
|
|
|
|||
|
|
@ -5,13 +5,14 @@
|
|||
//! A thread that takes a URL and streams back the binary data.
|
||||
use about_loader;
|
||||
use chrome_loader;
|
||||
use connector::{Connector, create_http_connector};
|
||||
use cookie;
|
||||
use cookie_storage::CookieStorage;
|
||||
use data_loader;
|
||||
use devtools_traits::{DevtoolsControlMsg};
|
||||
use file_loader;
|
||||
use hsts::HstsList;
|
||||
use http_loader::{self, Connector, create_http_connector, HttpState};
|
||||
use http_loader::{self, HttpState};
|
||||
use hyper::client::pool::Pool;
|
||||
use hyper::header::{ContentType, Header, SetCookie};
|
||||
use hyper::mime::{Mime, SubLevel, TopLevel};
|
||||
|
|
|
|||
9
components/servo/Cargo.lock
generated
9
components/servo/Cargo.lock
generated
|
|
@ -1346,6 +1346,7 @@ dependencies = [
|
|||
"msg 0.0.1",
|
||||
"net_traits 0.0.1",
|
||||
"openssl 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"openssl-verify 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"plugins 0.0.1",
|
||||
"rustc-serialize 0.3.19 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"threadpool 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
|
|
@ -1581,6 +1582,14 @@ dependencies = [
|
|||
"openssl-sys 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "openssl-verify"
|
||||
version = "0.1.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
dependencies = [
|
||||
"openssl 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "osmesa-sys"
|
||||
version = "0.0.5"
|
||||
|
|
|
|||
9
ports/cef/Cargo.lock
generated
9
ports/cef/Cargo.lock
generated
|
|
@ -1260,6 +1260,7 @@ dependencies = [
|
|||
"msg 0.0.1",
|
||||
"net_traits 0.0.1",
|
||||
"openssl 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"openssl-verify 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"plugins 0.0.1",
|
||||
"rustc-serialize 0.3.19 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"threadpool 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
|
|
@ -1469,6 +1470,14 @@ dependencies = [
|
|||
"openssl-sys 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "openssl-verify"
|
||||
version = "0.1.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
dependencies = [
|
||||
"openssl 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "osmesa-sys"
|
||||
version = "0.0.5"
|
||||
|
|
|
|||
9
ports/gonk/Cargo.lock
generated
9
ports/gonk/Cargo.lock
generated
|
|
@ -1243,6 +1243,7 @@ dependencies = [
|
|||
"msg 0.0.1",
|
||||
"net_traits 0.0.1",
|
||||
"openssl 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"openssl-verify 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"plugins 0.0.1",
|
||||
"rustc-serialize 0.3.19 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"threadpool 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
|
|
@ -1452,6 +1453,14 @@ dependencies = [
|
|||
"openssl-sys 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "openssl-verify"
|
||||
version = "0.1.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
dependencies = [
|
||||
"openssl 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "osmesa-sys"
|
||||
version = "0.0.5"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue