Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-09-29 16:19:14 +01:00
Code Issues Projects Releases Packages Wiki Activity

Switch to rustls and webpki-roots (#30025)

Browse source 
This change replaces OpenSSL with rustls and also the manually curated
CA certs file with webpki-roots (effectively the same thing, but as a
crate).

Generally speaking the design of the network stack is the same. Changes:

- Code around certificate overrides needed to be refactored to work with
  rustls so the various thread-safe list of certificates is refactored
  into `CertificateErrorOverrideManager`
- hyper-rustls takes care of setting ALPN protocols for HTTP requests,
  so for WebSockets this is moved to the WebSocket code.
- The safe set of cypher suites is chosen, which seem to correspond to
  the "Modern" configuration from [1]. This can be adjusted later.
- Instead of passing a string of PEM CA certificates around, an enum is
  used that includes parsed Certificates (or the default which reads
  them from webpki-roots).
- Code for starting up an SSL server for testing is cleaned up a little,
  due to the fact that the certificates need to be overriden explicitly
  now. This is due to the fact that the `webpki` crate is more stringent
  with self-signed certificates than SSL (CA certificates cannot used as
  end-entity certificates). [2]

1. https://wiki.mozilla.org/Security/Server_Side_TLS
2. https://github.com/briansmith/webpki/issues/114

Fixes #7888.
Fixes #13749.
Fixes #26835.
Fixes #29291.
This commit is contained in:
Martin Robinson 2023-08-08 16:00:10 +02:00 committed by GitHub
parent ab0f48f8e8
commit bce7622cde
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
31 changed files with 575 additions and 4399 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Cargo.toml
View file

@ -12,6 +12,7 @@ exclude = [".cargo"]
[workspace.dependencies]
accountable-refcell = "0.2.0"
app_units = "0.7"
async-tungstenite = { version = "0.22", features = ["tokio-rustls-webpki-roots"] }
atomic_refcell = "0.1.6"
arrayvec = "0.7"
backtrace = "0.3"
@ -35,6 +36,7 @@ headers = "0.3"
html5ever = "0.26"
http = "0.2"
hyper = "0.14"
hyper-rustls = { version = "0.24", default-features = false, features = ["webpki-tokio", "http1", "http2", "tls12", "logging", "acceptor"] }
hyper_serde = "0.13"
image = "0.24"
indexmap = { version = "1.0.2", features = ["std"] }
@ -57,6 +59,8 @@ quote = "1"
rand = "0.7"
rayon = "1"
regex = "1.1"
rustls = { version = "0.21.5", features = ["dangerous_configuration"] }
rustls-pemfile = "1.0.3"
serde = "1.0.60"
serde_bytes = "0.11"
serde_json = "1.0"
@ -73,11 +77,15 @@ surfman-chains-api = "0.2"
thin-slice = "0.1.0"
time = "0.1.41"
tokio = "1"
tokio-rustls = "0.24"
tungstenite = "0.19"
unicode-bidi = "0.3.4"
unicode-script = "0.5"
url = "2.0"
uuid = { version = "1.3.4", features = ["v4"] }
webdriver = "0.48.0"
webpki-roots = "0.23"
webpki = "0.22"
webrender = { git = "https://github.com/servo/webrender", features = ["capture"] }
webrender_api = { git = "https://github.com/servo/webrender" }
winapi = "0.3"