Switch to rustls and webpki-roots (#30025)

This change replaces OpenSSL with rustls and also the manually curated
CA certs file with webpki-roots (effectively the same thing, but as a
crate).

Generally speaking the design of the network stack is the same. Changes:

- Code around certificate overrides needed to be refactored to work with
  rustls so the various thread-safe list of certificates is refactored
  into `CertificateErrorOverrideManager`
- hyper-rustls takes care of setting ALPN protocols for HTTP requests,
  so for WebSockets this is moved to the WebSocket code.
- The safe set of cypher suites is chosen, which seem to correspond to
  the "Modern" configuration from [1]. This can be adjusted later.
- Instead of passing a string of PEM CA certificates around, an enum is
  used that includes parsed Certificates (or the default which reads
  them from webpki-roots).
- Code for starting up an SSL server for testing is cleaned up a little,
  due to the fact that the certificates need to be overriden explicitly
  now. This is due to the fact that the `webpki` crate is more stringent
  with self-signed certificates than SSL (CA certificates cannot used as
  end-entity certificates). [2]

1. https://wiki.mozilla.org/Security/Server_Side_TLS
2. https://github.com/briansmith/webpki/issues/114

Fixes #7888.
Fixes #13749.
Fixes #26835.
Fixes #29291.

components/config/opts.rs

@@ -113,9 +113,14 @@ pub struct Opts {
     /// Print the version and exit.
     pub is_printing_version: bool,
 
-    /// Path to SSL certificates.
+    /// Path to PEM encoded SSL CA certificate store.
     pub certificate_path: Option<String>,
 
+    /// Whether or not to completely ignore SSL certificate validation errors.
+    /// TODO: We should see if we can eliminate the need for this by fixing
+    /// https://github.com/servo/servo/issues/30080.
+    pub ignore_certificate_errors: bool,
+
     /// Unminify Javascript.
     pub unminify_js: bool,
 
@@ -408,6 +413,7 @@ pub fn default_opts() -> Opts {
         is_printing_version: false,
         shaders_dir: None,
         certificate_path: None,
+        ignore_certificate_errors: false,
         unminify_js: false,
         local_script_source: None,
         print_pwm: false,
@@ -524,6 +530,11 @@ pub fn from_cmdline_args(mut opts: Options, args: &[String]) -> ArgumentParsingR
         "Path to find SSL certificates",
         "/home/servo/resources/certs",
     );
+    opts.optflag(
+        "",
+        "ignore-certificate-errors",
+        "Whether or not to completely ignore certificate errors",
+    );
     opts.optopt(
         "",
         "content-process",
@@ -767,6 +778,7 @@ pub fn from_cmdline_args(mut opts: Options, args: &[String]) -> ArgumentParsingR
         is_printing_version,
         shaders_dir: opt_match.opt_str("shaders").map(Into::into),
         certificate_path: opt_match.opt_str("certificate-path"),
+        ignore_certificate_errors: opt_match.opt_present("ignore-certificate-errors"),
         unminify_js: opt_match.opt_present("unminify-js"),
         local_script_source: opt_match.opt_str("local-script-source"),
         print_pwm: opt_match.opt_present("print-pwm"),