Switch to rustls and webpki-roots (#30025)

This change replaces OpenSSL with rustls and also the manually curated CA certs file with webpki-roots (effectively the same thing, but as a crate). Generally speaking the design of the network stack is the same. Changes: - Code around certificate overrides needed to be refactored to work with rustls so the various thread-safe list of certificates is refactored into `CertificateErrorOverrideManager` - hyper-rustls takes care of setting ALPN protocols for HTTP requests, so for WebSockets this is moved to the WebSocket code. - The safe set of cypher suites is chosen, which seem to correspond to the "Modern" configuration from [1]. This can be adjusted later. - Instead of passing a string of PEM CA certificates around, an enum is used that includes parsed Certificates (or the default which reads them from webpki-roots). - Code for starting up an SSL server for testing is cleaned up a little, due to the fact that the certificates need to be overriden explicitly now. This is due to the fact that the `webpki` crate is more stringent with self-signed certificates than SSL (CA certificates cannot used as end-entity certificates). [2] 1. https://wiki.mozilla.org/Security/Server_Side_TLS 2. https://github.com/briansmith/webpki/issues/114 Fixes #7888. Fixes #13749. Fixes #26835. Fixes #29291.
2025-07-23 07:13:52 +01:00 · 2023-08-08 16:00:10 +02:00 · 2023-08-08 16:00:10 +02:00 · bce7622cde
commit bce7622cde
parent ab0f48f8e8
31 changed files with 575 additions and 4399 deletions
--- a/python/servo/build_commands.py
+++ b/python/servo/build_commands.py
@ -188,15 +188,10 @@ class MachCommands(CommandBase):
                )
                assert os.path.exists(servo_exe_dir)

-                # on msvc, we need to copy in some DLLs in to the servo.exe dir and the directory for unit tests.
-                for ssl_lib in ["libssl.dll", "libcrypto.dll"]:
-                    ssl_path = path.join(env['OPENSSL_LIB_DIR'], "../bin", ssl_lib)
-                    shutil.copy(ssl_path, servo_exe_dir)
-                    shutil.copy(ssl_path, path.join(servo_exe_dir, "deps"))
-
                build_path = path.join(servo_exe_dir, "build")
                assert os.path.exists(build_path)

+                # on msvc, we need to copy in some DLLs in to the servo.exe dir and the directory for unit tests.
                def package_generated_shared_libraries(libs, build_path, servo_exe_dir):
                    for root, dirs, files in os.walk(build_path):
                        remaining_libs = list(libs)
@ -265,16 +260,6 @@ class MachCommands(CommandBase):
        if not self.is_android_build:
            return

-        openssl_dir = os.path.join(self.target_path, "native", "openssl")
-        if not os.path.exists(openssl_dir):
-            os.makedirs(openssl_dir)
-        shutil.copy(os.path.join(self.android_support_dir(), "openssl.makefile"), openssl_dir)
-        shutil.copy(os.path.join(self.android_support_dir(), "openssl.sh"), openssl_dir)
-
-        status = call(["make", "-f", "openssl.makefile"], env=env, cwd=openssl_dir)
-        if status:
-            return status
-
        # Build the name of the package containing all GStreamer dependencies
        # according to the build target.
        android_lib = self.config["android"]["lib"]
--- a/python/servo/command_base.py
+++ b/python/servo/command_base.py
@ -500,19 +500,6 @@ class CommandBase(object):
            env.setdefault("CC", "clang-cl.exe")
            env.setdefault("CXX", "clang-cl.exe")

-            arch = effective_target.split('-')[0]
-            vcpkg_arch = {
-                "x86_64": "x64-windows",
-                "i686": "x86-windows",
-                "aarch64": "arm64-windows",
-            }
-            target_arch = vcpkg_arch[arch]
-            openssl_base_dir = path.join(self.msvc_package_dir("openssl"), target_arch)
-
-            # Link openssl
-            env["OPENSSL_INCLUDE_DIR"] = path.join(openssl_base_dir, "include")
-            env["OPENSSL_LIB_DIR"] = path.join(openssl_base_dir, "lib")
-            env["OPENSSL_LIBS"] = "libssl:libcrypto"
            # Link moztools, used for building SpiderMonkey
            moztools_paths = [
                path.join(self.msvc_package_dir("moztools"), "bin"),
@ -625,9 +612,6 @@ class CommandBase(object):
        android_lib = self.config["android"]["lib"]
        android_arch = self.config["android"]["arch"]

-        # Build OpenSSL for android
-        env["OPENSSL_VERSION"] = "1.1.1d"
-
        # Check if the NDK version is 15
        if not os.path.isfile(path.join(env["ANDROID_NDK"], 'source.properties')):
            print("ANDROID_NDK should have file `source.properties`.")
@ -639,11 +623,6 @@ class CommandBase(object):
                print("Currently only support NDK 15. Please re-run `./mach bootstrap-android`.")
                sys.exit(1)

-        openssl_dir = path.join(
-            self.target_path, "native", "openssl", "openssl-{}".format(env["OPENSSL_VERSION"]))
-        env['OPENSSL_LIB_DIR'] = openssl_dir
-        env['OPENSSL_INCLUDE_DIR'] = path.join(openssl_dir, "include")
-        env['OPENSSL_STATIC'] = 'TRUE'
        # Android builds also require having the gcc bits on the PATH and various INCLUDE
        # path munging if you do not want to install a standalone NDK. See:
        # https://dxr.mozilla.org/mozilla-central/source/build/autoconf/android.m4#139-161
--- a/python/servo/platform/linux.py
+++ b/python/servo/platform/linux.py
@ -19,8 +19,7 @@ from .base import Base
 # Please keep these in sync with the packages in README.md
 APT_PKGS = ['git', 'curl', 'autoconf', 'libx11-dev', 'libfreetype6-dev',
            'libgl1-mesa-dri', 'libglib2.0-dev', 'xorg-dev', 'gperf', 'g++',
-            'build-essential', 'cmake', 'libssl-dev',
-            'liblzma-dev', 'libxmu6', 'libxmu-dev',
+            'build-essential', 'cmake', 'liblzma-dev', 'libxmu6', 'libxmu-dev',
            "libxcb-render0-dev", "libxcb-shape0-dev", "libxcb-xfixes0-dev",
            'libgles2-mesa-dev', 'libegl1-mesa-dev', 'libdbus-1-dev',
            'libharfbuzz-dev', 'ccache', 'clang', 'libunwind-dev',
@ -31,8 +30,7 @@ DNF_PKGS = ['libtool', 'gcc-c++', 'libXi-devel', 'freetype-devel',
            'libunwind-devel', 'mesa-libGL-devel', 'mesa-libEGL-devel',
            'glib2-devel', 'libX11-devel', 'libXrandr-devel', 'gperf',
            'fontconfig-devel', 'cabextract', 'ttmkfdir', 'expat-devel',
-            'rpm-build', 'openssl-devel', 'cmake',
-            'libXcursor-devel', 'libXmu-devel',
+            'rpm-build', 'cmake', 'libXcursor-devel', 'libXmu-devel',
            'dbus-devel', 'ncurses-devel', 'harfbuzz-devel', 'ccache',
            'clang', 'clang-libs', 'llvm', 'autoconf213', 'python3-devel',
            'gstreamer1-devel', 'gstreamer1-plugins-base-devel',
--- a/python/servo/platform/windows.py
+++ b/python/servo/platform/windows.py
@ -21,7 +21,6 @@ DEPS_URL = "https://github.com/servo/servo-build-deps/releases/download/msvc-dep
 DEPENDENCIES = {
    "llvm": "15.0.5",
    "moztools": "3.2",
-    "openssl": "111.3.0+1.1.1c-vs2017-2019-09-18",
 }

 URL_BASE = "https://gstreamer.freedesktop.org/data/pkg/windows/1.16.0/"