Auto merge of #25736 - Darkspirit:ossl, r=jdm

Add OpenSSL 1.1.1 build check, Update HSTS Preload list

* This variant also works with cross-compilation. PR should fail in CI on Android at first:
  The net crate successfully compiled after switching to OpenSSL 1.1.1 on Android. It seemed openssl.sh doesn't need any changes.(?)
* Updated HSTS preload list and public suffix list.
* Configured OpenSSL [SECLEVEL=2](https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html) like [Debian](https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1) Stable:
  > As a result RSA, DSA and DH keys shorter than [2048 bits](16a5a9bb78/docs/BR.md (6153-subscriber-certificates)) and ECC keys shorter than 224 bits are prohibited.
* Although all other crates compile I generally get a `libscript-fe019dd3e0a4e06d.rlib: bad extended name index at 8` error on simpleservo_jniapi, I guess Debian Testing is too new and I just haven't found the right steps so far.
./mach build -d --android
```
  = note: /home/darkspirit/github/servo/android-toolchains/ndk/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/lib/gcc/arm-linux-androideabi/4.9.x/../../../../arm-linux-androideabi/bin/ld.gold: error: /home/darkspirit/github/servo/target/android/armv7-linux-androideabi/debug/deps/libscript-fe019dd3e0a4e06d.rlib: bad extended name index at 8
          clang: error: linker command failed with exit code 1 (use -v to see invocation)
          toolchain: /home/darkspirit/github/servo/android-toolchains/ndk/toolchains/llvm/prebuilt/linux-x86_64/bin
          libs dir: /home/darkspirit/github/servo/android-toolchains/ndk/sources/cxx-stl/llvm-libc++/libs/armeabi-v7a
          sysroot: /home/darkspirit/github/servo/android-toolchains/ndk/platforms/android-21/arch-arm
          targetdir: /home/darkspirit/github/servo/target/android/armv7-linux-androideabi/debug/build/simpleservo_jniapi-26ef18debb5b3630/out/../../..
```

- [x] `./mach build -d` does not report any errors
- [x] `./mach test-tidy` does not report any errors
- [x] These changes fix #25708, fix #25619.

components/net/Cargo.toml

@@ -6,6 +6,7 @@ license = "MPL-2.0"
 edition = "2018"
 publish = false
 autotests = false  # Inhibit lookup for tests/*.rs without [[test]] sections
+build = "build.rs"
 
 [lib]
 name = "net"
@@ -43,6 +44,7 @@ mime_guess = "2.0.0-alpha.6"
 msg = {path = "../msg"}
 net_traits = {path = "../net_traits"}
 openssl = "0.10"
+openssl-sys = "0.9"
 percent-encoding = "2.0"
 pixels = {path = "../pixels"}
 profile_traits = {path = "../profile_traits"}

components/net/build.rs

@@ -0,0 +1,16 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+fn main() {
+    let version =
+        std::env::var("DEP_OPENSSL_VERSION_NUMBER").expect("missing DEP_OPENSSL_VERSION_NUMBER");
+    let actual = u64::from_str_radix(&version, 16).unwrap();
+    let minimum = 0x10101000;
+    if actual < minimum {
+        panic!(
+            "Your OpenSSL version is older than 1.1.1 ({:x}), you have: {:x}",
+            minimum, actual
+        );
+    }
+}

components/net/connector.rs

@@ -21,7 +21,7 @@ const TLS1_2_CIPHERSUITES: &'static str = concat!(
     "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:",
     "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:",
     "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:",
-    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA"
+    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA@SECLEVEL=2"
 );
 const SIGNATURE_ALGORITHMS: &'static str = concat!(
     "ed448:ed25519:",