Auto merge of #8611 - alex:default-ciphers, r=jvehent

Fixed #8594 -- use a more modern default cipher suite list by default Fixes #8594.  [<img src="https://reviewable.io/review_button.png" height=40 alt="Review on Reviewable"/>](https://reviewable.io/reviews/servo/servo/8611)
2025-08-05 21:50:18 +01:00 · 2015-11-21 20:42:11 +05:30 · 2015-11-21 20:42:11 +05:30 · ec3437f4e3
commit ec3437f4e3
parent f2fe1171d2 008d99663f
1 changed files with 17 additions and 0 deletions
--- a/components/net/http_loader.rs
+++ b/components/net/http_loader.rs
@ -44,10 +44,27 @@ use uuid;

 pub type Connector = HttpsConnector<Openssl>;

+// The basic logic here is to prefer ciphers with ECDSA certificates, Forward
+// Secrecy, AES GCM ciphers, AES ciphers, and finally 3DES ciphers.
+// A complete discussion of the issues involved in TLS configuration can be found here:
+// https://wiki.mozilla.org/Security/Server_Side_TLS
+const DEFAULT_CIPHERS: &'static str = concat!(
+    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:",
+    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:",
+    "DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:",
+    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:",
+    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:",
+    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:",
+    "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:",
+    "ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:",
+    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
+);
+
 pub fn create_http_connector() -> Arc<Pool<Connector>> {
    let mut context = SslContext::new(SslMethod::Sslv23).unwrap();
    context.set_verify(SSL_VERIFY_PEER, None);
    context.set_CA_file(&resources_dir_path().join("certs")).unwrap();
+    context.set_cipher_list(DEFAULT_CIPHERS).unwrap();
    let connector = HttpsConnector::new(Openssl {
        context: Arc::new(context)
    });