Switch to rustls and webpki-roots (servo#30025)
This change replaces OpenSSL with rustls and also the manually curated
CA certs file with webpki-roots (effectively the same thing, but as a
crate).

Generally speaking the design of the network stack is the same. Changes:

- Code around certificate overrides needed to be refactored to work with
  rustls so the various thread-safe lists of certificates are refactored
  into `CertificateErrorOverrideManager`
- hyper-rustls takes care of setting ALPN protocols for HTTP requests,
  so for WebSockets this is moved to the WebSocket code.
- The safe set of cipher suites is chosen, which seem to correspond to
  the "Modern" configuration from [1]. This can be adjusted later.
- Instead of passing a string of PEM CA certificates around, an enum is
  used that includes parsed Certificates (or the default which reads
  them from webpki-roots).
- Code for starting up an SSL server for testing is cleaned up a little,
  due to the fact that the certificates need to be overridden explicitly
  now. This is due to the fact that the `webpki` crate is more stringent
  with self-signed certificates than SSL (CA certificates cannot be used as
  end-entity certificates). [2]

1. https://wiki.mozilla.org/Security/Server_Side_TLS
2. briansmith/webpki#114

Fixes servo#7888.
Fixes servo#13749.
Fixes servo#26835.
Fixes servo#29291.
mrobinson authored Aug 8, 2023
1 parent ab0f48f commit bce7622
Showing 31 changed files with 574 additions and 4,398 deletions.
197 changes: 113 additions & 84 deletions Cargo.lock


8 changes: 8 additions & 0 deletions Cargo.toml
Expand Up @@ -12,6 +12,7 @@ exclude = [".cargo"]
[workspace.dependencies]
accountable-refcell = "0.2.0"
app_units = "0.7"
async-tungstenite = { version = "0.22", features = ["tokio-rustls-webpki-roots"] }
atomic_refcell = "0.1.6"
arrayvec = "0.7"
backtrace = "0.3"
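Review bot: the `tokio-rustls-webpki-roots` feature on the `async-tungstenite` line suggests, by its name, that the WebSocket client carries its own bundled root store, independent of the trust configuration used for HTTP. The commit message says CA certificates are now passed around as an enum and that overrides live in `CertificateErrorOverrideManager`, so please confirm the WebSocket path is always handed that same TLS configuration and never falls back to the crate's default connector. If an explicit connector is always supplied, a short comment next to this entry saying so would help the next reader.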
Expand All @@ -35,6 +36,7 @@ headers = "0.3"
html5ever = "0.26"
http = "0.2"
hyper = "0.14"
hyper-rustls = { version = "0.24", default-features = false, features = ["webpki-tokio", "http1", "http2", "tls12", "logging", "acceptor"] }
hyper_serde = "0.13"
image = "0.24"
indexmap = { version = "1.0.2", features = ["std"] }
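Review bot: the `hyper-rustls` feature list enables `tls12`, while the commit message describes the cipher suite selection as matching the "Modern" profile. Please state whether TLS 1.2 is meant to remain negotiable, and if it is not, restrict the protocol versions where the client configuration is built instead of relying on the suite list alone. The `acceptor` feature also reads as server-side; if only the test HTTPS server needs it, a comment on this line would make that clear.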
Expand All @@ -57,6 +59,8 @@ quote = "1"
rand = "0.7"
rayon = "1"
regex = "1.1"
rustls = { version = "0.21.5", features = ["dangerous_configuration"] }
rustls-pemfile = "1.0.3"
serde = "1.0.60"
serde_bytes = "0.11"
serde_json = "1.0"
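Review bot: `features = ["dangerous_configuration"]` on the `rustls` line is enabled for the whole workspace with no explanation of why it is required. That feature is what makes it possible to install a custom server certificate verifier, so a comment here pointing at the certificate override handling described in the commit message would document the intent, and it would be worth keeping every use of the unlocked API inside that one module so that verification cannot be weakened elsewhere by accident.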
Expand All @@ -73,11 +77,15 @@ surfman-chains-api = "0.2"
thin-slice = "0.1.0"
time = "0.1.41"
tokio = "1"
tokio-rustls = "0.24"
tungstenite = "0.19"
unicode-bidi = "0.3.4"
unicode-script = "0.5"
url = "2.0"
uuid = { version = "1.3.4", features = ["v4"] }
webdriver = "0.48.0"
webpki-roots = "0.23"
webpki = "0.22"
webrender = { git = "https://github.com/servo/webrender", features = ["capture"] }
webrender_api = { git = "https://github.com/servo/webrender" }
winapi = "0.3"
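Review bot: `webpki-roots = "0.23"` replaces the manually curated CA file with a snapshot compiled into the binary, so root additions and removals now reach users only when this version is bumped. Please note somewhere (a comment here or the update documentation) how this crate will be kept current. Separately, `webpki = "0.22"` is added as a direct dependency next to `rustls`; it would help to say what uses it directly and to check in Cargo.lock that it is the same verifier crate `rustls` resolves to, so the tree does not carry two.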