
Bump openssl to 0.10.55 #9488

Merged
merged 1 commit into from Jun 21, 2023

Conversation

nibon7 (Contributor) commented Jun 21, 2023

Description

cargo audit reported a vulnerability found in the openssl crate.

Crate:     openssl
Version:   0.10.52
Title:     `openssl` `X509VerifyParamRef::set_host` buffer over-read
Date:      2023-06-20
ID:        RUSTSEC-2023-0044
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0044
Solution:  Upgrade to >=0.10.55
Dependency tree:
openssl 0.10.52
├── nu 0.81.1
└── native-tls 0.2.11
    ├── ureq 2.6.2
    │   └── nu-command 0.81.1
    │       ├── nu-cli 0.81.1
    │       │   └── nu 0.81.1
    │       └── nu 0.81.1
    └── nu-command 0.81.1


sholderbach (Member) commented Jun 21, 2023

Thank you for the quick patch and cargo auditing our codebase.

Should we force the version to be at least ^0.10.55 by also specifying 0.10.55 in the Cargo.toml even though we do not directly depend on it? Currently we only specify 0.10 in case you choose to vendor the C side of openssl.

From an impact assessment point of view, I am not sure to which extent we are affected by this. Sadly the disclosure only describes the direct function. But from reading the reporting issue sfackler/rust-openssl#1965 it seems to set up a separate domain with the empty string for creating the failing TLS cert validation. We only set up the native_tls::TlsConnector and hand it over to ureq. So any exposure would be from how things might get handled there.
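The Cargo.toml question above comes down to caret semantics. This is an added illustration, not nushell's actual manifest: it shows the requirement the comment says is currently declared next to the one that would force the patched release.

```toml
# Added example (not the project's own Cargo.toml). Cargo reads a bare version
# string as a caret requirement, so the two lines below resolve very differently.

[dependencies]
# Before: "0.10" is ^0.10, i.e. >=0.10.0, <0.11.0. A lockfile already resolved
# to 0.10.52 satisfies it, so nothing forces the RUSTSEC-2023-0044 fix.
# openssl = "0.10"

# After: "0.10.55" is ^0.10.55, i.e. >=0.10.55, <0.11.0. Cargo unifies every
# 0.10.x requirement in the graph to one version, so this floor also governs
# the copy reached transitively through native-tls and ureq, and a later
# `cargo update -p openssl` cannot resolve back to 0.10.52.
openssl = "0.10.55"
```

After changing the requirement, `cargo tree -i openssl` shows which version the whole graph now resolves to and which crates pull it in.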

@sholderbach sholderbach merged commit 88fdf45 into nushell:main Jun 21, 2023
20 checks passed