Hyper sync rustls 0.6.1

components/net/Cargo.toml

@@ -30,6 +30,7 @@ net_traits = {path = "../net_traits"}
 openssl = "0.9"
 parse-hosts = "0.4.0"
 profile_traits = {path = "../profile_traits"}
+rustls = "0.9.0"
 serde = "1.0"
 serde_json = "1.0"
 servo_config = {path = "../config"}
@@ -41,6 +42,7 @@ unicase = "1.4.0"
 url = {version = "1.2", features = ["heap_size"]}
 uuid = {version = "0.5", features = ["v4"]}
 webrender_api = {git = "https://github.com/servo/webrender", features = ["ipc"]}
+hyper-sync-rustls = {git = "https://github.com/SergioBenitez/hyper-sync-rustls.git"}
 
 [target.'cfg(any(target_os = "macos", target_os = "linux", target_os = "windows"))'.dependencies]
 tinyfiledialogs = "2.5.9"

components/net/connector.rs

@@ -6,27 +6,27 @@ use hosts::replace_host;
 use hyper::client::Pool;
 use hyper::error::{Result as HyperResult, Error as HyperError};
 use hyper::net::{NetworkConnector, HttpsStream, HttpStream, SslClient};
-use hyper_openssl::OpensslClient;
-use openssl::ssl::{SSL_OP_NO_COMPRESSION, SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3};
-use openssl::ssl::{SslConnectorBuilder, SslMethod};
-use std::io;
+use hyper_sync_rustls::TlsClient;
+use rustls;
+use std::{io, fs};
 use std::net::TcpStream;
 use std::path::PathBuf;
+use std::sync::Arc;
 
 pub struct HttpsConnector {
-    ssl: OpensslClient,
+    ssl: TlsClient,
 }
 
 impl HttpsConnector {
-    fn new(ssl: OpensslClient) -> HttpsConnector {
+    fn new(ssl: TlsClient) -> HttpsConnector {
         HttpsConnector {
             ssl: ssl,
         }
     }
 }
 
 impl NetworkConnector for HttpsConnector {
-    type Stream = HttpsStream<<OpensslClient as SslClient>::Stream>;
+    type Stream = HttpsStream<<TlsClient as SslClient>::Stream>;
 
     fn connect(&self, host: &str, port: u16, scheme: &str) -> HyperResult<Self::Stream> {
         if scheme != "http" && scheme != "https" {
@@ -50,35 +50,17 @@ impl NetworkConnector for HttpsConnector {
 
 pub type Connector = HttpsConnector;
 
-pub fn create_ssl_client(ca_file: &PathBuf) -> OpensslClient {
-    let mut ssl_connector_builder = SslConnectorBuilder::new(SslMethod::tls()).unwrap();
-    {
-        let context = ssl_connector_builder.builder_mut();
-        context.set_ca_file(ca_file).expect("could not set CA file");
-        context.set_cipher_list(DEFAULT_CIPHERS).expect("could not set ciphers");
-        context.set_options(SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3 | SSL_OP_NO_COMPRESSION);
-    }
-    let ssl_connector = ssl_connector_builder.build();
-    OpensslClient::from(ssl_connector)
+pub fn create_ssl_client(ca_file: &PathBuf) -> TlsClient {
+    let mut ca = {
+        let f = fs::File::open(ca_file).expect("cannot open CA file");
+        io::BufReader::new(f)
+    };
+    let mut tls = rustls::ClientConfig::new();
+    tls.root_store.add_pem_file(&mut ca).unwrap();
+    TlsClient { cfg: Arc::new(tls) }
 }
 
-pub fn create_http_connector(ssl_client: OpensslClient) -> Pool<Connector> {
+pub fn create_http_connector(ssl_client: TlsClient ) -> Pool<Connector> {
     let https_connector = HttpsConnector::new(ssl_client);
     Pool::with_connector(Default::default(), https_connector)
 }
-
-// The basic logic here is to prefer ciphers with ECDSA certificates, Forward
-// Secrecy, AES GCM ciphers, AES ciphers, and finally 3DES ciphers.
-// A complete discussion of the issues involved in TLS configuration can be found here:
-// https://wiki.mozilla.org/Security/Server_Side_TLS
-const DEFAULT_CIPHERS: &'static str = concat!(
-    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:",
-    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:",
-    "DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:",
-    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:",
-    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:",
-    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:",
-    "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:",
-    "ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:",
-    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
-);

components/net/http_loader.rs

@@ -27,8 +27,8 @@ use hyper::header::{Pragma, Quality, QualityItem, Referer, SetCookie};
 use hyper::header::{UserAgent, q, qitem};
 use hyper::method::Method;
 use hyper::status::StatusCode;
-use hyper_openssl::OpensslClient;
 use hyper_serde::Serde;
+use hyper_sync_rustls::TlsClient;
 use log;
 use msg::constellation_msg::PipelineId;
 use net_traits::{CookieSource, FetchMetadata, NetworkError, ReferrerPolicy};
@@ -69,12 +69,12 @@ pub struct HttpState {
     pub hsts_list: RwLock<HstsList>,
     pub cookie_jar: RwLock<CookieStorage>,
     pub auth_cache: RwLock<AuthCache>,
-    pub ssl_client: OpensslClient,
+    pub ssl_client: TlsClient,
     pub connector: Pool<Connector>,
 }
 
 impl HttpState {
-    pub fn new(ssl_client: OpensslClient) -> HttpState {
+    pub fn new(ssl_client: TlsClient) -> HttpState {
         HttpState {
             hsts_list: RwLock::new(HstsList::new()),
             cookie_jar: RwLock::new(CookieStorage::new(150)),

components/net/lib.rs

@@ -12,8 +12,8 @@ extern crate cookie as cookie_rs;
 extern crate devtools_traits;
 extern crate flate2;
 extern crate hyper;
-extern crate hyper_openssl;
 extern crate hyper_serde;
+extern crate hyper_sync_rustls;
 extern crate immeta;
 extern crate ipc_channel;
 #[macro_use]
@@ -28,6 +28,7 @@ extern crate net_traits;
 extern crate openssl;
 extern crate parse_hosts;
 extern crate profile_traits;
+extern crate rustls;
 #[macro_use] extern crate serde;
 extern crate serde_json;
 extern crate servo_config;

servo-tidy.toml

@@ -36,6 +36,8 @@ packages = [
   "error-chain",
   "bitflags",
   "libloading", # Conflicting version is only used at build-time by geckolib.
+  "base64", # Conflicting version is used for ring
+  "rayon", # Conflicting version is used for rustls
 ]
 # Files that are ignored for all tidy and lint checks.
 files = [