min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add a mozilla modern profile

This commit is contained in:
Steven Fackler 2016-10-30 14:57:22 -07:00
parent 7d13176cd1
commit 52f288e090
2 changed files with 66 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
openssl/src/ssl/connector.rs
View File

@ -101,8 +101,8 @@ pub struct ServerConnectorBuilder(SslContextBuilder);
impl ServerConnectorBuilder {
/// Creates a new builder for server-side TLS connections.
///
/// The default configuration is based off of the intermediate profile of Mozilla's server side
/// TLS configuration recommendations, and is subject to change.
/// The configuration is based off of the intermediate profile of Mozilla's server side
/// TLS configuration recommendations.
pub fn mozilla_intermediate<I>(method: SslMethod,
private_key: &PKeyRef,
certificate: &X509Ref,
@ -128,6 +128,37 @@ impl ServerConnectorBuilder {
DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\
EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:\
AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"));
ServerConnectorBuilder::finish_setup(ctx, private_key, certificate, chain)
}
pub fn mozilla_modern<I>(method: SslMethod,
private_key: &PKeyRef,
certificate: &X509Ref,
chain: I)
-> Result<ServerConnectorBuilder, ErrorStack>
where I: IntoIterator,
I::Item: AsRef<X509Ref>
{
let mut ctx = try!(ctx(method));
ctx.set_options(ssl::SSL_OP_SINGLE_ECDH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE);
try!(setup_curves(&mut ctx));
try!(ctx.set_cipher_list(
"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:\
ECDHE-RSA-AES128-SHA256"));
ServerConnectorBuilder::finish_setup(ctx, private_key, certificate, chain)
}
fn finish_setup<I>(mut ctx: SslContextBuilder,
private_key: &PKeyRef,
certificate: &X509Ref,
chain: I)
-> Result<ServerConnectorBuilder, ErrorStack>
where I: IntoIterator,
I::Item: AsRef<X509Ref>
{
try!(ctx.set_private_key(private_key));
try!(ctx.set_certificate(certificate));
try!(ctx.check_private_key());

34
openssl/src/ssl/tests/mod.rs
View File

@ -1105,7 +1105,7 @@ fn connector_invalid_hostname() {
}
#[test]
fn connector_client_server() {
fn connector_client_server_mozilla_intermediate() {
let listener = TcpListener::bind("127.0.0.1:0").unwrap();
let port = listener.local_addr().unwrap().port();
@ -1136,6 +1136,38 @@ fn connector_client_server() {
t.join().unwrap();
}
#[test]
fn connector_client_server_mozilla_modern() {
let listener = TcpListener::bind("127.0.0.1:0").unwrap();
let port = listener.local_addr().unwrap().port();
let t = thread::spawn(move || {
let key = PKey::private_key_from_pem(KEY).unwrap();
let cert = X509::from_pem(CERT).unwrap();
let connector = ServerConnectorBuilder::mozilla_modern(
SslMethod::tls(), &key, &cert, None::<X509>)
.unwrap()
.build();
let stream = listener.accept().unwrap().0;
let mut stream = connector.connect(stream).unwrap();
stream.write_all(b"hello").unwrap();
});
let mut connector = ClientConnectorBuilder::new(SslMethod::tls()).unwrap();
connector.context_mut().set_CA_file("test/root-ca.pem").unwrap();
let connector = connector.build();
let stream = TcpStream::connect(("127.0.0.1", port)).unwrap();
let mut stream = connector.connect("foobar.com", stream).unwrap();
let mut buf = [0; 5];
stream.read_exact(&mut buf).unwrap();
assert_eq!(b"hello", &buf);
t.join().unwrap();
}
#[test]
fn shutdown() {
let listener = TcpListener::bind("127.0.0.1:0").unwrap();