authorbors-servo <lbergstrom+bors@mozilla.com>2017-04-02 09:12:44 -0500
committerGitHub <noreply@github.com>2017-04-02 09:12:44 -0500
commit2df6e26fd726cded0e4f91ebd92e47669ffcc940 (patch)
treed104a25fed8e2b670dbed91fb4604a8aaa94911b
parentdc3765e231441b006f17c9aa4588e7f166bba45e (diff)
parent20e0b6cd56293fee0139fe5889f14905c225d1ad (diff)
Auto merge of #16230 - nox:ssl, r=jdm
Introduce create_ssl_client <!-- Reviewable:start --> This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/16230) <!-- Reviewable:end -->
-rw-r--r--components/net/connector.rs46
-rw-r--r--components/net/http_loader.rs5
-rw-r--r--components/net/resource_thread.rs13
3 files changed, 36 insertions, 28 deletions
diff --git a/components/net/connector.rs b/components/net/connector.rs
index 4d9ddcdab11..3f0dc0e12a9 100644
--- a/components/net/connector.rs
+++ b/components/net/connector.rs
@@ -2,33 +2,17 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-use hyper;
use hyper::client::Pool;
-use hyper_openssl;
+use hyper::net::HttpsConnector;
+use hyper_openssl::OpensslClient;
use openssl::ssl::{SSL_OP_NO_COMPRESSION, SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3};
use openssl::ssl::{SslConnectorBuilder, SslMethod};
use servo_config::resource_files::resources_dir_path;
use std::sync::Arc;
-pub type Connector = hyper::net::HttpsConnector<hyper_openssl::OpensslClient>;
+pub type Connector = HttpsConnector<OpensslClient>;
-// The basic logic here is to prefer ciphers with ECDSA certificates, Forward
-// Secrecy, AES GCM ciphers, AES ciphers, and finally 3DES ciphers.
-// A complete discussion of the issues involved in TLS configuration can be found here:
-// https://wiki.mozilla.org/Security/Server_Side_TLS
-const DEFAULT_CIPHERS: &'static str = concat!(
- "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:",
- "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:",
- "DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:",
- "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:",
- "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:",
- "ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:",
- "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:",
- "ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:",
- "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
-);
-
-pub fn create_http_connector(certificate_file: &str) -> Arc<Pool<Connector>> {
+pub fn create_ssl_client(certificate_file: &str) -> OpensslClient {
let ca_file = &resources_dir_path()
.expect("Need certificate file to make network requests")
.join(certificate_file);
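Review bot: `create_ssl_client` becomes a public entry point (L55) with no doc comment, and it still aborts through `expect` when the resources directory cannot be resolved (L57), a failure mode every new caller in this patch now inherits silently. I'd put `/// Builds the shared TLS client from the CA bundle at resources/<certificate_file>; panics if the resources directory cannot be located, since no network request is possible without it.` above the signature so callers know the function can take the process down. The function body continues past the end of this hunk, so the CA-loading and cipher-setting lines it documents are not visible here.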
@@ -41,8 +25,26 @@ pub fn create_http_connector(certificate_file: &str) -> Arc<Pool<Connector>> {
context.set_options(SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3 | SSL_OP_NO_COMPRESSION);
}
let ssl_connector = ssl_connector_builder.build();
- let ssl_client = hyper_openssl::OpensslClient::from(ssl_connector);
- let https_connector = hyper::net::HttpsConnector::new(ssl_client);
+ OpensslClient::from(ssl_connector)
+}
+pub fn create_http_connector(ssl_client: OpensslClient) -> Arc<Pool<Connector>> {
+ let https_connector = HttpsConnector::new(ssl_client);
Arc::new(Pool::with_connector(Default::default(), https_connector))
}
+
+// The basic logic here is to prefer ciphers with ECDSA certificates, Forward
+// Secrecy, AES GCM ciphers, AES ciphers, and finally 3DES ciphers.
+// A complete discussion of the issues involved in TLS configuration can be found here:
+// https://wiki.mozilla.org/Security/Server_Side_TLS
+const DEFAULT_CIPHERS: &'static str = concat!(
+ "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:",
+ "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:",
+ "DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:",
+ "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:",
+ "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:",
+ "ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:",
+ "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:",
+ "ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:",
+ "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
+);
diff --git a/components/net/http_loader.rs b/components/net/http_loader.rs
index 3d61d741efc..f99e4306137 100644
--- a/components/net/http_loader.rs
+++ b/components/net/http_loader.rs
@@ -3,7 +3,7 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
use brotli::Decompressor;
-use connector::{Connector, create_http_connector};
+use connector::{Connector, create_http_connector, create_ssl_client};
use cookie;
use cookie_storage::CookieStorage;
use devtools_traits::{ChromeToDevtoolsControlMsg, DevtoolsControlMsg, HttpRequest as DevtoolsHttpRequest};
@@ -75,11 +75,12 @@ pub struct HttpState {
impl HttpState {
pub fn new(certificate_path: &str) -> HttpState {
+ let ssl_client = create_ssl_client(certificate_path);
HttpState {
hsts_list: Arc::new(RwLock::new(HstsList::new())),
cookie_jar: Arc::new(RwLock::new(CookieStorage::new(150))),
auth_cache: Arc::new(RwLock::new(AuthCache::new())),
- connector_pool: create_http_connector(certificate_path),
+ connector_pool: create_http_connector(ssl_client),
}
}
}
diff --git a/components/net/resource_thread.rs b/components/net/resource_thread.rs
index 46f3c9d53a2..acf1d1e80da 100644
--- a/components/net/resource_thread.rs
+++ b/components/net/resource_thread.rs
@@ -3,7 +3,7 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
//! A thread that takes a URL and streams back the binary data.
-use connector::{Connector, create_http_connector};
+use connector::{Connector, create_http_connector, create_ssl_client};
use cookie;
use cookie_rs;
use cookie_storage::CookieStorage;
@@ -13,6 +13,7 @@ use filemanager_thread::{FileManager, TFDProvider};
use hsts::HstsList;
use http_loader::HttpState;
use hyper::client::pool::Pool;
+use hyper_openssl::OpensslClient;
use hyper_serde::Serde;
use ipc_channel::ipc::{self, IpcReceiver, IpcReceiverSet, IpcSender};
use net_traits::{CookieSource, CoreResourceThread};
@@ -46,6 +47,7 @@ pub struct ResourceGroup {
cookie_jar: Arc<RwLock<CookieStorage>>,
auth_cache: Arc<RwLock<AuthCache>>,
hsts_list: Arc<RwLock<HstsList>>,
+ ssl_client: OpensslClient,
connector: Arc<Pool<Connector>>,
}
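Review bot: The new `ssl_client` field (L136) has no comment explaining why a `ResourceGroup` keeps a TLS client beside an already-built connector pool; from the rest of the patch it exists so that `CoreResourceManager` can build a fresh pool per fetch from one shared context until the `group.connector.clone()` FIXME is resolved. I'd add `/// Shared TLS client configuration; kept so that per-fetch connector pools (see FIXME #15694) reuse one SSL context instead of re-reading the CA bundle.` above the field. The struct definition begins before this hunk.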
@@ -104,17 +106,20 @@ fn create_resource_groups(config_dir: Option<&Path>)
read_json_from_file(&mut hsts_list, config_dir, "hsts_list.json");
read_json_from_file(&mut cookie_jar, config_dir, "cookie_jar.json");
}
+ let ssl_client = create_ssl_client("certs");
let resource_group = ResourceGroup {
cookie_jar: Arc::new(RwLock::new(cookie_jar)),
auth_cache: Arc::new(RwLock::new(auth_cache)),
hsts_list: Arc::new(RwLock::new(hsts_list.clone())),
- connector: create_http_connector("certs"),
+ ssl_client: ssl_client.clone(),
+ connector: create_http_connector(ssl_client.clone()),
};
let private_resource_group = ResourceGroup {
cookie_jar: Arc::new(RwLock::new(CookieStorage::new(150))),
auth_cache: Arc::new(RwLock::new(AuthCache::new())),
hsts_list: Arc::new(RwLock::new(HstsList::new())),
- connector: create_http_connector("certs"),
+ ssl_client: ssl_client.clone(),
+ connector: create_http_connector(ssl_client),
};
(resource_group, private_resource_group)
}
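Review bot: The regular and private `ResourceGroup`s now share a single `OpensslClient` (L143, L149, L157), so any mutable state inside that SSL context is shared across the two browsing modes, whereas cookies, auth cache and HSTS are deliberately kept separate. For static configuration (CA bundle, cipher list, protocol options) that is fine, but if the underlying context enables a client-side session cache, TLS session resumption could let a server correlate private-mode connections with regular ones; worth confirming the cache mode before relying on the shared instance, or else giving the private group its own `create_ssl_client("certs")`. The `"certs"` file name is also hard-coded here while `HttpState::new` takes the path as a parameter; a shared `const` would keep the two callers in step.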
@@ -327,7 +332,7 @@ impl CoreResourceManager {
cookie_jar: group.cookie_jar.clone(),
auth_cache: group.auth_cache.clone(),
// FIXME(#15694): use group.connector.clone() instead.
- connector_pool: create_http_connector("certs"),
+ connector_pool: create_http_connector(group.ssl_client.clone()),
};
let ua = self.user_agent.clone();
let dc = self.devtools_chan.clone();