authorMartin Robinson <mrobinson@igalia.com>2023-08-08 16:00:10 +0200
committerGitHub <noreply@github.com>2023-08-08 14:00:10 +0000
commitbce7622cde4cd10f6b3edf852d97ae9a540a0076 (patch)
treee8c09178e875b63e64b32a290840c6ff80d2c4e0 /python/servo/build_commands.py
parentab0f48f8e8a72542269c9e563fad4fa03273d2f3 (diff)
Switch to rustls and webpki-roots (#30025)
This change replaces OpenSSL with rustls and also the manually curated CA certs file with webpki-roots (effectively the same thing, but as a crate). Generally speaking the design of the network stack is the same.

Changes:
- Code around certificate overrides needed to be refactored to work with rustls, so the various thread-safe lists of certificates are refactored into `CertificateErrorOverrideManager`.
- hyper-rustls takes care of setting ALPN protocols for HTTP requests, so for WebSockets this is moved to the WebSocket code.
- The safe set of cipher suites is chosen, which seems to correspond to the "Modern" configuration from [1]. This can be adjusted later.
- Instead of passing a string of PEM CA certificates around, an enum is used that includes parsed Certificates (or the default which reads them from webpki-roots).
- Code for starting up an SSL server for testing is cleaned up a little, due to the fact that the certificates need to be overridden explicitly now. This is due to the fact that the `webpki` crate is more stringent with self-signed certificates than SSL (CA certificates cannot be used as end-entity certificates). [2]

1. https://wiki.mozilla.org/Security/Server_Side_TLS
2. https://github.com/briansmith/webpki/issues/114

Fixes #7888. Fixes #13749. Fixes #26835. Fixes #29291.
Diffstat (limited to 'python/servo/build_commands.py')
-rw-r--r--python/servo/build_commands.py17
1 files changed, 1 insertions, 16 deletions
diff --git a/python/servo/build_commands.py b/python/servo/build_commands.py
index 4497e16e849..212b17f5c9d 100644
--- a/python/servo/build_commands.py
+++ b/python/servo/build_commands.py
@@ -188,15 +188,10 @@ class MachCommands(CommandBase):
)
assert os.path.exists(servo_exe_dir)
- # on msvc, we need to copy in some DLLs in to the servo.exe dir and the directory for unit tests.
- for ssl_lib in ["libssl.dll", "libcrypto.dll"]:
- ssl_path = path.join(env['OPENSSL_LIB_DIR'], "../bin", ssl_lib)
- shutil.copy(ssl_path, servo_exe_dir)
- shutil.copy(ssl_path, path.join(servo_exe_dir, "deps"))
-
build_path = path.join(servo_exe_dir, "build")
assert os.path.exists(build_path)
+ # on msvc, we need to copy in some DLLs in to the servo.exe dir and the directory for unit tests.
def package_generated_shared_libraries(libs, build_path, servo_exe_dir):
for root, dirs, files in os.walk(build_path):
remaining_libs = list(libs)
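Review bot: The comment re-added directly above `package_generated_shared_libraries` was written for the removed OpenSSL copy loop, and in its new position it no longer says which DLLs are copied or where they come from. Since this step decides which binaries end up beside `servo.exe`, I would reword it to describe the helper, for example `# On MSVC, copy the shared libraries found under build_path next to servo.exe.`, or turn it into a docstring on the function. The helper's body continues past the end of this hunk, so the wording should be checked against what it actually copies (the removed loop also copied into `deps`, and the old comment's mention of unit tests may no longer apply).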
@@ -265,16 +260,6 @@ class MachCommands(CommandBase):
if not self.is_android_build:
return
- openssl_dir = os.path.join(self.target_path, "native", "openssl")
- if not os.path.exists(openssl_dir):
- os.makedirs(openssl_dir)
- shutil.copy(os.path.join(self.android_support_dir(), "openssl.makefile"), openssl_dir)
- shutil.copy(os.path.join(self.android_support_dir(), "openssl.sh"), openssl_dir)
-
- status = call(["make", "-f", "openssl.makefile"], env=env, cwd=openssl_dir)
- if status:
- return status
-
# Build the name of the package containing all GStreamer dependencies
# according to the build target.
android_lib = self.config["android"]["lib"]