diff options
| author | Martin Robinson <mrobinson@igalia.com> | 2023-08-08 16:00:10 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-08-08 14:00:10 +0000 |
| commit | bce7622cde4cd10f6b3edf852d97ae9a540a0076 (patch) | |
| tree | e8c09178e875b63e64b32a290840c6ff80d2c4e0 /python/servo/command_base.py | |
| parent | ab0f48f8e8a72542269c9e563fad4fa03273d2f3 (diff) | |
| download | servo-bce7622cde4cd10f6b3edf852d97ae9a540a0076.tar.gz servo-bce7622cde4cd10f6b3edf852d97ae9a540a0076.zip | |
Switch to rustls and webpki-roots (#30025)
This change replaces OpenSSL with rustls and also the manually curated
CA certs file with webpki-roots (effectively the same thing, but as a
crate).
Generally speaking the design of the network stack is the same. Changes:
- Code around certificate overrides needed to be refactored to work with
rustls so the various thread-safe list of certificates is refactored
into `CertificateErrorOverrideManager`
- hyper-rustls takes care of setting ALPN protocols for HTTP requests,
so for WebSockets this is moved to the WebSocket code.
- The safe set of cypher suites is chosen, which seem to correspond to
the "Modern" configuration from [1]. This can be adjusted later.
- Instead of passing a string of PEM CA certificates around, an enum is
used that includes parsed Certificates (or the default which reads
them from webpki-roots).
- Code for starting up an SSL server for testing is cleaned up a little,
due to the fact that the certificates need to be overriden explicitly
now. This is due to the fact that the `webpki` crate is more stringent
with self-signed certificates than SSL (CA certificates cannot used as
end-entity certificates). [2]
1. https://wiki.mozilla.org/Security/Server_Side_TLS
2. https://github.com/briansmith/webpki/issues/114
Fixes #7888.
Fixes #13749.
Fixes #26835.
Fixes #29291.
Diffstat (limited to 'python/servo/command_base.py')
| -rw-r--r-- | python/servo/command_base.py | 21 |
1 files changed, 0 insertions, 21 deletions
diff --git a/python/servo/command_base.py b/python/servo/command_base.py index 43d2e97d89c..8542abe55b7 100644 --- a/python/servo/command_base.py +++ b/python/servo/command_base.py @@ -500,19 +500,6 @@ class CommandBase(object): env.setdefault("CC", "clang-cl.exe") env.setdefault("CXX", "clang-cl.exe") - arch = effective_target.split('-')[0] - vcpkg_arch = { - "x86_64": "x64-windows", - "i686": "x86-windows", - "aarch64": "arm64-windows", - } - target_arch = vcpkg_arch[arch] - openssl_base_dir = path.join(self.msvc_package_dir("openssl"), target_arch) - - # Link openssl - env["OPENSSL_INCLUDE_DIR"] = path.join(openssl_base_dir, "include") - env["OPENSSL_LIB_DIR"] = path.join(openssl_base_dir, "lib") - env["OPENSSL_LIBS"] = "libssl:libcrypto" # Link moztools, used for building SpiderMonkey moztools_paths = [ path.join(self.msvc_package_dir("moztools"), "bin"), @@ -625,9 +612,6 @@ class CommandBase(object): android_lib = self.config["android"]["lib"] android_arch = self.config["android"]["arch"] - # Build OpenSSL for android - env["OPENSSL_VERSION"] = "1.1.1d" - # Check if the NDK version is 15 if not os.path.isfile(path.join(env["ANDROID_NDK"], 'source.properties')): print("ANDROID_NDK should have file `source.properties`.") @@ -639,11 +623,6 @@ class CommandBase(object): print("Currently only support NDK 15. Please re-run `./mach bootstrap-android`.") sys.exit(1) - openssl_dir = path.join( - self.target_path, "native", "openssl", "openssl-{}".format(env["OPENSSL_VERSION"])) - env['OPENSSL_LIB_DIR'] = openssl_dir - env['OPENSSL_INCLUDE_DIR'] = path.join(openssl_dir, "include") - env['OPENSSL_STATIC'] = 'TRUE' # Android builds also require having the gcc bits on the PATH and various INCLUDE # path munging if you do not want to install a standalone NDK. See: # https://dxr.mozilla.org/mozilla-central/source/build/autoconf/android.m4#139-161 |