diff options
| author | Martin Robinson <mrobinson@igalia.com> | 2023-08-08 16:00:10 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-08-08 14:00:10 +0000 |
| commit | bce7622cde4cd10f6b3edf852d97ae9a540a0076 (patch) | |
| tree | e8c09178e875b63e64b32a290840c6ff80d2c4e0 /python/servo/platform | |
| parent | ab0f48f8e8a72542269c9e563fad4fa03273d2f3 (diff) | |
| download | servo-bce7622cde4cd10f6b3edf852d97ae9a540a0076.tar.gz servo-bce7622cde4cd10f6b3edf852d97ae9a540a0076.zip | |
Switch to rustls and webpki-roots (#30025)
This change replaces OpenSSL with rustls and also the manually curated
CA certs file with webpki-roots (effectively the same thing, but as a
crate).
Generally speaking the design of the network stack is the same. Changes:
- Code around certificate overrides needed to be refactored to work with
rustls so the various thread-safe list of certificates is refactored
into `CertificateErrorOverrideManager`
- hyper-rustls takes care of setting ALPN protocols for HTTP requests,
so for WebSockets this is moved to the WebSocket code.
- The safe set of cypher suites is chosen, which seem to correspond to
the "Modern" configuration from [1]. This can be adjusted later.
- Instead of passing a string of PEM CA certificates around, an enum is
used that includes parsed Certificates (or the default which reads
them from webpki-roots).
- Code for starting up an SSL server for testing is cleaned up a little,
due to the fact that the certificates need to be overriden explicitly
now. This is due to the fact that the `webpki` crate is more stringent
with self-signed certificates than SSL (CA certificates cannot used as
end-entity certificates). [2]
1. https://wiki.mozilla.org/Security/Server_Side_TLS
2. https://github.com/briansmith/webpki/issues/114
Fixes #7888.
Fixes #13749.
Fixes #26835.
Fixes #29291.
Diffstat (limited to 'python/servo/platform')
| -rw-r--r-- | python/servo/platform/linux.py | 6 | ||||
| -rw-r--r-- | python/servo/platform/windows.py | 1 |
2 files changed, 2 insertions, 5 deletions
diff --git a/python/servo/platform/linux.py b/python/servo/platform/linux.py index 516b7448686..e49154d8ff2 100644 --- a/python/servo/platform/linux.py +++ b/python/servo/platform/linux.py @@ -19,8 +19,7 @@ from .base import Base # Please keep these in sync with the packages in README.md APT_PKGS = ['git', 'curl', 'autoconf', 'libx11-dev', 'libfreetype6-dev', 'libgl1-mesa-dri', 'libglib2.0-dev', 'xorg-dev', 'gperf', 'g++', - 'build-essential', 'cmake', 'libssl-dev', - 'liblzma-dev', 'libxmu6', 'libxmu-dev', + 'build-essential', 'cmake', 'liblzma-dev', 'libxmu6', 'libxmu-dev', "libxcb-render0-dev", "libxcb-shape0-dev", "libxcb-xfixes0-dev", 'libgles2-mesa-dev', 'libegl1-mesa-dev', 'libdbus-1-dev', 'libharfbuzz-dev', 'ccache', 'clang', 'libunwind-dev', @@ -31,8 +30,7 @@ DNF_PKGS = ['libtool', 'gcc-c++', 'libXi-devel', 'freetype-devel', 'libunwind-devel', 'mesa-libGL-devel', 'mesa-libEGL-devel', 'glib2-devel', 'libX11-devel', 'libXrandr-devel', 'gperf', 'fontconfig-devel', 'cabextract', 'ttmkfdir', 'expat-devel', - 'rpm-build', 'openssl-devel', 'cmake', - 'libXcursor-devel', 'libXmu-devel', + 'rpm-build', 'cmake', 'libXcursor-devel', 'libXmu-devel', 'dbus-devel', 'ncurses-devel', 'harfbuzz-devel', 'ccache', 'clang', 'clang-libs', 'llvm', 'autoconf213', 'python3-devel', 'gstreamer1-devel', 'gstreamer1-plugins-base-devel', diff --git a/python/servo/platform/windows.py b/python/servo/platform/windows.py index ddd283db72d..02d013bafc6 100644 --- a/python/servo/platform/windows.py +++ b/python/servo/platform/windows.py @@ -21,7 +21,6 @@ DEPS_URL = "https://github.com/servo/servo-build-deps/releases/download/msvc-dep DEPENDENCIES = { "llvm": "15.0.5", "moztools": "3.2", - "openssl": "111.3.0+1.1.1c-vs2017-2019-09-18", } URL_BASE = "https://gstreamer.freedesktop.org/data/pkg/windows/1.16.0/" |