feat(ssl): enable hostname verification by default for OpenSSL
Additionally disables SSLv2 and SSLv3, as those are universally considered unsafe. Closes #472
@@ -32,6 +32,10 @@ default-features = false
|
|||||||
version = "0.7"
|
version = "0.7"
|
||||||
optional = true
|
optional = true
|
||||||
|
|
||||||
|
[dependencies.openssl-verify]
|
||||||
|
version = "0.1"
|
||||||
|
optional = true
|
||||||
|
|
||||||
[dependencies.security-framework]
|
[dependencies.security-framework]
|
||||||
version = "0.1.4"
|
version = "0.1.4"
|
||||||
optional = true
|
optional = true
|
||||||
@@ -49,6 +53,6 @@ env_logger = "0.3"
|
|||||||
|
|
||||||
[features]
|
[features]
|
||||||
default = ["ssl"]
|
default = ["ssl"]
|
||||||
ssl = ["openssl", "cookie/secure"]
|
ssl = ["openssl", "openssl-verify", "cookie/secure"]
|
||||||
serde-serialization = ["serde", "mime/serde"]
|
serde-serialization = ["serde", "mime/serde"]
|
||||||
nightly = []
|
nightly = []
|
||||||
|
|||||||
@@ -133,6 +133,8 @@ extern crate time;
|
|||||||
#[macro_use] extern crate url;
|
#[macro_use] extern crate url;
|
||||||
#[cfg(feature = "openssl")]
|
#[cfg(feature = "openssl")]
|
||||||
extern crate openssl;
|
extern crate openssl;
|
||||||
|
#[cfg(feature = "openssl-verify")]
|
||||||
|
extern crate openssl_verify;
|
||||||
#[cfg(feature = "security-framework")]
|
#[cfg(feature = "security-framework")]
|
||||||
extern crate security_framework;
|
extern crate security_framework;
|
||||||
#[cfg(feature = "serde-serialization")]
|
#[cfg(feature = "serde-serialization")]
|
||||||
|
|||||||
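Review bot: The `extern crate openssl_verify;` line is gated on `feature = "openssl-verify"`, but the call to `::openssl_verify::verify_callback` in `src/net.rs` sits inside `mod openssl`, whose own cfg gate is outside these hunks and presumably keys on `openssl` alone. If so, building with only the `openssl` feature (without `ssl`) leaves that path unresolved and the build fails; this fails closed, but the coupling between the two features is undocumented. Either gate the module on both features, `#[cfg(all(feature = "openssl", feature = "openssl-verify"))]`, or add a comment here such as `// required by net::openssl for hostname verification; enable together with "openssl"`.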
15
src/net.rs
15
src/net.rs
@@ -619,7 +619,7 @@ mod openssl {
|
|||||||
use std::sync::Arc;
|
use std::sync::Arc;
|
||||||
use std::time::Duration;
|
use std::time::Duration;
|
||||||
|
|
||||||
use openssl::ssl::{Ssl, SslContext, SslStream, SslMethod, SSL_VERIFY_NONE};
|
use openssl::ssl::{Ssl, SslContext, SslStream, SslMethod, SSL_VERIFY_NONE, SSL_VERIFY_PEER, SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3};
|
||||||
use openssl::ssl::error::StreamError as SslIoError;
|
use openssl::ssl::error::StreamError as SslIoError;
|
||||||
use openssl::ssl::error::SslError;
|
use openssl::ssl::error::SslError;
|
||||||
use openssl::x509::X509FileType;
|
use openssl::x509::X509FileType;
|
||||||
@@ -651,11 +651,10 @@ mod openssl {
|
|||||||
|
|
||||||
impl Default for OpensslClient {
|
impl Default for OpensslClient {
|
||||||
fn default() -> OpensslClient {
|
fn default() -> OpensslClient {
|
||||||
OpensslClient(SslContext::new(SslMethod::Sslv23).unwrap_or_else(|e| {
|
let mut ctx = SslContext::new(SslMethod::Sslv23).unwrap();
|
||||||
// if we cannot create a SslContext, that's because of a
|
ctx.set_default_verify_paths().unwrap();
|
||||||
// serious problem. just crash.
|
ctx.set_options(SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3);
|
||||||
panic!("{}", e)
|
OpensslClient(ctx)
|
||||||
}))
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -664,8 +663,10 @@ mod openssl {
|
|||||||
type Stream = SslStream<T>;
|
type Stream = SslStream<T>;
|
||||||
|
|
||||||
fn wrap_client(&self, stream: T, host: &str) -> ::Result<Self::Stream> {
|
fn wrap_client(&self, stream: T, host: &str) -> ::Result<Self::Stream> {
|
||||||
let ssl = try!(Ssl::new(&self.0));
|
let mut ssl = try!(Ssl::new(&self.0));
|
||||||
try!(ssl.set_hostname(host));
|
try!(ssl.set_hostname(host));
|
||||||
|
let host = host.to_owned();
|
||||||
|
ssl.set_verify_callback(SSL_VERIFY_PEER, move |p, x| ::openssl_verify::verify_callback(&host, p, x));
|
||||||
SslStream::connect(ssl, stream).map_err(From::from)
|
SslStream::connect(ssl, stream).map_err(From::from)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
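Review bot: `wrap_client` now forces `SSL_VERIFY_PEER` and the hostname callback on every connection, but the trust roots (`set_default_verify_paths`) and the `SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3` options are applied only to the context built in `Default::default()`. If the module offers another way to build an `OpensslClient` from a caller-supplied `SslContext` (not visible in these hunks), that client could still negotiate SSLv3, and its handshakes would likely all fail verification when the context has no CA store loaded. I would document the split on `wrap_client`, e.g. `/// Always verifies the peer certificate and hostname; trust roots and protocol options come from the wrapped SslContext.` Separately, the two bare `.unwrap()` calls in `default()` lose the explanation the removed comment gave; `.expect("failed to create default SslContext")` would keep the panic self-describing.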