1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5 use hosts::replace_host;
6 use hyper::client::Pool;
7 use hyper::error::{Result as HyperResult, Error as HyperError};
8 use hyper::net::{NetworkConnector, HttpsStream, HttpStream, SslClient};
9 use hyper_openssl::OpensslClient;
10 use openssl::ssl::{SSL_OP_NO_COMPRESSION, SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3};
11 use openssl::ssl::{SslConnectorBuilder, SslMethod};
12 use std::io;
13 use std::net::TcpStream;
14 use std::path::PathBuf;
15
16 pub struct HttpsConnector {
17 ssl: OpensslClient,
18 }
19
20 impl HttpsConnector {
new(ssl: OpensslClient) -> HttpsConnector21 fn new(ssl: OpensslClient) -> HttpsConnector {
22 HttpsConnector {
23 ssl: ssl,
24 }
25 }
26 }
27
28 impl NetworkConnector for HttpsConnector {
29 type Stream = HttpsStream<<OpensslClient as SslClient>::Stream>;
30
connect(&self, host: &str, port: u16, scheme: &str) -> HyperResult<Self::Stream>31 fn connect(&self, host: &str, port: u16, scheme: &str) -> HyperResult<Self::Stream> {
32 if scheme != "http" && scheme != "https" {
33 return Err(HyperError::Io(io::Error::new(io::ErrorKind::InvalidInput,
34 "Invalid scheme for Http")));
35 }
36
37 // Perform host replacement when making the actual TCP connection.
38 let addr = &(&*replace_host(host), port);
39 let stream = HttpStream(TcpStream::connect(addr)?);
40
41 if scheme == "http" {
42 Ok(HttpsStream::Http(stream))
43 } else {
44 // Do not perform host replacement on the host that is used
45 // for verifying any SSL certificate encountered.
46 self.ssl.wrap_client(stream, host).map(HttpsStream::Https)
47 }
48 }
49 }
50
51 pub type Connector = HttpsConnector;
52
create_ssl_client(ca_file: &PathBuf) -> OpensslClient53 pub fn create_ssl_client(ca_file: &PathBuf) -> OpensslClient {
54 let mut ssl_connector_builder = SslConnectorBuilder::new(SslMethod::tls()).unwrap();
55 {
56 let context = ssl_connector_builder.builder_mut();
57 context.set_ca_file(ca_file).expect("could not set CA file");
58 context.set_cipher_list(DEFAULT_CIPHERS).expect("could not set ciphers");
59 context.set_options(SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3 | SSL_OP_NO_COMPRESSION);
60 }
61 let ssl_connector = ssl_connector_builder.build();
62 OpensslClient::from(ssl_connector)
63 }
64
create_http_connector(ssl_client: OpensslClient) -> Pool<Connector>65 pub fn create_http_connector(ssl_client: OpensslClient) -> Pool<Connector> {
66 let https_connector = HttpsConnector::new(ssl_client);
67 Pool::with_connector(Default::default(), https_connector)
68 }
69
70 // The basic logic here is to prefer ciphers with ECDSA certificates, Forward
71 // Secrecy, AES GCM ciphers, AES ciphers, and finally 3DES ciphers.
72 // A complete discussion of the issues involved in TLS configuration can be found here:
73 // https://wiki.mozilla.org/Security/Server_Side_TLS
74 const DEFAULT_CIPHERS: &'static str = concat!(
75 "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:",
76 "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:",
77 "DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:",
78 "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:",
79 "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:",
80 "ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:",
81 "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:",
82 "ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:",
83 "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
84 );
85