feat(ssl): enable hostname verification by default for OpenSSL
Additionally disables SSLv2 and SSLv3, as those are universally considered
unsafe.

Closes hyperium#472
seanmonstar committed May 8, 2016
1 parent eab289b commit 01160ab
Showing 3 changed files with 15 additions and 8 deletions.
6 changes: 5 additions & 1 deletion Cargo.toml
@@ -32,6 +32,10 @@ default-features = false
version = "0.7"
optional = true

[dependencies.openssl-verify]
version = "0.1"
optional = true

[dependencies.security-framework]
version = "0.1.4"
optional = true
@@ -49,6 +53,6 @@ env_logger = "0.3"

[features]
default = ["ssl"]
ssl = ["openssl", "cookie/secure"]
ssl = ["openssl", "openssl-verify", "cookie/secure"]
serde-serialization = ["serde", "mime/serde"]
nightly = []
2 changes: 2 additions & 0 deletions src/lib.rs
@@ -133,6 +133,8 @@ extern crate time;
#[macro_use] extern crate url;
#[cfg(feature = "openssl")]
extern crate openssl;
#[cfg(feature = "openssl-verify")]
extern crate openssl_verify;
#[cfg(feature = "security-framework")]
extern crate security_framework;
#[cfg(feature = "serde-serialization")]
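Review bot: The new `extern crate openssl_verify;` is gated on `feature = "openssl-verify"`, while src/net.rs calls `::openssl_verify::verify_callback` inside `mod openssl`, whose own cfg attribute lies outside the visible hunks and is presumably `feature = "openssl"`. Since each optional dependency is its own Cargo feature, a build with `--no-default-features --features openssl` would enable one without the other and fail to resolve that path. Gating the module on both, `#[cfg(all(feature = "openssl", feature = "openssl-verify"))]`, or a comment saying that only the `ssl` feature is supported, would close that gap.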
15 changes: 8 additions & 7 deletions src/net.rs
@@ -619,7 +619,7 @@ mod openssl {
use std::sync::Arc;
use std::time::Duration;

use openssl::ssl::{Ssl, SslContext, SslStream, SslMethod, SSL_VERIFY_NONE};
use openssl::ssl::{Ssl, SslContext, SslStream, SslMethod, SSL_VERIFY_NONE, SSL_VERIFY_PEER, SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3};
use openssl::ssl::error::StreamError as SslIoError;
use openssl::ssl::error::SslError;
use openssl::x509::X509FileType;
@@ -651,11 +651,10 @@ mod openssl {

impl Default for OpensslClient {
fn default() -> OpensslClient {
OpensslClient(SslContext::new(SslMethod::Sslv23).unwrap_or_else(|e| {
// if we cannot create a SslContext, that's because of a
// serious problem. just crash.
panic!("{}", e)
}))
let mut ctx = SslContext::new(SslMethod::Sslv23).unwrap();
ctx.set_default_verify_paths().unwrap();
ctx.set_options(SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3);
OpensslClient(ctx)
}
}

@@ -664,8 +663,10 @@ mod openssl {
type Stream = SslStream<T>;

fn wrap_client(&self, stream: T, host: &str) -> ::Result<Self::Stream> {
let ssl = try!(Ssl::new(&self.0));
let mut ssl = try!(Ssl::new(&self.0));
try!(ssl.set_hostname(host));
let host = host.to_owned();
ssl.set_verify_callback(SSL_VERIFY_PEER, move |p, x| ::openssl_verify::verify_callback(&host, p, x));
SslStream::connect(ssl, stream).map_err(From::from)
}
}
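Review bot: `wrap_client` now installs `set_verify_callback(SSL_VERIFY_PEER, …)` on every connection, but trust roots are loaded only in `Default::default()` through `set_default_verify_paths()`. If an `OpensslClient` can wrap a caller-supplied `SslContext` (no such constructor is visible in these hunks), that context's own verify mode or callback would be replaced per connection, and a context without CA paths would fail every handshake. A doc comment on `wrap_client` would make the contract explicit, e.g. `/// Always verifies the peer chain and hostname; the wrapped SslContext must already have trust roots loaded.` In `default()`, the two bare `.unwrap()` calls dropped the comment that explained the deliberate crash; `.expect("loading default CA paths failed")` keeps the reason in the panic message. None of the three changed files is a test, so a case asserting that a certificate for a different hostname is rejected would be worth adding.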