Loading openssl/src/ssl/connector.rs +17 −0 Original line number Diff line number Diff line Loading @@ -61,6 +61,7 @@ impl SslConnectorBuilder { try!(ctx.set_cipher_list("ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:\ DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:\ RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES")); ctx.set_verify(SSL_VERIFY_PEER); Ok(SslConnectorBuilder(ctx)) } Loading Loading @@ -103,6 +104,22 @@ impl SslConnector { ssl.connect(stream) } /// Initiates a client-side TLS session on a stream without performing hostname verification. /// /// The verification configuration of the connector's `SslContext` is not overridden. /// /// # Warning /// /// You should think very carefully before you use this method. If hostname verification is not /// used, *any* valid certificate for *any* site will be trusted for use from any other. This /// introduces a significant vulnerability to man-in-the-middle attacks. pub fn connect_without_providing_domain_for_certificate_verification_and_server_name_indication<S>( &self, stream: S) -> Result<SslStream<S>, HandshakeError<S>> where S: Read + Write { try!(Ssl::new(&self.0)).connect(stream) } } /// A builder for `SslAcceptor`s. Loading openssl/src/ssl/tests/mod.rs +32 −4 Original line number Diff line number Diff line Loading @@ -17,10 +17,8 @@ use tempdir::TempDir; use dh::Dh; use hash::MessageDigest; use ssl; use ssl::SSL_VERIFY_PEER; use ssl::{SslMethod, HandshakeError}; use ssl::{SslContext, SslStream, Ssl, ShutdownResult, SslConnectorBuilder, SslAcceptorBuilder, Error}; use ssl::{SslMethod, HandshakeError, SslContext, SslStream, Ssl, ShutdownResult, SslConnectorBuilder, SslAcceptorBuilder, Error, SSL_VERIFY_PEER, SSL_VERIFY_NONE}; use x509::{X509StoreContext, X509, X509Name, X509_FILETYPE_PEM}; #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; Loading Loading 
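Review bot: The doc comment on `connect_without_providing_domain_for_certificate_verification_and_server_name_indication` covers the missing hostname check but not the second half of the method's name: no Server Name Indication is sent, so a peer hosting several names may answer with a certificate for a different name, and a chain that validates will presumably still be accepted by the `SSL_VERIFY_PEER` check alone. A sentence such as `/// No Server Name Indication is sent either, so the peer may present a default certificate issued for a different name.` under the existing paragraph would make that explicit. It would also help to say that chain verification still runs because `SslConnectorBuilder::new` now calls `ctx.set_verify(SSL_VERIFY_PEER)`, unless the caller has replaced that mode through the builder. The `connect` method whose tail is shown above the new one starts outside the hunk, and the same file section is rendered a second time lower on this page.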
@@ -1090,6 +1088,36 @@ fn connector_invalid_hostname() { assert!(connector.connect("foobar.com", s).is_err()); } #[test] fn connector_invalid_no_hostname_verification() { let connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap().build(); let s = TcpStream::connect("google.com:443").unwrap(); connector.connect_without_providing_domain_for_certificate_verification_and_server_name_indication(s) .unwrap(); } #[test] fn connector_no_hostname_still_verifies() { let (_s, tcp) = Server::new(); let connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap().build(); assert!(connector.connect_without_providing_domain_for_certificate_verification_and_server_name_indication(tcp) .is_err()); } #[test] fn connector_no_hostname_can_disable_verify() { let (_s, tcp) = Server::new(); let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap(); connector.builder_mut().set_verify(SSL_VERIFY_NONE); let connector = connector.build(); connector.connect_without_providing_domain_for_certificate_verification_and_server_name_indication(tcp).unwrap(); } #[test] fn connector_client_server_mozilla_intermediate() { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); Loading Loading
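Review bot: `connector_invalid_no_hostname_verification` is named like an invalid-input test but asserts success with `.unwrap()` after connecting to a live `google.com:443`, so the name contradicts what it checks and the outcome depends on network access and on that host's current chain validating against the local trust store. Renaming it, for example `fn connector_no_hostname_verification_accepts_valid_chain()`, would match the two sibling tests `connector_no_hostname_still_verifies` and `connector_no_hostname_can_disable_verify`, which use the local `Server` and are deterministic. The neighbouring `connector_invalid_hostname` appears to use the same external host, so a network-dependent test may be an accepted convention in this suite; if so, the name is the only thing to fix. The same section is rendered again lower on the page.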
openssl/src/ssl/connector.rs +17 −0 Original line number Diff line number Diff line Loading @@ -61,6 +61,7 @@ impl SslConnectorBuilder { try!(ctx.set_cipher_list("ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:\ DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:\ RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES")); ctx.set_verify(SSL_VERIFY_PEER); Ok(SslConnectorBuilder(ctx)) } Loading Loading @@ -103,6 +104,22 @@ impl SslConnector { ssl.connect(stream) } /// Initiates a client-side TLS session on a stream without performing hostname verification. /// /// The verification configuration of the connector's `SslContext` is not overridden. /// /// # Warning /// /// You should think very carefully before you use this method. If hostname verification is not /// used, *any* valid certificate for *any* site will be trusted for use from any other. This /// introduces a significant vulnerability to man-in-the-middle attacks. pub fn connect_without_providing_domain_for_certificate_verification_and_server_name_indication<S>( &self, stream: S) -> Result<SslStream<S>, HandshakeError<S>> where S: Read + Write { try!(Ssl::new(&self.0)).connect(stream) } } /// A builder for `SslAcceptor`s. Loading
openssl/src/ssl/tests/mod.rs +32 −4 Original line number Diff line number Diff line Loading @@ -17,10 +17,8 @@ use tempdir::TempDir; use dh::Dh; use hash::MessageDigest; use ssl; use ssl::SSL_VERIFY_PEER; use ssl::{SslMethod, HandshakeError}; use ssl::{SslContext, SslStream, Ssl, ShutdownResult, SslConnectorBuilder, SslAcceptorBuilder, Error}; use ssl::{SslMethod, HandshakeError, SslContext, SslStream, Ssl, ShutdownResult, SslConnectorBuilder, SslAcceptorBuilder, Error, SSL_VERIFY_PEER, SSL_VERIFY_NONE}; use x509::{X509StoreContext, X509, X509Name, X509_FILETYPE_PEM}; #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; Loading Loading @@ -1090,6 +1088,36 @@ fn connector_invalid_hostname() { assert!(connector.connect("foobar.com", s).is_err()); } #[test] fn connector_invalid_no_hostname_verification() { let connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap().build(); let s = TcpStream::connect("google.com:443").unwrap(); connector.connect_without_providing_domain_for_certificate_verification_and_server_name_indication(s) .unwrap(); } #[test] fn connector_no_hostname_still_verifies() { let (_s, tcp) = Server::new(); let connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap().build(); assert!(connector.connect_without_providing_domain_for_certificate_verification_and_server_name_indication(tcp) .is_err()); } #[test] fn connector_no_hostname_can_disable_verify() { let (_s, tcp) = Server::new(); let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap(); connector.builder_mut().set_verify(SSL_VERIFY_NONE); let connector = connector.build(); connector.connect_without_providing_domain_for_certificate_verification_and_server_name_indication(tcp).unwrap(); } #[test] fn connector_client_server_mozilla_intermediate() { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); Loading