From 4c7a5a418ee6a71f26fb6cc720a36b5bca6f3376 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 29 Oct 2016 14:02:26 -0700 Subject: Implement client and server connectors --- openssl/src/ssl/connector.rs | 329 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 329 insertions(+) create mode 100644 openssl/src/ssl/connector.rs (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs new file mode 100644 index 00000000..aed01f8c --- /dev/null +++ b/openssl/src/ssl/connector.rs 
@@ -0,0 +1,329 @@ +use std::io::{Read, Write}; + +use dh::Dh; +use error::ErrorStack; +use ssl::{self, SslMethod, SslContextBuilder, SslContext, Ssl, SSL_VERIFY_PEER, SslStream, + HandshakeError}; +use pkey::PKey; +use x509::X509Ref; + +// apps/dh2048.pem +const DHPARAM_PEM: &'static str = r#" +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb +IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft +awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT +mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh +fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq +5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg== +-----END DH PARAMETERS----- + +These are the 2048-bit DH parameters from "More Modular Exponential +(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)": +https://tools.ietf.org/html/rfc3526 + +See https://tools.ietf.org/html/rfc2412 for how they were generated."#; + +fn ctx(method: SslMethod) -> Result { + let mut ctx = try!(SslContextBuilder::new(method)); + + // options to enable and cipher list lifted from libcurl + let mut opts = ssl::SSL_OP_ALL; + opts |= ssl::SSL_OP_NO_TICKET; + opts |= ssl::SSL_OP_NO_COMPRESSION; + opts &= !ssl::SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; + opts &= !ssl::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + opts |= ssl::SSL_OP_NO_SSLV2; + opts |= ssl::SSL_OP_NO_SSLV3; + ctx.set_options(opts); + + Ok(ctx) +} + +pub struct ClientConnectorBuilder(SslContextBuilder); + +impl ClientConnectorBuilder { + pub fn tls() -> Result { + ClientConnectorBuilder::new(SslMethod::tls()) + } + + fn new(method: SslMethod) -> Result { + let mut ctx = try!(ctx(method)); + try!(ctx.set_default_verify_paths()); + try!(ctx.set_cipher_list("ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH")); + + Ok(ClientConnectorBuilder(ctx)) + } + + pub fn context(&self) -> &SslContextBuilder { + &self.0 + } + + pub fn context_mut(&mut self) -> &mut SslContextBuilder { + &mut 
self.0 + } + + pub fn build(self) -> ClientConnector { + ClientConnector(self.0.build()) + } +} + +pub struct ClientConnector(SslContext); + +impl ClientConnector { + pub fn connect(&self, domain: &str, stream: S) -> Result, HandshakeError> + where S: Read + Write + { + let mut ssl = try!(Ssl::new(&self.0)); + try!(ssl.set_hostname(domain)); + try!(setup_verify(&mut ssl, domain)); + + ssl.connect(stream) + } +} + +pub struct ServerConnectorBuilder(SslContextBuilder); + +impl ServerConnectorBuilder { + pub fn tls(private_key: &PKey, + certificate: &X509Ref, + chain: I) + -> Result + where I: IntoIterator, + T: AsRef + { + ServerConnectorBuilder::new(SslMethod::tls(), private_key, certificate, chain) + } + + fn new(method: SslMethod, + private_key: &PKey, + certificate: &X509Ref, + chain: I) + -> Result + where I: IntoIterator, + T: AsRef + { + let mut ctx = try!(ctx(method)); + ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); + let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes())); + try!(ctx.set_tmp_dh(&dh)); + try!(ctx.set_cipher_list( + "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ + ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ + ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\ + DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:\ + ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:\ + ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:\ + ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:\ + DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\ + EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:\ + AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS")); + try!(ctx.set_private_key(private_key)); + try!(ctx.set_certificate(certificate)); + try!(ctx.check_private_key()); + for cert in chain { + try!(ctx.add_extra_chain_cert(cert.as_ref().to_owned())); + } 
+ Ok(ServerConnectorBuilder(ctx)) + } + + pub fn context(&self) -> &SslContextBuilder { + &self.0 + } + + pub fn context_mut(&mut self) -> &mut SslContextBuilder { + &mut self.0 + } + + pub fn build(self) -> ServerConnector { + ServerConnector(self.0.build()) + } +} + +pub struct ServerConnector(SslContext); + +impl ServerConnector { + pub fn connect(&self, stream: S) -> Result, HandshakeError> + where S: Read + Write + { + let ssl = try!(Ssl::new(&self.0)); + ssl.accept(stream) + } +} + +#[cfg(any(ossl102, ossl110))] +fn setup_verify(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { + ssl.set_verify(SSL_VERIFY_PEER); + let param = ssl._param_mut(); + param.set_hostflags(::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + param.set_host(domain) +} + +#[cfg(not(any(ossl102, ossl110)))] +fn setup_verify(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { + let domain = domain.to_owned(); + ssl.set_verify_callback(SSL_VERIFY_PEER, move |p, x| verify::verify_callback(&domain, p, x)); + Ok(()) +} + +#[cfg(not(any(ossl102, ossl110)))] +mod verify { + use std::net::IpAddr; + + use nid; + use x509::{X509StoreContextRef, X509Ref, GeneralNames, X509NameRef}; + + pub fn verify_callback(domain: &str, + preverify_ok: bool, + x509_ctx: &X509StoreContextRef) + -> bool { + if !preverify_ok || x509_ctx.error_depth() != 0 { + return preverify_ok; + } + + match x509_ctx.current_cert() { + Some(x509) => verify_hostname(domain, &x509), + None => true, + } + } + + fn verify_hostname(domain: &str, cert: &X509Ref) -> bool { + match cert.subject_alt_names() { + Some(names) => verify_subject_alt_names(domain, &names), + None => verify_subject_name(domain, &cert.subject_name()), + } + } + + fn verify_subject_alt_names(domain: &str, names: &GeneralNames) -> bool { + let ip = domain.parse(); + + for name in names { + match ip { + Ok(ip) => { + if let Some(actual) = name.ipaddress() { + if matches_ip(&ip, actual) { + return true; + } + } + } + Err(_) => { + if let Some(pattern) = 
name.dnsname() { + if matches_dns(pattern, domain, false) { + return true; + } + } + } + } + } + + false + } + + fn verify_subject_name(domain: &str, subject_name: &X509NameRef) -> bool { + if let Some(pattern) = subject_name.text_by_nid(nid::COMMONNAME) { + // Unlike with SANs, IP addresses in the subject name don't have a + // different encoding. We need to pass this down to matches_dns to + // disallow wildcard matches with bogus patterns like *.0.0.1 + let is_ip = domain.parse::().is_ok(); + + if matches_dns(&pattern, domain, is_ip) { + return true; + } + } + + false + } + + fn matches_dns(mut pattern: &str, mut hostname: &str, is_ip: bool) -> bool { + // first strip trailing . off of pattern and hostname to normalize + if pattern.ends_with('.') { + pattern = &pattern[..pattern.len() - 1]; + } + if hostname.ends_with('.') { + hostname = &hostname[..hostname.len() - 1]; + } + + matches_wildcard(pattern, hostname, is_ip).unwrap_or_else(|| pattern == hostname) + } + + fn matches_wildcard(pattern: &str, hostname: &str, is_ip: bool) -> Option { + // IP addresses and internationalized domains can't involved in wildcards + if is_ip || pattern.starts_with("xn--") { + return None; + } + + let wildcard_location = match pattern.find('*') { + Some(l) => l, + None => return None, + }; + + let mut dot_idxs = pattern.match_indices('.').map(|(l, _)| l); + let wildcard_end = match dot_idxs.next() { + Some(l) => l, + None => return None, + }; + + // Never match wildcards if the pattern has less than 2 '.'s (no *.com) + // + // This is a bit dubious, as it doesn't disallow other TLDs like *.co.uk. + // Chrome has a black- and white-list for this, but Firefox (via NSS) does + // the same thing we do here. + // + // The Public Suffix (https://www.publicsuffix.org/) list could + // potentically be used here, but it's both huge and updated frequently + // enough that management would be a PITA. 
+ if dot_idxs.next().is_none() { + return None; + } + + // Wildcards can only be in the first component + if wildcard_location > wildcard_end { + return None; + } + + let hostname_label_end = match hostname.find('.') { + Some(l) => l, + None => return None, + }; + + // check that the non-wildcard parts are identical + if pattern[wildcard_end..] != hostname[hostname_label_end..] { + return Some(false); + } + + let wildcard_prefix = &pattern[..wildcard_location]; + let wildcard_suffix = &pattern[wildcard_location + 1..wildcard_end]; + + let hostname_label = &hostname[..hostname_label_end]; + + // check the prefix of the first label + if !hostname_label.starts_with(wildcard_prefix) { + return Some(false); + } + + // and the suffix + if !hostname_label[wildcard_prefix.len()..].ends_with(wildcard_suffix) { + return Some(false); + } + + Some(true) + } + + fn matches_ip(expected: &IpAddr, actual: &[u8]) -> bool { + match (expected, actual.len()) { + (&IpAddr::V4(ref addr), 4) => actual == addr.octets(), + (&IpAddr::V6(ref addr), 16) => { + let segments = [((actual[0] as u16) << 8) | actual[1] as u16, + ((actual[2] as u16) << 8) | actual[3] as u16, + ((actual[4] as u16) << 8) | actual[5] as u16, + ((actual[6] as u16) << 8) | actual[7] as u16, + ((actual[8] as u16) << 8) | actual[9] as u16, + ((actual[10] as u16) << 8) | actual[11] as u16, + ((actual[12] as u16) << 8) | actual[13] as u16, + ((actual[14] as u16) << 8) | actual[15] as u16]; + segments == addr.segments() + } + _ => false, + } + } +} -- cgit v1.2.3 From 57d10ebbc3c04d5089b034b9d88f40c302783c96 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 29 Oct 2016 14:19:09 -0700 Subject: Add PKeyRef --- openssl/src/ssl/connector.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index aed01f8c..62f0a284 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs 
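Review bot: In `verify::verify_callback` (the path used when neither `ossl102` nor `ossl110` is set), the `None => true` arm accepts the peer whenever `current_cert()` returns nothing at depth 0, so hostname verification fails open if the leaf certificate cannot be read; `None => false` would fail closed. Separately, `matches_dns` and `matches_wildcard` compare pattern and hostname byte-for-byte although DNS names are case-insensitive, so a certificate whose name differs from the requested domain only in ASCII case is rejected; comparing ASCII-lowercased copies would avoid that. The commit adds no tests for the wildcard rules (first label only, at least two dots, no `xn--` prefix, no wildcard for IPs), and since this module is the only hostname check on OpenSSL 1.0.1, table-driven cases for `matches_dns` would be worth adding alongside it.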
@@ -4,7 +4,7 @@ use dh::Dh; use error::ErrorStack; use ssl::{self, SslMethod, SslContextBuilder, SslContext, Ssl, SSL_VERIFY_PEER, SslStream, HandshakeError}; -use pkey::PKey; +use pkey::PKeyRef; use x509::X509Ref; // apps/dh2048.pem @@ -85,7 +85,7 @@ impl ClientConnector { pub struct ServerConnectorBuilder(SslContextBuilder); impl ServerConnectorBuilder { - pub fn tls(private_key: &PKey, + pub fn tls(private_key: &PKeyRef, certificate: &X509Ref, chain: I) -> Result @@ -96,7 +96,7 @@ impl ServerConnectorBuilder { } fn new(method: SslMethod, - private_key: &PKey, + private_key: &PKeyRef, certificate: &X509Ref, chain: I) -> Result -- cgit v1.2.3 From e72533c058967f56b302e40c63175cb1b078d052 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 29 Oct 2016 15:00:46 -0700 Subject: Docs for connectors --- openssl/src/ssl/connector.rs | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 62f0a284..da2c03df 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -40,9 +40,13 @@ fn ctx(method: SslMethod) -> Result { Ok(ctx) } +/// A builder for `ClientConnector`s. pub struct ClientConnectorBuilder(SslContextBuilder); impl ClientConnectorBuilder { + /// Creates a new builder for TLS connections. + /// + /// The default configuration is based off of libcurl's and is subject to change. pub fn tls() -> Result { ClientConnectorBuilder::new(SslMethod::tls()) } 
@@ -55,22 +59,35 @@ impl ClientConnectorBuilder { Ok(ClientConnectorBuilder(ctx)) } + /// Returns a shared reference to the inner `SslContextBuilder`. pub fn context(&self) -> &SslContextBuilder { &self.0 } + /// Returns a mutable reference to the inner `SslContextBuilder`. pub fn context_mut(&mut self) -> &mut SslContextBuilder { &mut self.0 } + /// Consumes the builder, returning a `ClientConnector`. pub fn build(self) -> ClientConnector { ClientConnector(self.0.build()) } } +/// A type which wraps client-side streams in a TLS session. +/// +/// OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL +/// structures, configuring cipher suites, session options, hostname verification, and more. +/// +/// OpenSSL's built in hostname verification is used when linking against OpenSSL 1.0.2 or 1.1.0, +/// and a custom implementation is used when linking against OpenSSL 1.0.1. pub struct ClientConnector(SslContext); impl ClientConnector { + /// Initiates a client-side TLS session on a stream. + /// + /// The domain is used for SNI and hostname verification. pub fn connect(&self, domain: &str, stream: S) -> Result, HandshakeError> where S: Read + Write { @@ -82,9 +99,14 @@ impl ClientConnector { } } +/// A builder for `ServerConnector`s. pub struct ServerConnectorBuilder(SslContextBuilder); impl ServerConnectorBuilder { + /// Creates a new builder for server-side TLS connections. + /// + /// The default configuration is based off of the intermediate profile of Mozilla's SSL + /// Configuration Generator, and is subject to change. pub fn tls(private_key: &PKeyRef, certificate: &X509Ref, chain: I) 
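Review bot: The new doc comment on `ClientConnector::connect` says the domain is used for SNI and hostname verification, but it does not say what a caller gets when `domain` is an IP address literal. From the first commit, the 1.0.1 verifier parses the string and matches it against IP-address SANs, whereas the 1.0.2/1.1.0 path passes it to `param.set_host(domain)`, which presumably matches DNS names only, and `set_hostname(domain)` sends it as the SNI value even though RFC 6066 does not permit address literals there. Until the code treats that case uniformly, the doc could state the limitation, for example `/// The domain should be a DNS name; IP address literals are handled differently depending on the linked OpenSSL version.` The body of `connect` continues outside this hunk.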
@@ -127,22 +149,30 @@ impl ServerConnectorBuilder { Ok(ServerConnectorBuilder(ctx)) } + /// Returns a shared reference to the inner `SslContextBuilder`. pub fn context(&self) -> &SslContextBuilder { &self.0 } + /// Returns a mutable reference to the inner `SslContextBuilder`. pub fn context_mut(&mut self) -> &mut SslContextBuilder { &mut self.0 } + /// Consumes the builder, returning a `ServerConnector`. pub fn build(self) -> ServerConnector { ServerConnector(self.0.build()) } } +/// A type which wraps server-side streams in a TLS session. +/// +/// OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL +/// structures, configuring cipher suites, session options, and more. pub struct ServerConnector(SslContext); impl ServerConnector { + /// Initiates a server-side TLS session on a stream. pub fn connect(&self, stream: S) -> Result, HandshakeError> where S: Read + Write { -- cgit v1.2.3 From eb735f519aa1a5b7033b640ee6229efa5f98c19c Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 30 Oct 2016 11:05:29 -0700 Subject: Clean up generics a bit --- openssl/src/ssl/connector.rs | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index da2c03df..7d0bc4cd 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs 
@@ -105,25 +105,25 @@ pub struct ServerConnectorBuilder(SslContextBuilder); impl ServerConnectorBuilder { /// Creates a new builder for server-side TLS connections. /// - /// The default configuration is based off of the intermediate profile of Mozilla's SSL - /// Configuration Generator, and is subject to change. - pub fn tls(private_key: &PKeyRef, - certificate: &X509Ref, - chain: I) - -> Result - where I: IntoIterator, - T: AsRef + /// The default configuration is based off of the intermediate profile of Mozilla's server side + /// TLS configuration recommendations, and is subject to change. + pub fn tls(private_key: &PKeyRef, + certificate: &X509Ref, + chain: I) + -> Result + where I: IntoIterator, + I::Item: AsRef { ServerConnectorBuilder::new(SslMethod::tls(), private_key, certificate, chain) } - fn new(method: SslMethod, - private_key: &PKeyRef, - certificate: &X509Ref, - chain: I) - -> Result - where I: IntoIterator, - T: AsRef + fn new(method: SslMethod, + private_key: &PKeyRef, + certificate: &X509Ref, + chain: I) + -> Result + where I: IntoIterator, + I::Item: AsRef { let mut ctx = try!(ctx(method)); ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); -- cgit v1.2.3 From 677718f8da0024248fb6dfaa8f201ee6a6b3a219 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 30 Oct 2016 13:38:09 -0700 Subject: Configure ECDH parameters in connector --- openssl/src/ssl/connector.rs | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 7d0bc4cd..625c37e8 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs 
@@ -129,6 +129,7 @@ impl ServerConnectorBuilder { ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes())); try!(ctx.set_tmp_dh(&dh)); + try!(setup_curves(&mut ctx)); try!(ctx.set_cipher_list( "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ @@ -165,6 +166,22 @@ impl ServerConnectorBuilder { } } +#[cfg(ossl101)] +fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> { + let curve = try!(::ec_key::EcKey::new_by_curve_name(::nid::X9_62_PRIME256V1)); + ctx.set_tmp_ecdh(&curve) +} + +#[cfg(ossl102)] +fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> { + ctx._set_ecdh_auto(true) +} + +#[cfg(ossl110)] +fn setup_curves(_: &mut SslContextBuilder) -> Result<(), ErrorStack> { + Ok(()) +} + /// A type which wraps server-side streams in a TLS session. /// /// OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL -- cgit v1.2.3 From ee79db61c23767f1c72ca70766b8dcda971cf5b9 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 30 Oct 2016 13:41:24 -0700 Subject: Enable single ECDH use --- openssl/src/ssl/connector.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 625c37e8..0ec6526e 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -126,7 +126,8 @@ impl ServerConnectorBuilder { I::Item: AsRef { let mut ctx = try!(ctx(method)); - ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); + ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_SINGLE_ECDH_USE | + ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes())); try!(ctx.set_tmp_dh(&dh)); try!(setup_curves(&mut ctx)); -- cgit v1.2.3 
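Review bot: The three `setup_curves` variants carry no comments, so a reader cannot tell why the `ossl110` one is an empty `Ok(())` or why the `ossl101` one pins a single curve. Suggest `// OpenSSL 1.1.0 always selects ECDH curves automatically, so there is nothing to configure.` on the 1.1.0 variant and `// 1.0.1 has no automatic curve selection; P-256 is the one curve offered for ECDHE.` on the 1.0.1 variant. As a style point, the cfg gates here list `ossl101`, `ossl102` and `ossl110` individually while `setup_verify` in the same file splits on `any(ossl102, ossl110)` and its negation; using one shape for both keeps the version handling easier to audit.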
From 43b430e5b0723784862fb090ef091bc404542989 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 30 Oct 2016 14:26:28 -0700 Subject: Pass SslMethod into constructors --- openssl/src/ssl/connector.rs | 20 +++----------------- 1 file changed, 3 insertions(+), 17 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 0ec6526e..794523bb 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -47,11 +47,7 @@ impl ClientConnectorBuilder { /// Creates a new builder for TLS connections. /// /// The default configuration is based off of libcurl's and is subject to change. - pub fn tls() -> Result { - ClientConnectorBuilder::new(SslMethod::tls()) - } - - fn new(method: SslMethod) -> Result { + pub fn new(method: SslMethod) -> Result { let mut ctx = try!(ctx(method)); try!(ctx.set_default_verify_paths()); try!(ctx.set_cipher_list("ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH")); @@ -107,23 +103,13 @@ impl ServerConnectorBuilder { /// /// The default configuration is based off of the intermediate profile of Mozilla's server side /// TLS configuration recommendations, and is subject to change. - pub fn tls(private_key: &PKeyRef, + pub fn new(method: SslMethod, + private_key: &PKeyRef, certificate: &X509Ref, chain: I) -> Result where I: IntoIterator, I::Item: AsRef - { - ServerConnectorBuilder::new(SslMethod::tls(), private_key, certificate, chain) - } - - fn new(method: SslMethod, - private_key: &PKeyRef, - certificate: &X509Ref, - chain: I) - -> Result - where I: IntoIterator, - I::Item: AsRef { let mut ctx = try!(ctx(method)); ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_SINGLE_ECDH_USE | -- cgit v1.2.3 From 7d13176cd1719dd0047c3fafad8e0fd6bbaa1711 Mon Sep 17 00:00:00 2001 
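Review bot: Both constructors now take a caller-supplied `SslMethod`, but their doc comments are unchanged and say nothing about the new parameter. `ctx()` always sets `SSL_OP_NO_SSLV2` and `SSL_OP_NO_SSLV3`, and the connectors wrap a `Read + Write` stream, so a method other than the version-flexible TLS one may produce a context that pins a single protocol version or cannot complete a handshake. Suggest documenting it on each constructor, for example `/// The method should normally be the value returned by SslMethod::tls(), which lets both sides negotiate the protocol version.` The bodies of both functions continue outside these hunks.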
From: Steven Fackler Date: Sun, 30 Oct 2016 14:34:05 -0700 Subject: Rename nwe to mozilla_intermediate --- openssl/src/ssl/connector.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 794523bb..0bac87cf 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -103,11 +103,11 @@ impl ServerConnectorBuilder { /// /// The default configuration is based off of the intermediate profile of Mozilla's server side /// TLS configuration recommendations, and is subject to change. - pub fn new(method: SslMethod, - private_key: &PKeyRef, - certificate: &X509Ref, - chain: I) - -> Result + pub fn mozilla_intermediate(method: SslMethod, + private_key: &PKeyRef, + certificate: &X509Ref, + chain: I) + -> Result where I: IntoIterator, I::Item: AsRef { -- cgit v1.2.3 From 52f288e090ef5d420ea0692c435c42c30570a957 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 30 Oct 2016 14:57:22 -0700 Subject: Add a mozilla modern profile --- openssl/src/ssl/connector.rs | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 0bac87cf..701fdeaf 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -101,8 +101,8 @@ pub struct ServerConnectorBuilder(SslContextBuilder); impl ServerConnectorBuilder { /// Creates a new builder for server-side TLS connections. /// - /// The default configuration is based off of the intermediate profile of Mozilla's server side - /// TLS configuration recommendations, and is subject to change. + /// The configuration is based off of the intermediate profile of Mozilla's server side + /// TLS configuration recommendations. pub fn mozilla_intermediate(method: SslMethod, private_key: &PKeyRef, certificate: &X509Ref, 
@@ -128,6 +128,37 @@ impl ServerConnectorBuilder { DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\ EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:\ AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS")); + ServerConnectorBuilder::finish_setup(ctx, private_key, certificate, chain) + } + + pub fn mozilla_modern(method: SslMethod, + private_key: &PKeyRef, + certificate: &X509Ref, + chain: I) + -> Result + where I: IntoIterator, + I::Item: AsRef + { + let mut ctx = try!(ctx(method)); + ctx.set_options(ssl::SSL_OP_SINGLE_ECDH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); + try!(setup_curves(&mut ctx)); + try!(ctx.set_cipher_list( + "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\ + ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ + ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ + ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:\ + ECDHE-RSA-AES128-SHA256")); + ServerConnectorBuilder::finish_setup(ctx, private_key, certificate, chain) + } + + fn finish_setup(mut ctx: SslContextBuilder, + private_key: &PKeyRef, + certificate: &X509Ref, + chain: I) + -> Result + where I: IntoIterator, + I::Item: AsRef + { try!(ctx.set_private_key(private_key)); try!(ctx.set_certificate(certificate)); try!(ctx.check_private_key()); -- cgit v1.2.3 From d1179f1ad28f16c90eba8d89a03b2821aabd9469 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 30 Oct 2016 15:14:29 -0700 Subject: Update docs --- openssl/src/ssl/connector.rs | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 701fdeaf..c283145e 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs 
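Review bot: `mozilla_modern` restricts only the cipher list; the protocol floor still comes from `ctx()`, which disables SSLv2 and SSLv3 but leaves TLS 1.0 and 1.1 enabled. Every suite in the list is a TLS 1.2 suite, so older handshakes should fail for lack of a shared cipher, but that guarantee is implicit and disappears if a caller edits the list through `context_mut()`. Setting the OpenSSL options `SSL_OP_NO_TLSv1` and `SSL_OP_NO_TLSv1_1` in this constructor would make the TLS 1.2 minimum of the modern profile explicit. A short comment above the cipher string noting that the list is intentionally TLS 1.2 only would help the next person who updates it.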
@@ -99,10 +99,13 @@ impl ClientConnector { pub struct ServerConnectorBuilder(SslContextBuilder); impl ServerConnectorBuilder { - /// Creates a new builder for server-side TLS connections. + /// Creates a new builder configured to connect to non-legacy clients. This should generally be + /// considered a reasonable default choice. /// - /// The configuration is based off of the intermediate profile of Mozilla's server side - /// TLS configuration recommendations. + /// This corresponds to the intermediate configuration of Mozilla's server side TLS + /// recommendations. See its [documentation][docs] for more details on specifics. + /// + /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS pub fn mozilla_intermediate(method: SslMethod, private_key: &PKeyRef, certificate: &X509Ref, @@ -131,6 +134,12 @@ impl ServerConnectorBuilder { ServerConnectorBuilder::finish_setup(ctx, private_key, certificate, chain) } + /// Creates a new builder configured to connect to modern clients. + /// + /// This corresponds to the modern configuration of Mozilla's server side TLS recommendations. + /// See its [documentation][docs] for more details on specifics. + /// + /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS pub fn mozilla_modern(method: SslMethod, private_key: &PKeyRef, certificate: &X509Ref, -- cgit v1.2.3 From 9abbf6f80e98bbefea60d2410c69a08265cd3808 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 30 Oct 2016 16:29:33 -0700 Subject: Use Python's cipher list on the client side. --- openssl/src/ssl/connector.rs | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index c283145e..44e3488c 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs 
@@ -46,11 +46,14 @@ pub struct ClientConnectorBuilder(SslContextBuilder); impl ClientConnectorBuilder { /// Creates a new builder for TLS connections. /// - /// The default configuration is based off of libcurl's and is subject to change. + /// The default configuration is subject to change, and is currently derived from Python. pub fn new(method: SslMethod) -> Result { let mut ctx = try!(ctx(method)); try!(ctx.set_default_verify_paths()); - try!(ctx.set_cipher_list("ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH")); + // From https://github.com/python/cpython/blob/c30098c8c6014f3340a369a31df9c74bdbacc269/Lib/ssl.py#L191 + try!(ctx.set_cipher_list( + "ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:\ + DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES")); Ok(ClientConnectorBuilder(ctx)) } -- cgit v1.2.3 From 78696514071ef998a2cea67d01db37cf5f6188c6 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 30 Oct 2016 16:34:50 -0700 Subject: Remove out of date comment --- openssl/src/ssl/connector.rs | 1 - 1 file changed, 1 deletion(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 44e3488c..f89acf1e 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -27,7 +27,6 @@ See https://tools.ietf.org/html/rfc2412 for how they were generated."#; fn ctx(method: SslMethod) -> Result { let mut ctx = try!(SslContextBuilder::new(method)); - // options to enable and cipher list lifted from libcurl let mut opts = ssl::SSL_OP_ALL; opts |= ssl::SSL_OP_NO_TICKET; opts |= ssl::SSL_OP_NO_COMPRESSION; -- cgit v1.2.3 From f75f82e466993848393c7a26ccb51dc31b4547fe Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 30 Oct 2016 16:37:45 -0700 Subject: Rustfmt --- openssl/src/ssl/connector.rs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'openssl/src/ssl/connector.rs') 
diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index f89acf1e..bea54a4e 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -118,7 +118,7 @@ impl ServerConnectorBuilder { { let mut ctx = try!(ctx(method)); ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_SINGLE_ECDH_USE | - ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); + ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes())); try!(ctx.set_tmp_dh(&dh)); try!(setup_curves(&mut ctx)); @@ -168,7 +168,7 @@ impl ServerConnectorBuilder { chain: I) -> Result where I: IntoIterator, - I::Item: AsRef + I::Item: AsRef { try!(ctx.set_private_key(private_key)); try!(ctx.set_certificate(certificate)); @@ -238,7 +238,8 @@ fn setup_verify(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { #[cfg(not(any(ossl102, ossl110)))] fn setup_verify(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { let domain = domain.to_owned(); - ssl.set_verify_callback(SSL_VERIFY_PEER, move |p, x| verify::verify_callback(&domain, p, x)); + ssl.set_verify_callback(SSL_VERIFY_PEER, + move |p, x| verify::verify_callback(&domain, p, x)); Ok(()) } -- cgit v1.2.3 From 997e92e052301e633fd6560bc5a369fc0d965f8d Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 30 Oct 2016 18:49:29 -0700 Subject: Merge ssl option setup The client will ignore server-side options so we may as well stick them all in the same spot. --- openssl/src/ssl/connector.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index bea54a4e..94784e81 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs 
@@ -34,6 +34,9 @@ fn ctx(method: SslMethod) -> Result { opts &= !ssl::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; opts |= ssl::SSL_OP_NO_SSLV2; opts |= ssl::SSL_OP_NO_SSLV3; + opts |= ssl::SSL_OP_SINGLE_DH_USE; + opts |= ssl::SSL_OP_SINGLE_ECDH_USE; + opts |= ssl::SSL_OP_CIPHER_SERVER_PREFERENCE; ctx.set_options(opts); Ok(ctx) @@ -117,8 +120,6 @@ impl ServerConnectorBuilder { I::Item: AsRef { let mut ctx = try!(ctx(method)); - ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_SINGLE_ECDH_USE | - ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes())); try!(ctx.set_tmp_dh(&dh)); try!(setup_curves(&mut ctx)); @@ -151,7 +152,6 @@ impl ServerConnectorBuilder { I::Item: AsRef { let mut ctx = try!(ctx(method)); - ctx.set_options(ssl::SSL_OP_SINGLE_ECDH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); try!(setup_curves(&mut ctx)); try!(ctx.set_cipher_list( "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\ -- cgit v1.2.3 From add8e4023e826a21616e909921a9f1ae2a4b4223 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 30 Oct 2016 19:39:18 -0700 Subject: Rename connectors --- openssl/src/ssl/connector.rs | 50 ++++++++++++++++++++++---------------------- 1 file changed, 25 insertions(+), 25 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 94784e81..dd7656dd 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs 
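Review bot: The three options added to `ctx()` have no comment, and the reason they are safe to set on client contexts appears only in the commit message. In the function they now sit next to options that do affect clients, so a later reader may assume they change client behaviour or move them back. Suggest a line above them such as `// Server-side options; a client ignores them, so they are set once here for both roles.` The body of `ctx` starts outside this hunk.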
@@ -42,14 +42,14 @@ fn ctx(method: SslMethod) -> Result { Ok(ctx) } -/// A builder for `ClientConnector`s. -pub struct ClientConnectorBuilder(SslContextBuilder); +/// A builder for `SslConnector`s. +pub struct SslConnectorBuilder(SslContextBuilder); -impl ClientConnectorBuilder { +impl SslConnectorBuilder { /// Creates a new builder for TLS connections. /// /// The default configuration is subject to change, and is currently derived from Python. - pub fn new(method: SslMethod) -> Result { + pub fn new(method: SslMethod) -> Result { let mut ctx = try!(ctx(method)); try!(ctx.set_default_verify_paths()); // From https://github.com/python/cpython/blob/c30098c8c6014f3340a369a31df9c74bdbacc269/Lib/ssl.py#L191 @@ -57,7 +57,7 @@ impl ClientConnectorBuilder { "ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:\ DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES")); - Ok(ClientConnectorBuilder(ctx)) + Ok(SslConnectorBuilder(ctx)) } /// Returns a shared reference to the inner `SslContextBuilder`. @@ -70,9 +70,9 @@ impl ClientConnectorBuilder { &mut self.0 } - /// Consumes the builder, returning a `ClientConnector`. - pub fn build(self) -> ClientConnector { - ClientConnector(self.0.build()) + /// Consumes the builder, returning a `SslConnector`. + pub fn build(self) -> SslConnector { + SslConnector(self.0.build()) } } @@ -83,9 +83,9 @@ impl ClientConnectorBuilder { /// /// OpenSSL's built in hostname verification is used when linking against OpenSSL 1.0.2 or 1.1.0, /// and a custom implementation is used when linking against OpenSSL 1.0.1. -pub struct ClientConnector(SslContext); +pub struct SslConnector(SslContext); -impl ClientConnector { +impl SslConnector { /// Initiates a client-side TLS session on a stream. /// /// The domain is used for SNI and hostname verification. 
@@ -100,10 +100,10 @@ impl ClientConnector { } } -/// A builder for `ServerConnector`s. -pub struct ServerConnectorBuilder(SslContextBuilder); +/// A builder for `SslAcceptor`s. +pub struct SslAcceptorBuilder(SslContextBuilder); -impl ServerConnectorBuilder { +impl SslAcceptorBuilder { /// Creates a new builder configured to connect to non-legacy clients. This should generally be /// considered a reasonable default choice. /// @@ -115,7 +115,7 @@ impl ServerConnectorBuilder { private_key: &PKeyRef, certificate: &X509Ref, chain: I) - -> Result + -> Result where I: IntoIterator, I::Item: AsRef { @@ -134,7 +134,7 @@ impl ServerConnectorBuilder { DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\ EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:\ AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS")); - ServerConnectorBuilder::finish_setup(ctx, private_key, certificate, chain) + SslAcceptorBuilder::finish_setup(ctx, private_key, certificate, chain) } /// Creates a new builder configured to connect to modern clients. @@ -147,7 +147,7 @@ impl ServerConnectorBuilder { private_key: &PKeyRef, certificate: &X509Ref, chain: I) - -> Result + -> Result where I: IntoIterator, I::Item: AsRef { @@ -159,14 +159,14 @@ impl ServerConnectorBuilder { ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:\ ECDHE-RSA-AES128-SHA256")); - ServerConnectorBuilder::finish_setup(ctx, private_key, certificate, chain) + SslAcceptorBuilder::finish_setup(ctx, private_key, certificate, chain) } fn finish_setup(mut ctx: SslContextBuilder, private_key: &PKeyRef, certificate: &X509Ref, chain: I) - -> Result + -> Result where I: IntoIterator, I::Item: AsRef { 
@@ -176,7 +176,7 @@ impl ServerConnectorBuilder { for cert in chain { try!(ctx.add_extra_chain_cert(cert.as_ref().to_owned())); } - Ok(ServerConnectorBuilder(ctx)) + Ok(SslAcceptorBuilder(ctx)) } /// Returns a shared reference to the inner `SslContextBuilder`. @@ -189,9 +189,9 @@ impl ServerConnectorBuilder { &mut self.0 } - /// Consumes the builder, returning a `ServerConnector`. - pub fn build(self) -> ServerConnector { - ServerConnector(self.0.build()) + /// Consumes the builder, returning a `SslAcceptor`. + pub fn build(self) -> SslAcceptor { + SslAcceptor(self.0.build()) } } @@ -215,11 +215,11 @@ fn setup_curves(_: &mut SslContextBuilder) -> Result<(), ErrorStack> { /// /// OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL /// structures, configuring cipher suites, session options, and more. -pub struct ServerConnector(SslContext); +pub struct SslAcceptor(SslContext); -impl ServerConnector { +impl SslAcceptor { /// Initiates a server-side TLS session on a stream. - pub fn connect(&self, stream: S) -> Result, HandshakeError> + pub fn accept(&self, stream: S) -> Result, HandshakeError> where S: Read + Write { let ssl = try!(Ssl::new(&self.0)); -- cgit v1.2.3 From 558124b7555539e09292b61be057d9ba24e64bf5 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 30 Oct 2016 22:02:26 -0700 Subject: Expose SSL_MODEs --- openssl/src/ssl/connector.rs | 46 +++++++++++++++++++++++++------------------- 1 file changed, 26 insertions(+), 20 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index dd7656dd..c7bfb209 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs 
@@ -39,6 +39,10 @@ fn ctx(method: SslMethod) -> Result { opts |= ssl::SSL_OP_CIPHER_SERVER_PREFERENCE; ctx.set_options(opts); + let mode = ssl::SSL_MODE_AUTO_RETRY | ssl::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | + ssl::SSL_MODE_ENABLE_PARTIAL_WRITE; + ctx.set_mode(mode); + Ok(ctx) } @@ -53,9 +57,9 @@ impl SslConnectorBuilder { let mut ctx = try!(ctx(method)); try!(ctx.set_default_verify_paths()); // From https://github.com/python/cpython/blob/c30098c8c6014f3340a369a31df9c74bdbacc269/Lib/ssl.py#L191 - try!(ctx.set_cipher_list( - "ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:\ - DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES")); + try!(ctx.set_cipher_list("ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:\ + DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:\ + RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES")); Ok(SslConnectorBuilder(ctx)) } 
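Review bot: The `set_mode` call added to `ctx()` changes write semantics for every stream built from these connectors and carries no comment explaining the choice. `SSL_MODE_ENABLE_PARTIAL_WRITE` lets a write report success after only part of the buffer was sent. `SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER` turns off OpenSSL's check that a retried write passes the same buffer, so correctness then depends on the caller retrying with the same bytes. Both presumably exist to fit `std::io::Write`, where short writes are allowed and buffers may move between calls; I would say so with `// match io::Write: short writes are allowed and a retried write may come from a different buffer address`. The hunk shows only part of `ctx()`.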
@@ -123,17 +127,20 @@ impl SslAcceptorBuilder { let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes())); try!(ctx.set_tmp_dh(&dh)); try!(setup_curves(&mut ctx)); - try!(ctx.set_cipher_list( - "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ - ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ - ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\ - DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:\ - ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:\ - ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:\ - ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:\ - DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\ - EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:\ - AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS")); + try!(ctx.set_cipher_list("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ + ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ + ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\ + DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:\ + ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:\ + ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:\ + ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:\ + ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:\ + DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:\ + DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:\ + ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\ + EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:\ + AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:\ + DES-CBC3-SHA:!DSS")); SslAcceptorBuilder::finish_setup(ctx, private_key, certificate, chain) } 
@@ -153,12 +160,11 @@ impl SslAcceptorBuilder { { let mut ctx = try!(ctx(method)); try!(setup_curves(&mut ctx)); - try!(ctx.set_cipher_list( - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\ - ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ - ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ - ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:\ - ECDHE-RSA-AES128-SHA256")); + try!(ctx.set_cipher_list("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\ + ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ + ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ + ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:\ + ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256")); SslAcceptorBuilder::finish_setup(ctx, private_key, certificate, chain) } -- cgit v1.2.3 From f640613863f0b66bc004f9d9d89f73a31701d396 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 31 Oct 2016 20:12:55 -0700 Subject: Update PKey --- openssl/src/ssl/connector.rs | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index c7bfb209..752126e0 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -4,8 +4,9 @@ use dh::Dh; use error::ErrorStack; use ssl::{self, SslMethod, SslContextBuilder, SslContext, Ssl, SSL_VERIFY_PEER, SslStream, HandshakeError}; -use pkey::PKeyRef; +use pkey::PKey; use x509::X509Ref; +use types::Ref; // apps/dh2048.pem const DHPARAM_PEM: &'static str = r#" @@ -116,7 +117,7 @@ impl SslAcceptorBuilder { /// /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS pub fn mozilla_intermediate(method: SslMethod, - private_key: &PKeyRef, + private_key: &Ref, certificate: &X509Ref, chain: I) -> Result 
@@ -151,7 +152,7 @@ impl SslAcceptorBuilder { /// /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS pub fn mozilla_modern(method: SslMethod, - private_key: &PKeyRef, + private_key: &Ref, certificate: &X509Ref, chain: I) -> Result @@ -169,7 +170,7 @@ impl SslAcceptorBuilder { } fn finish_setup(mut ctx: SslContextBuilder, - private_key: &PKeyRef, + private_key: &Ref, certificate: &X509Ref, chain: I) -> Result -- cgit v1.2.3 From cd7fa9fca29296adebe37dfc20d3cebc96010534 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 31 Oct 2016 20:54:34 -0700 Subject: Update x509 --- openssl/src/ssl/connector.rs | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 752126e0..a1bcfa77 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -5,7 +5,7 @@ use error::ErrorStack; use ssl::{self, SslMethod, SslContextBuilder, SslContext, Ssl, SSL_VERIFY_PEER, SslStream, HandshakeError}; use pkey::PKey; -use x509::X509Ref; +use x509::X509; use types::Ref; // apps/dh2048.pem @@ -118,11 +118,11 @@ impl SslAcceptorBuilder { /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS pub fn mozilla_intermediate(method: SslMethod, private_key: &Ref, - certificate: &X509Ref, + certificate: &Ref, chain: I) -> Result where I: IntoIterator, - I::Item: AsRef + I::Item: AsRef> { let mut ctx = try!(ctx(method)); let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes())); @@ -153,11 +153,11 @@ impl SslAcceptorBuilder { /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS pub fn mozilla_modern(method: SslMethod, private_key: &Ref, - certificate: &X509Ref, + certificate: &Ref, chain: I) -> Result where I: IntoIterator, - I::Item: AsRef + I::Item: AsRef> { let mut ctx = try!(ctx(method)); try!(setup_curves(&mut ctx)); 
@@ -171,11 +171,11 @@ impl SslAcceptorBuilder { fn finish_setup(mut ctx: SslContextBuilder, private_key: &Ref, - certificate: &X509Ref, + certificate: &Ref, chain: I) -> Result where I: IntoIterator, - I::Item: AsRef + I::Item: AsRef> { try!(ctx.set_private_key(private_key)); try!(ctx.set_certificate(certificate)); @@ -255,11 +255,12 @@ mod verify { use std::net::IpAddr; use nid; - use x509::{X509StoreContextRef, X509Ref, GeneralNames, X509NameRef}; + use x509::{X509StoreContext, X509, GeneralNames, X509Name}; + use types::Ref; pub fn verify_callback(domain: &str, preverify_ok: bool, - x509_ctx: &X509StoreContextRef) + x509_ctx: &Ref) -> bool { if !preverify_ok || x509_ctx.error_depth() != 0 { return preverify_ok; @@ -271,7 +272,7 @@ mod verify { } } - fn verify_hostname(domain: &str, cert: &X509Ref) -> bool { + fn verify_hostname(domain: &str, cert: &Ref) -> bool { match cert.subject_alt_names() { Some(names) => verify_subject_alt_names(domain, &names), None => verify_subject_name(domain, &cert.subject_name()), @@ -303,7 +304,7 @@ mod verify { false } - fn verify_subject_name(domain: &str, subject_name: &X509NameRef) -> bool { + fn verify_subject_name(domain: &str, subject_name: &Ref) -> bool { if let Some(pattern) = subject_name.text_by_nid(nid::COMMONNAME) { // Unlike with SANs, IP addresses in the subject name don't have a // different encoding. We need to pass this down to matches_dns to -- cgit v1.2.3 From dc4098bdd83e23703b2490741ee7461caea83375 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 31 Oct 2016 22:43:05 -0700 Subject: Clean up x509 name entries --- openssl/src/ssl/connector.rs | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index a1bcfa77..5520e578 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs 
@@ -253,6 +253,7 @@ fn setup_verify(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { #[cfg(not(any(ossl102, ossl110)))] mod verify { use std::net::IpAddr; + use std::str; use nid; use x509::{X509StoreContext, X509, GeneralNames, X509Name}; @@ -305,7 +306,12 @@ mod verify { } fn verify_subject_name(domain: &str, subject_name: &Ref) -> bool { - if let Some(pattern) = subject_name.text_by_nid(nid::COMMONNAME) { + if let Some(pattern) = subject_name.entries_by_nid(nid::COMMONNAME).next() { + let pattern = match str::from_utf8(pattern.data().as_slice()) { + Ok(pattern) => pattern, + Err(_) => return false, + }; + // Unlike with SANs, IP addresses in the subject name don't have a // different encoding. We need to pass this down to matches_dns to // disallow wildcard matches with bogus patterns like *.0.0.1 -- cgit v1.2.3 From f71395c600a2605bf4a22c63e2c7ba8ae58e12c7 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 31 Oct 2016 22:45:51 -0700 Subject: Little cfg cleanup --- openssl/src/ssl/connector.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 5520e578..b2e00a81 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -242,7 +242,7 @@ fn setup_verify(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { param.set_host(domain) } -#[cfg(not(any(ossl102, ossl110)))] +#[cfg(ossl101)] fn setup_verify(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { let domain = domain.to_owned(); ssl.set_verify_callback(SSL_VERIFY_PEER, @@ -250,7 +250,7 @@ fn setup_verify(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { Ok(()) } -#[cfg(not(any(ossl102, ossl110)))] +#[cfg(ossl101)] mod verify { use std::net::IpAddr; use std::str; -- cgit v1.2.3 From 36bf0bb38750412e5c2700273a850f16398cc427 Mon Sep 17 00:00:00 2001 
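Review bot: In `verify_subject_name` the commonName bytes are decoded with `str::from_utf8` without checking the ASN.1 string type, and only the first entry from `entries_by_nid(nid::COMMONNAME)` is considered. A CN encoded as a multi-byte string type, or one that simply contains a NUL, is still valid UTF-8, so the pattern reaches the matcher with embedded NUL bytes. That most likely fails closed, but it depends on matching code outside this hunk. I would reject such values explicitly right after the `match` with `if pattern.contains('\0') { return false; }`, and add a comment that only the first CN entry is checked. The function body continues past the end of the hunk.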
From: Lionel Flandrin Date: Mon, 31 Oct 2016 23:53:28 +0100 Subject: Replace GeneralNames by the new Stack API --- openssl/src/ssl/connector.rs | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index b2e00a81..c95b0fa1 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -256,7 +256,8 @@ mod verify { use std::str; use nid; - use x509::{X509StoreContext, X509, GeneralNames, X509Name}; + use x509::{X509StoreContext, X509, X509Name, GeneralName}; + use stack::Stack; use types::Ref; pub fn verify_callback(domain: &str, @@ -275,15 +276,16 @@ mod verify { fn verify_hostname(domain: &str, cert: &Ref) -> bool { match cert.subject_alt_names() { - Some(names) => verify_subject_alt_names(domain, &names), + Some(names) => verify_subject_alt_names(domain, names), None => verify_subject_name(domain, &cert.subject_name()), } } - fn verify_subject_alt_names(domain: &str, names: &GeneralNames) -> bool { + fn verify_subject_alt_names(domain: &str, + names: Stack) -> bool { let ip = domain.parse(); - for name in names { + for name in &names { match ip { Ok(ip) => { if let Some(actual) = name.ipaddress() { -- cgit v1.2.3 From aa0040125b4006bd7520220cb8330b5b3d24ffb4 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 1 Nov 2016 22:50:22 -0700 Subject: Use built in DH parameters when available Fall back to a hardcoded PEM blob on 1.0.1, but serialized from DH_get_2048_256. --- openssl/src/ssl/connector.rs | 64 +++++++++++++++++++++++++++++++++----------- 1 file changed, 49 insertions(+), 15 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index c95b0fa1..75a1a03c 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs 
@@ -8,22 +8,23 @@ use pkey::PKey; use x509::X509; use types::Ref; -// apps/dh2048.pem +// Serialized form of DH_get_2048_256 +#[cfg(any(ossl101, all(test, any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))))] const DHPARAM_PEM: &'static str = r#" -----BEGIN DH PARAMETERS----- -MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb -IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft -awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT -mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh -fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq -5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg== +MIICCQKCAQEAh6jmHbS2Zjz/u9GcZRlZmYzu9ghmDdDyXSzu1ENeOwDgDfjx1hlX +1Pr330VhsqowFsPZETQJb6o79Cltgw6afCCeDGSXUXq9WoqdMGvPZ+2R+eZyW0dY +wCLgse9Cdb97bFv8EdRfkIi5QfVOseWbuLw5oL8SMH9cT9twxYGyP3a2Osrhyqa3 +kC1SUmc1SIoO8TxtmlG/pKs62DR3llJNjvahZ7WkGCXZZ+FE5RQFZCUcysuD5rSG +9rPKP3lxUGAmwLhX9omWKFbe1AEKvQvmIcOjlgpU5xDDdfJjddcBQQOktUMwwZiv +EmEW0iduEXFfaTh3+tfvCcrbCUrpHhoVlwKCAQA/syybcxNNCy53UGZg7b1ITKex +jyHvIFQH9Hk6GguhJRDbwVB3vkY//0/tSqwLtVW+OmwbDGtHsbw3c79+jG9ikBIo ++MKMuxilWuMTQQAKZQGW+THHelfy3fRj5ensFEt3feYqqrioYorDdtKC1u04ZOZ5 +gkKOvIMdFDSPby+Rk7UEWvJ2cWTh38lnwfs/LlWkvRv/6DucgNBSuYXRguoK2yo7 +cxPT/hTISEseBSWIubfSu9LfAWGZ7NBuFVfNCRWzNTu7ZODsN3/QKDcN+StSx4kU +KM3GfrYYS1I9HbJGwy9jB4SQ8A741kfRSNR5VFFeIyfP75jFgmZLTA9sxBZZ -----END DH PARAMETERS----- - -These are the 2048-bit DH parameters from "More Modular Exponential -(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)": -https://tools.ietf.org/html/rfc3526 - -See https://tools.ietf.org/html/rfc2412 for how they were generated."#; +"#; fn ctx(method: SslMethod) -> Result { let mut ctx = try!(SslContextBuilder::new(method)); 
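Review bot: The new comment on `DHPARAM_PEM` says only `Serialized form of DH_get_2048_256`, while the text this hunk removes documented where the previous group came from and how it was generated. The replacement deserves the same provenance note. `DH_get_2048_256` is the RFC 5114 2048-bit MODP group with a 256-bit prime-order subgroup, so unlike the RFC 3526 group it replaces, the modulus is not a safe prime. Resistance to small-subgroup key recovery then rests on the server never reusing its DH private key and on the library validating the peer's public value. I would state that next to the constant, e.g. `// RFC 5114 2048-bit group with 256-bit subgroup; p is not a safe prime, so SSL_OP_SINGLE_DH_USE in ctx() must stay set`.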
@@ -125,7 +126,7 @@ impl SslAcceptorBuilder { I::Item: AsRef> { let mut ctx = try!(ctx(method)); - let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes())); + let dh = try!(get_dh()); try!(ctx.set_tmp_dh(&dh)); try!(setup_curves(&mut ctx)); try!(ctx.set_cipher_list("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ @@ -202,9 +203,30 @@ impl SslAcceptorBuilder { } } +#[cfg(ossl101)] +fn get_dh() -> Result { + Dh::from_pem(DHPARAM_PEM.as_bytes()) +} + +#[cfg(not(ossl101))] +fn get_dh() -> Result { + use ffi; + + use cvt_p; + use types::OpenSslType; + + // manually call into ffi to avoid forcing the features + unsafe { + cvt_p(ffi::DH_get_2048_256()).map(|p| Dh::from_ptr(p)) + } +} + #[cfg(ossl101)] fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> { - let curve = try!(::ec_key::EcKey::new_by_curve_name(::nid::X9_62_PRIME256V1)); + use ec_key::EcKey; + use nid; + + let curve = try!(EcKey::new_by_curve_name(nid::X9_62_PRIME256V1)); ctx.set_tmp_ecdh(&curve) } @@ -420,3 +442,15 @@ mod verify { } } } + +#[cfg(test)] +mod test { + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[test] + fn check_dhparam() { + use dh::Dh; + + let expected = String::from_utf8(Dh::get_2048_256().unwrap().to_pem().unwrap()).unwrap(); + assert_eq!(expected.trim(), super::DHPARAM_PEM.trim()); + } +} -- cgit v1.2.3 From 01ae978db0dc8620b2cc754c0d5cf94a68c1f549 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Fri, 4 Nov 2016 16:32:20 -0700 Subject: Get rid of Ref There's unfortunately a rustdoc bug that causes all methods implemented for any Ref to be inlined in the deref methods section :( --- openssl/src/ssl/connector.rs | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 75a1a03c..52d26ef5 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs 
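Review bot: The `unsafe` block in the `#[cfg(not(ossl101))]` version of `get_dh` has no statement of why it is sound. I would put a comment directly above it: `// SAFETY: cvt_p rejects a null return; the non-null pointer is a newly allocated DH whose ownership passes to Dh::from_ptr`. That `DH_get_2048_256` hands the caller a fresh object it must free is my reading of the OpenSSL API and should be confirmed against the `ffi` declaration, which is not visible here. The existing comment `manually call into ffi to avoid forcing the features` would also be clearer if it named the feature flags it avoids.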
@@ -4,9 +4,8 @@ use dh::Dh; use error::ErrorStack; use ssl::{self, SslMethod, SslContextBuilder, SslContext, Ssl, SSL_VERIFY_PEER, SslStream, HandshakeError}; -use pkey::PKey; -use x509::X509; -use types::Ref; +use pkey::PKeyRef; +use x509::X509Ref; // Serialized form of DH_get_2048_256 #[cfg(any(ossl101, all(test, any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))))] @@ -118,12 +117,12 @@ impl SslAcceptorBuilder { /// /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS pub fn mozilla_intermediate(method: SslMethod, - private_key: &Ref, - certificate: &Ref, + private_key: &PKeyRef, + certificate: &X509Ref, chain: I) -> Result where I: IntoIterator, - I::Item: AsRef> + I::Item: AsRef { let mut ctx = try!(ctx(method)); let dh = try!(get_dh()); @@ -153,12 +152,12 @@ impl SslAcceptorBuilder { /// /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS pub fn mozilla_modern(method: SslMethod, - private_key: &Ref, - certificate: &Ref, + private_key: &PKeyRef, + certificate: &X509Ref, chain: I) -> Result where I: IntoIterator, - I::Item: AsRef> + I::Item: AsRef { let mut ctx = try!(ctx(method)); try!(setup_curves(&mut ctx)); @@ -171,12 +170,12 @@ impl SslAcceptorBuilder { } fn finish_setup(mut ctx: SslContextBuilder, - private_key: &Ref, - certificate: &Ref, + private_key: &PKeyRef, + certificate: &X509Ref, chain: I) -> Result where I: IntoIterator, - I::Item: AsRef> + I::Item: AsRef { try!(ctx.set_private_key(private_key)); try!(ctx.set_certificate(certificate)); @@ -278,13 +277,13 @@ mod verify { use std::str; use nid; - use x509::{X509StoreContext, X509, X509Name, GeneralName}; + use x509::{X509StoreContextRef, X509Ref, X509NameRef, GeneralName}; use stack::Stack; - use types::Ref; + use types::OpenSslTypeRef; pub fn verify_callback(domain: &str, preverify_ok: bool, - x509_ctx: &Ref) + x509_ctx: &X509StoreContextRef) -> bool { if !preverify_ok || x509_ctx.error_depth() != 0 { return preverify_ok; 
@@ -296,7 +295,7 @@ mod verify { } } - fn verify_hostname(domain: &str, cert: &Ref) -> bool { + fn verify_hostname(domain: &str, cert: &X509Ref) -> bool { match cert.subject_alt_names() { Some(names) => verify_subject_alt_names(domain, names), None => verify_subject_name(domain, &cert.subject_name()), @@ -329,7 +328,7 @@ mod verify { false } - fn verify_subject_name(domain: &str, subject_name: &Ref) -> bool { + fn verify_subject_name(domain: &str, subject_name: &X509NameRef) -> bool { if let Some(pattern) = subject_name.entries_by_nid(nid::COMMONNAME).next() { let pattern = match str::from_utf8(pattern.data().as_slice()) { Ok(pattern) => pattern, -- cgit v1.2.3 From 99b41a005041018484284d3c85bf2474f90d7d8a Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 5 Nov 2016 10:13:21 -0700 Subject: Rename accessors --- openssl/src/ssl/connector.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 52d26ef5..4bebecd8 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -66,12 +66,12 @@ impl SslConnectorBuilder { } /// Returns a shared reference to the inner `SslContextBuilder`. - pub fn context(&self) -> &SslContextBuilder { + pub fn builder(&self) -> &SslContextBuilder { &self.0 } /// Returns a mutable reference to the inner `SslContextBuilder`. - pub fn context_mut(&mut self) -> &mut SslContextBuilder { + pub fn builder_mut(&mut self) -> &mut SslContextBuilder { &mut self.0 } @@ -187,12 +187,12 @@ impl SslAcceptorBuilder { } /// Returns a shared reference to the inner `SslContextBuilder`. - pub fn context(&self) -> &SslContextBuilder { + pub fn builder(&self) -> &SslContextBuilder { &self.0 } /// Returns a mutable reference to the inner `SslContextBuilder`. - pub fn context_mut(&mut self) -> &mut SslContextBuilder { + pub fn builder_mut(&mut self) -> &mut SslContextBuilder { &mut self.0 } -- cgit v1.2.3 
From f15c817c2d1fad288fe0f88d4e3995df4aa4a477 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 5 Nov 2016 10:54:17 -0700 Subject: Rustfmt --- openssl/src/ssl/connector.rs | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'openssl/src/ssl/connector.rs') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 4bebecd8..0d92529d 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -215,9 +215,7 @@ fn get_dh() -> Result { use types::OpenSslType; // manually call into ffi to avoid forcing the features - unsafe { - cvt_p(ffi::DH_get_2048_256()).map(|p| Dh::from_ptr(p)) - } + unsafe { cvt_p(ffi::DH_get_2048_256()).map(|p| Dh::from_ptr(p)) } } #[cfg(ossl101)] @@ -302,8 +300,7 @@ mod verify { } } - fn verify_subject_alt_names(domain: &str, - names: Stack) -> bool { + fn verify_subject_alt_names(domain: &str, names: Stack) -> bool { let ip = domain.parse(); for name in &names { -- cgit v1.2.3