1 files changed, 47 insertions, 0 deletions

diff --git a/src/http/openssl.rs b/src/http/openssl.rs
new file mode 100644
index 0000000..378b078
--- /dev/null
+++ b/src/http/openssl.rs
@@ -0,0 +1,47 @@
+use hyper::net::Openssl;
+use openssl::ssl::{SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3};
+use openssl::ssl::{SslContext, SslMethod};
+use std::path::Path;
+use std::sync::{Arc, Mutex};
+
+
+lazy_static! {
+    static ref OPENSSL: Arc<Mutex<Option<Openssl>>> = Arc::new(Mutex::new(None));
+}
+
+// default cipher list taken from the Servo project:
+// https://github.com/servo/servo/blob/master/components/net/connector.rs#L18
+const DEFAULT_CIPHERS: &'static str = concat!(
+    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:",
+    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:",
+    "DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:",
+    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:",
+    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:",
+    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:",
+    "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:",
+    "ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:",
+    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
+);
+
+/// This function *must* be called before any call is made to `get_openssl()`
+pub fn set_ca_certificates(path: &Path) {
+    info!("Setting OpenSSL CA certificates path to {:?}", path);
+    let mut openssl = OPENSSL.lock().unwrap();
+    let mut context = SslContext::new(SslMethod::Sslv23).unwrap();
+    context.set_CA_file(path).unwrap_or_else(|err| {
+        panic!("couldn't set CA certificates: {}", err);
+    });
+    context.set_cipher_list(DEFAULT_CIPHERS).unwrap();
+    context.set_options(SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3);
+    *openssl = Some(Openssl { context: context });
+}
+
+/// This function will return a clone of `Openssl` where the CA certificates
+/// have been bound with `set_ca_certificates()`.
+pub fn get_openssl() -> Openssl {
+    if let Some(ref openssl) = *OPENSSL.lock().unwrap() {
+        openssl.clone()
+    } else {
+        panic!("CA certificates not set")
+    }
+}