Add a more robust wrapper for OpenSSL support

Author: sfackler

src/io/mod.rs

@@ -6,7 +6,7 @@ use std::io::prelude::*;
 use std::fmt;
 
 #[cfg(feature = "with-openssl")]
-mod openssl;
+pub mod openssl;
 #[cfg(feature = "security-framework")]
 mod security_framework;
 

src/io/openssl.rs

@@ -1,9 +1,12 @@
+//! NegotiateSsl support for OpenSSL.
 extern crate openssl;
 extern crate openssl_verify;
 
 use std::error::Error;
 
-use self::openssl::ssl::{IntoSsl, SslContext, SslStream, SSL_VERIFY_PEER};
+use self::openssl::ssl::{IntoSsl, SslContext, SslStream, SslMethod, SSL_VERIFY_PEER,
+                         SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3, SSL_OP_NO_COMPRESSION};
+use self::openssl::ssl::error::SslError;
 use self::openssl_verify::verify_callback;
 use io::{StreamWrapper, Stream, NegotiateSsl};
 
@@ -17,13 +20,46 @@ impl StreamWrapper for SslStream<Stream> {
     }
 }
 
-impl NegotiateSsl for SslContext {
+/// A `NegotiateSsl` implementation that uses OpenSSL.
+#[derive(Debug)]
+pub struct Negotiator(SslContext);
+
+impl Negotiator {
+    /// Creates a `Negotiator` with a reasonable default configuration.
+    ///
+    /// The configuration is modeled after libcurl's and is subject to change.
+    pub fn new() -> Result<Negotiator, SslError> {
+        let mut ctx = try!(SslContext::new(SslMethod::Sslv23));
+        try!(ctx.set_default_verify_paths());
+        ctx.set_options(SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3 | SSL_OP_NO_COMPRESSION);
+        try!(ctx.set_cipher_list("ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4@STRENGTH"));
+        Ok(ctx.into())
+    }
+
+    /// Returns a reference to the associated `SslContext`.
+    pub fn context(&self) -> &SslContext {
+        &self.0
+    }
+
+    /// Returns a mutable reference to the associated `SslContext`.
+    pub fn context_mut(&mut self) -> &mut SslContext {
+        &mut self.0
+    }
+}
+
+impl From<SslContext> for Negotiator {
+    fn from(ctx: SslContext) -> Negotiator {
+        Negotiator(ctx)
+    }
+}
+
+impl NegotiateSsl for Negotiator {
     fn negotiate_ssl(&self,
                      domain: &str,
                      stream: Stream)
                      -> Result<Box<StreamWrapper>, Box<Error + Send + Sync>> {
         let domain = domain.to_owned();
-        let mut ssl = try!(self.into_ssl());
+        let mut ssl = try!(self.0.into_ssl());
         ssl.set_verify_callback(SSL_VERIFY_PEER, move |p, x| verify_callback(&domain, p, x));
         let stream = try!(SslStream::connect(ssl, stream));
         Ok(Box::new(stream))

tests/test.rs

@@ -6,8 +6,6 @@ extern crate openssl;
 #[cfg(feature = "security-framework")]
 extern crate security_framework;
 
-#[cfg(feature = "with-openssl")]
-use openssl::ssl::{SslContext, SslMethod};
 use std::thread;
 use std::io;
 use std::io::prelude::*;
@@ -26,6 +24,8 @@ use postgres::error::SqlState::{SyntaxError,
 use postgres::error::ErrorPosition::Normal;
 use postgres::rows::RowIndex;
 use postgres::notification::Notification;
+#[cfg(feature = "with-openssl")]
+use postgres::io::openssl::Negotiator;
 
 macro_rules! or_panic {
     ($e:expr) => (
@@ -665,20 +665,20 @@ fn test_cancel_query() {
 #[test]
 #[cfg(feature = "with-openssl")]
 fn test_require_ssl_conn() {
-    let mut ctx = SslContext::new(SslMethod::Sslv23).unwrap();
-    ctx.set_CA_file(".travis/server.crt").unwrap();
+    let mut negotiator = Negotiator::new().unwrap();
+    negotiator.context_mut().set_CA_file(".travis/server.crt").unwrap();
     let conn = or_panic!(Connection::connect("postgres://postgres@localhost",
-                                             SslMode::Require(&ctx)));
+                                             SslMode::Require(&negotiator)));
     or_panic!(conn.execute("SELECT 1::VARCHAR", &[]));
 }
 
 #[test]
 #[cfg(feature = "with-openssl")]
 fn test_prefer_ssl_conn() {
-    let mut ctx = SslContext::new(SslMethod::Sslv23).unwrap();
-    ctx.set_CA_file(".travis/server.crt").unwrap();
+    let mut negotiator = Negotiator::new().unwrap();
+    negotiator.context_mut().set_CA_file(".travis/server.crt").unwrap();
     let conn = or_panic!(Connection::connect("postgres://postgres@localhost",
-                                             SslMode::Prefer(&ctx)));
+                                             SslMode::Require(&negotiator)));
     or_panic!(conn.execute("SELECT 1::VARCHAR", &[]));
 }