
Commit d25a7c1

committed
update ciphers
cherry-picked from redlib-org#510
1 parent f648f60 commit d25a7c1


3 files changed

+37
-5
lines changed


Cargo.lock

Lines changed: 10 additions & 2 deletions

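--- a/Cargo.toml
+++ b/Cargo.toml
@@ -57,6 +57,7 @@ bincode = "1.3.3"
 base2048 = "2.0.2"
 revision = "0.10.0"
 tokio-socks = "0.5.2"
+rustls = "0.21.12"
 
 
 [dev-dependencies]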

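--- a/src/client.rs
+++ b/src/client.rs
@@ -4,7 +4,7 @@ use futures_lite::future::block_on;
 use futures_lite::{future::Boxed, FutureExt};
 use hyper::header::HeaderValue;
 use hyper::{body, body::Buf, header, Body, Client, Method, Request, Response, Uri};
-use hyper_rustls::HttpsConnector;
+use hyper_rustls::{ConfigBuilderExt, HttpsConnector};
 use libflate::gzip;
 use log::{error, trace, warn};
 use once_cell::sync::Lazy;
@@ -32,7 +32,30 @@ const ALTERNATIVE_REDDIT_URL_BASE_HOST: &str = "www.reddit.com";
 pub static HTTPS_CONNECTOR: Lazy<HttpsConnector<ProxyConnector>> = Lazy::new(|| {
 let proxy_connector = ProxyConnector::new();
 hyper_rustls::HttpsConnectorBuilder::new()
-.with_native_roots()
+.with_tls_config(
+rustls::ClientConfig::builder()
+// These are the Firefox 145.0 cipher suite,
+// minus the suites missing forward-secrecy support,
+// in the same order.
+// https://github.com/redlib-org/redlib/issues/446#issuecomment-3609306592
+.with_cipher_suites(&[
+rustls::cipher_suite::TLS13_AES_256_GCM_SHA384,
+rustls::cipher_suite::TLS13_AES_128_GCM_SHA256,
+rustls::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256,
+rustls::cipher_suite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+rustls::cipher_suite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+rustls::cipher_suite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+rustls::cipher_suite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+rustls::cipher_suite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+rustls::cipher_suite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+])
+// .with_safe_default_cipher_suites()
+.with_safe_default_kx_groups()
+.with_safe_default_protocol_versions()
+.unwrap()
+.with_native_roots()
+.with_no_client_auth(),
+)
 .https_only()
 .enable_http2()
 .wrap_connector(proxy_connector)
@@ -512,9 +535,9 @@ pub async fn rate_limit_check() -> Result<(), String> {
 Ok(())
 }
 
+use crate::proxy::ProxyConnector;
 #[cfg(test)]
 use {crate::config::get_setting, sealed_test::prelude::*};
-use crate::proxy::ProxyConnector;
 
 #[tokio::test(flavor = "multi_thread")]
 async fn test_rate_limit_check() {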
