aatxe / irc

the irc crate – usable, async IRC for Rust
Mozilla Public License 2.0

feature: add rustls support #203

Closed tirz closed 4 years ago

tirz commented 4 years ago

Continuity of https://github.com/aatxe/irc/pull/151

8573 commented 4 years ago

Thanks for continuing this. I suggest using the modern name "TLS" where possible rather than the obsolete "SSL" (though I would mention both in the documentation in case some people might have heard only of "SSL").

aatxe commented 4 years ago

This looks like great stuff, but is something going on with Travis? Four days and no report?

aatxe commented 4 years ago

maybe a github issue, it looks like everything is clear here: https://travis-ci.org/github/aatxe/irc/builds/667572920

aatxe commented 4 years ago

just restarted it and hopefully it'll report correctly this time

aatxe commented 4 years ago

oh, @tirz, can you also add to the travis configuration a build setup for using the rustls backend? that's definitely something we want to be part of continuous integration.

tirz commented 4 years ago

@aatxe

All connections to irc.pdgn.co return an AlertReceived(HandshakeFailure) with the feature tls-rust enabled (because it is not able to find a supported cipher) :/ The simplest fix would be to use another IRC network for the examples. Unfortunately, it will make build-bot.rs useless. So we may force the use of the feature tls-native for the example build-bot.rs?

Another option would be to follow https://github.com/ctz/rustls/issues/259#issuecomment-502267249, which recommends enabling a cipher suite with elliptic curves on the server side (irc.pdgn.co).

running nmap --script ssl-enum-ciphers -p 6697 irc.pdgn.co:

...
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_IDEA_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       64-bit block cipher IDEA vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
...

Note: OFTC seems to use ECDHE-RSA-AES256-GCM-SHA384 by default (supported by rustls). Suggestion: disable all ciphers with grade C.
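The handshake failure above comes down to an empty intersection: rustls only negotiates TLS 1.3 and ECDHE + AEAD suites for TLS 1.2, while the scan shows the server offering only RSA and DHE key exchange. The following Rust program is an added example (not code from the irc crate or this PR) that parses `ssl-enum-ciphers` lines of the form shown above, reports which suites a rustls client could negotiate and which are weak (grade below A or built on 3DES, RC4, IDEA or MD5), so an operator can check a server before switching the backend. Assumptions: the `RUSTLS_TLS12_SUITES` list reflects rustls's TLS 1.2 suites as I know them at the time of this PR (check the crate's own suite list for the current set), the function names are mine, `PDGN_SAMPLE` is a trimmed copy of the scan quoted above, and `ECDHE_SAMPLE` is a constructed server offering the suite OFTC is said to use.

```rust
// Added example, not part of the aatxe/irc project: classify the cipher
// suites a server offers (from `nmap --script ssl-enum-ciphers` output)
// against what a rustls client can negotiate, and flag weak suites.

/// TLS 1.2 suites rustls implements (ECDHE key exchange + AEAD only).
/// Assumption: this reflects rustls at the time of the PR.
const RUSTLS_TLS12_SUITES: &[&str] = &[
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
];

/// One cipher suite line parsed from the nmap report.
#[derive(Debug, Clone, PartialEq)]
pub struct Suite {
    pub name: String,
    pub grade: char,
}

/// Parse lines like `|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A`;
/// every other line (headers, compressors, warnings) is ignored.
pub fn parse_nmap_ciphers(report: &str) -> Vec<Suite> {
    report
        .lines()
        .filter_map(|line| {
            let body = line.trim_start_matches('|').trim();
            if !body.starts_with("TLS_") {
                return None;
            }
            let (name, rest) = body.split_once(' ')?;
            let (_, grade) = rest.rsplit_once(" - ")?;
            let grade = grade.trim().chars().next()?;
            Some(Suite { name: name.to_string(), grade })
        })
        .collect()
}

/// Why a rustls client cannot use a suite, or None if it can.
pub fn rustls_rejection_reason(name: &str) -> Option<&'static str> {
    if RUSTLS_TLS12_SUITES.contains(&name) {
        return None;
    }
    if !name.starts_with("TLS_ECDHE_") {
        Some("no ECDHE key exchange (rustls only does ECDHE / TLS 1.3)")
    } else if !(name.contains("_GCM_") || name.contains("CHACHA20_POLY1305")) {
        Some("not an AEAD suite (CBC / legacy MAC)")
    } else {
        Some("not in rustls's suite list")
    }
}

/// Suites graded below A or using broken primitives: the ones the
/// "disable grade C" suggestion in the thread would remove.
pub fn is_weak(suite: &Suite) -> bool {
    suite.grade != 'A'
        || ["3DES", "RC4", "IDEA", "_MD5", "_NULL_", "EXPORT"]
            .iter()
            .any(|bad| suite.name.contains(bad))
}

#[derive(Debug, Default, PartialEq)]
pub struct Summary {
    pub negotiable_by_rustls: Vec<String>,
    pub weak: Vec<String>,
}

/// Run both checks over a report; an empty `negotiable_by_rustls` means a
/// rustls client will get AlertReceived(HandshakeFailure) from this server.
pub fn summarize(report: &str) -> Summary {
    let mut s = Summary::default();
    for suite in parse_nmap_ciphers(report) {
        if rustls_rejection_reason(&suite.name).is_none() {
            s.negotiable_by_rustls.push(suite.name.clone());
        }
        if is_weak(&suite) {
            s.weak.push(suite.name.clone());
        }
    }
    s
}

/// Trimmed copy of the scan quoted in the thread (same line format).
pub const PDGN_SAMPLE: &str = "\
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
";

/// Constructed sample (not a real scan): a server offering ECDHE suites.
pub const ECDHE_SAMPLE: &str = "\
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
";

fn main() {
    let reports = [("irc.pdgn.co scan", PDGN_SAMPLE), ("constructed ECDHE server", ECDHE_SAMPLE)];
    for (label, report) in reports.iter() {
        let s = summarize(report);
        println!("{}: rustls can negotiate {:?}; weak suites {:?}", label, s.negotiable_by_rustls, s.weak);
        if s.negotiable_by_rustls.is_empty() {
            println!("  -> no overlap: a rustls client will see AlertReceived(HandshakeFailure)");
        }
    }
}
```

Feeding the full scan from the thread into `summarize` gives an empty `negotiable_by_rustls` list, which is the whole reason for the HandshakeFailure; a server that adds any ECDHE GCM or ChaCha20 suite, as the linked rustls issue recommends, fixes it without touching the client. The `is_weak` list is independent of rustls and is the set an operator would drop first regardless of backend.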