author | davidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-18 23:39:52 +0000 |
committer | davidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-18 23:39:52 +0000 |
commit | a0deaecf001cf21b043c968d10200307d4105ec2 (patch) | |
tree | e65a114afed3be4c39e0ad7bb217a5a2638bfcef | |
parent | da81f13c4d59797f9a83c35a8acc544138df499f (diff) | |
Add a command-line flag to disable SSL/TLS False Start
Some servers are not compatible with False Start. Adding a command-line
flag will make it easier to test and verify such cases.
Also, blacklist www.picnik.com as incompatible with False Start.
BUG=50650
TEST=see bug
Review URL: http://codereview.chromium.org/3167015
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@56622 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/browser/browser_main.cc | 2 | ||||
-rw-r--r-- | chrome/browser/net/ssl_config_service_manager_pref.cc | 1 | ||||
-rw-r--r-- | chrome/common/chrome_switches.cc | 3 | ||||
-rw-r--r-- | chrome/common/chrome_switches.h | 1 | ||||
-rw-r--r-- | net/base/ssl_config_service.cc | 29 | ||||
-rw-r--r-- | net/base/ssl_config_service.h | 12 | ||||
-rw-r--r-- | net/base/ssl_config_service_defaults.h | 1 | ||||
-rw-r--r-- | net/base/ssl_config_service_mac.cc | 1 | ||||
-rw-r--r-- | net/base/ssl_config_service_win.cc | 1 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 7 |
10 files changed, 56 insertions, 2 deletions
diff --git a/chrome/browser/browser_main.cc b/chrome/browser/browser_main.cc
index b5fa926..9730dbe 100644
--- a/chrome/browser/browser_main.cc
+++ b/chrome/browser/browser_main.cc
@@ -178,6 +178,8 @@ void BrowserMainParts::EarlyInitialization() {
 if (parsed_command_line().HasSwitch(switches::kEnableDNSSECCerts))
 net::SSLConfigService::EnableDNSSEC();
+ if (parsed_command_line().HasSwitch(switches::kDisableSSLFalseStart))
+ net::SSLConfigService::DisableFalseStart();
 PostEarlyInitialization();
 }
diff --git a/chrome/browser/net/ssl_config_service_manager_pref.cc b/chrome/browser/net/ssl_config_service_manager_pref.cc
index c729d0e..23954c1 100644
--- a/chrome/browser/net/ssl_config_service_manager_pref.cc
+++ b/chrome/browser/net/ssl_config_service_manager_pref.cc
@@ -146,6 +146,7 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
 config->ssl3_enabled = ssl3_enabled_.GetValue();
 config->tls1_enabled = tls1_enabled_.GetValue();
 config->dnssec_enabled = net::SSLConfigService::dnssec_enabled();
+ config->false_start_enabled = net::SSLConfigService::false_start_enabled();
 }
 ////////////////////////////////////////////////////////////////////////////////
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index 5dfeb0c..6d55c59 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -226,6 +226,9 @@ const char kDisableSharedWorkers[] = "disable-shared-workers";
 // Disable site-specific tailoring to compatibility issues in WebKit.
 const char kDisableSiteSpecificQuirks[] = "disable-site-specific-quirks";
+// Disable False Start in SSL and TLS connections.
+const char kDisableSSLFalseStart[] = "disable-ssl-false-start";
+
 // Disable syncing browser data to a Google Account.
 const char kDisableSync[] = "disable-sync";
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index 770f6d9..a0636d7 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -79,6 +79,7 @@ extern const char kDisableRendererAccessibility[];
 extern const char kDisableSessionStorage[];
 extern const char kDisableSharedWorkers[];
 extern const char kDisableSiteSpecificQuirks[];
+extern const char kDisableSSLFalseStart[];
 extern const char kDisableSync[];
 extern const char kDisableSyncApps[];
 extern const char kDisableSyncAutofill[];
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index fb85665..1b367ed 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -55,7 +55,26 @@ bool SSLConfigService::IsKnownStrictTLSServer(const std::string& hostname) {
 return false;
 }
+// static
+bool SSLConfigService::IsKnownFalseStartIncompatibleServer(
+ const std::string& hostname) {
+ // If this list starts growing, it'll need to be something more efficient
+ // than a linear list.
+ static const char kFalseStartIncompatibleServers[][15] = {
+ "www.picnik.com",
+ };
+
+ for (size_t i = 0; i < arraysize(kFalseStartIncompatibleServers); i++) {
+ // Note that the hostname is normalised to lower-case by this point.
+ if (strcmp(hostname.c_str(), kFalseStartIncompatibleServers[i]) == 0)
+ return true;
+ }
+
+ return false;
+}
+
 static bool g_dnssec_enabled = false;
+static bool g_false_start_enabled = true;
 // static
 void SSLConfigService::EnableDNSSEC() {
@@ -67,4 +86,14 @@ bool SSLConfigService::dnssec_enabled() {
 return g_dnssec_enabled;
 }
+// static
+void SSLConfigService::DisableFalseStart() {
+ g_false_start_enabled = false;
+}
+
+// static
+bool SSLConfigService::false_start_enabled() {
+ return g_false_start_enabled;
+}
+
 } // namespace net
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index d10134e..75a4f74 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
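Review bot: The incompatibility table in IsKnownFalseStartIncompatibleServer is declared as `static const char kFalseStartIncompatibleServers[][15]`, a fixed-width 2-D array sized exactly to "www.picnik.com" plus its terminator, so every future entry forces the maintainer to re-measure the longest name; `static const char* const kFalseStartIncompatibleServers[] = { "www.picnik.com", };` keeps the same linear strcmp scan without the width. The comment "the hostname is normalised to lower-case by this point" states a caller contract the function does not check, and since the comparison is an exact match, neither `picnik.com` nor any other subdomain is covered; if that is the intent, the header comment on the declaration should say "exact, case-sensitive match of the lower-cased hostname". This is a compatibility list rather than a security control, so a short note that disabling False Start for a host only changes the client's handshake behaviour, not certificate validation, would help readers of the list.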
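Review bot: `g_false_start_enabled` is a plain file-static written by DisableFalseStart() and read by false_start_enabled() with no synchronization, following the existing `g_dnssec_enabled` pattern; the commit sets it from BrowserMainParts::EarlyInitialization() (browser_main.cc hunk), which is presumably before the network threads read SSL config, but nothing in the code enforces that. A comment on DisableFalseStart() in the header, `// Must be called before any thread reads SSL configuration; the flag is not synchronized and cannot be re-enabled.`, would document the ordering requirement that makes the unsynchronized read safe.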
@@ -20,6 +20,7 @@ struct SSLConfig {
 SSLConfig()
 : rev_checking_enabled(true), ssl2_enabled(false), ssl3_enabled(true),
 tls1_enabled(true), ssl3_fallback(false), dnssec_enabled(false),
+ false_start_enabled(true),
 send_client_cert(false), verify_ev_cert(false) {
 }
@@ -32,6 +33,8 @@ struct SSLConfig {
 // needs to clear tls1_enabled).
 bool dnssec_enabled; // True if we'll accept DNSSEC chains in certificates.
+ bool false_start_enabled; // True if we'll use TLS False Start.
+
 // TODO(wtc): move the following members to a new SSLParams structure. They
 // are not SSL configuration settings.
@@ -97,11 +100,20 @@ class SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> {
 // http://crbug.com and email the link to agl AT chromium DOT org.
 static bool IsKnownStrictTLSServer(const std::string& hostname);
+ // Returns true if the given hostname is known to be incompatible with TLS
+ // False Start.
+ static bool IsKnownFalseStartIncompatibleServer(const std::string& hostname);
+
 // Enables the acceptance of self-signed certificates which contain an
 // embedded DNSSEC chain proving their validity.
 static void EnableDNSSEC();
 static bool dnssec_enabled();
+ // Disables False Start in SSL connections.
+ static void DisableFalseStart();
+ // True if we use False Start for SSL and TLS.
+ static bool false_start_enabled();
+
 protected:
 friend class base::RefCountedThreadSafe<SSLConfigService>;
diff --git a/net/base/ssl_config_service_defaults.h b/net/base/ssl_config_service_defaults.h
index 092b2a53..04eff1c 100644
--- a/net/base/ssl_config_service_defaults.h
+++ b/net/base/ssl_config_service_defaults.h
@@ -21,6 +21,7 @@ class SSLConfigServiceDefaults : public SSLConfigService {
 virtual void GetSSLConfig(SSLConfig* config) {
 *config = default_config_;
 config->dnssec_enabled = SSLConfigService::dnssec_enabled();
+ config->false_start_enabled = SSLConfigService::false_start_enabled();
 }
 private:
diff --git a/net/base/ssl_config_service_mac.cc b/net/base/ssl_config_service_mac.cc
index 792c9ca..63fc017 100644
--- a/net/base/ssl_config_service_mac.cc
+++ b/net/base/ssl_config_service_mac.cc
@@ -96,6 +96,7 @@ bool SSLConfigServiceMac::GetSSLConfigNow(SSLConfig* config) {
 config->tls1_enabled = SSLVersionIsEnabled(kTLS1EnabledKey,
 kTLS1EnabledDefaultValue);
 config->dnssec_enabled = SSLConfigService::dnssec_enabled();
+ config->false_start_enabled = SSLConfigService::false_start_enabled();
 return true;
 }
diff --git a/net/base/ssl_config_service_win.cc b/net/base/ssl_config_service_win.cc
index fd15849..646e264 100644
--- a/net/base/ssl_config_service_win.cc
+++ b/net/base/ssl_config_service_win.cc
@@ -76,6 +76,7 @@ bool SSLConfigServiceWin::GetSSLConfigNow(SSLConfig* config) {
 config->ssl3_enabled = ((protocols & SSL3) != 0);
 config->tls1_enabled = ((protocols & TLS1) != 0);
 config->dnssec_enabled = SSLConfigService::dnssec_enabled();
+ config->false_start_enabled = SSLConfigService::false_start_enabled();
 return true;
 }
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index cef4744..b02eb2b 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -504,9 +504,12 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
 #endif
 #ifdef SSL_ENABLE_FALSE_START
- rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START, PR_TRUE);
+ rv = SSL_OptionSet(
+ nss_fd_, SSL_ENABLE_FALSE_START,
+ ssl_config_.false_start_enabled &&
+ !SSLConfigService::IsKnownFalseStartIncompatibleServer(hostname_));
 if (rv != SECSuccess)
- LOG(INFO) << "SSL_ENABLE_FALSE_START failed. Old system nss?";
+ LOG(INFO) << "SSL_ENABLE_FALSE_START failed. Old system nss?";
 #endif
 #ifdef SSL_ENABLE_RENEGOTIATION
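Review bot: The new SSL_OptionSet call passes a C++ `bool` expression where the replaced line, and the neighbouring option calls under the other `#ifdef` blocks, pass an explicit `PR_TRUE`; the implicit bool-to-PRBool conversion yields 0/1 and is correct, but the decision is easier to audit as a named value, e.g. `const bool false_start = ssl_config_.false_start_enabled && !SSLConfigService::IsKnownFalseStartIncompatibleServer(hostname_);` followed by `rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START, false_start ? PR_TRUE : PR_FALSE);`. The helper's own comment assumes `hostname_` is already lower-cased, which this call site does not show; a one-line comment here stating where `hostname_` is normalised would tie the two together. The `LOG(INFO)` line is removed and re-added with identical text, so the change appears to be whitespace only. InitializeSSLOptions() starts and ends outside the hunk.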