authorAdam Langley <agl@google.com>2014-10-21 15:30:17 -0700
committerAdam Langley <agl@google.com>2014-10-21 22:30:58 +0000
commitd78e6694cfce3f406a21da9017b3e6ddc9a01816 (patch)
treef77734d34a8f8536d17e0adcfb027ed8bf5aa380
parenta5d11515e371eb78b84a84488c352b35b154b7c2 (diff)
Add Enterprise policy option to control minimum SSL fallback level.
r299567 disabled SSLv3 fallback. This change adds an enterprise policy option to control this value so that enterprises can re-enable the fallback if they need it. This option is in contrast to the one added in r299755. That one allows enterprises to be more aggressive in disabling SSLv3, while this one is intended for those who need to move more slowly than Chrome's default. BUG=418848,419870 Review URL: https://codereview.chromium.org/644913008 (cherry picked from commit 33369a4034528613b79464015cf8a000e3f27abb) Conflicts: components/policy/resources/policy_templates.json Cr-Commit-Position: refs/branch-heads/2171@{#222} Cr-Branched-From: 267aeeb8d85c8503a7fd12bd14654b8ea78d3974-refs/heads/master@{#297060}
-rw-r--r--chrome/browser/policy/configuration_policy_handler_list_factory.cc3
-rw-r--r--chrome/browser/policy/policy_browsertest.cc29
-rw-r--r--chrome/test/data/policy/policy_test_cases.json6
-rw-r--r--components/policy/resources/policy_templates.json57
-rw-r--r--tools/metrics/histograms/histograms.xml1
5 files changed, 96 insertions, 0 deletions
diff --git a/chrome/browser/policy/configuration_policy_handler_list_factory.cc b/chrome/browser/policy/configuration_policy_handler_list_factory.cc
index 884bc02..3d03cfb 100644
--- a/chrome/browser/policy/configuration_policy_handler_list_factory.cc
+++ b/chrome/browser/policy/configuration_policy_handler_list_factory.cc
@@ -369,6 +369,9 @@ const PolicyToPreferenceMapEntry kSimplePolicyMap[] = {
{ key::kSSLVersionMin,
prefs::kSSLVersionMin,
base::Value::TYPE_STRING },
+ { key::kSSLVersionFallbackMin,
+ prefs::kSSLVersionFallbackMin,
+ base::Value::TYPE_STRING },
#if !defined(OS_MACOSX) && !defined(OS_IOS)
{ key::kFullscreenAllowed,
diff --git a/chrome/browser/policy/policy_browsertest.cc b/chrome/browser/policy/policy_browsertest.cc
index 17b8027..7689b7f 100644
--- a/chrome/browser/policy/policy_browsertest.cc
+++ b/chrome/browser/policy/policy_browsertest.cc
@@ -2232,6 +2232,35 @@ IN_PROC_BROWSER_TEST_F(PolicyTest, SSLVersionMin) {
EXPECT_TRUE(IsMinSSLVersionTLS12(browser()->profile()));
}
+static bool IsMinSSLFallbackVersionTLS12(Profile* profile) {
+ scoped_refptr<net::SSLConfigService> config_service(
+ profile->GetSSLConfigService());
+ net::SSLConfig config;
+ config_service->GetSSLConfig(&config);
+ return config.version_fallback_min == net::SSL_PROTOCOL_VERSION_TLS1_2;
+}
+
+IN_PROC_BROWSER_TEST_F(PolicyTest, SSLVersionFallbackMin) {
+ PrefService* prefs = g_browser_process->local_state();
+
+ const std::string new_value("tls1.2");
+ const std::string default_value(
+ prefs->GetString(prefs::kSSLVersionFallbackMin));
+
+ EXPECT_NE(default_value, new_value);
+ EXPECT_FALSE(IsMinSSLFallbackVersionTLS12(browser()->profile()));
+
+ PolicyMap policies;
+ policies.Set(key::kSSLVersionFallbackMin,
+ POLICY_LEVEL_MANDATORY,
+ POLICY_SCOPE_USER,
+ new base::StringValue(new_value),
+ NULL);
+ UpdateProviderPolicy(policies);
+
+ EXPECT_TRUE(IsMinSSLFallbackVersionTLS12(browser()->profile()));
+}
+
#if !defined(OS_MACOSX)
IN_PROC_BROWSER_TEST_F(PolicyTest, FullscreenAllowedBrowser) {
PolicyMap policies;
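Review bot: The new SSLVersionFallbackMin test only exercises the tightening direction — `IsMinSSLFallbackVersionTLS12` and the `"tls1.2"` policy value prove the fallback floor can be raised — while the commit's stated purpose is letting enterprises lower it back to SSLv3, and nothing asserts that an `"ssl3"` value actually reaches `config.version_fallback_min` or that an unrecognised string leaves the default in place. The helper is also hard-wired to a single version; changing it to `static bool IsMinSSLFallbackVersion(Profile* profile, uint16 version)` with `return config.version_fallback_min == version;` would let the same test set the policy to `"ssl3"` after the `tls1.2` check and compare against the SSL3 protocol constant (presumably `net::SSL_PROTOCOL_VERSION_SSL3`; confirm the name in net/ssl/ssl_config.h). The `EXPECT_NE(default_value, new_value)` guard is a good touch, since the Chrome 39 default is documented as TLS 1.0, and a matching guard would be needed for the `"ssl3"` case as well.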
diff --git a/chrome/test/data/policy/policy_test_cases.json b/chrome/test/data/policy/policy_test_cases.json
index 3726432..68aac15 100644
--- a/chrome/test/data/policy/policy_test_cases.json
+++ b/chrome/test/data/policy/policy_test_cases.json
@@ -1687,6 +1687,12 @@
"pref_mappings": []
},
+ "SSLVersionFallbackMin": {
+ "os": ["win", "linux", "mac", "chromeos"],
+ "test_policy": { "SSLVersionFallbackMin": "tls1.2" },
+ "pref_mappings": []
+ },
+
"----- Chrome OS policies ------------------------------------------------": {},
"ChromeOsLockOnIdleSuspend": {
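Review bot: `"pref_mappings": []` on the new SSLVersionFallbackMin entry means the generated policy-to-pref test will not verify that this policy lands in the local-state pref the handler-list hunk wires it to (`prefs::kSSLVersionFallbackMin`); only the browser test in policy_browsertest.cc covers that path. This mirrors the empty mapping on the preceding entry, so it may be deliberate, but if the pref's string name is available a local-state pref mapping here would catch a broken or removed `kSimplePolicyMap` entry without relying on the heavier browser test.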
diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json
index 1a29191..835015f 100644
--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -6760,6 +6760,63 @@
Note that, despite the number, "sslv3" is an earier version than "tls1".''',
},
+ {
+ 'name': 'SSLVersionFallbackMin',
+ 'type': 'string-enum',
+ 'schema': {
+ 'type': 'string',
+ 'enum': [
+ 'ssl3',
+ 'tls1',
+ 'tls1.1',
+ 'tls1.2',
+ ],
+ },
+ 'items': [
+ {
+ 'name': 'SSLv3',
+ 'value': 'ssl3',
+ 'caption': 'SSL 3.0',
+ },
+ {
+ 'name': 'TLSv1',
+ 'value': 'tls1',
+ 'caption': 'TLS 1.0',
+ },
+ {
+ 'name': 'TLSv1.1',
+ 'value': 'tls1.1',
+ 'caption': 'TLS 1.1',
+ },
+ {
+ 'name': 'TLSv1.2',
+ 'value': 'tls1.2',
+ 'caption': 'TLS 1.2',
+ },
+ ],
+ 'supported_on': [
+ 'chrome.*:39-',
+ 'chrome_os:39-',
+ 'android:39-',
+ 'ios:39-',
+ ],
+ 'features': {
+ 'dynamic_refresh': True,
+ 'per_profile': False,
+ },
+ 'example_value': 'tls1',
+ 'id': 280,
+ 'caption': '''Minimum SSL version to fallback to''',
+ 'desc': '''When an SSL/TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will retry the connection with a lesser version of SSL/TLS in order to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly then this setting doesn't apply and SSLVersionMin controls.
+
+ If this policy is not configured then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use a default minimum version, which was SSLv3 in Chrome 38 but is TLS 1.0 in Chrome 39.
+
+ Otherwise it may be set to one of the following values: "sslv3", "tls1", "tls1.1" or "tls1.2". A setting of "tls1" protects against attacks on SSLv3 but is already the default. A more likely situation is that compatibility with a buggy server must be maintained and thus this needs to be set to "sslv3". That potentially opens up all connections to SSLv3 attacks since a network attacker can induce fallbacks. Thus this is a stopgap measure and the server should be rapidly fixed.
+
+ A setting of "tls1.2" disables all fallback but this may have a significant compatibility impact.
+
+ Note that, despite the number, "sslv3" is an earier version than "tls1".''',
+ },
],
'messages': {
# Messages that are not associated to any policies.
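Review bot: The schema and items accept the token `'ssl3'` (`'value': 'ssl3'`), but the description twice tells administrators to set `"sslv3"`, so an admin following the description to re-enable SSLv3 fallback — the one use case this policy exists for — would set a value the schema does not accept and the policy would presumably be rejected or ignored rather than applied, leaving them believing fallback is enabled when it is not. Change the desc to quote the real token, `Otherwise it may be set to one of the following values: "ssl3", "tls1", "tls1.1" or "tls1.2".` and `... this needs to be set to "ssl3".`, and fix `"earier"` to `"earlier"` in the closing note; the preceding SSLVersionMin description visible as context uses the same `"sslv3"` wording and likely has the same mismatch. Since the `ssl3` setting lets a network attacker downgrade every connection, the stopgap wording could also state that the setting should be removed as soon as the offending server is fixed rather than left in place indefinitely.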
diff --git a/tools/metrics/histograms/histograms.xml b/tools/metrics/histograms/histograms.xml
index 62aa447..efa4fd7 100644
--- a/tools/metrics/histograms/histograms.xml
+++ b/tools/metrics/histograms/histograms.xml
@@ -41181,6 +41181,7 @@ Therefore, the affected-histogram name has to have at least one dot in it.
<int value="277"
label="Import autofill form data from default browser on first run"/>
<int value="279" label="SSL minimum version"/>
+ <int value="280" label="SSL fallback minimum version"/>
</enum>
<enum name="EnterprisePolicyInvalidations" type="int">