Componentize ssl_config_service_manager_pref.cc

. Removed not needed notifications.
. Created new switches and prefs for ssl_config.
. Using SingleThreadTaskRunner over BrowserThread to remove content dependencies.

BUG=517014

TBR=jochen

Review URL: https://codereview.chromium.org/1320533007

Cr-Commit-Position: refs/heads/master@{#355038}

10 files changed, 657 insertions, 0 deletions

diff --git a/components/ssl_config/BUILD.gn b/components/ssl_config/BUILD.gn
new file mode 100644
index 0000000..cc79bea
--- /dev/null
+++ b/components/ssl_config/BUILD.gn
@@ -0,0 +1,34 @@
+# Copyright 2015 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# GYP version: components/ssl_config.gypi:ssl_config
+source_set("ssl_config") {
+  sources = [
+    "ssl_config_prefs.cc",
+    "ssl_config_prefs.h",
+    "ssl_config_service_manager.h",
+    "ssl_config_service_manager_pref.cc",
+    "ssl_config_switches.cc",
+    "ssl_config_switches.h",
+  ]
+
+  deps = [
+    "//base",
+    "//base:prefs",
+    "//components/content_settings/core/browser",
+    "//components/content_settings/core/common",
+    "//net",
+  ]
+}
+
+source_set("unit_tests") {
+  testonly = true
+  sources = [
+    "ssl_config_service_manager_pref_unittest.cc",
+  ]
+  deps = [
+    ":ssl_config",
+    "//testing/gtest",
+  ]
+}
diff --git a/components/ssl_config/DEPS b/components/ssl_config/DEPS
new file mode 100644
index 0000000..198af50
--- /dev/null
+++ b/components/ssl_config/DEPS
@@ -0,0 +1,7 @@
+include_rules = [
+  "+components/content_settings/core/browser",
+  "+components/content_settings/core/common",
+  "+net/socket",
+  "+net/ssl",
+]
+
diff --git a/components/ssl_config/OWNERS b/components/ssl_config/OWNERS
new file mode 100644
index 0000000..42d0d3b
--- /dev/null
+++ b/components/ssl_config/OWNERS
@@ -0,0 +1,3 @@
+agl@chromium.org
+davidben@chromium.org
+rsleevi@chromium.org
diff --git a/components/ssl_config/ssl_config_prefs.cc b/components/ssl_config/ssl_config_prefs.cc
new file mode 100644
index 0000000..8f4bc72
--- /dev/null
+++ b/components/ssl_config/ssl_config_prefs.cc
@@ -0,0 +1,21 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/ssl_config/ssl_config_prefs.h"
+
+namespace ssl_config {
+namespace prefs {
+
+// Prefs for SSLConfigServicePref.
+const char kCertRevocationCheckingEnabled[] = "ssl.rev_checking.enabled";
+const char kCertRevocationCheckingRequiredLocalAnchors[] =
+    "ssl.rev_checking.required_for_local_anchors";
+const char kSSLVersionMin[] = "ssl.version_min";
+const char kSSLVersionMax[] = "ssl.version_max";
+const char kSSLVersionFallbackMin[] = "ssl.version_fallback_min";
+const char kCipherSuiteBlacklist[] = "ssl.cipher_suites.blacklist";
+const char kDisableSSLRecordSplitting[] = "ssl.ssl_record_splitting.disabled";
+
+}  // namespace prefs
+}  // namespace ssl_config
diff --git a/components/ssl_config/ssl_config_prefs.h b/components/ssl_config/ssl_config_prefs.h
new file mode 100644
index 0000000..e29bb0f
--- /dev/null
+++ b/components/ssl_config/ssl_config_prefs.h
@@ -0,0 +1,22 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_SSL_CONFIG_SSL_CONFIG_PREFS_H_
+#define COMPONENTS_SSL_CONFIG_SSL_CONFIG_PREFS_H_
+
+namespace ssl_config {
+namespace prefs {
+
+extern const char kCertRevocationCheckingEnabled[];
+extern const char kCertRevocationCheckingRequiredLocalAnchors[];
+extern const char kSSLVersionMin[];
+extern const char kSSLVersionMax[];
+extern const char kSSLVersionFallbackMin[];
+extern const char kCipherSuiteBlacklist[];
+extern const char kDisableSSLRecordSplitting[];
+
+}  // namespace prefs
+}  // namespace ssl_config
+
+#endif  // COMPONENTS_SSL_CONFIG_SSL_CONFIG_PREFS_H_
diff --git a/components/ssl_config/ssl_config_service_manager.h b/components/ssl_config/ssl_config_service_manager.h
new file mode 100644
index 0000000..30bc1c0
--- /dev/null
+++ b/components/ssl_config/ssl_config_service_manager.h
@@ -0,0 +1,45 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_SSL_CONFIG_SSL_CONFIG_SERVICE_MANAGER_H_
+#define COMPONENTS_SSL_CONFIG_SSL_CONFIG_SERVICE_MANAGER_H_
+
+#include "base/memory/ref_counted.h"
+
+namespace base {
+class SingleThreadTaskRunner;
+}
+
+namespace net {
+class SSLConfigService;
+}  // namespace net
+
+class PrefService;
+class PrefRegistrySimple;
+
+namespace ssl_config {
+
+// An interface for creating SSLConfigService objects.
+class SSLConfigServiceManager {
+ public:
+  // Create an instance of the SSLConfigServiceManager. The lifetime of the
+  // PrefService objects must be longer than that of the manager. Get SSL
+  // preferences from local_state object.
+  static SSLConfigServiceManager* CreateDefaultManager(
+      PrefService* local_state,
+      const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner);
+
+  static void RegisterPrefs(PrefRegistrySimple* registry);
+
+  virtual ~SSLConfigServiceManager() {}
+
+  // Get an SSLConfigService instance.  It may be a new instance or the manager
+  // may return the same instance multiple times.
+  // The caller should hold a reference as long as it needs the instance (eg,
+  // using scoped_refptr.)
+  virtual net::SSLConfigService* Get() = 0;
+};
+
+}  // namespace ssl_config
+#endif  // COMPONENTS_SSL_CONFIG_SSL_CONFIG_SERVICE_MANAGER_H_
diff --git a/components/ssl_config/ssl_config_service_manager_pref.cc b/components/ssl_config/ssl_config_service_manager_pref.cc
new file mode 100644
index 0000000..0f7329f
--- /dev/null
+++ b/components/ssl_config/ssl_config_service_manager_pref.cc
@@ -0,0 +1,306 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "components/ssl_config/ssl_config_service_manager.h"
+
+#include <algorithm>
+#include <string>
+#include <vector>
+
+#include "base/basictypes.h"
+#include "base/bind.h"
+#include "base/metrics/field_trial.h"
+#include "base/prefs/pref_change_registrar.h"
+#include "base/prefs/pref_member.h"
+#include "base/prefs/pref_registry_simple.h"
+#include "base/prefs/pref_service.h"
+#include "base/single_thread_task_runner.h"
+#include "components/content_settings/core/browser/content_settings_utils.h"
+#include "components/content_settings/core/common/content_settings.h"
+#include "components/ssl_config/ssl_config_prefs.h"
+#include "components/ssl_config/ssl_config_switches.h"
+#include "net/ssl/ssl_cipher_suite_names.h"
+#include "net/ssl/ssl_config_service.h"
+
+namespace base {
+class SingleThreadTaskRunner;
+}
+
+namespace {
+
+// Converts a ListValue of StringValues into a vector of strings. Any Values
+// which cannot be converted will be skipped.
+std::vector<std::string> ListValueToStringVector(const base::ListValue* value) {
+  std::vector<std::string> results;
+  results.reserve(value->GetSize());
+  std::string s;
+  for (base::ListValue::const_iterator it = value->begin(); it != value->end();
+       ++it) {
+    if (!(*it)->GetAsString(&s))
+      continue;
+    results.push_back(s);
+  }
+  return results;
+}
+
+// Parses a vector of cipher suite strings, returning a sorted vector
+// containing the underlying SSL/TLS cipher suites. Unrecognized/invalid
+// cipher suites will be ignored.
+std::vector<uint16> ParseCipherSuites(
+    const std::vector<std::string>& cipher_strings) {
+  std::vector<uint16> cipher_suites;
+  cipher_suites.reserve(cipher_strings.size());
+
+  for (std::vector<std::string>::const_iterator it = cipher_strings.begin();
+       it != cipher_strings.end(); ++it) {
+    uint16 cipher_suite = 0;
+    if (!net::ParseSSLCipherString(*it, &cipher_suite)) {
+      LOG(ERROR) << "Ignoring unrecognized or unparsable cipher suite: " << *it;
+      continue;
+    }
+    cipher_suites.push_back(cipher_suite);
+  }
+  std::sort(cipher_suites.begin(), cipher_suites.end());
+  return cipher_suites;
+}
+
+// Returns the SSL protocol version (as a uint16) represented by a string.
+// Returns 0 if the string is invalid.
+uint16 SSLProtocolVersionFromString(const std::string& version_str) {
+  uint16 version = 0;  // Invalid.
+  if (version_str == switches::kSSLVersionTLSv1) {
+    version = net::SSL_PROTOCOL_VERSION_TLS1;
+  } else if (version_str == switches::kSSLVersionTLSv11) {
+    version = net::SSL_PROTOCOL_VERSION_TLS1_1;
+  } else if (version_str == switches::kSSLVersionTLSv12) {
+    version = net::SSL_PROTOCOL_VERSION_TLS1_2;
+  }
+  return version;
+}
+
+}  // namespace
+
+////////////////////////////////////////////////////////////////////////////////
+//  SSLConfigServicePref
+
+// An SSLConfigService which stores a cached version of the current SSLConfig
+// prefs, which are updated by SSLConfigServiceManagerPref when the prefs
+// change.
+class SSLConfigServicePref : public net::SSLConfigService {
+ public:
+  explicit SSLConfigServicePref(
+      const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner);
+
+  // Store SSL config settings in |config|. Must only be called from IO thread.
+  void GetSSLConfig(net::SSLConfig* config) override;
+
+ private:
+  // Allow the pref watcher to update our internal state.
+  friend class SSLConfigServiceManagerPref;
+
+  ~SSLConfigServicePref() override {}
+
+  // This method is posted to the IO thread from the browser thread to carry the
+  // new config information.
+  void SetNewSSLConfig(const net::SSLConfig& new_config);
+
+  // Cached value of prefs, should only be accessed from IO thread.
+  net::SSLConfig cached_config_;
+
+  scoped_refptr<base::SingleThreadTaskRunner> io_task_runner_;
+
+  DISALLOW_COPY_AND_ASSIGN(SSLConfigServicePref);
+};
+
+SSLConfigServicePref::SSLConfigServicePref(
+    const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner)
+    : io_task_runner_(io_task_runner) {}
+
+void SSLConfigServicePref::GetSSLConfig(net::SSLConfig* config) {
+  DCHECK(io_task_runner_->BelongsToCurrentThread());
+  *config = cached_config_;
+}
+
+void SSLConfigServicePref::SetNewSSLConfig(const net::SSLConfig& new_config) {
+  net::SSLConfig orig_config = cached_config_;
+  cached_config_ = new_config;
+  ProcessConfigUpdate(orig_config, new_config);
+}
+
+////////////////////////////////////////////////////////////////////////////////
+//  SSLConfigServiceManagerPref
+
+// The manager for holding and updating an SSLConfigServicePref instance.
+class SSLConfigServiceManagerPref : public ssl_config::SSLConfigServiceManager {
+ public:
+  SSLConfigServiceManagerPref(
+      PrefService* local_state,
+      const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner);
+  ~SSLConfigServiceManagerPref() override {}
+
+  // Register local_state SSL preferences.
+  static void RegisterPrefs(PrefRegistrySimple* registry);
+
+  net::SSLConfigService* Get() override;
+
+ private:
+  // Callback for preference changes.  This will post the changes to the IO
+  // thread with SetNewSSLConfig.
+  void OnPreferenceChanged(PrefService* prefs, const std::string& pref_name);
+
+  // Store SSL config settings in |config|, directly from the preferences. Must
+  // only be called from UI thread.
+  void GetSSLConfigFromPrefs(net::SSLConfig* config);
+
+  // Processes changes to the disabled cipher suites preference, updating the
+  // cached list of parsed SSL/TLS cipher suites that are disabled.
+  void OnDisabledCipherSuitesChange(PrefService* local_state);
+
+  PrefChangeRegistrar local_state_change_registrar_;
+
+  // The local_state prefs (should only be accessed from UI thread)
+  BooleanPrefMember rev_checking_enabled_;
+  BooleanPrefMember rev_checking_required_local_anchors_;
+  StringPrefMember ssl_version_min_;
+  StringPrefMember ssl_version_max_;
+  StringPrefMember ssl_version_fallback_min_;
+
+  // The cached list of disabled SSL cipher suites.
+  std::vector<uint16> disabled_cipher_suites_;
+
+  scoped_refptr<SSLConfigServicePref> ssl_config_service_;
+
+  scoped_refptr<base::SingleThreadTaskRunner> io_task_runner_;
+
+  DISALLOW_COPY_AND_ASSIGN(SSLConfigServiceManagerPref);
+};
+
+SSLConfigServiceManagerPref::SSLConfigServiceManagerPref(
+    PrefService* local_state,
+    const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner)
+    : ssl_config_service_(new SSLConfigServicePref(io_task_runner)),
+      io_task_runner_(io_task_runner) {
+  DCHECK(local_state);
+
+  PrefChangeRegistrar::NamedChangeCallback local_state_callback =
+      base::Bind(&SSLConfigServiceManagerPref::OnPreferenceChanged,
+                 base::Unretained(this), local_state);
+
+  rev_checking_enabled_.Init(ssl_config::prefs::kCertRevocationCheckingEnabled,
+                             local_state, local_state_callback);
+  rev_checking_required_local_anchors_.Init(
+      ssl_config::prefs::kCertRevocationCheckingRequiredLocalAnchors,
+      local_state, local_state_callback);
+  ssl_version_min_.Init(ssl_config::prefs::kSSLVersionMin, local_state,
+                        local_state_callback);
+  ssl_version_max_.Init(ssl_config::prefs::kSSLVersionMax, local_state,
+                        local_state_callback);
+  ssl_version_fallback_min_.Init(ssl_config::prefs::kSSLVersionFallbackMin,
+                                 local_state, local_state_callback);
+
+  local_state_change_registrar_.Init(local_state);
+  local_state_change_registrar_.Add(ssl_config::prefs::kCipherSuiteBlacklist,
+                                    local_state_callback);
+
+  OnDisabledCipherSuitesChange(local_state);
+
+  // Initialize from UI thread.  This is okay as there shouldn't be anything on
+  // the IO thread trying to access it yet.
+  GetSSLConfigFromPrefs(&ssl_config_service_->cached_config_);
+}
+
+// static
+void SSLConfigServiceManagerPref::RegisterPrefs(PrefRegistrySimple* registry) {
+  net::SSLConfig default_config;
+  registry->RegisterBooleanPref(
+      ssl_config::prefs::kCertRevocationCheckingEnabled,
+      default_config.rev_checking_enabled);
+  registry->RegisterBooleanPref(
+      ssl_config::prefs::kCertRevocationCheckingRequiredLocalAnchors,
+      default_config.rev_checking_required_local_anchors);
+  registry->RegisterStringPref(ssl_config::prefs::kSSLVersionMin,
+                               std::string());
+  registry->RegisterStringPref(ssl_config::prefs::kSSLVersionMax,
+                               std::string());
+  registry->RegisterStringPref(ssl_config::prefs::kSSLVersionFallbackMin,
+                               std::string());
+  registry->RegisterListPref(ssl_config::prefs::kCipherSuiteBlacklist);
+}
+
+net::SSLConfigService* SSLConfigServiceManagerPref::Get() {
+  return ssl_config_service_.get();
+}
+
+void SSLConfigServiceManagerPref::OnPreferenceChanged(
+    PrefService* prefs,
+    const std::string& pref_name_in) {
+  DCHECK(prefs);
+  if (pref_name_in == ssl_config::prefs::kCipherSuiteBlacklist)
+    OnDisabledCipherSuitesChange(prefs);
+
+  net::SSLConfig new_config;
+  GetSSLConfigFromPrefs(&new_config);
+
+  // Post a task to |io_loop| with the new configuration, so it can
+  // update |cached_config_|.
+  io_task_runner_->PostTask(FROM_HERE,
+                            base::Bind(&SSLConfigServicePref::SetNewSSLConfig,
+                                       ssl_config_service_.get(), new_config));
+}
+
+void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
+    net::SSLConfig* config) {
+  // rev_checking_enabled was formerly a user-settable preference, but now
+  // it is managed-only.
+  if (rev_checking_enabled_.IsManaged())
+    config->rev_checking_enabled = rev_checking_enabled_.GetValue();
+  else
+    config->rev_checking_enabled = false;
+  config->rev_checking_required_local_anchors =
+      rev_checking_required_local_anchors_.GetValue();
+  std::string version_min_str = ssl_version_min_.GetValue();
+  std::string version_max_str = ssl_version_max_.GetValue();
+  std::string version_fallback_min_str = ssl_version_fallback_min_.GetValue();
+  config->version_min = net::kDefaultSSLVersionMin;
+  config->version_max = net::kDefaultSSLVersionMax;
+  config->version_fallback_min = net::kDefaultSSLVersionFallbackMin;
+  uint16 version_min = SSLProtocolVersionFromString(version_min_str);
+  uint16 version_max = SSLProtocolVersionFromString(version_max_str);
+  uint16 version_fallback_min =
+      SSLProtocolVersionFromString(version_fallback_min_str);
+  if (version_min) {
+    config->version_min = version_min;
+  }
+  if (version_max) {
+    uint16 supported_version_max = config->version_max;
+    config->version_max = std::min(supported_version_max, version_max);
+  }
+  if (version_fallback_min) {
+    config->version_fallback_min = version_fallback_min;
+  }
+  config->disabled_cipher_suites = disabled_cipher_suites_;
+}
+
+void SSLConfigServiceManagerPref::OnDisabledCipherSuitesChange(
+    PrefService* local_state) {
+  const base::ListValue* value =
+      local_state->GetList(ssl_config::prefs::kCipherSuiteBlacklist);
+  disabled_cipher_suites_ = ParseCipherSuites(ListValueToStringVector(value));
+}
+
+////////////////////////////////////////////////////////////////////////////////
+//  SSLConfigServiceManager
+
+namespace ssl_config {
+// static
+SSLConfigServiceManager* SSLConfigServiceManager::CreateDefaultManager(
+    PrefService* local_state,
+    const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner) {
+  return new SSLConfigServiceManagerPref(local_state, io_task_runner);
+}
+
+// static
+void SSLConfigServiceManager::RegisterPrefs(PrefRegistrySimple* registry) {
+  SSLConfigServiceManagerPref::RegisterPrefs(registry);
+}
+}  // namespace ssl_config
diff --git a/components/ssl_config/ssl_config_service_manager_pref_unittest.cc b/components/ssl_config/ssl_config_service_manager_pref_unittest.cc
new file mode 100644
index 0000000..85cbc20
--- /dev/null
+++ b/components/ssl_config/ssl_config_service_manager_pref_unittest.cc
@@ -0,0 +1,175 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/ssl_config/ssl_config_service_manager.h"
+
+#include "base/memory/ref_counted.h"
+#include "base/message_loop/message_loop.h"
+#include "base/prefs/testing_pref_service.h"
+#include "base/thread_task_runner_handle.h"
+#include "base/values.h"
+#include "components/ssl_config/ssl_config_prefs.h"
+#include "components/ssl_config/ssl_config_switches.h"
+#include "net/ssl/ssl_config.h"
+#include "net/ssl/ssl_config_service.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+using base::ListValue;
+using net::SSLConfig;
+using net::SSLConfigService;
+using ssl_config::SSLConfigServiceManager;
+
+class SSLConfigServiceManagerPrefTest : public testing::Test {
+ public:
+  SSLConfigServiceManagerPrefTest() {}
+
+ protected:
+  base::MessageLoop message_loop_;
+};
+
+// Test channel id with no user prefs.
+TEST_F(SSLConfigServiceManagerPrefTest, ChannelIDWithoutUserPrefs) {
+  TestingPrefServiceSimple local_state;
+  SSLConfigServiceManager::RegisterPrefs(local_state.registry());
+
+  scoped_ptr<SSLConfigServiceManager> config_manager(
+      SSLConfigServiceManager::CreateDefaultManager(
+          &local_state, base::ThreadTaskRunnerHandle::Get()));
+  ASSERT_TRUE(config_manager.get());
+  scoped_refptr<SSLConfigService> config_service(config_manager->Get());
+  ASSERT_TRUE(config_service.get());
+
+  SSLConfig config;
+  config_service->GetSSLConfig(&config);
+  EXPECT_TRUE(config.channel_id_enabled);
+}
+
+// Test that cipher suites can be disabled. "Good" refers to the fact that
+// every value is expected to be successfully parsed into a cipher suite.
+TEST_F(SSLConfigServiceManagerPrefTest, GoodDisabledCipherSuites) {
+  TestingPrefServiceSimple local_state;
+  SSLConfigServiceManager::RegisterPrefs(local_state.registry());
+
+  scoped_ptr<SSLConfigServiceManager> config_manager(
+      SSLConfigServiceManager::CreateDefaultManager(
+          &local_state, base::ThreadTaskRunnerHandle::Get()));
+  ASSERT_TRUE(config_manager.get());
+  scoped_refptr<SSLConfigService> config_service(config_manager->Get());
+  ASSERT_TRUE(config_service.get());
+
+  SSLConfig old_config;
+  config_service->GetSSLConfig(&old_config);
+  EXPECT_TRUE(old_config.disabled_cipher_suites.empty());
+
+  base::ListValue* list_value = new base::ListValue();
+  list_value->Append(new base::StringValue("0x0004"));
+  list_value->Append(new base::StringValue("0x0005"));
+  local_state.SetUserPref(ssl_config::prefs::kCipherSuiteBlacklist, list_value);
+
+  // Pump the message loop to notify the SSLConfigServiceManagerPref that the
+  // preferences changed.
+  message_loop_.RunUntilIdle();
+
+  SSLConfig config;
+  config_service->GetSSLConfig(&config);
+
+  EXPECT_NE(old_config.disabled_cipher_suites, config.disabled_cipher_suites);
+  ASSERT_EQ(2u, config.disabled_cipher_suites.size());
+  EXPECT_EQ(0x0004, config.disabled_cipher_suites[0]);
+  EXPECT_EQ(0x0005, config.disabled_cipher_suites[1]);
+}
+
+// Test that cipher suites can be disabled. "Bad" refers to the fact that
+// there are one or more non-cipher suite strings in the preference. They
+// should be ignored.
+TEST_F(SSLConfigServiceManagerPrefTest, BadDisabledCipherSuites) {
+  TestingPrefServiceSimple local_state;
+  SSLConfigServiceManager::RegisterPrefs(local_state.registry());
+
+  scoped_ptr<SSLConfigServiceManager> config_manager(
+      SSLConfigServiceManager::CreateDefaultManager(
+          &local_state, base::ThreadTaskRunnerHandle::Get()));
+  ASSERT_TRUE(config_manager.get());
+  scoped_refptr<SSLConfigService> config_service(config_manager->Get());
+  ASSERT_TRUE(config_service.get());
+
+  SSLConfig old_config;
+  config_service->GetSSLConfig(&old_config);
+  EXPECT_TRUE(old_config.disabled_cipher_suites.empty());
+
+  base::ListValue* list_value = new base::ListValue();
+  list_value->Append(new base::StringValue("0x0004"));
+  list_value->Append(new base::StringValue("TLS_NOT_WITH_A_CIPHER_SUITE"));
+  list_value->Append(new base::StringValue("0x0005"));
+  list_value->Append(new base::StringValue("0xBEEFY"));
+  local_state.SetUserPref(ssl_config::prefs::kCipherSuiteBlacklist, list_value);
+
+  // Pump the message loop to notify the SSLConfigServiceManagerPref that the
+  // preferences changed.
+  message_loop_.RunUntilIdle();
+
+  SSLConfig config;
+  config_service->GetSSLConfig(&config);
+
+  EXPECT_NE(old_config.disabled_cipher_suites, config.disabled_cipher_suites);
+  ASSERT_EQ(2u, config.disabled_cipher_suites.size());
+  EXPECT_EQ(0x0004, config.disabled_cipher_suites[0]);
+  EXPECT_EQ(0x0005, config.disabled_cipher_suites[1]);
+}
+
+// Test that without command-line settings for minimum and maximum SSL versions,
+// TLS versions from 1.0 up to 1.1 or 1.2 are enabled.
+TEST_F(SSLConfigServiceManagerPrefTest, NoCommandLinePrefs) {
+  scoped_refptr<TestingPrefStore> local_state_store(new TestingPrefStore());
+  TestingPrefServiceSimple local_state;
+  SSLConfigServiceManager::RegisterPrefs(local_state.registry());
+
+  scoped_ptr<SSLConfigServiceManager> config_manager(
+      SSLConfigServiceManager::CreateDefaultManager(
+          &local_state, base::ThreadTaskRunnerHandle::Get()));
+  ASSERT_TRUE(config_manager.get());
+  scoped_refptr<SSLConfigService> config_service(config_manager->Get());
+  ASSERT_TRUE(config_service.get());
+
+  SSLConfig ssl_config;
+  config_service->GetSSLConfig(&ssl_config);
+  // In the absence of command-line options, the default TLS version range is
+  // enabled.
+  EXPECT_EQ(net::kDefaultSSLVersionMin, ssl_config.version_min);
+  EXPECT_EQ(net::kDefaultSSLVersionMax, ssl_config.version_max);
+
+  // The settings should not be added to the local_state.
+  EXPECT_FALSE(local_state.HasPrefPath(ssl_config::prefs::kSSLVersionMin));
+  EXPECT_FALSE(local_state.HasPrefPath(ssl_config::prefs::kSSLVersionMax));
+
+  // Explicitly double-check the settings are not in the preference store.
+  std::string version_min_str;
+  std::string version_max_str;
+  EXPECT_FALSE(local_state_store->GetString(ssl_config::prefs::kSSLVersionMin,
+                                            &version_min_str));
+  EXPECT_FALSE(local_state_store->GetString(ssl_config::prefs::kSSLVersionMax,
+                                            &version_max_str));
+}
+
+// Tests that "ssl3" is not treated as a valid minimum version.
+TEST_F(SSLConfigServiceManagerPrefTest, NoSSL3) {
+  scoped_refptr<TestingPrefStore> local_state_store(new TestingPrefStore());
+
+  TestingPrefServiceSimple local_state;
+  local_state.SetUserPref(ssl_config::prefs::kSSLVersionMin,
+                          new base::StringValue("ssl3"));
+  SSLConfigServiceManager::RegisterPrefs(local_state.registry());
+
+  scoped_ptr<SSLConfigServiceManager> config_manager(
+      SSLConfigServiceManager::CreateDefaultManager(
+          &local_state, base::ThreadTaskRunnerHandle::Get()));
+  ASSERT_TRUE(config_manager.get());
+  scoped_refptr<SSLConfigService> config_service(config_manager->Get());
+  ASSERT_TRUE(config_service.get());
+
+  SSLConfig ssl_config;
+  config_service->GetSSLConfig(&ssl_config);
+  // The command-line option must not have been honored.
+  EXPECT_LE(net::SSL_PROTOCOL_VERSION_TLS1, ssl_config.version_min);
+}
diff --git a/components/ssl_config/ssl_config_switches.cc b/components/ssl_config/ssl_config_switches.cc
new file mode 100644
index 0000000..139593e
--- /dev/null
+++ b/components/ssl_config/ssl_config_switches.cc
@@ -0,0 +1,25 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/ssl_config/ssl_config_switches.h"
+
+namespace switches {
+
+// Specifies the maximum SSL/TLS version ("tls1", "tls1.1", or "tls1.2").
+const char kSSLVersionMax[] = "ssl-version-max";
+
+// Specifies the minimum SSL/TLS version ("tls1", "tls1.1", or "tls1.2").
+const char kSSLVersionMin[] = "ssl-version-min";
+
+// Specifies the minimum SSL/TLS version ("tls1", "tls1.1", or "tls1.2") that
+// TLS fallback will accept.
+const char kSSLVersionFallbackMin[] = "ssl-version-fallback-min";
+
+// These values aren't switches, but rather the values that kSSLVersionMax,
+// kSSLVersionMin and kSSLVersionFallbackMin can have.
+const char kSSLVersionTLSv1[] = "tls1";
+const char kSSLVersionTLSv11[] = "tls1.1";
+const char kSSLVersionTLSv12[] = "tls1.2";
+
+}  // namespace switches
diff --git a/components/ssl_config/ssl_config_switches.h b/components/ssl_config/ssl_config_switches.h
new file mode 100644
index 0000000..fc8d437
--- /dev/null
+++ b/components/ssl_config/ssl_config_switches.h
@@ -0,0 +1,19 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_SSL_CONFIG_SSL_CONFIG_SWITCHES_H_
+#define COMPONENTS_SSL_CONFIG_SSL_CONFIG_SWITCHES_H_
+
+namespace switches {
+
+extern const char kSSLVersionMax[];
+extern const char kSSLVersionMin[];
+extern const char kSSLVersionFallbackMin[];
+extern const char kSSLVersionTLSv1[];
+extern const char kSSLVersionTLSv11[];
+extern const char kSSLVersionTLSv12[];
+
+}  // namespace switches
+
+#endif  // COMPONENTS_SSL_CONFIG_SSL_CONFIG_SWITCHES_H_