diff options
author | agl <agl@chromium.org> | 2014-10-17 15:28:10 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2014-10-17 22:28:55 +0000 |
commit | 33369a4034528613b79464015cf8a000e3f27abb (patch) | |
tree | 2a0b0de61091015fc5f381476645a43ed56270b1 /components | |
parent | a84d8e63b324924aa3d838b2bea9771b51ddfc2f (diff) | |
download | chromium_src-33369a4034528613b79464015cf8a000e3f27abb.zip chromium_src-33369a4034528613b79464015cf8a000e3f27abb.tar.gz chromium_src-33369a4034528613b79464015cf8a000e3f27abb.tar.bz2 |
Add Enterprise policy option to control minimum SSL fallback level.
r299567 disabled SSLv3 fallback. This change adds an enterprise policy option
to control this value so that enterprises can reenable the fallback if they
need it.
This option is in contrast to the one added in r299755. That one allows
enterprises to be more aggressive in disabling SSLv3, while this one is
intended for those who need to more slower that Chrome's default.
BUG=418848,419870
Review URL: https://codereview.chromium.org/644913008
Cr-Commit-Position: refs/heads/master@{#300178}
Diffstat (limited to 'components')
-rw-r--r-- | components/policy/resources/policy_templates.json | 59 |
1 files changed, 58 insertions, 1 deletions
diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json index 51bd259..86184b5 100644 --- a/components/policy/resources/policy_templates.json +++ b/components/policy/resources/policy_templates.json @@ -123,7 +123,7 @@ # persistent IDs for all fields (but not for groups!) are needed. These are # specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs, # because doing so would break the deployed wire format! -# For your editing convenience: highest ID currently used: 279 +# For your editing convenience: highest ID currently used: 280 # # Placeholders: # The following placeholder strings are automatically substituted: @@ -6844,6 +6844,63 @@ Note that, despite the number, "sslv3" is an earier version than "tls1".''', }, + { + 'name': 'SSLVersionFallbackMin', + 'type': 'string-enum', + 'schema': { + 'type': 'string', + 'enum': [ + 'ssl3', + 'tls1', + 'tls1.1', + 'tls1.2', + ], + }, + 'items': [ + { + 'name': 'SSLv3', + 'value': 'ssl3', + 'caption': 'SSL 3.0', + }, + { + 'name': 'TLSv1', + 'value': 'tls1', + 'caption': 'TLS 1.0', + }, + { + 'name': 'TLSv1.1', + 'value': 'tls1.1', + 'caption': 'TLS 1.1', + }, + { + 'name': 'TLSv1.2', + 'value': 'tls1.2', + 'caption': 'TLS 1.2', + }, + ], + 'supported_on': [ + 'chrome.*:39-', + 'chrome_os:39-', + 'android:39-', + 'ios:39-', + ], + 'features': { + 'dynamic_refresh': True, + 'per_profile': False, + }, + 'example_value': 'tls1', + 'id': 280, + 'caption': '''Minimum SSL version to fallback to''', + 'desc': '''When an SSL/TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will retry the connection with a lesser version of SSL/TLS in order to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly then this setting doesn't apply and SSLVersionMin controls. + + If this policy is not configured then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use a default minimum version, which was SSLv3 in Chrome 38 but is TLS 1.0 in Chrome 39. + + Otherwise it may be set to one of the following values: "sslv3", "tls1", "tls1.1" or "tls1.2". A setting of "tls1" protects against attacks on SSLv3 but is already the default. A more likely situation is that compatibility with a buggy server must be maintained and thus this needs to be set to "sslv3". That potentially opens up all connections to SSLv3 attacks since a network attacker can induce fallbacks. Thus this is a stopgap measure and the server should be rapidly fixed. + + A setting of "tls1.2" disables all fallback but this may have a significant compatibility impact. + + Note that, despite the number, "sslv3" is an earier version than "tls1".''', + }, ], 'messages': { # Messages that are not associated to any policies. |