summaryrefslogtreecommitdiffstats
path: root/components
diff options
context:
space:
mode:
authoragl <agl@chromium.org>2014-10-17 15:28:10 -0700
committerCommit bot <commit-bot@chromium.org>2014-10-17 22:28:55 +0000
commit33369a4034528613b79464015cf8a000e3f27abb (patch)
tree2a0b0de61091015fc5f381476645a43ed56270b1 /components
parenta84d8e63b324924aa3d838b2bea9771b51ddfc2f (diff)
downloadchromium_src-33369a4034528613b79464015cf8a000e3f27abb.zip
chromium_src-33369a4034528613b79464015cf8a000e3f27abb.tar.gz
chromium_src-33369a4034528613b79464015cf8a000e3f27abb.tar.bz2
Add Enterprise policy option to control minimum SSL fallback level.
r299567 disabled SSLv3 fallback. This change adds an enterprise policy option to control this value so that enterprises can reenable the fallback if they need it. This option is in contrast to the one added in r299755. That one allows enterprises to be more aggressive in disabling SSLv3, while this one is intended for those who need to more slower that Chrome's default. BUG=418848,419870 Review URL: https://codereview.chromium.org/644913008 Cr-Commit-Position: refs/heads/master@{#300178}
Diffstat (limited to 'components')
-rw-r--r--components/policy/resources/policy_templates.json59
1 files changed, 58 insertions, 1 deletions
diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json
index 51bd259..86184b5 100644
--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -123,7 +123,7 @@
# persistent IDs for all fields (but not for groups!) are needed. These are
# specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
# because doing so would break the deployed wire format!
-# For your editing convenience: highest ID currently used: 279
+# For your editing convenience: highest ID currently used: 280
#
# Placeholders:
# The following placeholder strings are automatically substituted:
@@ -6844,6 +6844,63 @@
Note that, despite the number, "sslv3" is an earier version than "tls1".''',
},
+ {
+ 'name': 'SSLVersionFallbackMin',
+ 'type': 'string-enum',
+ 'schema': {
+ 'type': 'string',
+ 'enum': [
+ 'ssl3',
+ 'tls1',
+ 'tls1.1',
+ 'tls1.2',
+ ],
+ },
+ 'items': [
+ {
+ 'name': 'SSLv3',
+ 'value': 'ssl3',
+ 'caption': 'SSL 3.0',
+ },
+ {
+ 'name': 'TLSv1',
+ 'value': 'tls1',
+ 'caption': 'TLS 1.0',
+ },
+ {
+ 'name': 'TLSv1.1',
+ 'value': 'tls1.1',
+ 'caption': 'TLS 1.1',
+ },
+ {
+ 'name': 'TLSv1.2',
+ 'value': 'tls1.2',
+ 'caption': 'TLS 1.2',
+ },
+ ],
+ 'supported_on': [
+ 'chrome.*:39-',
+ 'chrome_os:39-',
+ 'android:39-',
+ 'ios:39-',
+ ],
+ 'features': {
+ 'dynamic_refresh': True,
+ 'per_profile': False,
+ },
+ 'example_value': 'tls1',
+ 'id': 280,
+ 'caption': '''Minimum SSL version to fallback to''',
+ 'desc': '''When an SSL/TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will retry the connection with a lesser version of SSL/TLS in order to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly then this setting doesn't apply and SSLVersionMin controls.
+
+ If this policy is not configured then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use a default minimum version, which was SSLv3 in Chrome 38 but is TLS 1.0 in Chrome 39.
+
+ Otherwise it may be set to one of the following values: "sslv3", "tls1", "tls1.1" or "tls1.2". A setting of "tls1" protects against attacks on SSLv3 but is already the default. A more likely situation is that compatibility with a buggy server must be maintained and thus this needs to be set to "sslv3". That potentially opens up all connections to SSLv3 attacks since a network attacker can induce fallbacks. Thus this is a stopgap measure and the server should be rapidly fixed.
+
+ A setting of "tls1.2" disables all fallback but this may have a significant compatibility impact.
+
+ Note that, despite the number, "sslv3" is an earier version than "tls1".''',
+ },
],
'messages': {
# Messages that are not associated to any policies.