authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-04-05 19:54:14 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-04-05 19:54:14 +0000
commit53a17e24bba43fb1c6b11303b02cce4dfaa2b65d (patch)
tree3ff7fb87980d94aef7efd72fde11465a2211d529 /net/base/ssl_config_service.h
parentff268ff5dc3e23701eadda8f72a3f25a56e1797c (diff)
net: remove forced renegotiation checks
We lost this battle. We had to step back from requiring the renegotiation extension, even on sites which we know support it, because of the number of MITM proxies. Since there doesn't seem to be any way forward, this change removes the code. BUG=55410 TEST=compiles Review URL: http://codereview.chromium.org/6792032 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@80513 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/ssl_config_service.h')
-rw-r--r--net/base/ssl_config_service.h21
1 files changed, 0 insertions, 21 deletions
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index e0879ed..1fad97a 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -56,14 +56,6 @@ struct SSLConfig {
// TODO(rsleevi): Not implemented when using Schannel.
std::vector<uint16> disabled_cipher_suites;
- // True if we allow this connection to be MITM attacked. This sounds a little
- // worse than it is: large networks sometimes MITM attack all SSL connections
- // on egress. We want to know this because we might not have the end-to-end
- // connection that we believe that we have based on the hostname. Therefore,
- // certain certificate checks can't be performed and we can't use outside
- // knowledge about whether the server has the renegotiation extension.
- bool mitm_proxies_allowed;
-
bool false_start_enabled; // True if we'll use TLS False Start.
// TODO(wtc): move the following members to a new SSLParams structure. They
@@ -135,14 +127,6 @@ class SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> {
// May not be thread-safe, should only be called on the IO thread.
virtual void GetSSLConfig(SSLConfig* config) = 0;
- // Returns true if the given hostname is known to be 'strict'. This means
- // that we will require the renegotiation extension and will always use TLS
- // (no SSLv3 fallback).
- //
- // If you wish to add an element to this list, file a bug at
- // http://crbug.com and email the link to agl AT chromium DOT org.
- static bool IsKnownStrictTLSServer(const std::string& hostname);
-
// Returns true if the given hostname is known to be incompatible with TLS
// False Start.
static bool IsKnownFalseStartIncompatibleServer(const std::string& hostname);
@@ -157,11 +141,6 @@ class SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> {
static void EnableSnapStart();
static bool snap_start_enabled();
- // Sets a global flag which allows SSL connections to be MITM attacked. See
- // the comment about this flag in |SSLConfig|.
- static void AllowMITMProxies();
- static bool mitm_proxies_allowed();
-
// Disables False Start in SSL connections.
static void DisableFalseStart();
// True if we use False Start for SSL and TLS.