author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-01 16:25:54 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-01 16:25:54 +0000 |
commit | 7a8de307caef3ed87448fde283201273f063f024 (patch) | |
tree | 7660501ff318592e9577e571446139726a33f5a0 /net/base | |
parent | 5a41c4c0b8cdb997062b8bf197e2d0cf65bd508c (diff) | |
net: add Snap Start support to NSS sockets.
(This doesn't actually enable any functional changes yet.)
BUG=none
TEST=none (yet)
http://codereview.chromium.org/3454021
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@61181 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
-rw-r--r-- | net/base/net_error_list.h | 6 | ||||
-rw-r--r-- | net/base/ssl_config_service.cc | 18 | ||||
-rw-r--r-- | net/base/ssl_config_service.h | 13 |
3 files changed, 34 insertions, 3 deletions
diff --git a/net/base/net_error_list.h b/net/base/net_error_list.h
index 0370874..9e4ec6a 100644
--- a/net/base/net_error_list.h
+++ b/net/base/net_error_list.h
@@ -177,6 +177,12 @@ NET_ERROR(SSL_WEAK_SERVER_EPHEMERAL_DH_KEY, -129)
 // of an HTTP proxy.
 NET_ERROR(PROXY_CONNECTION_FAILED, -130)
 
+// This means that we tried a Snap Start connection and sent a request,
+// predicting the server's NPN protocol support. However, after doing the
+// actual handshake, our prediction turned out to be incorrect so we sent a
+// request in the wrong protocol.
+NET_ERROR(SSL_SNAP_START_NPN_MISPREDICTION, -131)
+
 // Certificate error codes
 //
 // The values of certificate error codes must be consecutive.
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index c20284f..fc35f5d 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -17,9 +17,9 @@ namespace net {
 
 SSLConfig::SSLConfig()
 : rev_checking_enabled(true), ssl2_enabled(false), ssl3_enabled(true),
- tls1_enabled(true), dnssec_enabled(false), mitm_proxies_allowed(false),
- false_start_enabled(true), send_client_cert(false),
- verify_ev_cert(false), ssl3_fallback(false) {
+ tls1_enabled(true), dnssec_enabled(false), snap_start_enabled(false),
+ mitm_proxies_allowed(false), false_start_enabled(true),
+ send_client_cert(false), verify_ev_cert(false), ssl3_fallback(false) {
 }
 
 SSLConfig::~SSLConfig() {
@@ -90,12 +90,14 @@ bool SSLConfigService::IsKnownFalseStartIncompatibleServer(
 static bool g_dnssec_enabled = false;
 static bool g_false_start_enabled = true;
 static bool g_mitm_proxies_allowed = false;
+static bool g_snap_start_enabled = false;
 
 // static
 void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) {
 ssl_config->dnssec_enabled = g_dnssec_enabled;
 ssl_config->false_start_enabled = g_false_start_enabled;
 ssl_config->mitm_proxies_allowed = g_mitm_proxies_allowed;
+ ssl_config->snap_start_enabled = g_snap_start_enabled;
 }
 
 // static
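Review bot: `g_snap_start_enabled` is a plain file-static `bool` that SetSSLConfigFlags reads here and EnableSnapStart (defined in the following hunk) writes, with no synchronization, on a service that is RefCountedThreadSafe. That mirrors the adjacent `g_dnssec_enabled` and `g_false_start_enabled` flags, so presumably the contract is that it is set once during startup before any SSLConfig is populated; if so, that should be stated at the declaration, e.g. `// Set once at startup via EnableSnapStart(), before any SSLConfig is populated; read without locking.` If EnableSnapStart can instead run after sockets have started being created on other threads, this is a data race and the flag belongs on the service instance rather than in a file-static. The same applies to the getter `snap_start_enabled()` in the next hunk, which returns the global directly.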
@@ -109,6 +111,16 @@ bool SSLConfigService::dnssec_enabled() {
 }
 
 // static
+void SSLConfigService::EnableSnapStart() {
+ g_snap_start_enabled = true;
+}
+
+// static
+bool SSLConfigService::snap_start_enabled() {
+ return g_snap_start_enabled;
+}
+
+// static
 void SSLConfigService::DisableFalseStart() {
 g_false_start_enabled = false;
 }
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index f78e3df..5eb2397 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -10,6 +10,7 @@
 
 #include "base/observer_list.h"
 #include "base/ref_counted.h"
+#include "net/base/ssl_non_sensitive_host_info.h"
 #include "net/base/x509_certificate.h"
 
 namespace net {
@@ -27,6 +28,7 @@ struct SSLConfig {
 bool ssl3_enabled; // True if SSL 3.0 is enabled.
 bool tls1_enabled; // True if TLS 1.0 is enabled.
 bool dnssec_enabled; // True if we'll accept DNSSEC chains in certificates.
+ bool snap_start_enabled; // True if we'll try Snap Start handshakes.
 
 // True if we allow this connection to be MITM attacked. This sounds a little
 // worse than it is: large networks sometimes MITM attack all SSL connections
@@ -72,6 +74,12 @@ struct SSLConfig {
 std::string next_protos;
 
 scoped_refptr<X509Certificate> client_cert;
+
+ // ssl_host_info contains an optional context that is needed for Snap Start.
+ // If provided, the SSL socket will assume that the application protocol is
+ // client-speaks-first. Also needs SSLConfigService::EnableSnapStart to
+ // have been called.
+ scoped_refptr<SSLNonSensitiveHostInfo> ssl_host_info;
 };
 
 // The interface for retrieving the SSL configuration. This interface
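Review bot: The new `ssl_host_info` comment on SSLConfig says the socket will assume a client-speaks-first protocol when the field is set, but not what happens when that assumption is wrong; this same commit adds exactly that failure as `SSL_SNAP_START_NPN_MISPREDICTION` (-131) in net_error_list.h, so the field comment should point to it, e.g. `// If the predicted protocol turns out to be wrong, the connection fails with SSL_SNAP_START_NPN_MISPREDICTION.` It would also help to say explicitly that leaving `ssl_host_info` unset disables Snap Start for that connection, if that is the intended contract — the comment calls it "optional context that is needed for Snap Start", and the constructor hunk above does not initialize it, which is fine for a scoped_refptr but leaves the default implicit. The `struct SSLConfig` definition starts before this hunk.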
@@ -125,6 +133,11 @@ class SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> {
 static void EnableDNSSEC();
 static bool dnssec_enabled();
 
+ // Enables Snap Start, an experiemental SSL/TLS extension for zero round
+ // trip handshakes.
+ static void EnableSnapStart();
+ static bool snap_start_enabled();
+
 // Sets a global flag which allows SSL connections to be MITM attacked. See
 // the comment about this flag in |SSLConfig|.
 static void AllowMITMProxies(); |
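Review bot: `experiemental` in the new comment above EnableSnapStart is a typo for `experimental`. The comment also leaves the contract of the two new statics implicit: `snap_start_enabled()` returns a process-global flag, and SetSSLConfigFlags copies that flag into each SSLConfig, so an SSLConfig populated before EnableSnapStart() is called never sees it. Suggest replacing the two comment lines with `// Enables Snap Start, an experimental SSL/TLS extension for zero round trip` / `// handshakes. Process-global; only SSLConfigs populated after this call` / `// (via SetSSLConfigFlags) will have snap_start_enabled set.` The enclosing `class SSLConfigService` declaration starts before and continues after this hunk.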