author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-04 21:51:12 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-04 21:51:12 +0000 |
commit | d8fbf589947080e223c40c3dad7b2f3f7a54c66d (patch) | |
tree | 197f56d4838ae199613e1d60e0a869f6f7c478cb /net/base | |
parent | a74507d345c15f077dcd72b810185ade89fedce5 (diff) | |
net: add certificate provenance checking.
BUG=none
TEST=none
http://codereview.chromium.org/4448001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@65116 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
-rw-r--r-- | net/base/ssl_config_service.cc | 13 | ||||
-rw-r--r-- | net/base/ssl_config_service.h | 6 |
2 files changed, 19 insertions, 0 deletions
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index 46fce20..cdfa4d3 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -95,6 +95,7 @@ static bool g_dnssec_enabled = false;
 static bool g_false_start_enabled = true;
 static bool g_mitm_proxies_allowed = false;
 static bool g_snap_start_enabled = false;
+static bool g_dns_cert_provenance_checking = false;
 // static
 void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) {
@@ -102,6 +103,8 @@ void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) {
 ssl_config->false_start_enabled = g_false_start_enabled;
 ssl_config->mitm_proxies_allowed = g_mitm_proxies_allowed;
 ssl_config->snap_start_enabled = g_snap_start_enabled;
+ ssl_config->dns_cert_provenance_checking_enabled =
+ g_dns_cert_provenance_checking;
 }
 // static
@@ -144,6 +147,16 @@ bool SSLConfigService::mitm_proxies_allowed() {
 return g_mitm_proxies_allowed;
 }
+// static
+void SSLConfigService::EnableDNSCertProvenanceChecking() {
+ g_dns_cert_provenance_checking = true;
+}
+
+// static
+bool SSLConfigService::dns_cert_provenance_checking_enabled() {
+ return g_dns_cert_provenance_checking;
+}
+
 void SSLConfigService::AddObserver(Observer* observer) {
 observer_list_.AddObserver(observer);
 }
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index 0ab88b2..be50097 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -28,6 +28,8 @@ struct SSLConfig {
 bool tls1_enabled; // True if TLS 1.0 is enabled.
 bool dnssec_enabled; // True if we'll accept DNSSEC chains in certificates.
 bool snap_start_enabled; // True if we'll try Snap Start handshakes.
+ // True if we'll do async checks for certificate provenance using DNS.
+ bool dns_cert_provenance_checking_enabled;
 // True if we allow this connection to be MITM attacked. This sounds a little
 // worse than it is: large networks sometimes MITM attack all SSL connections
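Review bot: EnableDNSCertProvenanceChecking() writes the plain static g_dns_cert_provenance_checking with no synchronization, and SetSSLConfigFlags() in the hunk above copies it into every SSLConfig it fills; since SSLConfigService is declared RefCountedThreadSafe (visible in the ssl_config_service.h hunk header), the flag is presumably read on a thread other than the one that sets it. The sibling flags follow the same unsynchronized pattern, so this is consistent with the file, but the new one-way setter should state when it is safe to call: `// Must be called at startup, before any SSLConfig is built: the flag is a` / `// plain static read without locking, like the other flags above, and there` / `// is no way to turn it back off.` Both new functions are complete within the hunk; the surrounding file continues outside it.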
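Review bot: The new field bool dns_cert_provenance_checking_enabled has no initializer in the struct, and none of the three ssl_config_service.cc hunks touch an SSLConfig constructor — the diffstat's 13 insertions in that file are all accounted for by the hunks shown. If SSLConfig's constructor (outside this hunk) initializes the sibling bools, the new field is left indeterminate in any config that does not pass through SetSSLConfigFlags(), and an indeterminate bool here decides whether a DNS-side check is issued for the connection. Add it to the constructor's initializer list next to snap_start_enabled, `dns_cert_provenance_checking_enabled(false),`, so the default is the same false that the g_ static starts with. struct SSLConfig continues outside the hunk.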
@@ -144,6 +146,10 @@ class SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> {
 // True if we use False Start for SSL and TLS.
 static bool false_start_enabled();
+ // Enables DNS side checks for certificates.
+ static void EnableDNSCertProvenanceChecking();
+ static bool dns_cert_provenance_checking_enabled();
+
 // Add an observer of this service.
 void AddObserver(Observer* observer);
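Review bot: The comment `// Enables DNS side checks for certificates.` above EnableDNSCertProvenanceChecking() does not say what is checked, that the check is asynchronous (the SSLConfig field's own comment in the other hunk says "async checks for certificate provenance using DNS"), or that the setting is process-global with no counterpart to clear it. Suggest replacing it with `// Enables the asynchronous, DNS-based certificate provenance check for` / `// configs built after the call (see SSLConfig::dns_cert_provenance_checking_enabled).` / `// The setting is process-global and cannot be cleared once set.` and documenting the getter as `// True if EnableDNSCertProvenanceChecking() has been called.` class SSLConfigService continues outside the hunk.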