author | davidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-18 23:39:52 +0000 |
---|---|---|
committer | davidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-18 23:39:52 +0000 |
commit | a0deaecf001cf21b043c968d10200307d4105ec2 (patch) | |
tree | e65a114afed3be4c39e0ad7bb217a5a2638bfcef /net/base | |
parent | da81f13c4d59797f9a83c35a8acc544138df499f (diff) | |
Add a command-line flag to disable SSL/TLS False Start
Some servers are not compatible with False Start. Adding a command-line
flag will make it easier to test and verify such cases.
Also, blacklist www.picnik.com as incompatible with False Start.
BUG=50650
TEST=see bug
Review URL: http://codereview.chromium.org/3167015
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@56622 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
-rw-r--r-- | net/base/ssl_config_service.cc | 29 | ||||
-rw-r--r-- | net/base/ssl_config_service.h | 12 | ||||
-rw-r--r-- | net/base/ssl_config_service_defaults.h | 1 | ||||
-rw-r--r-- | net/base/ssl_config_service_mac.cc | 1 | ||||
-rw-r--r-- | net/base/ssl_config_service_win.cc | 1 |
5 files changed, 44 insertions, 0 deletions
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index fb85665..1b367ed 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -55,7 +55,26 @@ bool SSLConfigService::IsKnownStrictTLSServer(const std::string& hostname) {
   return false;
 }
 
+// static
+bool SSLConfigService::IsKnownFalseStartIncompatibleServer(
+    const std::string& hostname) {
+  // If this list starts growing, it'll need to be something more efficient
+  // than a linear list.
+  static const char kFalseStartIncompatibleServers[][15] = {
+    "www.picnik.com",
+  };
+
+  for (size_t i = 0; i < arraysize(kFalseStartIncompatibleServers); i++) {
+    // Note that the hostname is normalised to lower-case by this point.
+    if (strcmp(hostname.c_str(), kFalseStartIncompatibleServers[i]) == 0)
+      return true;
+  }
+
+  return false;
+}
+
 static bool g_dnssec_enabled = false;
+static bool g_false_start_enabled = true;
 
 // static
 void SSLConfigService::EnableDNSSEC() {
@@ -67,4 +86,14 @@ bool SSLConfigService::dnssec_enabled() {
   return g_dnssec_enabled;
 }
 
+// static
+void SSLConfigService::DisableFalseStart() {
+  g_false_start_enabled = false;
+}
+
+// static
+bool SSLConfigService::false_start_enabled() {
+  return g_false_start_enabled;
+}
+
 }  // namespace net
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index d10134e..75a4f74 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -20,6 +20,7 @@ struct SSLConfig {
   SSLConfig()
       : rev_checking_enabled(true), ssl2_enabled(false), ssl3_enabled(true),
         tls1_enabled(true), ssl3_fallback(false), dnssec_enabled(false),
+        false_start_enabled(true),
         send_client_cert(false), verify_ev_cert(false) {
   }
 
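Review bot: The table type `static const char kFalseStartIncompatibleServers[][15]` in IsKnownFalseStartIncompatibleServer hard-codes the row width to exactly fit "www.picnik.com" plus its terminator, so every future entry has to be measured against that 15 even though the comment above it already anticipates the list growing. A pointer table removes the coupling with no behavioural change: `static const char* const kFalseStartIncompatibleServers[] = {`. The lookup is an exact strcmp on the hostname, so an entry covers that one host only and not other names served by the same machine; that looks intended, but the header comment on the declaration could say so, e.g. `// Exact-match lookup; the caller passes a lower-cased hostname.`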
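Review bot: `g_false_start_enabled` is a plain file-static bool written by DisableFalseStart() and read by false_start_enabled() without any synchronization, mirroring g_dnssec_enabled directly above it; that is only sound if DisableFalseStart() runs before any other thread can call false_start_enabled(), and neither this hunk nor the declarations in the ssl_config_service.h hunk at -97 state that ordering. Presumably the command-line flag is applied during startup, as EnableDNSSEC() appears to be, but the contract should be written at the declaration, e.g. `// Process-wide; must be called during startup before any SSL connection is made.` The same comment would suit EnableDNSSEC(), which is outside this hunk.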
@@ -32,6 +33,8 @@ struct SSLConfig {
   // needs to clear tls1_enabled).
   bool dnssec_enabled; // True if we'll accept DNSSEC chains in certificates.
 
+  bool false_start_enabled; // True if we'll use TLS False Start.
+
   // TODO(wtc): move the following members to a new SSLParams structure. They
   // are not SSL configuration settings.
 
@@ -97,11 +100,20 @@ class SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> {
   // http://crbug.com and email the link to agl AT chromium DOT org.
   static bool IsKnownStrictTLSServer(const std::string& hostname);
 
+  // Returns true if the given hostname is known to be incompatible with TLS
+  // False Start.
+  static bool IsKnownFalseStartIncompatibleServer(const std::string& hostname);
+
   // Enables the acceptance of self-signed certificates which contain an
   // embedded DNSSEC chain proving their validity.
   static void EnableDNSSEC();
   static bool dnssec_enabled();
 
+  // Disables False Start in SSL connections.
+  static void DisableFalseStart();
+  // True if we use False Start for SSL and TLS.
+  static bool false_start_enabled();
+
  protected:
   friend class base::RefCountedThreadSafe<SSLConfigService>;
 
diff --git a/net/base/ssl_config_service_defaults.h b/net/base/ssl_config_service_defaults.h
index 092b2a53..04eff1c 100644
--- a/net/base/ssl_config_service_defaults.h
+++ b/net/base/ssl_config_service_defaults.h
@@ -21,6 +21,7 @@ class SSLConfigServiceDefaults : public SSLConfigService {
   virtual void GetSSLConfig(SSLConfig* config) {
     *config = default_config_;
     config->dnssec_enabled = SSLConfigService::dnssec_enabled();
+    config->false_start_enabled = SSLConfigService::false_start_enabled();
   }
 
  private:
diff --git a/net/base/ssl_config_service_mac.cc b/net/base/ssl_config_service_mac.cc
index 792c9ca..63fc017 100644
--- a/net/base/ssl_config_service_mac.cc
+++ b/net/base/ssl_config_service_mac.cc
@@ -96,6 +96,7 @@ bool SSLConfigServiceMac::GetSSLConfigNow(SSLConfig* config) {
   config->tls1_enabled = SSLVersionIsEnabled(kTLS1EnabledKey,
                                              kTLS1EnabledDefaultValue);
   config->dnssec_enabled = SSLConfigService::dnssec_enabled();
+  config->false_start_enabled = SSLConfigService::false_start_enabled();
   return true;
 }
 
diff --git a/net/base/ssl_config_service_win.cc b/net/base/ssl_config_service_win.cc
index fd15849..646e264 100644
--- a/net/base/ssl_config_service_win.cc
+++ b/net/base/ssl_config_service_win.cc
@@ -76,6 +76,7 @@ bool SSLConfigServiceWin::GetSSLConfigNow(SSLConfig* config) {
   config->ssl3_enabled = ((protocols & SSL3) != 0);
   config->tls1_enabled = ((protocols & TLS1) != 0);
   config->dnssec_enabled = SSLConfigService::dnssec_enabled();
+  config->false_start_enabled = SSLConfigService::false_start_enabled();
   return true;
 }