author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-11 04:12:53 +0000 |
committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-11 04:12:53 +0000 |
commit | 47f7d746b1468ec3b2de9c293749e347234996ba (patch) | |
tree | 5a4093494d5e7991001bb3350ccd27fe74f227d8 /net/socket/ssl_client_socket_nss.cc | |
parent | 8b70d0ce73dd36bc0042ba7a6d8c4521c369b9fe (diff) | |
Add support for restricting the cipher suites that SSLClientSocket(Mac,NSS) use. Restricting SSLClientSocketWin is handled by the existing Windows system policy (which deals in algorithms, not cipher suites).
R=wtc
BUG=58831
TEST=SSLClientSocketTest.CipherSuiteDisables
Review URL: http://codereview.chromium.org/3845005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@65773 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/ssl_client_socket_nss.cc')
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 31 |
1 files changed, 9 insertions, 22 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index ff49656..a9b8822 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -94,6 +94,7 @@
 #include "net/ocsp/nss_ocsp.h"
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/dns_cert_provenance_check.h"
+#include "net/socket/ssl_error_params.h"
 #include "net/socket/ssl_host_info.h"
 
 static const int kRecvBufferSize = 4096;
@@ -272,28 +273,6 @@ int MapHandshakeError(PRErrorCode err) {
   }
 }
 
-// Extra parameters to attach to the NetLog when we receive an SSL error.
-class SSLErrorParams : public NetLog::EventParameters {
- public:
-  // If |ssl_lib_error| is 0, it will be ignored.
-  SSLErrorParams(int net_error, PRErrorCode ssl_lib_error)
-      : net_error_(net_error),
-        ssl_lib_error_(ssl_lib_error) {
-  }
-
-  virtual Value* ToValue() const {
-    DictionaryValue* dict = new DictionaryValue();
-    dict->SetInteger("net_error", net_error_);
-    if (ssl_lib_error_)
-      dict->SetInteger("ssl_lib_error", ssl_lib_error_);
-    return dict;
-  }
-
- private:
-  const int net_error_;
-  const PRErrorCode ssl_lib_error_;
-};
-
 // Extra parameters to attach to the NetLog when we receive an error in response
 // to a call to an NSS function. Used instead of SSLErrorParams with
 // events of type TYPE_SSL_NSS_ERROR. Automatically looks up last PR error.
@@ -729,6 +708,14 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
     return ERR_UNEXPECTED;
   }
 
+  for (std::vector<uint16>::const_iterator it =
+           ssl_config_.disabled_cipher_suites.begin();
+       it != ssl_config_.disabled_cipher_suites.end(); ++it) {
+    // This will fail if the specified cipher is not implemented by NSS, but
+    // the failure is harmless.
+    SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE);
+  }
+
 #ifdef SSL_ENABLE_SESSION_TICKETS
   // Support RFC 5077
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
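Review bot: The return value of `SSL_CipherPrefSet` in the new loop in InitializeSSLOptions is discarded, so a disable that fails for any reason other than "suite not implemented by NSS" leaves that suite enabled with no trace, which defeats the point of a policy-driven blocklist. The comment justifies ignoring only the not-implemented case; every other failure is a silently unapplied restriction, and since `nss_fd_` and `ssl_config_` are set outside this hunk I cannot tell from here whether such failures are possible. At minimum the failure should be visible, e.g. `if (SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE) != SECSuccess)` followed by `LOG(WARNING) << "SSL_CipherPrefSet failed: " << PR_GetError();`, and the comment reworded to say that a not-implemented suite is already effectively disabled. InitializeSSLOptions begins and ends outside the hunk, so whether a later call re-enables suites cannot be checked from this diff.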