author | bnc <bnc@chromium.org> | 2015-10-21 16:24:22 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-10-21 23:25:02 +0000 |
commit | 1f295377e8de70ba03ce73d9f7929e614d23df68 (patch) | |
tree | f2c91aa3bc4f18ea27fe5da3331ceb2525ea575d /net/socket/ssl_client_socket_nss.cc | |
parent | 7a55b51459fbcba769f8248cfcff739fb474b4f5 (diff) | |
Disable HTTP/2 over NPN (with OpenSSL).
* Split SSLConfig.next_proto into two members: one for ALPN, one for NPN.
* Remove HTTP/2 from NPN.
* In OpenSSL, use alpn_protos for |ALPN|, and npn_protos for |NPN|.
* In NSS, use |alpn_protos| for both.
* In NSS, disable NPN if |npn_protos| is empty.
BUG=527066
Review URL: https://codereview.chromium.org/1387363004
Cr-Commit-Position: refs/heads/master@{#355427}
Diffstat (limited to 'net/socket/ssl_client_socket_nss.cc')
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 540d65b..514c43b 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -841,15 +841,18 @@ bool SSLClientSocketNSS::Core::Init(PRFileDesc* socket,
 
 SECStatus rv = SECSuccess;
 
- if (!ssl_config_.next_protos.empty()) {
- NextProtoVector next_protos = ssl_config_.next_protos;
+ if (!ssl_config_.alpn_protos.empty()) {
+ NextProtoVector alpn_protos = ssl_config_.alpn_protos;
 // TODO(bnc): Check ssl_config_.disabled_cipher_suites.
 if (!IsTLSVersionAdequateForHTTP2(ssl_config_))
- DisableHTTP2(&next_protos);
+ DisableHTTP2(&alpn_protos);
 // |ssl_config_| has fallback protocol at the end of the list, but NSS
 // expects fallback at the first place, thus protocols need to be reordered.
- ReorderNextProtos(&next_protos);
- std::vector<uint8_t> wire_protos = SerializeNextProtos(next_protos);
+ ReorderNextProtos(&alpn_protos);
+ // NSS only supports a single protocol vector to be used with ALPN and NPN.
+ // Because of this limitation, |alpn_prototos| will be used for both.
+ // However, it is possible to enable ALPN and NPN separately.
+ std::vector<uint8_t> wire_protos = SerializeNextProtos(alpn_protos);
 rv = SSL_SetNextProtoNego(
 nss_fd_, wire_protos.empty() ? NULL : &wire_protos[0],
 wire_protos.size());
@@ -858,9 +861,11 @@ bool SSLClientSocketNSS::Core::Init(PRFileDesc* socket,
 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_ALPN, PR_TRUE);
 if (rv != SECSuccess)
 LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_ALPN");
- rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_NPN, PR_TRUE);
- if (rv != SECSuccess)
- LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_NPN");
+ if (!ssl_config_.npn_protos.empty()) {
+ rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_NPN, PR_TRUE);
+ if (rv != SECSuccess)
+ LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_NPN");
+ }
 }
 
 rv = SSL_AuthCertificateHook( |
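Review bot: The comment added above `SerializeNextProtos(alpn_protos)` misspells the member as `|alpn_prototos|` and leaves out the consequence that matters for this change. The list handed to `SSL_SetNextProtoNego` is shared, so whenever NPN is enabled on this socket any HTTP/2 entry still in `alpn_protos` is offered over NPN as well. I would reword it along the lines of `// NSS takes one protocol list for both ALPN and NPN, so |alpn_protos| (including HTTP/2, if present) is also what NPN offers when NPN is enabled.` `Core::Init` starts and ends outside the hunk, so any later filtering of the list is not visible here.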
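Review bot: When `ssl_config_.npn_protos` is empty, the new guard only skips the `SSL_OptionSet(nss_fd_, SSL_ENABLE_NPN, PR_TRUE)` call, so NPN is left at the NSS library default rather than being turned off. If the linked NSS enables NPN by default, the shared protocol list would remain negotiable over NPN, which is the opposite of what the commit message describes for the empty case. Setting the option in both directions removes that dependency: `rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_NPN, ssl_config_.npn_protos.empty() ? PR_FALSE : PR_TRUE);`, keeping the existing `LogFailedNSSFunction` check after it. The enclosing `if` block opens outside this hunk.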