author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-04-05 19:54:14 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-04-05 19:54:14 +0000 |
commit | 53a17e24bba43fb1c6b11303b02cce4dfaa2b65d (patch) | |
tree | 3ff7fb87980d94aef7efd72fde11465a2211d529 /net/socket/ssl_client_socket_nss.cc | |
parent | ff268ff5dc3e23701eadda8f72a3f25a56e1797c (diff) | |
net: remove forced renegotiation checks
We lost this battle. We had to step back from requiring the renegotiation
extension, even on sites which we know support it, because of the number of
MITM proxies.
Since there doesn't seem to be any way forward, this change removes the code.
BUG=55410
TEST=compiles
Review URL: http://codereview.chromium.org/6792032
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@80513 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/ssl_client_socket_nss.cc')
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 25 |
1 files changed, 6 insertions, 19 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 9923025..173fe36 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -983,26 +983,13 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
 #endif
 #ifdef SSL_ENABLE_RENEGOTIATION
- // Deliberately disable this check for now: http://crbug.com/55410
- if (false &&
- SSLConfigService::IsKnownStrictTLSServer(host_and_port_.host()) &&
- !ssl_config_.mitm_proxies_allowed) {
- rv = SSL_OptionSet(nss_fd_, SSL_REQUIRE_SAFE_NEGOTIATION, PR_TRUE);
- if (rv != SECSuccess) {
- LogFailedNSSFunction(
- net_log_, "SSL_OptionSet", "SSL_REQUIRE_SAFE_NEGOTIATION");
- }
- rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
- SSL_RENEGOTIATE_REQUIRES_XTN);
- } else {
- // We allow servers to request renegotiation. Since we're a client,
- // prohibiting this is rather a waste of time. Only servers are in a
- // position to prevent renegotiation attacks.
- // http://extendedsubset.com/?p=8
+ // We allow servers to request renegotiation. Since we're a client,
+ // prohibiting this is rather a waste of time. Only servers are in a
+ // position to prevent renegotiation attacks.
+ // http://extendedsubset.com/?p=8
- rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
- SSL_RENEGOTIATE_TRANSITIONAL);
- }
+ rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
+ SSL_RENEGOTIATE_TRANSITIONAL);
 if (rv != SECSuccess) {
 LogFailedNSSFunction(
 net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION"); |
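Review bot: The comment kept above the `SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_TRANSITIONAL)` call no longer says why the strict mode is absent, because the removed `// Deliberately disable this check` line carried the only in-code pointer to http://crbug.com/55410. With `SSL_RENEGOTIATE_TRANSITIONAL` set unconditionally, the client keeps talking to peers that do not send the renegotiation extension, so it cannot detect on its own a connection that was spliced through renegotiation; that trade-off deserves a sentence in the code. I would add something like `// The renegotiation extension (RFC 5746) is not required: too many MITM proxies lack it, see http://crbug.com/55410.` directly above the call. The diffstat is limited to this file, so it is worth confirming that `SSLConfigService::IsKnownStrictTLSServer` and `ssl_config_.mitm_proxies_allowed` are not left without callers. InitializeSSLOptions() starts and ends outside the hunk.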