author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-05-26 16:22:17 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-05-26 16:22:17 +0000 |
commit | 80c75f6850ba88b4a2305663c63069fec9d7580a (patch) | |
tree | e9aef636347e0f10a7ff7356cb759976c665f073 /net/socket/ssl_client_socket_win.cc | |
parent | 0969d1b4edbc89ee74421a20b2fb4f78b7e43448 (diff) | |
Use TLS 1.1.
Enable SSL 3.0 ~ TLS 1.1 by default. If the SSLClientSocket class does
not support TLS 1.1, enable SSL 3.0 ~ TLS 1.0 by default.
TLS intolerant servers are handled by falling back one protocol version
at a time, rather than falling back to SSL 3.0 directly.
In the SSLConfig structure, replace the ssl3_enabled and tls1_enabled
members by version_min and version_max to allow multiple, contiguous
protocol versions to be enabled, and rename the ssl3_fallback member to
version_fallback.
The preferences prefs::kSSL3Enabled and prefs::kTLS1Enabled are not
yet removed. Generalize prefs::kTLS1Enabled to mean enabling or
disabling all TLS versions.
R=agl@chromium.org,rsleevi@chromium.org
BUG=126340
TEST=net_unittests --gtest_filter=HTTPSRequestTest.TLSv1Fallback
Review URL: https://chromiumcodereview.appspot.com/10377022
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@139204 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/ssl_client_socket_win.cc')
-rw-r--r-- | net/socket/ssl_client_socket_win.cc | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/net/socket/ssl_client_socket_win.cc b/net/socket/ssl_client_socket_win.cc
index 1442ad6..8728532 100644
--- a/net/socket/ssl_client_socket_win.cc
+++ b/net/socket/ssl_client_socket_win.cc
@@ -116,6 +116,7 @@ static int MapSecurityError(SECURITY_STATUS err) {
 
 // A bitmask consisting of these bit flags encodes which versions of the SSL
 // protocol (SSL 3.0 and TLS 1.0) are enabled.
+// TODO(wtc): support TLS 1.1 and TLS 1.2 on Windows Vista and later.
 enum {
   SSL3 = 1 << 0,
   TLS1 = 1 << 1,
@@ -423,6 +424,8 @@ void SSLClientSocketWin::GetSSLInfo(SSLInfo* ssl_info) {
     // dwExchStrength and dwHashStrength. dwExchStrength needs to be
     // normalized.
     ssl_info->security_bits = connection_info.dwCipherStrength;
+    // TODO(wtc): connection_info.dwProtocol is the negotiated version.
+    // Save it in ssl_info->connection_status.
   }
   // SecPkgContext_CipherInfo comes from CNG and is available on Vista or
   // later only. On XP, the next QueryContextAttributes call fails with
@@ -442,8 +445,8 @@ void SSLClientSocketWin::GetSSLInfo(SSLInfo* ssl_info) {
     // any field related to the compression method.
   }
 
-  if (ssl_config_.ssl3_fallback)
-    ssl_info->connection_status |= SSL_CONNECTION_SSL3_FALLBACK;
+  if (ssl_config_.version_fallback)
+    ssl_info->connection_status |= SSL_CONNECTION_VERSION_FALLBACK;
 }
 
 void SSLClientSocketWin::GetSSLCertRequestInfo(
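Review bot: SSL_CONNECTION_VERSION_FALLBACK no longer tells a reader of connection_status which version the fallback landed on, whereas the old SSL3-specific name did, and on this Windows path the negotiated version is not recorded either (the TODO added in GetSSLInfo says dwProtocol is not yet saved). Until that TODO lands, a consumer of connection_status sees "fell back" without "to what", which matters for anything that reasons about the strength of the negotiated protocol. A comment on the `if (ssl_config_.version_fallback)` line such as `// Marks that a downgrade occurred; the version reached is not yet reported here on Windows.` would make that gap explicit. GetSSLInfo's body begins outside the hunk, so how connection_status is otherwise populated is only partly visible.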
@@ -585,11 +588,17 @@ int SSLClientSocketWin::Connect(const CompletionCallback& callback) {
 }
 
 int SSLClientSocketWin::InitializeSSLContext() {
+  // If ssl_config_.version_max > SSL_PROTOCOL_VERSION_TLS1, it means the
+  // SSLConfigService::SetDefaultVersionMax(SSL_PROTOCOL_VERSION_TLS1) call
+  // in ClientSocketFactory::UseSystemSSL() is not effective.
+  DCHECK_LE(ssl_config_.version_max, SSL_PROTOCOL_VERSION_TLS1);
   int ssl_version_mask = 0;
-  if (ssl_config_.ssl3_enabled)
+  if (ssl_config_.version_min == SSL_PROTOCOL_VERSION_SSL3)
     ssl_version_mask |= SSL3;
-  if (ssl_config_.tls1_enabled)
+  if (ssl_config_.version_min <= SSL_PROTOCOL_VERSION_TLS1 &&
+      ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1) {
     ssl_version_mask |= TLS1;
+  }
   // If we pass 0 to GetCredHandle, we will let Schannel select the protocols,
   // rather than enabling no protocols. So we have to fail here.
   if (ssl_version_mask == 0)
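Review bot: The SSL3 bit is derived with `version_min == SSL_PROTOCOL_VERSION_SSL3` while the TLS1 bit uses a range test against both version_min and version_max, so the two branches answer the same "is this version inside [version_min, version_max]" question in different shapes; `if (ssl_config_.version_min <= SSL_PROTOCOL_VERSION_SSL3 && ssl_config_.version_max >= SSL_PROTOCOL_VERSION_SSL3)` would make the mask derivation uniform and keep it correct should an enumerator below SSL3 ever be introduced. The DCHECK_LE only fires in debug builds; in a release build a version_max above TLS 1.0 is silently capped at TLS 1.0 by the mask, which is worth stating next to the DCHECK, e.g. `// Release builds silently cap a higher version_max at TLS 1.0 here.` InitializeSSLContext continues past the hunk, so the error path taken when the mask is 0 (e.g. version_min above TLS 1.0) is only partly visible.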