author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-30 17:48:54 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-30 17:48:54 +0000 |
commit | cc50fdf70bc11e259c319d06086111d2177047be (patch) | |
tree | ae9e85b77d0c635ca4eedf43b3690826138c3823 /net/socket | |
parent | 258ed9ed8f5c6de199d935647e9c0ffc7790797c (diff) | |
Remove SSL 2.0 support.
R=agl
BUG=53659
TEST=none
Review URL: http://codereview.chromium.org/4091005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@67722 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r-- | net/socket/ssl_client_socket_mac.cc | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 11 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_openssl.cc | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_win.cc | 13 |
4 files changed, 9 insertions, 19 deletions
diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc
index 7c5445f..fb0c26e 100644
--- a/net/socket/ssl_client_socket_mac.cc
+++ b/net/socket/ssl_client_socket_mac.cc
@@ -769,7 +769,7 @@ int SSLClientSocketMac::InitializeSSLContext() {
 status = SSLSetProtocolVersionEnabled(ssl_context_, kSSLProtocol2,
- ssl_config_.ssl2_enabled);
+ false);
 if (status) return NetErrorFromOSStatus(status);
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index b9c6dff..fff4352 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -685,19 +685,14 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
 return ERR_UNEXPECTED;
 }
- rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SSL2, ssl_config_.ssl2_enabled);
+ rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SSL2, PR_FALSE);
 if (rv != SECSuccess) {
 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_SSL2");
 return ERR_UNEXPECTED;
 }
- // SNI is enabled automatically if TLS is enabled -- as long as
- // SSL_V2_COMPATIBLE_HELLO isn't.
- // So don't do V2 compatible hellos unless we're really using SSL2,
- // to avoid errors like
- // "common name `mail.google.com' != requested host name `gmail.com'"
- rv = SSL_OptionSet(nss_fd_, SSL_V2_COMPATIBLE_HELLO,
- ssl_config_.ssl2_enabled);
+ // Don't do V2 compatible hellos because they don't support TLS extensions.
+ rv = SSL_OptionSet(nss_fd_, SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
 if (rv != SECSuccess) {
 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_V2_COMPATIBLE_HELLO");
 return ERR_UNEXPECTED;
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 9aaca41..b57d6ee 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
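Review bot: The bare `false` now passed for `kSSLProtocol2` in SSLClientSocketMac::InitializeSSLContext() says nothing about why `ssl_config_.ssl2_enabled` is no longer consulted, and the same holds for `PR_FALSE` on `SSL_ENABLE_SSL2` in the NSS hunk and `true` on `SSL_OP_NO_SSLv2` in the OpenSSL hunk. I would add a one-line comment at each of the three sites, for example `// SSL 2.0 is disabled unconditionally; see bug 53659.`, so a later reader does not wire the option back in. The diffstat is limited to net/socket, so it is not visible here whether `ssl2_enabled` was also dropped from the config struct; if it was not, it is now a setting that silently does nothing and should be removed or documented as ignored. The commit carries TEST=none, so nothing pins that an SSL 2.0-only peer is refused on each backend. The enclosing function bodies start and end outside these hunks.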
@@ -267,7 +267,7 @@ bool SSLClientSocketOpenSSL::Init() {
 // set everything we care about to an absolute value.
 long set_mask = 0;
 long clear_mask = 0;
- SET_SSL_CONFIG_OPTION(SSL_OP_NO_SSLv2, !ssl_config_.ssl2_enabled);
+ SET_SSL_CONFIG_OPTION(SSL_OP_NO_SSLv2, true);
 SET_SSL_CONFIG_OPTION(SSL_OP_NO_SSLv3, !ssl_config_.ssl3_enabled);
 SET_SSL_CONFIG_OPTION(SSL_OP_NO_TLSv1, !ssl_config_.tls1_enabled);
diff --git a/net/socket/ssl_client_socket_win.cc b/net/socket/ssl_client_socket_win.cc
index 1faeb7a..fbe4913 100644
--- a/net/socket/ssl_client_socket_win.cc
+++ b/net/socket/ssl_client_socket_win.cc
@@ -110,12 +110,11 @@ static int MapSecurityError(SECURITY_STATUS err) {
 //-----------------------------------------------------------------------------
 // A bitmask consisting of these bit flags encodes which versions of the SSL
-// protocol (SSL 2.0, SSL 3.0, and TLS 1.0) are enabled.
+// protocol (SSL 3.0 and TLS 1.0) are enabled.
 enum {
- SSL2 = 1 << 0,
- SSL3 = 1 << 1,
- TLS1 = 1 << 2,
- SSL_VERSION_MASKS = 1 << 3 // The number of SSL version bitmasks.
+ SSL3 = 1 << 0,
+ TLS1 = 1 << 1,
+ SSL_VERSION_MASKS = 1 << 2 // The number of SSL version bitmasks.
 };
 // CredHandleClass simply gives a default constructor and a destructor to
@@ -210,8 +209,6 @@ int CredHandleTable::InitializeHandle(CredHandle* handle,
 // The global system registry settings take precedence over the value of
 // schannel_cred.grbitEnabledProtocols.
 schannel_cred.grbitEnabledProtocols = 0;
- if (ssl_version_mask & SSL2)
- schannel_cred.grbitEnabledProtocols |= SP_PROT_SSL2;
 if (ssl_version_mask & SSL3) schannel_cred.grbitEnabledProtocols |= SP_PROT_SSL3;
 if (ssl_version_mask & TLS1)
@@ -560,8 +557,6 @@ int SSLClientSocketWin::Connect(CompletionCallback* callback) {
 int SSLClientSocketWin::InitializeSSLContext() {
 int ssl_version_mask = 0;
- if (ssl_config_.ssl2_enabled)
- ssl_version_mask |= SSL2;
 if (ssl_config_.ssl3_enabled) ssl_version_mask |= SSL3;
 if (ssl_config_.tls1_enabled) |
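Review bot: The bitmask built from this enum in ssl_client_socket_win.cc can be 0 when both `ssl3_enabled` and `tls1_enabled` are off, and neither SSLClientSocketWin::InitializeSSLContext() nor CredHandleTable::InitializeHandle (the two later hunks) rejects that case in the lines shown. `schannel_cred.grbitEnabledProtocols` then stays 0, which Schannel treats as "let the system choose the protocols", so on a host whose defaults still allow SSL 2.0 the protocol this commit removes could be negotiated again. I would fail early in InitializeSSLContext(), e.g. `if (!ssl_version_mask) return ERR_UNEXPECTED;` (or whichever net error fits better), and note the reason in a comment above `schannel_cred.grbitEnabledProtocols = 0;`. Separately, `SSL3` and `TLS1` change value here (`1 << 0`, `1 << 1`), which is only safe if the mask is never stored or compared against literals; that cannot be confirmed from these hunks, whose function bodies continue outside them.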