diff options
| author | joth@chromium.org <joth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-12-01 17:08:48 +0000 |
|---|---|---|
| committer | joth@chromium.org <joth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-12-01 17:08:48 +0000 |
| commit | fb10e228b111e02732725b55fcf4144a3b18f7aa (patch) | |
| tree | 205816b13dbba29948ce474dc4647aa9dcc2f6be /net/socket | |
| parent | bbf3dc84ad9996cc0439f3145f72540b62d9151e (diff) | |
| download | chromium_src-fb10e228b111e02732725b55fcf4144a3b18f7aa.zip chromium_src-fb10e228b111e02732725b55fcf4144a3b18f7aa.tar.gz chromium_src-fb10e228b111e02732725b55fcf4144a3b18f7aa.tar.bz2 | |
Add support for some advanced SLL modes & options (where present)
- fast start (handshake cutthough) if enabled,
- Disable compression when falling back to TLS
- various memory buffer frugality options
Patches to enable some these features in OpenSSL can be found here:
http://android.git.kernel.org/?p=platform/external/openssl.git;a=blob_plain;f=patches/handshake_cutthrough.patch;hb=HEAD
http://android.git.kernel.org/?p=platform/external/openssl.git;a=blob_plain;f=patches/small_records.patch;hb=HEAD
BUG=None
TEST=None
Review URL: http://codereview.chromium.org/5451001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@67861 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
| -rw-r--r-- | net/socket/ssl_client_socket_openssl.cc | 59 |
1 files changed, 45 insertions, 14 deletions
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc index b57d6ee..da40011 100644 --- a/net/socket/ssl_client_socket_openssl.cc +++ b/net/socket/ssl_client_socket_openssl.cc @@ -202,6 +202,19 @@ class SSLContext { SSLSessionCache session_cache_; }; +// Utility to construct the appropriate set & clear masks for use the OpenSSL +// options and mode configuration functions. (SSL_set_options etc) +struct SslSetClearMask { + SslSetClearMask() : set_mask(0), clear_mask(0) {} + void ConfigureFlag(long flag, bool state) { + (state ? set_mask : clear_mask) |= flag; + // Make sure we haven't got any intersection in the set & clear options. + DCHECK_EQ(0, set_mask & clear_mask) << flag << ":" << state; + } + long set_mask; + long clear_mask; +}; + } // namespace SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( @@ -260,27 +273,45 @@ bool SSLClientSocketOpenSSL::Init() { SSL_set_bio(ssl_, ssl_bio, ssl_bio); -#define SET_SSL_CONFIG_OPTION(option, value) \ - (((value) ? set_mask : clear_mask) |= (option)) - // OpenSSL defaults some options to on, others to off. To avoid ambiguity, // set everything we care about to an absolute value. - long set_mask = 0; - long clear_mask = 0; - SET_SSL_CONFIG_OPTION(SSL_OP_NO_SSLv2, true); - SET_SSL_CONFIG_OPTION(SSL_OP_NO_SSLv3, !ssl_config_.ssl3_enabled); - SET_SSL_CONFIG_OPTION(SSL_OP_NO_TLSv1, !ssl_config_.tls1_enabled); + SslSetClearMask options; + options.ConfigureFlag(SSL_OP_NO_SSLv2, true); + options.ConfigureFlag(SSL_OP_NO_SSLv3, !ssl_config_.ssl3_enabled); + options.ConfigureFlag(SSL_OP_NO_TLSv1, !ssl_config_.tls1_enabled); + +#if defined(SSL_OP_NO_COMPRESSION) + // If TLS was disabled also disable compression, to provide maximum site + // compatibility in the case of protocol fallback. See http://crbug.com/31628 + options.ConfigureFlag(SSL_OP_NO_COMPRESSION, !ssl_config_.tls1_enabled); +#endif // TODO(joth): Set this conditionally, see http://crbug.com/55410 - SET_SSL_CONFIG_OPTION(SSL_OP_LEGACY_SERVER_CONNECT, true); + options.ConfigureFlag(SSL_OP_LEGACY_SERVER_CONNECT, true); + + SSL_set_options(ssl_, options.set_mask); + SSL_clear_options(ssl_, options.clear_mask); - // Make sure we haven't got any intersection in the set & clear options. - DCHECK_EQ(0, set_mask & clear_mask); + // Same as above, this time for the SSL mode. + SslSetClearMask mode; - SSL_set_options(ssl_, set_mask); - SSL_clear_options(ssl_, clear_mask); -#undef SET_SSL_CONFIG_OPTION +#if defined(SSL_MODE_HANDSHAKE_CUTTHROUGH) + mode.ConfigureFlag(SSL_MODE_HANDSHAKE_CUTTHROUGH, + ssl_config_.false_start_enabled && + !SSLConfigService::IsKnownFalseStartIncompatibleServer( + host_and_port_.host())); +#endif + +#if defined(SSL_MODE_RELEASE_BUFFERS) + mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true); +#endif + +#if defined(SSL_MODE_SMALL_BUFFERS) + mode.ConfigureFlag(SSL_MODE_SMALL_BUFFERS, true); +#endif + SSL_set_mode(ssl_, mode.set_mask); + SSL_clear_mode(ssl_, mode.clear_mask); return true; } |