authorAdam Langley <agl@google.com>2014-10-14 15:31:00 -0700
committerAdam Langley <agl@google.com>2014-10-14 22:31:44 +0000
commit32352ad08ee673a4d43e8593ce988b224f6482d3 (patch)
treea9b12712f9205decaa0aab78de4e1217d62a5075 /net/ssl
parenta257bd3604ae295b606b039925c56c63d62cf7b7 (diff)
net: disable SSLv3 fallback.
This change adds a "minimum fallback version" (TLS 1.0). When doing fallback, versions below this minimum will still be tried, but the resulting connection, if successful, won't actually be used. Rather, Chrome will show a different error message if SSLv3 would have worked. SSLv3 fallback can still be enabled via a new command line flag for those who need it, but it'll be interesting to see how this does on dev and beta. BUG=419870,418848 R=davidben@chromium.org, felt@chromium.org, rsleevi@chromium.org Review URL: https://codereview.chromium.org/619463002 Cr-Commit-Position: refs/heads/master@{#299567}
Diffstat (limited to 'net/ssl')
-rw-r--r--net/ssl/ssl_config.cc3
-rw-r--r--net/ssl/ssl_config.h9
2 files changed, 12 insertions, 0 deletions
diff --git a/net/ssl/ssl_config.cc b/net/ssl/ssl_config.cc
index 269934b..b823f6b 100644
--- a/net/ssl/ssl_config.cc
+++ b/net/ssl/ssl_config.cc
@@ -10,6 +10,8 @@ const uint16 kDefaultSSLVersionMin = SSL_PROTOCOL_VERSION_SSL3;
const uint16 kDefaultSSLVersionMax = SSL_PROTOCOL_VERSION_TLS1_2;
+const uint16 kDefaultSSLVersionFallbackMin = SSL_PROTOCOL_VERSION_TLS1;
+
SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {}
SSLConfig::CertAndStatus::~CertAndStatus() {}
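Review bot: Nothing enforces the ordering the new default relies on: kDefaultSSLVersionFallbackMin (TLS 1.0) only has the intended effect while kDefaultSSLVersionMin <= kDefaultSSLVersionFallbackMin <= kDefaultSSLVersionMax, and the three definitions sit next to each other with no check. Since the fallback floor is the control that keeps a connection negotiated at SSLv3 from being used, a compile-time assertion after the new line would pin the invariant, e.g. `static_assert(kDefaultSSLVersionFallbackMin >= kDefaultSSLVersionMin, "fallback minimum must not be below version_min");` (assuming the SSL_PROTOCOL_VERSION_* values are constant expressions; their definitions are not in this diff). The same invariant applies to the runtime field initialized in the second hunk of this file, where the value presumably set from the new command-line flag is copied in without any range check, so that validation must live with the flag parsing outside this diff.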
@@ -19,6 +21,7 @@ SSLConfig::SSLConfig()
rev_checking_required_local_anchors(false),
version_min(kDefaultSSLVersionMin),
version_max(kDefaultSSLVersionMax),
+ version_fallback_min(kDefaultSSLVersionFallbackMin),
channel_id_enabled(true),
false_start_enabled(true),
signed_cert_timestamps_enabled(true),
diff --git a/net/ssl/ssl_config.h b/net/ssl/ssl_config.h
index 2731214..1deaf6e 100644
--- a/net/ssl/ssl_config.h
+++ b/net/ssl/ssl_config.h
@@ -32,6 +32,9 @@ NET_EXPORT extern const uint16 kDefaultSSLVersionMin;
// Default maximum protocol version.
NET_EXPORT extern const uint16 kDefaultSSLVersionMax;
+// Default minimum protocol version that it's acceptable to fallback to.
+NET_EXPORT extern const uint16 kDefaultSSLVersionFallbackMin;
+
// A collection of SSL-related configuration settings.
struct NET_EXPORT SSLConfig {
// Default to revocation checking.
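Review bot: The new comment on kDefaultSSLVersionFallbackMin says what the constant is but not how it relates to kDefaultSSLVersionMin declared just above, which is the reader's first question since both are described as a "minimum". Suggest `// Default minimum protocol version that it is acceptable to fall back to. Versions between kDefaultSSLVersionMin and this value may still be tried during fallback, but a connection negotiated with one of them is not used.` ("fall back" is the verb form; "fallback" the noun.) The same "fallback to" phrasing appears in the member comment in the next hunk of this file.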
@@ -73,6 +76,12 @@ struct NET_EXPORT SSLConfig {
uint16 version_min;
uint16 version_max;
+ // version_fallback_min contains the minimum version that is acceptable to
+ // fallback to. Versions before this may be tried to see whether they would
+ // have succeeded and thus to give a better message to the user, but the
+ // resulting connection won't be used in these cases.
+ uint16 version_fallback_min;
+
// Presorted list of cipher suites which should be explicitly prevented from
// being used in addition to those disabled by the net built-in policy.
//