authormattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-09-15 00:23:07 +0000
committermattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-09-15 00:23:07 +0000
commitf6c02375c9a589f5415b9f9869d70b83528bc73d (patch)
tree2763106b466b16d994197b18745da6c13201f9d3 /net
parentff56572b431626b608de7df634cddf179ae38cc3 (diff)
Enable TLS channeld id by default.
Replace the --enable-origin-bound-certs command line flag with --disable-tls-channel-id. Remove the field trial. BUG=136462,129174 Review URL: https://chromiumcodereview.appspot.com/10910240 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@156939 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/base/ssl_config_service.cc10
-rw-r--r--net/base/ssl_config_service.h3
-rw-r--r--net/socket/ssl_client_socket_nss.cc10
-rw-r--r--net/socket/ssl_client_socket_nss.h2
4 files changed, 10 insertions, 15 deletions
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index f9ee9ef..f7c18aa 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -38,7 +38,7 @@ SSLConfig::SSLConfig()
version_min(g_default_version_min),
version_max(g_default_version_max),
cached_info_enabled(false),
- channel_id_enabled(false),
+ channel_id_enabled(true),
false_start_enabled(true),
send_client_cert(false),
verify_ev_cert(false),
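Review bot: With `channel_id_enabled(true)` as the constructor default, the member's description in ssl_config_service.h (not part of this diff) should be checked so it no longer presents channel ID as opt-in; a line such as `// True if TLS channel ID is enabled. Defaults to true; cleared when --disable-tls-channel-id is passed.` would match the new behavior. Any caller that previously relied on the constructor leaving this false and never set it itself now attempts the extension on every connection, so the NULL-service guard added in ssl_client_socket_nss.cc is what keeps such callers from dereferencing a missing ServerBoundCertService. SSLConfig::SSLConfig() continues outside the hunk.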
@@ -74,7 +74,6 @@ SSLConfigService::SSLConfigService()
}
static bool g_cached_info_enabled = false;
-static bool g_channel_id_trial = false;
// GlobalCRLSet holds a reference to the global CRLSet. It simply wraps a lock
// around a scoped_refptr so that getting a reference doesn't race with
@@ -133,11 +132,6 @@ uint16 SSLConfigService::default_version_max() {
return g_default_version_max;
}
-// static
-void SSLConfigService::EnableChannelIDTrial() {
- g_channel_id_trial = true;
-}
-
void SSLConfigService::AddObserver(Observer* observer) {
observer_list_.AddObserver(observer);
}
@@ -152,8 +146,6 @@ SSLConfigService::~SSLConfigService() {
// static
void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) {
ssl_config->cached_info_enabled = g_cached_info_enabled;
- if (g_channel_id_trial)
- ssl_config->channel_id_enabled = true;
}
void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index 9f1722e..8210038 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -183,9 +183,6 @@ class NET_EXPORT SSLConfigService
static void SetDefaultVersionMax(uint16 version_max);
static uint16 default_version_max();
- // Force channel ID support to be enabled.
- static void EnableChannelIDTrial();
-
// Is SNI available in this configuration?
static bool IsSNIAvailable(SSLConfigService* service);
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 04f0ab3..c2b886e 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -930,6 +930,7 @@ class SSLClientSocketNSS::Core : public base::RefCountedThreadSafe<Core> {
// The current handshake state. Mirrors |nss_handshake_state_|.
HandshakeState network_handshake_state_;
+ // The service for retrieving Channel ID keys. May be NULL.
ServerBoundCertService* server_bound_cert_service_;
ServerBoundCertService::RequestHandle domain_bound_cert_request_handle_;
@@ -1080,7 +1081,9 @@ bool SSLClientSocketNSS::Core::Init(PRFileDesc* socket,
}
if (ssl_config_.channel_id_enabled) {
- if (!crypto::ECPrivateKey::IsSupported()) {
+ if (!server_bound_cert_service_) {
+ DVLOG(1) << "NULL server_bound_cert_service_, not enabling channel ID.";
+ } else if (!crypto::ECPrivateKey::IsSupported()) {
DVLOG(1) << "Elliptic Curve not supported, not enabling channel ID.";
} else if (!server_bound_cert_service_->IsSystemTimeValid()) {
DVLOG(1) << "System time is weird, not enabling channel ID.";
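Review bot: The three-way precondition chain added here (NULL service, then ECC support, then system time) is repeated with the same order in the RecordChannelIDSupport hunk of this file, differing only in the side effect; a small private helper that returns the reason channel ID is unavailable, consumed by both call sites, would keep the two from drifting apart as further preconditions are added. The order is load-bearing: the NULL test must stay first because the system-time test dereferences server_bound_cert_service_, so a comment such as `// Must precede IsSystemTimeValid(), which dereferences the service.` on the new NULL branch would protect it against reordering. Core::Init continues outside the hunk.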
@@ -2523,12 +2526,15 @@ void SSLClientSocketNSS::Core::RecordChannelIDSupport() const {
CLIENT_AND_SERVER = 2,
CLIENT_NO_ECC = 3,
CLIENT_BAD_SYSTEM_TIME = 4,
+ CLIENT_NO_SERVER_BOUND_CERT_SERVICE = 5,
DOMAIN_BOUND_CERT_USAGE_MAX
} supported = DISABLED;
if (channel_id_xtn_negotiated_) {
supported = CLIENT_AND_SERVER;
} else if (ssl_config_.channel_id_enabled) {
- if (!crypto::ECPrivateKey::IsSupported())
+ if (!server_bound_cert_service_)
+ supported = CLIENT_NO_SERVER_BOUND_CERT_SERVICE;
+ else if (!crypto::ECPrivateKey::IsSupported())
supported = CLIENT_NO_ECC;
else if (!server_bound_cert_service_->IsSystemTimeValid())
supported = CLIENT_BAD_SYSTEM_TIME;
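Review bot: `CLIENT_NO_SERVER_BOUND_CERT_SERVICE = 5` is inserted immediately before DOMAIN_BOUND_CERT_USAGE_MAX, which appears to be the bucket-count sentinel for a recorded histogram; if this enum is mirrored in a histogram description outside net/ (the diffstat is limited to net), the new value needs a label there as well or the bucket will show up unnamed. A comment on the enum, e.g. `// Values are persisted to a histogram; append new entries before DOMAIN_BOUND_CERT_USAGE_MAX and never renumber existing ones.`, would document the constraint for the next addition. RecordChannelIDSupport continues outside the hunk.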
diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h
index f8f602f..95e0566 100644
--- a/net/socket/ssl_client_socket_nss.h
+++ b/net/socket/ssl_client_socket_nss.h
@@ -162,7 +162,7 @@ class SSLClientSocketNSS : public SSLClientSocket {
CertVerifier* const cert_verifier_;
scoped_ptr<SingleRequestCertVerifier> verifier_;
- // For domain bound certificates in client auth.
+ // The service for retrieving Channel ID keys. May be NULL.
ServerBoundCertService* server_bound_cert_service_;
// ssl_session_cache_shard_ is an opaque string that partitions the SSL