author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-08-16 04:08:34 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-08-16 04:08:34 +0000 |
commit | a6194ed157fda49d8332c03112ce8cdee0eaba9e (patch) | |
tree | 3525aae8ba6cf0b3da862721e260a5823abee6d7 /net | |
parent | 32080ab87e1954ccb0e2da31587ec30351284124 (diff) | |
net: disable ECDSA ciphersuites on platforms where we can't support it.
BUG=142782
https://chromiumcodereview.appspot.com/10830326/
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@151845 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/base/ssl_config_service.h | 3 | ||||
-rw-r--r-- | net/socket/nss_ssl_util.cc | 31 |
2 files changed, 34 insertions, 0 deletions
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index de430e1..8210038 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -74,6 +74,9 @@ struct NET_EXPORT SSLConfig {
 // - FORTEZZA cipher suites (obsolete).
 // - IDEA cipher suites (RFC 5469 explains why).
 // - Anonymous cipher suites.
+ // - ECDSA cipher suites on platforms that do not support ECDSA signed
+ // certificates, as servers may use the presence of such ciphersuites as a
+ // hint to send an ECDSA certificate.
 // The ciphers listed in |disabled_cipher_suites| will be removed in addition
 // to the above list.
 //
diff --git a/net/socket/nss_ssl_util.cc b/net/socket/nss_ssl_util.cc
index 54f0a2c..68699cc 100644
--- a/net/socket/nss_ssl_util.cc
+++ b/net/socket/nss_ssl_util.cc
@@ -25,10 +25,17 @@ bool IsOSSnowLeopardOrLater() { return true; }
 #include "base/memory/singleton.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/values.h"
+#include "build/build_config.h"
 #include "crypto/nss_util.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
+#if defined(OS_WIN)
+#include "base/win/windows_version.h"
+#elif defined(OS_MACOSX)
+#include "base/mac/mac_util.h"
+#endif
+
 namespace net {
 class NSSSSLInitSingleton {
@@ -68,6 +75,17 @@ class NSSSSLInitSingleton {
 // Enable SSL.
 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
+ // Disable ECDSA cipher suites on platforms that do not support ECDSA
+ // signed certificates, as servers may use the presence of such
+ // ciphersuites as a hint to send an ECDSA certificate.
+#if defined(OS_WIN)
+ if (base::win::GetVersion() < base::win::VERSION_VISTA)
+ DisableECDSA();
+#elif defined(OS_MACOSX)
+ if (!base::mac::IsOSSnowLeopardOrLater())
+ DisableECDSA();
+#endif
+
 // All other SSL options are set per-session by SSLClientSocket and
 // SSLServerSocket.
 }
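Review bot: The version gate added to the NSSSSLInitSingleton constructor only changes NSS's process-wide defaults, while the context comment directly below it says the remaining options are set per-session by SSLClientSocket and SSLServerSocket. If that per-socket code (not visible in this diff) enables suites with its own `SSL_CipherPrefSet` calls, the ECDSA suites could come back on pre-Vista Windows and pre-Snow Leopard Mac, which are exactly the platforms this targets. I would extend the new comment with `// Per-socket cipher configuration must not re-enable these suites.` and confirm the client socket path honours the default. The constructor begins above the hunk, so anything that runs before this point is not covered by this note.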
@@ -76,6 +94,19 @@ class NSSSSLInitSingleton {
 // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY.
 SSL_ClearSessionCache();
 }
+
+ void DisableECDSA() {
+ const PRUint16* ciphersuites = SSL_GetImplementedCiphers();
+ const unsigned num_ciphersuites = SSL_GetNumImplementedCiphers();
+ SECStatus rv;
+ SSLCipherSuiteInfo info;
+
+ for (unsigned i = 0; i < num_ciphersuites; i++) {
+ rv = SSL_GetCipherSuiteInfo(ciphersuites[i], &info, sizeof(info));
+ if (rv == SECSuccess && info.authAlgorithm == ssl_auth_ecdsa)
+ SSL_CipherPrefSetDefault(ciphersuites[i], PR_FALSE);
+ }
+ }
 };
 static base::LazyInstance<NSSSSLInitSingleton> g_nss_ssl_init_singleton = |
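Review bot: DisableECDSA() fails open: when `SSL_GetCipherSuiteInfo` returns anything other than SECSuccess the suite is skipped and stays enabled, and the SECStatus from `SSL_CipherPrefSetDefault` is discarded. A suite the platform cannot verify may therefore remain on offer with no trace. Checking the result, for example `if (SSL_CipherPrefSetDefault(ciphersuites[i], PR_FALSE) != SECSuccess)` followed by a log line, and logging the lookup failure as well, would make this visible. The helper also has no comment; `// Disables by default every implemented cipher suite whose authentication algorithm is ECDSA.` above it would state the contract. It is worth confirming that matching on `ssl_auth_ecdsa` covers every suite that can lead a server to send an ECDSA-signed certificate, since that depends on how NSS classifies each suite.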