authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-08-23 15:49:40 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-08-23 15:49:40 +0000
commitac3b2592ae2fa2ec77e4ac82f644220499dd13e9 (patch)
treea2a4be682a920de7dc061531a6efe96756b5c321 /net
parentc4063b8d54260a20e8a25daa58ddeb0abbb692d7 (diff)
Address post-review comments on r56727.
BUG=none TEST=none http://codereview.chromium.org/3107030 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57059 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/base/ssl_config_service.h23
-rw-r--r--net/http/http_stream_request.cc4
2 files changed, 14 insertions, 13 deletions
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index 748d8e4..bcfb2f9 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -33,13 +33,12 @@ struct SSLConfig {
// needs to clear tls1_enabled).
bool dnssec_enabled; // True if we'll accept DNSSEC chains in certificates.
- // True if we believe that this connection might be MITM attacked. This
- // sounds a little worse than it is: large networks sometimes MITM attack all
- // SSL connections on egress. We want to know this because we might not have
- // the end-to-end connection that we believe that we have based on the
- // hostname. Therefore, certain certificate checks can't be performed and we
- // can't use outside knowledge about whether the server has the renegotiation
- // extension.
+ // True if we allow this connection to be MITM attacked. This sounds a little
+ // worse than it is: large networks sometimes MITM attack all SSL connections
+ // on egress. We want to know this because we might not have the end-to-end
+ // connection that we believe that we have based on the hostname. Therefore,
+ // certain certificate checks can't be performed and we can't use outside
+ // knowledge about whether the server has the renegotiation extension.
bool mitm_proxies_allowed;
bool false_start_enabled; // True if we'll use TLS False Start.
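Review bot: The reworded comment on `mitm_proxies_allowed` still says only that "certain certificate checks can't be performed", so a reader of this header cannot tell which verification steps the flag turns off. Because setting it weakens what the TLS layer enforces, the comment should name those checks or point at the code that reads the flag, for example a closing line such as `// When set, <checks that are skipped> are not enforced; see <consumer>.` with the placeholders filled in. The struct continues outside the hunk, so the consumers of the flag are not visible here.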
@@ -118,8 +117,8 @@ class SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> {
static void EnableDNSSEC();
static bool dnssec_enabled();
- // Enables the |may_be_manipulated| flag in SSLConfig objects. See the
- // comment about this flag in |SSLConfig|.
+ // Sets a global flag which allows SSL connections to be MITM attacked. See
+ // the comment about this flag in |SSLConfig|.
static void AllowMITMProxies();
static bool mitm_proxies_allowed();
@@ -129,12 +128,12 @@ class SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> {
static bool false_start_enabled();
protected:
- // SetFlags sets the values of several flags based on global configuration.
- static void SetSSLConfigFlags(SSLConfig*);
-
friend class base::RefCountedThreadSafe<SSLConfigService>;
virtual ~SSLConfigService() {}
+
+ // SetFlags sets the values of several flags based on global configuration.
+ static void SetSSLConfigFlags(SSLConfig*);
};
} // namespace net
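Review bot: The comment that moves with the declaration still calls the function `SetFlags`, while the declaration is `SetSSLConfigFlags`. The move is a good moment to fix it: `// SetSSLConfigFlags sets the values of several flags based on global configuration.` Naming the parameter (`SSLConfig* ssl_config`) and listing the fields it writes would also help, since the static accessors earlier in this class suggest one of them is the MITM-proxy flag that relaxes certificate checking.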
diff --git a/net/http/http_stream_request.cc b/net/http/http_stream_request.cc
index b3310a8..de7554b 100644
--- a/net/http/http_stream_request.cc
+++ b/net/http/http_stream_request.cc
@@ -520,8 +520,10 @@ int HttpStreamRequest::DoInitConnection() {
if (request_info().load_flags & LOAD_VERIFY_EV_CERT)
ssl_config()->verify_ev_cert = true;
- if (proxy_info()->proxy_server().scheme() == ProxyServer::SCHEME_HTTP)
+ if (proxy_info()->proxy_server().scheme() == ProxyServer::SCHEME_HTTP ||
+ proxy_info()->proxy_server().scheme() == ProxyServer::SCHEME_HTTPS) {
ssl_config()->mitm_proxies_allowed = true;
+ }
scoped_refptr<SSLSocketParams> ssl_params =
new SSLSocketParams(tcp_params, http_proxy_params, socks_params,
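Review bot: The widened condition relaxes `mitm_proxies_allowed` for every connection routed through an HTTP or HTTPS proxy, but nothing at the `if` says why these two schemes qualify and the SOCKS schemes do not. A one-line comment above it would record the decision, e.g. `// Connections via an HTTP(S) proxy are treated as possibly intercepted; see SSLConfig::mitm_proxies_allowed.` The flag is also only ever set to true here. If the `SSLConfig` behind `ssl_config()` is reused for a later attempt over a different route (not visible in this hunk), the relaxed checks would carry over, so it is worth confirming that it is reset per attempt. `DoInitConnection` starts and ends outside the hunk.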