author | sergeyu@chromium.org <sergeyu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-07-16 20:58:20 +0000 |
---|---|---|
committer | sergeyu@chromium.org <sergeyu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-07-16 20:58:20 +0000 |
commit | 370133c17a8f775a5497a832b892e3b01e159fbd (patch) | |
tree | 3ee207bef7c343657fcd37faf5a5768e1569e664 /remoting/jingle_glue | |
parent | 8eef288822981e09b001ca605d15d122748842d3 (diff) | |
Enable HSTS for XMPP connection used by Chromoting
Chromoting host uses an XMPP connection encrypted with SSL to connect to talk.google.com. Previously it was accepting any certificate signed by a known CA. Updating the SSL adapter code to enable the HSTS code, so that only a limited set of CAs is accepted for the XMPP connection.
BUG=132884
Review URL: https://chromiumcodereview.appspot.com/10787009
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@146876 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'remoting/jingle_glue')
-rw-r--r-- | remoting/jingle_glue/ssl_socket_adapter.cc | 6 | ||||
-rw-r--r-- | remoting/jingle_glue/ssl_socket_adapter.h | 2 |
2 files changed, 6 insertions, 2 deletions
diff --git a/remoting/jingle_glue/ssl_socket_adapter.cc b/remoting/jingle_glue/ssl_socket_adapter.cc
index 33b04d3..4ff09a5c9 100644
--- a/remoting/jingle_glue/ssl_socket_adapter.cc
+++ b/remoting/jingle_glue/ssl_socket_adapter.cc
@@ -13,6 +13,7 @@
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
 #include "net/base/ssl_config_service.h"
+#include "net/base/transport_security_state.h"
 #include "net/socket/client_socket_factory.h"
 #include "net/url_request/url_request_context.h"
@@ -26,6 +27,7 @@ SSLSocketAdapter::SSLSocketAdapter(AsyncSocket* socket)
 : SSLAdapter(socket),
 ignore_bad_cert_(false),
 cert_verifier_(net::CertVerifier::CreateDefault()),
+ transport_security_state_(new net::TransportSecurityState()),
 ssl_state_(SSLSTATE_NONE),
 read_pending_(false),
 write_pending_(false) {
@@ -61,8 +63,8 @@ int SSLSocketAdapter::BeginSSL() {
 // are correct for us, so we don't use the config service to initialize this
 // object.
 net::SSLConfig ssl_config;
- net::SSLClientSocketContext context;
- context.cert_verifier = cert_verifier_.get();
+ net::SSLClientSocketContext context(
+ cert_verifier_.get(), NULL, transport_security_state_.get(), "");
 transport_socket_->set_addr(talk_base::SocketAddress(hostname_, 0));
 ssl_socket_.reset(
diff --git a/remoting/jingle_glue/ssl_socket_adapter.h b/remoting/jingle_glue/ssl_socket_adapter.h
index 9d32911..c95ac3a 100644
--- a/remoting/jingle_glue/ssl_socket_adapter.h
+++ b/remoting/jingle_glue/ssl_socket_adapter.h
@@ -17,6 +17,7 @@
 namespace net {
 class CertVerifier;
+class TransportSecurityState;
 } // namespace net
 namespace remoting {
@@ -136,6 +137,7 @@ class SSLSocketAdapter : public talk_base::SSLAdapter {
 // |cert_verifier_| must be defined before |ssl_socket_|, so that
 // it's destroyed after |ssl_socket_|.
 scoped_ptr<net::CertVerifier> cert_verifier_;
+ scoped_ptr<net::TransportSecurityState> transport_security_state_;
 scoped_ptr<net::SSLClientSocket> ssl_socket_;
 SSLState ssl_state_;
|
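Review bot: The two literal arguments in the new `net::SSLClientSocketContext context(cert_verifier_.get(), NULL, transport_security_state_.get(), "");` call in BeginSSL() are undocumented, so a reader cannot tell which services this connection is declining. The comment directly above the hunk explains only why the config service is not used; extend it with a line such as `// No server-bound-cert service and no session-cache shard are needed here; the TransportSecurityState is what restricts the CAs accepted for |hostname_|.` (the identity of the two positional parameters is inferred from the SSLClientSocketContext constructor of this era — confirm against its header). It is also worth stating that this TransportSecurityState is freshly created per adapter and never receives dynamic HSTS or pin state, so the CA restriction described in the commit message applies only if the XMPP host is covered by the entries compiled into TransportSecurityState. BeginSSL() begins and ends outside the hunk.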
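Review bot: The ordering comment immediately above the new `scoped_ptr<net::TransportSecurityState> transport_security_state_;` member still names only |cert_verifier_|, yet the .cc change hands |transport_security_state_| to the socket context as a raw pointer, so it carries the same destruction-order requirement relative to |ssl_socket_|. Extend the comment to `// |cert_verifier_| and |transport_security_state_| must be defined before |ssl_socket_|, so that they are destroyed after |ssl_socket_|.` so the invariant survives the next member addition. The SSLSocketAdapter class declaration begins and ends outside the hunk.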