-rw-r--r--chrome/browser/chrome_browser_field_trials.cc20
-rw-r--r--chrome/browser/chrome_browser_field_trials.h3
-rw-r--r--chrome/browser/prefs/command_line_pref_store.cc3
-rw-r--r--chrome/common/chrome_switches.cc7
-rw-r--r--chrome/common/chrome_switches.h2
-rw-r--r--net/base/ssl_config_service.cc10
-rw-r--r--net/base/ssl_config_service.h3
-rw-r--r--net/socket/ssl_client_socket_nss.cc10
-rw-r--r--net/socket/ssl_client_socket_nss.h2
9 files changed, 15 insertions, 45 deletions
diff --git a/chrome/browser/chrome_browser_field_trials.cc b/chrome/browser/chrome_browser_field_trials.cc
index d235368..172cbcd 100644
--- a/chrome/browser/chrome_browser_field_trials.cc
+++ b/chrome/browser/chrome_browser_field_trials.cc
@@ -128,7 +128,6 @@ void ChromeBrowserFieldTrials::SetupFieldTrials(bool proxy_policy_is_set) {
AutocompleteFieldTrial::Activate();
DisableNewTabFieldTrialIfNecesssary();
SetUpSafeBrowsingInterstitialFieldTrial();
- SetUpChannelIDFieldTrial();
SetUpInfiniteCacheFieldTrial();
#if defined(ENABLE_ONE_CLICK_SIGNIN)
OneClickSigninHelper::InitializeFieldTrial();
@@ -546,25 +545,6 @@ void ChromeBrowserFieldTrials::SetUpSafeBrowsingInterstitialFieldTrial() {
trial->AppendGroup("V2", kVersion2Probability);
}
-void ChromeBrowserFieldTrials::SetUpChannelIDFieldTrial() {
- chrome::VersionInfo::Channel channel = chrome::VersionInfo::GetChannel();
- if (channel == chrome::VersionInfo::CHANNEL_CANARY) {
- net::SSLConfigService::EnableChannelIDTrial();
- } else if (channel == chrome::VersionInfo::CHANNEL_DEV &&
- base::FieldTrialList::IsOneTimeRandomizationEnabled()) {
- const base::FieldTrial::Probability kDivisor = 100;
- // 10% probability of being in the enabled group.
- const base::FieldTrial::Probability kEnableProbability = 10;
- scoped_refptr<base::FieldTrial> trial =
- base::FieldTrialList::FactoryGetFieldTrial(
- "ChannelID", kDivisor, "disable", 2012, 11, 5, NULL);
- trial->UseOneTimeRandomization();
- int enable_group = trial->AppendGroup("enable", kEnableProbability);
- if (trial->group() == enable_group)
- net::SSLConfigService::EnableChannelIDTrial();
- }
-}
-
void ChromeBrowserFieldTrials::SetUpInfiniteCacheFieldTrial() {
const base::FieldTrial::Probability kDivisor = 100;
diff --git a/chrome/browser/chrome_browser_field_trials.h b/chrome/browser/chrome_browser_field_trials.h
index d994913..5804d5a 100644
--- a/chrome/browser/chrome_browser_field_trials.h
+++ b/chrome/browser/chrome_browser_field_trials.h
@@ -65,9 +65,6 @@ class ChromeBrowserFieldTrials {
// Sets up the Safe Browsing interstitial redesign trial.
void SetUpSafeBrowsingInterstitialFieldTrial();
- // Sets up the field trial for testing TLS channel id.
- void SetUpChannelIDFieldTrial();
-
// Sets up the InfiniteCache field trial.
void SetUpInfiniteCacheFieldTrial();
diff --git a/chrome/browser/prefs/command_line_pref_store.cc b/chrome/browser/prefs/command_line_pref_store.cc
index a3ce691..df49ea2 100644
--- a/chrome/browser/prefs/command_line_pref_store.cc
+++ b/chrome/browser/prefs/command_line_pref_store.cc
@@ -49,8 +49,7 @@ const CommandLinePrefStore::BooleanSwitchToPreferenceMapEntry
prefs::kWebKitAllowDisplayingInsecureContent, false },
{ switches::kAllowCrossOriginAuthPrompt,
prefs::kAllowCrossOriginAuthPrompt, true },
- { switches::kEnableOriginBoundCerts, prefs::kEnableOriginBoundCerts,
- true },
+ { switches::kDisableTLSChannelID, prefs::kEnableOriginBoundCerts, false },
{ switches::kDisableSSLFalseStart, prefs::kDisableSSLRecordSplitting,
true },
{ switches::kEnableMemoryInfo, prefs::kEnableMemoryInfo, true },
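Review bot: The new entry stores `false` into prefs::kEnableOriginBoundCerts when the disable switch is present, but nothing in this change shows the pref's registered default being flipped to `true` to match the new SSLConfig default (`channel_id_enabled(true)` in the ssl_config_service.cc hunk); if that default still lives elsewhere as `false`, whichever component builds the SSLConfig from the pref would keep Channel ID off regardless of the new constructor default, so the registration is worth confirming. The inverted switch/pref naming is also easy to misread in this table; a one-line comment on the entry, `// The pref keeps its legacy "enable" name, so the disable switch stores false.`, would help.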
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index fa03557..914895a 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -420,6 +420,9 @@ const char kDisableSyncTypedUrls[] = "disable-sync-typed-urls";
// disable translate with the preference.
const char kDisableTranslate[] = "disable-translate";
+// Disables TLS Channel ID extension.
+const char kDisableTLSChannelID[] = "disable-tls-channel-id";
+
// Disables the backend service for web resources.
const char kDisableWebResources[] = "disable-web-resources";
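Review bot: `kDisableTLSChannelID` is inserted after `kDisableTranslate`, which breaks the alphabetical ordering this file keeps for switch definitions ("TLS" sorts before "Translate"); the matching `extern` in the chrome_switches.h hunk has the same placement. Moving the new comment/definition (and the extern) above the kDisableTranslate block keeps both lists sorted. The comment could also name the thing being disabled more precisely, e.g. `// Disables the TLS Channel ID extension in SSL connections.`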
@@ -597,10 +600,6 @@ const char kEnableNpn[] = "enable-npn";
// HTTP is still used for all requests.
const char kEnableNpnHttpOnly[] = "enable-npn-http";
-// Enables TLS Channel ID extension. (The switch is still called
-// "enable-origin-bound-certs" for backwards compatability.)
-const char kEnableOriginBoundCerts[] = "enable-origin-bound-certs";
-
// Enables panels (always on-top docked pop-up windows).
const char kEnablePanels[] = "enable-panels";
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index 6ba7f78..7b4ddf2 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -121,6 +121,7 @@ extern const char kDisableSyncSearchEngines[];
extern const char kDisableSyncThemes[];
extern const char kDisableSyncTypedUrls[];
extern const char kDisableTranslate[];
+extern const char kDisableTLSChannelID[];
extern const char kDisableWebResources[];
extern const char kDisableWebsiteSettings[];
extern const char kDisableZeroBrowsersOpenForTests[];
@@ -168,7 +169,6 @@ extern const char kEnableNaClIPCProxy[];
extern const char kEnableNpn[];
extern const char kDisableSyncTabs[];
extern const char kEnableNpnHttpOnly[];
-extern const char kEnableOriginBoundCerts[];
extern const char kEnablePanels[];
extern const char kEnablePasswordGeneration[];
extern const char kEnablePnacl[];
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index f9ee9ef..f7c18aa 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -38,7 +38,7 @@ SSLConfig::SSLConfig()
version_min(g_default_version_min),
version_max(g_default_version_max),
cached_info_enabled(false),
- channel_id_enabled(false),
+ channel_id_enabled(true),
false_start_enabled(true),
send_client_cert(false),
verify_ev_cert(false),
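Review bot: Changing the initializer to `channel_id_enabled(true)` changes the default for every SSLConfig consumer in net/, not only the Chrome profile path that previously reached it through the field trial and `SetSSLConfigFlags`, so the member's doc comment in ssl_config_service.h (not in this diff) should be checked in case it still describes the old default. If the intent is "on unless a pref or embedder turns it off", a comment on this line saying so, `// Channel ID is on by default; SSLConfigService consumers may override.`, would record the decision next to the value.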
@@ -74,7 +74,6 @@ SSLConfigService::SSLConfigService()
}
static bool g_cached_info_enabled = false;
-static bool g_channel_id_trial = false;
// GlobalCRLSet holds a reference to the global CRLSet. It simply wraps a lock
// around a scoped_refptr so that getting a reference doesn't race with
@@ -133,11 +132,6 @@ uint16 SSLConfigService::default_version_max() {
return g_default_version_max;
}
-// static
-void SSLConfigService::EnableChannelIDTrial() {
- g_channel_id_trial = true;
-}
-
void SSLConfigService::AddObserver(Observer* observer) {
observer_list_.AddObserver(observer);
}
@@ -152,8 +146,6 @@ SSLConfigService::~SSLConfigService() {
// static
void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) {
ssl_config->cached_info_enabled = g_cached_info_enabled;
- if (g_channel_id_trial)
- ssl_config->channel_id_enabled = true;
}
void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index 9f1722e..8210038 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -183,9 +183,6 @@ class NET_EXPORT SSLConfigService
static void SetDefaultVersionMax(uint16 version_max);
static uint16 default_version_max();
- // Force channel ID support to be enabled.
- static void EnableChannelIDTrial();
-
// Is SNI available in this configuration?
static bool IsSNIAvailable(SSLConfigService* service);
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 04f0ab3..c2b886e 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -930,6 +930,7 @@ class SSLClientSocketNSS::Core : public base::RefCountedThreadSafe<Core> {
// The current handshake state. Mirrors |nss_handshake_state_|.
HandshakeState network_handshake_state_;
+ // The service for retrieving Channel ID keys. May be NULL.
ServerBoundCertService* server_bound_cert_service_;
ServerBoundCertService::RequestHandle domain_bound_cert_request_handle_;
@@ -1080,7 +1081,9 @@ bool SSLClientSocketNSS::Core::Init(PRFileDesc* socket,
}
if (ssl_config_.channel_id_enabled) {
- if (!crypto::ECPrivateKey::IsSupported()) {
+ if (!server_bound_cert_service_) {
+ DVLOG(1) << "NULL server_bound_cert_service_, not enabling channel ID.";
+ } else if (!crypto::ECPrivateKey::IsSupported()) {
DVLOG(1) << "Elliptic Curve not supported, not enabling channel ID.";
} else if (!server_bound_cert_service_->IsSystemTimeValid()) {
DVLOG(1) << "System time is weird, not enabling channel ID.";
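Review bot: The new NULL guard is the right first branch here, since with the new SSLConfig default any caller that passes a NULL ServerBoundCertService now reaches the `channel_id_enabled` block, but it only protects this check chain; other dereferences of `server_bound_cert_service_` outside these hunks (for example the later Channel ID key request path) should be checked to confirm they are only reachable when this branch actually enabled Channel ID. `Init` begins and ends outside the hunk, so that cannot be verified from the diff alone.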
@@ -2523,12 +2526,15 @@ void SSLClientSocketNSS::Core::RecordChannelIDSupport() const {
CLIENT_AND_SERVER = 2,
CLIENT_NO_ECC = 3,
CLIENT_BAD_SYSTEM_TIME = 4,
+ CLIENT_NO_SERVER_BOUND_CERT_SERVICE = 5,
DOMAIN_BOUND_CERT_USAGE_MAX
} supported = DISABLED;
if (channel_id_xtn_negotiated_) {
supported = CLIENT_AND_SERVER;
} else if (ssl_config_.channel_id_enabled) {
- if (!crypto::ECPrivateKey::IsSupported())
+ if (!server_bound_cert_service_)
+ supported = CLIENT_NO_SERVER_BOUND_CERT_SERVICE;
+ else if (!crypto::ECPrivateKey::IsSupported())
supported = CLIENT_NO_ECC;
else if (!server_bound_cert_service_->IsSystemTimeValid())
supported = CLIENT_BAD_SYSTEM_TIME;
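Review bot: `CLIENT_NO_SERVER_BOUND_CERT_SERVICE = 5` is appended before DOMAIN_BOUND_CERT_USAGE_MAX, so existing bucket values stay stable, but the histogram's enum description that backs this UMA enum is not among the nine files in this change and needs the new bucket 5 too, otherwise the value shows up unlabeled. A short comment on the new enumerator, `// Channel ID enabled by config, but no ServerBoundCertService was supplied.`, would mirror the DVLOG added in Init. The enum and RecordChannelIDSupport both start outside the hunk.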
diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h
index f8f602f..95e0566 100644
--- a/net/socket/ssl_client_socket_nss.h
+++ b/net/socket/ssl_client_socket_nss.h
@@ -162,7 +162,7 @@ class SSLClientSocketNSS : public SSLClientSocket {
CertVerifier* const cert_verifier_;
scoped_ptr<SingleRequestCertVerifier> verifier_;
- // For domain bound certificates in client auth.
+ // The service for retrieving Channel ID keys. May be NULL.
ServerBoundCertService* server_bound_cert_service_;
// ssl_session_cache_shard_ is an opaque string that partitions the SSL