summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--chrome/browser/policy/configuration_policy_handler_list_factory.cc3
-rw-r--r--chrome/browser/policy/policy_browsertest.cc29
-rw-r--r--chrome/test/data/policy/policy_test_cases.json6
-rw-r--r--components/policy/resources/policy_templates.json59
-rw-r--r--tools/metrics/histograms/histograms.xml1
5 files changed, 97 insertions, 1 deletions
diff --git a/chrome/browser/policy/configuration_policy_handler_list_factory.cc b/chrome/browser/policy/configuration_policy_handler_list_factory.cc
index 121975c..633dbea 100644
--- a/chrome/browser/policy/configuration_policy_handler_list_factory.cc
+++ b/chrome/browser/policy/configuration_policy_handler_list_factory.cc
@@ -369,6 +369,9 @@ const PolicyToPreferenceMapEntry kSimplePolicyMap[] = {
{ key::kSSLVersionMin,
prefs::kSSLVersionMin,
base::Value::TYPE_STRING },
+ { key::kSSLVersionFallbackMin,
+ prefs::kSSLVersionFallbackMin,
+ base::Value::TYPE_STRING },
#if !defined(OS_MACOSX) && !defined(OS_IOS)
{ key::kFullscreenAllowed,
diff --git a/chrome/browser/policy/policy_browsertest.cc b/chrome/browser/policy/policy_browsertest.cc
index 965f610..b433268 100644
--- a/chrome/browser/policy/policy_browsertest.cc
+++ b/chrome/browser/policy/policy_browsertest.cc
@@ -2295,6 +2295,35 @@ IN_PROC_BROWSER_TEST_F(PolicyTest, SSLVersionMin) {
EXPECT_TRUE(IsMinSSLVersionTLS12(browser()->profile()));
}
+static bool IsMinSSLFallbackVersionTLS12(Profile* profile) {
+ scoped_refptr<net::SSLConfigService> config_service(
+ profile->GetSSLConfigService());
+ net::SSLConfig config;
+ config_service->GetSSLConfig(&config);
+ return config.version_fallback_min == net::SSL_PROTOCOL_VERSION_TLS1_2;
+}
+
+IN_PROC_BROWSER_TEST_F(PolicyTest, SSLVersionFallbackMin) {
+ PrefService* prefs = g_browser_process->local_state();
+
+ const std::string new_value("tls1.2");
+ const std::string default_value(
+ prefs->GetString(prefs::kSSLVersionFallbackMin));
+
+ EXPECT_NE(default_value, new_value);
+ EXPECT_FALSE(IsMinSSLFallbackVersionTLS12(browser()->profile()));
+
+ PolicyMap policies;
+ policies.Set(key::kSSLVersionFallbackMin,
+ POLICY_LEVEL_MANDATORY,
+ POLICY_SCOPE_USER,
+ new base::StringValue(new_value),
+ NULL);
+ UpdateProviderPolicy(policies);
+
+ EXPECT_TRUE(IsMinSSLFallbackVersionTLS12(browser()->profile()));
+}
+
#if !defined(OS_MACOSX)
IN_PROC_BROWSER_TEST_F(PolicyTest, FullscreenAllowedBrowser) {
PolicyMap policies;
diff --git a/chrome/test/data/policy/policy_test_cases.json b/chrome/test/data/policy/policy_test_cases.json
index 5245396..3ad037d 100644
--- a/chrome/test/data/policy/policy_test_cases.json
+++ b/chrome/test/data/policy/policy_test_cases.json
@@ -1710,6 +1710,12 @@
"pref_mappings": []
},
+ "SSLVersionFallbackMin": {
+ "os": ["win", "linux", "mac", "chromeos"],
+ "test_policy": { "SSLVersionFallbackMin": "tls1.2" },
+ "pref_mappings": []
+ },
+
"----- Chrome OS policies ------------------------------------------------": {},
"ChromeOsLockOnIdleSuspend": {
diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json
index 51bd259..86184b5 100644
--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -123,7 +123,7 @@
# persistent IDs for all fields (but not for groups!) are needed. These are
# specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
# because doing so would break the deployed wire format!
-# For your editing convenience: highest ID currently used: 279
+# For your editing convenience: highest ID currently used: 280
#
# Placeholders:
# The following placeholder strings are automatically substituted:
@@ -6844,6 +6844,63 @@
Note that, despite the number, "sslv3" is an earier version than "tls1".''',
},
+ {
+ 'name': 'SSLVersionFallbackMin',
+ 'type': 'string-enum',
+ 'schema': {
+ 'type': 'string',
+ 'enum': [
+ 'ssl3',
+ 'tls1',
+ 'tls1.1',
+ 'tls1.2',
+ ],
+ },
+ 'items': [
+ {
+ 'name': 'SSLv3',
+ 'value': 'ssl3',
+ 'caption': 'SSL 3.0',
+ },
+ {
+ 'name': 'TLSv1',
+ 'value': 'tls1',
+ 'caption': 'TLS 1.0',
+ },
+ {
+ 'name': 'TLSv1.1',
+ 'value': 'tls1.1',
+ 'caption': 'TLS 1.1',
+ },
+ {
+ 'name': 'TLSv1.2',
+ 'value': 'tls1.2',
+ 'caption': 'TLS 1.2',
+ },
+ ],
+ 'supported_on': [
+ 'chrome.*:39-',
+ 'chrome_os:39-',
+ 'android:39-',
+ 'ios:39-',
+ ],
+ 'features': {
+ 'dynamic_refresh': True,
+ 'per_profile': False,
+ },
+ 'example_value': 'tls1',
+ 'id': 280,
+ 'caption': '''Minimum SSL version to fallback to''',
+ 'desc': '''When an SSL/TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will retry the connection with a lesser version of SSL/TLS in order to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly then this setting doesn't apply and SSLVersionMin controls.
+
+ If this policy is not configured then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use a default minimum version, which was SSLv3 in Chrome 38 but is TLS 1.0 in Chrome 39.
+
+ Otherwise it may be set to one of the following values: "sslv3", "tls1", "tls1.1" or "tls1.2". A setting of "tls1" protects against attacks on SSLv3 but is already the default. A more likely situation is that compatibility with a buggy server must be maintained and thus this needs to be set to "sslv3". That potentially opens up all connections to SSLv3 attacks since a network attacker can induce fallbacks. Thus this is a stopgap measure and the server should be rapidly fixed.
+
+ A setting of "tls1.2" disables all fallback but this may have a significant compatibility impact.
+
+ Note that, despite the number, "sslv3" is an earier version than "tls1".''',
+ },
],
'messages': {
# Messages that are not associated to any policies.
diff --git a/tools/metrics/histograms/histograms.xml b/tools/metrics/histograms/histograms.xml
index 5a05ca52..28379db 100644
--- a/tools/metrics/histograms/histograms.xml
+++ b/tools/metrics/histograms/histograms.xml
@@ -41799,6 +41799,7 @@ Therefore, the affected-histogram name has to have at least one dot in it.
label="Import autofill form data from default browser on first run"/>
<int value="278" label="Extension Settings"/>
<int value="279" label="SSL minimum version"/>
+ <int value="280" label="SSL fallback minimum version"/>
</enum>
<enum name="EnterprisePolicyInvalidations" type="int">