-rw-r--r-- | chrome/browser/policy/configuration_policy_handler_list_factory.cc | 3 | ||||
-rw-r--r-- | chrome/browser/policy/policy_browsertest.cc | 31 | ||||
-rw-r--r-- | chrome/test/data/policy/policy_test_cases.json | 6 | ||||
-rw-r--r-- | components/policy/resources/policy_templates.json | 55 | ||||
-rw-r--r-- | tools/metrics/histograms/histograms.xml | 1 |
5 files changed, 95 insertions, 1 deletions
diff --git a/chrome/browser/policy/configuration_policy_handler_list_factory.cc b/chrome/browser/policy/configuration_policy_handler_list_factory.cc index 20f1edd..121975c 100644 --- a/chrome/browser/policy/configuration_policy_handler_list_factory.cc +++ b/chrome/browser/policy/configuration_policy_handler_list_factory.cc @@ -366,6 +366,9 @@ const PolicyToPreferenceMapEntry kSimplePolicyMap[] = { { key::kForceEphemeralProfiles, prefs::kForceEphemeralProfiles, base::Value::TYPE_BOOLEAN }, + { key::kSSLVersionMin, + prefs::kSSLVersionMin, + base::Value::TYPE_STRING }, #if !defined(OS_MACOSX) && !defined(OS_IOS) { key::kFullscreenAllowed, diff --git a/chrome/browser/policy/policy_browsertest.cc b/chrome/browser/policy/policy_browsertest.cc index 0f4b212..016e70c 100644 --- a/chrome/browser/policy/policy_browsertest.cc +++ b/chrome/browser/policy/policy_browsertest.cc @@ -46,6 +46,7 @@ #include "chrome/browser/media/media_stream_devices_controller.h" #include "chrome/browser/metrics/variations/variations_service.h" #include "chrome/browser/net/prediction_options.h" +#include "chrome/browser/net/ssl_config_service_manager.h" #include "chrome/browser/net/url_request_mock_util.h" #include "chrome/browser/plugins/plugin_prefs.h" #include "chrome/browser/policy/cloud/test_request_interceptor.h" @@ -133,6 +134,8 @@ #include "net/base/net_util.h" #include "net/base/url_util.h" #include "net/http/http_stream_factory.h" +#include "net/ssl/ssl_config.h" +#include "net/ssl/ssl_config_service.h" #include "net/test/url_request/url_request_failed_job.h" #include "net/test/url_request/url_request_mock_http_job.h" #include "net/url_request/url_request.h" 
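Review bot: The new `key::kSSLVersionMin` entry in `kSimplePolicyMap` carries only a `base::Value::TYPE_STRING` constraint, so any string, valid or not, appears to be copied into `prefs::kSSLVersionMin`. The policy description added in this same commit says an unrecognized value is ignored, so a misspelled value would leave the browser on its default minimum without any policy error shown to the administrator. For a setting meant to raise the protocol floor that is a quiet fail-open. Consider a dedicated handler that rejects strings outside `ssl3`/`tls1`/`tls1.1`/`tls1.2` and reports an error, or at least document it here with `// Not validated here; unknown strings are ignored by the pref consumer and the default minimum applies.` The array starts and ends outside the hunk, and the code that reads the pref is not visible.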
@@ -2264,6 +2267,34 @@ IN_PROC_BROWSER_TEST_F(PolicyTest, MAYBE_FileURLBlacklist) { CheckURLIsBlocked(browser(), file_path2.c_str()); } +static bool IsMinSSLVersionTLS12(Profile* profile) { + scoped_refptr<net::SSLConfigService> config_service( + profile->GetSSLConfigService()); + net::SSLConfig config; + config_service->GetSSLConfig(&config); + return config.version_min == net::SSL_PROTOCOL_VERSION_TLS1_2; +} + +IN_PROC_BROWSER_TEST_F(PolicyTest, SSLVersionMin) { + PrefService* prefs = g_browser_process->local_state(); + + const std::string new_value("tls1.2"); + const std::string default_value(prefs->GetString(prefs::kSSLVersionMin)); + + EXPECT_NE(default_value, new_value); + EXPECT_FALSE(IsMinSSLVersionTLS12(browser()->profile())); + + PolicyMap policies; + policies.Set(key::kSSLVersionMin, + POLICY_LEVEL_MANDATORY, + POLICY_SCOPE_USER, + new base::StringValue(new_value), + NULL); + UpdateProviderPolicy(policies); + + EXPECT_TRUE(IsMinSSLVersionTLS12(browser()->profile())); +} + #if !defined(OS_MACOSX) IN_PROC_BROWSER_TEST_F(PolicyTest, FullscreenAllowedBrowser) { PolicyMap policies; diff --git a/chrome/test/data/policy/policy_test_cases.json b/chrome/test/data/policy/policy_test_cases.json index bd5cc38..5245396 100644 --- a/chrome/test/data/policy/policy_test_cases.json +++ b/chrome/test/data/policy/policy_test_cases.json @@ -1704,6 +1704,12 @@ ] }, + "SSLVersionMin": { + "os": ["win", "linux", "mac", "chromeos"], + "test_policy": { "SSLVersionMin": "tls1.2" }, + "pref_mappings": [] + }, + "----- Chrome OS policies ------------------------------------------------": {}, "ChromeOsLockOnIdleSuspend": { diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json index baf7722..51bd259 100644 --- a/components/policy/resources/policy_templates.json +++ b/components/policy/resources/policy_templates.json 
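Review bot: The `SSLVersionMin` test exercises only the accepted value `tls1.2`. Nothing covers the case the policy description calls out, where an unrecognized string is ignored. That path decides whether a typo silently leaves the default minimum in place, so a second case should set an out-of-enum string and assert that `config.version_min` still equals the value captured before `UpdateProviderPolicy(policies)`. Capturing that baseline would also replace the precondition `EXPECT_FALSE(IsMinSSLVersionTLS12(browser()->profile()))`, which starts failing once the default minimum itself becomes TLS 1.2. It would help to add a one-line comment above `IsMinSSLVersionTLS12`, for example `// Returns true if the profile's effective SSL config has a minimum version of exactly TLS 1.2.`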
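Review bot: `"pref_mappings": []` in the `SSLVersionMin` case gives the data-driven policy test no pref to check, so it presumably cannot detect a broken mapping from the policy to `prefs::kSSLVersionMin`, which the handler-list hunk in this commit introduces. Listing that pref here would close the gap, if the test harness supports local-state prefs. Separately, `"os"` names win, linux, mac and chromeos, while `supported_on` in policy_templates.json also lists android and ios. It is worth confirming that the omission is intended.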
@@ -123,7 +123,7 @@ # persistent IDs for all fields (but not for groups!) are needed. These are # specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs, # because doing so would break the deployed wire format! -# For your editing convenience: highest ID currently used: 278 +# For your editing convenience: highest ID currently used: 279 # # Placeholders: # The following placeholder strings are automatically substituted: @@ -6791,6 +6791,59 @@ If this policy is set to false, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not allow creation of new profiles from the profile manager.''', }, + { + 'name': 'SSLVersionMin', + 'type': 'string-enum', + 'schema': { + 'type': 'string', + 'enum': [ + 'ssl3', + 'tls1', + 'tls1.1', + 'tls1.2', + ], + }, + 'items': [ + { + 'name': 'SSLv3', + 'value': 'ssl3', + 'caption': 'SSL 3.0', + }, + { + 'name': 'TLSv1', + 'value': 'tls1', + 'caption': 'TLS 1.0', + }, + { + 'name': 'TLSv1.1', + 'value': 'tls1.1', + 'caption': 'TLS 1.1', + }, + { + 'name': 'TLSv1.2', + 'value': 'tls1.2', + 'caption': 'TLS 1.2', + }, + ], + 'supported_on': [ + 'chrome.*:39-', + 'chrome_os:39-', + 'android:39-', + 'ios:39-', + ], + 'features': { + 'dynamic_refresh': True, + 'per_profile': False, + }, + 'example_value': 'ssl3', + 'id': 279, + 'caption': '''Minimum SSL version enabled''', + 'desc': '''If this policy is not configured then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use a default minimum version, which is SSLv3 in Chrome 39 but may be TLS 1.0 in Chrome 40. + + Otherwise it may be set to one of the following values: "sslv3", "tls1", "tls1.1" or "tls1.2". When set, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not use SSL/TLS versions less than the specified version. An unrecognized value will be ignored. + + Note that, despite the number, "sslv3" is an earier version than "tls1".''', + }, ], 'messages': { # Messages that are not associated to any policies. 
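Review bot: The `desc` text tells administrators to use "sslv3" (twice), but the schema `enum` and the `items` entry both define the value as `ssl3`. Because the same description says an unrecognized value is ignored, an administrator who copies "sslv3" from the help text gets a setting that is dropped without any error. Change both occurrences in `desc` to `"ssl3"` and fix the typo `earier` to `earlier`. Examples tend to be copied into deployments, so `'example_value': 'tls1.2'` would be a safer illustration than `'example_value': 'ssl3'`, which documents the weakest option.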
diff --git a/tools/metrics/histograms/histograms.xml b/tools/metrics/histograms/histograms.xml index 56758ec..bd599c0 100644 --- a/tools/metrics/histograms/histograms.xml +++ b/tools/metrics/histograms/histograms.xml @@ -41659,6 +41659,7 @@ Therefore, the affected-histogram name has to have at least one dot in it. <int value="277" label="Import autofill form data from default browser on first run"/> <int value="278" label="Extension Settings"/> + <int value="279" label="SSL minimum version"/> </enum> <enum name="EnterprisePolicyInvalidations" type="int"> |