diff options
-rw-r--r-- | chrome/browser/policy/configuration_policy_handler_list_factory.cc | 3 | ||||
-rw-r--r-- | chrome/browser/policy/policy_browsertest.cc | 29 | ||||
-rw-r--r-- | chrome/test/data/policy/policy_test_cases.json | 6 | ||||
-rw-r--r-- | components/policy/resources/policy_templates.json | 59 | ||||
-rw-r--r-- | tools/metrics/histograms/histograms.xml | 1 |
5 files changed, 97 insertions, 1 deletions
diff --git a/chrome/browser/policy/configuration_policy_handler_list_factory.cc b/chrome/browser/policy/configuration_policy_handler_list_factory.cc index 121975c..633dbea 100644 --- a/chrome/browser/policy/configuration_policy_handler_list_factory.cc +++ b/chrome/browser/policy/configuration_policy_handler_list_factory.cc @@ -369,6 +369,9 @@ const PolicyToPreferenceMapEntry kSimplePolicyMap[] = { { key::kSSLVersionMin, prefs::kSSLVersionMin, base::Value::TYPE_STRING }, + { key::kSSLVersionFallbackMin, + prefs::kSSLVersionFallbackMin, + base::Value::TYPE_STRING }, #if !defined(OS_MACOSX) && !defined(OS_IOS) { key::kFullscreenAllowed, diff --git a/chrome/browser/policy/policy_browsertest.cc b/chrome/browser/policy/policy_browsertest.cc index 965f610..b433268 100644 --- a/chrome/browser/policy/policy_browsertest.cc +++ b/chrome/browser/policy/policy_browsertest.cc @@ -2295,6 +2295,35 @@ IN_PROC_BROWSER_TEST_F(PolicyTest, SSLVersionMin) { EXPECT_TRUE(IsMinSSLVersionTLS12(browser()->profile())); } +static bool IsMinSSLFallbackVersionTLS12(Profile* profile) { + scoped_refptr<net::SSLConfigService> config_service( + profile->GetSSLConfigService()); + net::SSLConfig config; + config_service->GetSSLConfig(&config); + return config.version_fallback_min == net::SSL_PROTOCOL_VERSION_TLS1_2; +} + +IN_PROC_BROWSER_TEST_F(PolicyTest, SSLVersionFallbackMin) { + PrefService* prefs = g_browser_process->local_state(); + + const std::string new_value("tls1.2"); + const std::string default_value( + prefs->GetString(prefs::kSSLVersionFallbackMin)); + + EXPECT_NE(default_value, new_value); + EXPECT_FALSE(IsMinSSLFallbackVersionTLS12(browser()->profile())); + + PolicyMap policies; + policies.Set(key::kSSLVersionFallbackMin, + POLICY_LEVEL_MANDATORY, + POLICY_SCOPE_USER, + new base::StringValue(new_value), + NULL); + UpdateProviderPolicy(policies); + + EXPECT_TRUE(IsMinSSLFallbackVersionTLS12(browser()->profile())); +} + #if !defined(OS_MACOSX) IN_PROC_BROWSER_TEST_F(PolicyTest, FullscreenAllowedBrowser) { PolicyMap policies; diff --git a/chrome/test/data/policy/policy_test_cases.json b/chrome/test/data/policy/policy_test_cases.json index 5245396..3ad037d 100644 --- a/chrome/test/data/policy/policy_test_cases.json +++ b/chrome/test/data/policy/policy_test_cases.json @@ -1710,6 +1710,12 @@ "pref_mappings": [] }, + "SSLVersionFallbackMin": { + "os": ["win", "linux", "mac", "chromeos"], + "test_policy": { "SSLVersionFallbackMin": "tls1.2" }, + "pref_mappings": [] + }, + "----- Chrome OS policies ------------------------------------------------": {}, "ChromeOsLockOnIdleSuspend": { diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json index 51bd259..86184b5 100644 --- a/components/policy/resources/policy_templates.json +++ b/components/policy/resources/policy_templates.json @@ -123,7 +123,7 @@ # persistent IDs for all fields (but not for groups!) are needed. These are # specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs, # because doing so would break the deployed wire format! -# For your editing convenience: highest ID currently used: 279 +# For your editing convenience: highest ID currently used: 280 # # Placeholders: # The following placeholder strings are automatically substituted: @@ -6844,6 +6844,63 @@ Note that, despite the number, "sslv3" is an earier version than "tls1".''', }, + { + 'name': 'SSLVersionFallbackMin', + 'type': 'string-enum', + 'schema': { + 'type': 'string', + 'enum': [ + 'ssl3', + 'tls1', + 'tls1.1', + 'tls1.2', + ], + }, + 'items': [ + { + 'name': 'SSLv3', + 'value': 'ssl3', + 'caption': 'SSL 3.0', + }, + { + 'name': 'TLSv1', + 'value': 'tls1', + 'caption': 'TLS 1.0', + }, + { + 'name': 'TLSv1.1', + 'value': 'tls1.1', + 'caption': 'TLS 1.1', + }, + { + 'name': 'TLSv1.2', + 'value': 'tls1.2', + 'caption': 'TLS 1.2', + }, + ], + 'supported_on': [ + 'chrome.*:39-', + 'chrome_os:39-', + 'android:39-', + 'ios:39-', + ], + 'features': { + 'dynamic_refresh': True, + 'per_profile': False, + }, + 'example_value': 'tls1', + 'id': 280, + 'caption': '''Minimum SSL version to fallback to''', + 'desc': '''When an SSL/TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will retry the connection with a lesser version of SSL/TLS in order to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly then this setting doesn't apply and SSLVersionMin controls. + + If this policy is not configured then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use a default minimum version, which was SSLv3 in Chrome 38 but is TLS 1.0 in Chrome 39. + + Otherwise it may be set to one of the following values: "sslv3", "tls1", "tls1.1" or "tls1.2". A setting of "tls1" protects against attacks on SSLv3 but is already the default. A more likely situation is that compatibility with a buggy server must be maintained and thus this needs to be set to "sslv3". That potentially opens up all connections to SSLv3 attacks since a network attacker can induce fallbacks. Thus this is a stopgap measure and the server should be rapidly fixed. + + A setting of "tls1.2" disables all fallback but this may have a significant compatibility impact. + + Note that, despite the number, "sslv3" is an earier version than "tls1".''', + }, ], 'messages': { # Messages that are not associated to any policies. diff --git a/tools/metrics/histograms/histograms.xml b/tools/metrics/histograms/histograms.xml index 5a05ca52..28379db 100644 --- a/tools/metrics/histograms/histograms.xml +++ b/tools/metrics/histograms/histograms.xml @@ -41799,6 +41799,7 @@ Therefore, the affected-histogram name has to have at least one dot in it. label="Import autofill form data from default browser on first run"/> <int value="278" label="Extension Settings"/> <int value="279" label="SSL minimum version"/> + <int value="280" label="SSL fallback minimum version"/> </enum> <enum name="EnterprisePolicyInvalidations" type="int"> |