-rw-r--r--chrome/browser/net/ssl_config_service_manager_pref.cc4
-rw-r--r--chrome/browser/net/ssl_config_service_manager_pref_unittest.cc4
-rw-r--r--chrome/common/chrome_switches.cc2
-rw-r--r--net/http/http_network_transaction_ssl_unittest.cc12
-rw-r--r--net/http/transport_security_state_static.h1
-rw-r--r--net/http/transport_security_state_static.json1
6 files changed, 7 insertions, 17 deletions
diff --git a/chrome/browser/net/ssl_config_service_manager_pref.cc b/chrome/browser/net/ssl_config_service_manager_pref.cc
index ba52876..dc904ca 100644
--- a/chrome/browser/net/ssl_config_service_manager_pref.cc
+++ b/chrome/browser/net/ssl_config_service_manager_pref.cc
@@ -244,10 +244,8 @@ void SSLConfigServiceManagerPref::RegisterPrefs(PrefRegistrySimple* registry) {
default_config.channel_id_enabled);
registry->RegisterBooleanPref(prefs::kDisableSSLRecordSplitting,
!default_config.false_start_enabled);
- // Note: until http://crbug/237055 is resolved, unrestricted SSL 3.0 fallback
- // is always enabled.
registry->RegisterBooleanPref(prefs::kEnableUnrestrictedSSL3Fallback,
- true /* default_config.unrestricted_ssl3_fallback_enabled */);
+ default_config.unrestricted_ssl3_fallback_enabled);
registry->RegisterListPref(prefs::kCipherSuiteBlacklist);
}
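Review bot: With the explanatory note removed, nothing at this registration says what the default of `prefs::kEnableUnrestrictedSSL3Fallback` is or why it matters. The value now comes from `default_config.unrestricted_ssl3_fallback_enabled`, which is set outside this hunk. The updated unit test on this page expects it to be false, so a short comment would help keep that default from being flipped unnoticed, for example `// Defaults to off: SSL 3.0 fallback stays restricted unless --enable-unrestricted-ssl3-fallback is passed.` RegisterPrefs begins above the hunk, so how default_config is built is not visible here.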
diff --git a/chrome/browser/net/ssl_config_service_manager_pref_unittest.cc b/chrome/browser/net/ssl_config_service_manager_pref_unittest.cc
index f2a9338..7a09c81 100644
--- a/chrome/browser/net/ssl_config_service_manager_pref_unittest.cc
+++ b/chrome/browser/net/ssl_config_service_manager_pref_unittest.cc
@@ -161,8 +161,6 @@ TEST_F(SSLConfigServiceManagerPrefTest, BadDisabledCipherSuites) {
// SSL 3.0 ~ default_version_max() are enabled;
// * without --enable-unrestricted-ssl3-fallback,
// |unrestricted_ssl3_fallback_enabled| is false.
-// TODO(thaidn): |unrestricted_ssl3_fallback_enabled| is true by default
-// temporarily until we have fixed deployment issues.
TEST_F(SSLConfigServiceManagerPrefTest, NoCommandLinePrefs) {
scoped_refptr<TestingPrefStore> local_state_store(new TestingPrefStore());
@@ -186,7 +184,7 @@ TEST_F(SSLConfigServiceManagerPrefTest, NoCommandLinePrefs) {
EXPECT_EQ(net::SSL_PROTOCOL_VERSION_SSL3, ssl_config.version_min);
EXPECT_EQ(net::SSLConfigService::default_version_max(),
ssl_config.version_max);
- EXPECT_TRUE(ssl_config.unrestricted_ssl3_fallback_enabled);
+ EXPECT_FALSE(ssl_config.unrestricted_ssl3_fallback_enabled);
// The settings should not be added to the local_state.
EXPECT_FALSE(local_state->HasPrefPath(prefs::kSSLVersionMin));
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index ebc2a88..76b1b22 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -745,8 +745,6 @@ const char kEnableTranslateNewUX[] = "enable-translate-new-ux";
// With this switch, SSL 3.0 fallback will be enabled for all sites.
// Without this switch, SSL 3.0 fallback will be disabled for a site
// pinned to the Google pin list (indicating that it is a Google site).
-// Note: until http://crbug/237055 is resolved, unrestricted SSL 3.0
-// fallback is always enabled, with or without this switch.
const char kEnableUnrestrictedSSL3Fallback[] =
"enable-unrestricted-ssl3-fallback";
diff --git a/net/http/http_network_transaction_ssl_unittest.cc b/net/http/http_network_transaction_ssl_unittest.cc
index bb21849..e16173e 100644
--- a/net/http/http_network_transaction_ssl_unittest.cc
+++ b/net/http/http_network_transaction_ssl_unittest.cc
@@ -132,9 +132,6 @@ TEST_F(HttpNetworkTransactionSSLTest, SSL3FallbackDisabled_Google) {
scoped_ptr<HttpNetworkTransaction> trans(
new HttpNetworkTransaction(DEFAULT_PRIORITY, session.get()));
- SSLConfig& ssl_config = GetServerSSLConfig(trans.get());
- ssl_config.unrestricted_ssl3_fallback_enabled = false;
-
TestCompletionCallback callback;
// This will consume only |ssl_data1|. |ssl_data2| will not be consumed.
int rv = callback.GetResult(
@@ -147,6 +144,7 @@ TEST_F(HttpNetworkTransactionSSLTest, SSL3FallbackDisabled_Google) {
// Confirms that only |ssl_data1| is consumed.
EXPECT_EQ(1u, mock_data.next_index());
+ SSLConfig& ssl_config = GetServerSSLConfig(trans.get());
// |version_max| never fallbacks to SSLv3 for Google properties.
EXPECT_EQ(SSL_PROTOCOL_VERSION_TLS1, ssl_config.version_max);
EXPECT_FALSE(ssl_config.version_fallback);
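Review bot: The assertions after the added `GetServerSSLConfig(trans.get())` line no longer state which fallback mode the test ran in. The paired hunk dropped the explicit `ssl_config.unrestricted_ssl3_fallback_enabled = false;`, so the test now depends on whatever the session's configuration supplies. Adding `EXPECT_FALSE(ssl_config.unrestricted_ssl3_fallback_enabled);` next to the `version_max` check would pin that precondition, so a later change of the default cannot make the test pass for the wrong reason. The same applies to SSL3FallbackDisabled_Paypal and SSLFallback in the following hunks; SSLFallback previously set the flag to true, so within the hunks shown here no test exercises the unrestricted path any more. The test bodies start and end outside these hunks.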
@@ -225,9 +223,6 @@ TEST_F(HttpNetworkTransactionSSLTest, SSL3FallbackDisabled_Paypal) {
scoped_ptr<HttpNetworkTransaction> trans(
new HttpNetworkTransaction(DEFAULT_PRIORITY, session.get()));
- SSLConfig& ssl_config = GetServerSSLConfig(trans.get());
- ssl_config.unrestricted_ssl3_fallback_enabled = false;
-
TestCompletionCallback callback;
// This will consume |ssl_data1| and |ssl_data2|.
int rv = callback.GetResult(
@@ -240,6 +235,7 @@ TEST_F(HttpNetworkTransactionSSLTest, SSL3FallbackDisabled_Paypal) {
// Confirms that both |ssl_data1| and |ssl_data2| are consumed.
EXPECT_EQ(2u, mock_data.next_index());
+ SSLConfig& ssl_config = GetServerSSLConfig(trans.get());
// |version_max| fallbacks to SSL 3.0.
EXPECT_EQ(SSL_PROTOCOL_VERSION_SSL3, ssl_config.version_max);
EXPECT_TRUE(ssl_config.version_fallback);
@@ -278,9 +274,6 @@ TEST_F(HttpNetworkTransactionSSLTest, SSLFallback) {
scoped_ptr<HttpNetworkTransaction> trans(
new HttpNetworkTransaction(DEFAULT_PRIORITY, session.get()));
- SSLConfig& ssl_config = GetServerSSLConfig(trans.get());
- ssl_config.unrestricted_ssl3_fallback_enabled = true;
-
TestCompletionCallback callback;
// This will consume |ssl_data1|, |ssl_data2| and |ssl_data3|.
int rv = callback.GetResult(
@@ -293,6 +286,7 @@ TEST_F(HttpNetworkTransactionSSLTest, SSLFallback) {
// Confirms that |ssl_data1|, |ssl_data2| and |ssl_data3| are consumed.
EXPECT_EQ(3u, mock_data.next_index());
+ SSLConfig& ssl_config = GetServerSSLConfig(trans.get());
// |version_max| fallbacks to SSL 3.0.
EXPECT_EQ(SSL_PROTOCOL_VERSION_SSL3, ssl_config.version_max);
EXPECT_TRUE(ssl_config.version_fallback);
diff --git a/net/http/transport_security_state_static.h b/net/http/transport_security_state_static.h
index c097618..60fe02b 100644
--- a/net/http/transport_security_state_static.h
+++ b/net/http/transport_security_state_static.h
@@ -436,6 +436,7 @@ static const struct HSTSPreload kPreloadedSTS[] = {
{15, true, "\002dl\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
{26, true, "\011translate\012googleapis\003com", true, kGooglePins, DOMAIN_GOOGLEAPIS_COM },
{23, true, "\005chart\004apis\006google\003com", false, kGooglePins, DOMAIN_GOOGLE_COM },
+ {28, true, "\012oraprodsso\004corp\006google\003com", true, kNoPins, DOMAIN_NOT_PINNED },
{11, true, "\005ytimg\003com", false, kGooglePins, DOMAIN_YTIMG_COM },
{23, true, "\021googleusercontent\003com", false, kGooglePins, DOMAIN_GOOGLEUSERCONTENT_COM },
{13, true, "\007youtube\003com", false, kGooglePins, DOMAIN_YOUTUBE_COM },
diff --git a/net/http/transport_security_state_static.json b/net/http/transport_security_state_static.json
index c3b7526..22254c0 100644
--- a/net/http/transport_security_state_static.json
+++ b/net/http/transport_security_state_static.json
@@ -207,6 +207,7 @@
// and there are lots of links out there that still use the name. The correct
// hostname for this is chart.googleapis.com.
{ "name": "chart.apis.google.com", "include_subdomains": true, "pins": "google" },
+ { "name": "oraprodsso.corp.google.com", "include_subdomains": true, "mode": "force-https" },
// Other Google-related domains that must use an acceptable certificate
// iff using SSL.
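Review bot: The new `oraprodsso.corp.google.com` entry has no comment explaining why a google.com host is listed as `"mode": "force-https"` without `"pins": "google"`, when the neighbouring Google entries are pinned. According to the switch comment in chrome_switches.cc, the SSL 3.0 fallback restriction applies to sites on the Google pin list, so this entry presumably exempts the host from both pinning and the fallback restriction. That is a deliberate weakening for one host and should be recorded next to the entry, for example `// Not pinned so that SSL 3.0 fallback still works for this host; remove once the server is fixed (<bug reference>).` It is also worth confirming that a subdomain exemption is really needed before keeping `"include_subdomains": true` here.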