-rw-r--r-- | chrome/browser/net/ssl_config_service_manager_pref.cc | 5 | ||||
-rw-r--r-- | chrome/browser/net/ssl_config_service_manager_pref_unittest.cc | 11 | ||||
-rw-r--r-- | net/socket/ssl_client_socket.h | 4 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 13 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_openssl.cc | 5 |
5 files changed, 31 insertions, 7 deletions
diff --git a/chrome/browser/net/ssl_config_service_manager_pref.cc b/chrome/browser/net/ssl_config_service_manager_pref.cc
index 2ce8e9a..decd895 100644
--- a/chrome/browser/net/ssl_config_service_manager_pref.cc
+++ b/chrome/browser/net/ssl_config_service_manager_pref.cc
@@ -20,6 +20,7 @@
 #include "components/content_settings/core/browser/content_settings_utils.h"
 #include "components/content_settings/core/common/content_settings.h"
 #include "content/public/browser/browser_thread.h"
+#include "net/socket/ssl_client_socket.h"
 #include "net/ssl/ssl_cipher_suite_names.h"
 #include "net/ssl/ssl_config_service.h"
 
@@ -261,7 +262,7 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
   std::string version_max_str = ssl_version_max_.GetValue();
   std::string version_fallback_min_str = ssl_version_fallback_min_.GetValue();
   config->version_min = net::kDefaultSSLVersionMin;
-  config->version_max = net::kDefaultSSLVersionMax;
+  config->version_max = net::SSLClientSocket::GetMaxSupportedSSLVersion();
   config->version_fallback_min = net::kDefaultSSLVersionFallbackMin;
   uint16 version_min = SSLProtocolVersionFromString(version_min_str);
   uint16 version_max = SSLProtocolVersionFromString(version_max_str);
@@ -276,8 +277,6 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
     }
   }
   if (version_max) {
-    // TODO(wtc): get the maximum SSL protocol version supported by the
-    // SSLClientSocket class.
     uint16 supported_version_max = config->version_max;
     config->version_max = std::min(supported_version_max, version_max);
   }
diff --git a/chrome/browser/net/ssl_config_service_manager_pref_unittest.cc b/chrome/browser/net/ssl_config_service_manager_pref_unittest.cc
index 366a529..f0a413c 100644
--- a/chrome/browser/net/ssl_config_service_manager_pref_unittest.cc
+++ b/chrome/browser/net/ssl_config_service_manager_pref_unittest.cc
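Review bot: In the @@ -261 hunk `config->version_max` now comes from a runtime query, but the next line still assigns the fixed `net::kDefaultSSLVersionFallbackMin` with no relation enforced between the two; on an NSS build where the query reports TLS 1.1, a fallback floor constant at TLS 1.2 (its value is not visible here) would sit above `version_max`, which in practice disables fallback rather than enabling it. That may well be the intended outcome, but it is no longer obvious from the code, so a comment on the assignment should state it, e.g. `// The default ceiling is a runtime property of the TLS library; prefs may only lower it. version_fallback_min is intentionally not clamped to it.` Likewise, whether a `version_min` pref above the lowered ceiling is rejected is decided by code outside this hunk and deserves a check or a comment at the `if (version_max)` clamp. GetSSLConfigFromPrefs begins before and continues after the visible lines.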
@@ -18,6 +18,7 @@
 #include "components/content_settings/core/browser/host_content_settings_map.h"
 #include "components/content_settings/core/common/content_settings.h"
 #include "content/public/test/test_browser_thread.h"
+#include "net/socket/ssl_client_socket.h"
 #include "net/ssl/ssl_config_service.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -127,7 +128,7 @@ TEST_F(SSLConfigServiceManagerPrefTest, BadDisabledCipherSuites) {
 }
 
 // Test that without command-line settings for minimum and maximum SSL versions,
-// TLS 1.0 ~ kDefaultSSLVersionMax are enabled.
+// TLS versions from 1.0 up to 1.1 or 1.2 are enabled.
 TEST_F(SSLConfigServiceManagerPrefTest, NoCommandLinePrefs) {
   scoped_refptr<TestingPrefStore> local_state_store(new TestingPrefStore());
 
@@ -146,10 +147,12 @@ TEST_F(SSLConfigServiceManagerPrefTest, NoCommandLinePrefs) {
   SSLConfig ssl_config;
   config_service->GetSSLConfig(&ssl_config);
 
-  // The default value in the absence of command-line options is that
-  // SSL 3.0 ~ kDefaultSSLVersionMax are enabled.
+  // In the absence of command-line options, TLS versions from 1.0 up to 1.1 or
+  // 1.2 (depending on the underlying library and cryptographic implementation)
+  // are enabled.
   EXPECT_EQ(net::SSL_PROTOCOL_VERSION_TLS1, ssl_config.version_min);
-  EXPECT_EQ(net::kDefaultSSLVersionMax, ssl_config.version_max);
+  EXPECT_EQ(net::SSLClientSocket::GetMaxSupportedSSLVersion(),
+            ssl_config.version_max);
 
   // The settings should not be added to the local_state.
   EXPECT_FALSE(local_state->HasPrefPath(prefs::kSSLVersionMin));
diff --git a/net/socket/ssl_client_socket.h b/net/socket/ssl_client_socket.h
index 7adfa8c..af4f3ba 100644
--- a/net/socket/ssl_client_socket.h
+++ b/net/socket/ssl_client_socket.h
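Review bot: The new expectation at the end of the @@ -146 hunk compares `ssl_config.version_max` against the same `GetMaxSupportedSSLVersion()` call that produced it, so the assertion would still pass if that function returned an out-of-range value; the hunk's own comment promises 1.1 or 1.2, so the test should pin that range as well: `EXPECT_GE(ssl_config.version_max, net::SSL_PROTOCOL_VERSION_TLS1_1);` and `EXPECT_LE(ssl_config.version_max, net::SSL_PROTOCOL_VERSION_TLS1_2);` next to the existing equality. The NoCommandLinePrefs test body continues outside the hunk.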
@@ -149,6 +149,10 @@ class NET_EXPORT SSLClientSocket : public SSLSocket {
   // sessions.
   static void ClearSessionCache();
 
+  // Get the maximum SSL version supported by the underlying library and
+  // cryptographic implementation.
+  static uint16 GetMaxSupportedSSLVersion();
+
   virtual bool set_was_npn_negotiated(bool negotiated);
   virtual bool was_spdy_negotiated() const;
 
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 7eef078..1319e4b 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -2853,6 +2853,19 @@ void SSLClientSocket::ClearSessionCache() {
   SSL_ClearSessionCache();
 }
 
+#if !defined(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)
+#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
+#endif
+
+// static
+uint16 SSLClientSocket::GetMaxSupportedSSLVersion() {
+  if (PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) {
+    return SSL_PROTOCOL_VERSION_TLS1_2;
+  } else {
+    return SSL_PROTOCOL_VERSION_TLS1_1;
+  }
+}
+
 bool SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
   EnterFunction("");
   ssl_info->Reset();
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 2e8ba87..b417e13 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -344,6 +344,11 @@ void SSLClientSocket::ClearSessionCache() {
   context->session_cache()->Flush();
 }
 
+// static
+uint16 SSLClientSocket::GetMaxSupportedSSLVersion() {
+  return SSL_PROTOCOL_VERSION_TLS1_2;
+}
+
 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
     scoped_ptr<ClientSocketHandle> transport_socket,
     const HostPortPair& host_and_port,
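Review bot: The comment on the new `GetMaxSupportedSSLVersion()` declaration in the header hunk does not say that the value is computed at call time and can differ between builds and runtime environments, which is exactly what makes it different from the constant it replaces and is what a caller tempted to cache it needs to know. Suggest expanding it to: `// Returns the highest SSL/TLS version that the underlying library and its cryptographic implementation can negotiate. Determined at call time (it can depend on which crypto modules are loaded), so do not cache it statically; it may be lower than the highest version this class knows about.` The SSLClientSocket class body continues outside the hunk.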
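Review bot: In the ssl_client_socket_nss.cc hunk the fallback `#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)` hard-codes a mechanism number that belongs to NSS's own pkcs11n.h, and nothing records where it came from or why only this one mechanism is probed; a comment such as `// Mirrors the value in NSS's pkcs11n.h for builds against older headers; probing this mechanism tells us whether the token has the SHA-256 TLS 1.2 PRF, without which a TLS 1.2 handshake cannot complete, so we advertise TLS 1.1 as the ceiling.` makes the downgrade decision auditable when the system NSS is bumped. `PK11_TokenExists()` is also re-evaluated on every call, and this CL routes every `GetSSLConfigFromPrefs()` through it; if that turns out to be a hot path, any memoization would need a note on when the cached answer becomes stale, since a module loaded later can change the result. Minor style: the `else` after `return SSL_PROTOCOL_VERSION_TLS1_2;` can be dropped.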