diff options
Diffstat (limited to 'components/policy/resources/policy_templates.json')
| -rw-r--r-- | components/policy/resources/policy_templates.json | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json index 1a29191..835015f 100644 --- a/components/policy/resources/policy_templates.json +++ b/components/policy/resources/policy_templates.json @@ -6760,6 +6760,63 @@ Note that, despite the number, "sslv3" is an earier version than "tls1".''', }, + { + 'name': 'SSLVersionFallbackMin', + 'type': 'string-enum', + 'schema': { + 'type': 'string', + 'enum': [ + 'ssl3', + 'tls1', + 'tls1.1', + 'tls1.2', + ], + }, + 'items': [ + { + 'name': 'SSLv3', + 'value': 'ssl3', + 'caption': 'SSL 3.0', + }, + { + 'name': 'TLSv1', + 'value': 'tls1', + 'caption': 'TLS 1.0', + }, + { + 'name': 'TLSv1.1', + 'value': 'tls1.1', + 'caption': 'TLS 1.1', + }, + { + 'name': 'TLSv1.2', + 'value': 'tls1.2', + 'caption': 'TLS 1.2', + }, + ], + 'supported_on': [ + 'chrome.*:39-', + 'chrome_os:39-', + 'android:39-', + 'ios:39-', + ], + 'features': { + 'dynamic_refresh': True, + 'per_profile': False, + }, + 'example_value': 'tls1', + 'id': 280, + 'caption': '''Minimum SSL version to fallback to''', + 'desc': '''When an SSL/TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will retry the connection with a lesser version of SSL/TLS in order to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly then this setting doesn't apply and SSLVersionMin controls. + + If this policy is not configured then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use a default minimum version, which was SSLv3 in Chrome 38 but is TLS 1.0 in Chrome 39. + + Otherwise it may be set to one of the following values: "sslv3", "tls1", "tls1.1" or "tls1.2". A setting of "tls1" protects against attacks on SSLv3 but is already the default. A more likely situation is that compatibility with a buggy server must be maintained and thus this needs to be set to "sslv3". That potentially opens up all connections to SSLv3 attacks since a network attacker can induce fallbacks. Thus this is a stopgap measure and the server should be rapidly fixed. + + A setting of "tls1.2" disables all fallback but this may have a significant compatibility impact. + + Note that, despite the number, "sslv3" is an earier version than "tls1".''', + }, ], 'messages': { # Messages that are not associated to any policies. |