Diffstat (limited to 'net/base')
-rw-r--r-- | net/base/ssl_config_service.h | 19 | ||||
-rw-r--r-- | net/base/ssl_config_service_mac.cc | 2 | ||||
-rw-r--r-- | net/base/ssl_config_service_win.cc | 7 |
3 files changed, 28 insertions, 0 deletions
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index be50097..0639f48 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -8,6 +8,7 @@
 #include <vector>
 
+#include "base/basictypes.h"
 #include "base/observer_list.h"
 #include "base/ref_counted.h"
 #include "net/base/x509_certificate.h"
 
@@ -31,6 +32,24 @@ struct SSLConfig {
   // True if we'll do async checks for certificate provenance using DNS.
   bool dns_cert_provenance_checking_enabled;
 
+  // Cipher suites which should be explicitly prevented from being used. By
+  // default, all cipher suites supported by the underlying SSL implementation
+  // will be enabled, except for:
+  // - Null encryption cipher suites.
+  // - Weak cipher suites: < 80 bits of security strength.
+  // - FORTEZZA cipher suites (obsolete).
+  // - IDEA cipher suites (RFC 5469 explains why).
+  // - Anonymous cipher suites.
+  //
+  // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in
+  // big-endian form, they should be declared in host byte order, with the
+  // first uint8 occupying the most significant byte.
+  // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
+  // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
+  //
+  // TODO(rsleevi): Not implemented when using OpenSSL or Schannel.
+  std::vector<uint16> disabled_cipher_suites;
+
   // True if we allow this connection to be MITM attacked. This sounds a little
   // worse than it is: large networks sometimes MITM attack all SSL connections
   // on egress. We want to know this because we might not have the end-to-end
diff --git a/net/base/ssl_config_service_mac.cc b/net/base/ssl_config_service_mac.cc
index 2ce1d5c..148bba4 100644
--- a/net/base/ssl_config_service_mac.cc
+++ b/net/base/ssl_config_service_mac.cc
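Review bot: The comment on `disabled_cipher_suites` should spell out the consequence of its own TODO: on OpenSSL and Schannel the list is ignored, so a caller that adds a suite here may still see that suite negotiated, and nothing in this struct signals that. Suggest appending after the TODO line `// On those backends the list is silently ignored; callers must not treat a listed suite as guaranteed to be excluded.` It would also help to say what happens to an ID the backend does not recognize (presumably ignored — worth confirming against the NSS implementation), since the host-byte-order encoding makes a byte-swapped value an easy mistake. The default-exclusion bullets (null, < 80-bit, FORTEZZA, IDEA, anonymous) describe the backend's behavior rather than anything this struct enforces, so phrasing them as what the SSL implementation is expected to disable would keep the header accurate. The enclosing `struct SSLConfig` starts before and ends after the hunk.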
@@ -97,6 +97,8 @@ bool SSLConfigServiceMac::GetSSLConfigNow(SSLConfig* config) {
                                         kTLS1EnabledDefaultValue);
   SSLConfigService::SetSSLConfigFlags(config);
 
+  // TODO(rsleevi): http://crbug.com/58831 - Implement preferences for
+  // disabling cipher suites.
   return true;
 }
 
diff --git a/net/base/ssl_config_service_win.cc b/net/base/ssl_config_service_win.cc
index debea7d..d4153c3 100644
--- a/net/base/ssl_config_service_win.cc
+++ b/net/base/ssl_config_service_win.cc
@@ -82,6 +82,13 @@ bool SSLConfigServiceWin::GetSSLConfigNow(SSLConfig* config) {
   config->tls1_enabled = ((protocols & TLS1) != 0);
   SSLConfigService::SetSSLConfigFlags(config);
 
+  // TODO(rsleevi): Possibly respect the registry keys defined in
+  // http://support.microsoft.com/kb/245030 (pre-Vista) or
+  // http://msdn.microsoft.com/en-us/library/bb870930(VS.85).aspx (post-Vista).
+  // Currently, these values are respected implicitly when using
+  // SSLClientSocketWin, but they do not propogate to SSLClientSocketNSS
+  // because we're not currently translating the keys.
+
   return true;
 }
 
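Review bot: The new comment in ssl_config_service_win.cc misspells "propagate" as `propogate` on its fifth line; it should read `// SSLClientSocketWin, but they do not propagate to SSLClientSocketNSS`. Unlike the matching TODO added to ssl_config_service_mac.cc, this one cites no tracking bug; if http://crbug.com/58831 also covers cipher-suite preferences on this platform, opening with `// TODO(rsleevi): http://crbug.com/58831 - Possibly respect the registry keys defined in` keeps the two comments consistent and findable. The comment also records a real gap — an administrator's registry cipher policy is honored by SSLClientSocketWin but not by SSLClientSocketNSS — and stating that gap explicitly, rather than only as a key-translation detail, would scope the eventual fix correctly. GetSSLConfigNow's body begins before the hunk.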