Diffstat (limited to 'net/socket')
-rw-r--r-- | net/socket/ssl_client_socket_mac.cc | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 11 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_openssl.cc | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_win.cc | 13 |
4 files changed, 9 insertions, 19 deletions
diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc
index 7c5445f..fb0c26e 100644
--- a/net/socket/ssl_client_socket_mac.cc
+++ b/net/socket/ssl_client_socket_mac.cc
@@ -769,7 +769,7 @@ int SSLClientSocketMac::InitializeSSLContext() {
 status = SSLSetProtocolVersionEnabled(ssl_context_,
 kSSLProtocol2,
- ssl_config_.ssl2_enabled);
+ false);
 if (status)
 return NetErrorFromOSStatus(status);
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index b9c6dff..fff4352 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -685,19 +685,14 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
 return ERR_UNEXPECTED;
 }
- rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SSL2, ssl_config_.ssl2_enabled);
+ rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SSL2, PR_FALSE);
 if (rv != SECSuccess) {
 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_SSL2");
 return ERR_UNEXPECTED;
 }
- // SNI is enabled automatically if TLS is enabled -- as long as
- // SSL_V2_COMPATIBLE_HELLO isn't.
- // So don't do V2 compatible hellos unless we're really using SSL2,
- // to avoid errors like
- // "common name `mail.google.com' != requested host name `gmail.com'"
- rv = SSL_OptionSet(nss_fd_, SSL_V2_COMPATIBLE_HELLO,
- ssl_config_.ssl2_enabled);
+ // Don't do V2 compatible hellos because they don't support TLS extensions.
+ rv = SSL_OptionSet(nss_fd_, SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
 if (rv != SECSuccess) {
 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_V2_COMPATIBLE_HELLO");
 return ERR_UNEXPECTED;
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 9aaca41..b57d6ee 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
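Review bot: `SSLSetProtocolVersionEnabled(ssl_context_, kSSLProtocol2, false)` now hard-disables SSL 2.0 on this backend, but nothing at the call site says so, and `ssl_config_.ssl2_enabled` remains a live field that this hunk, the NSS hunk (`SSL_ENABLE_SSL2`, `SSL_V2_COMPATIBLE_HELLO`), the OpenSSL hunk (`SSL_OP_NO_SSLv2`) and the Windows hunks all stop reading. A caller that sets ssl2_enabled = true, for instance a compatibility fallback path elsewhere in net/, is now silently ignored rather than rejected, so either the field should be dropped from the config struct behind `ssl_config_` in a follow-up or each backend should state the policy once; suggested comment above the call: `// SSL 2.0 is always disabled here, regardless of ssl_config_.ssl2_enabled.` The status check on the following lines is unchanged. InitializeSSLContext continues outside the hunk.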
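Review bot: The replacement comment above the `SSL_V2_COMPATIBLE_HELLO` call drops the concrete consequence the old one documented — a V2-compatible hello cannot carry SNI, so virtual hosts present the wrong certificate and the handshake fails on a name mismatch — which is exactly what a maintainer tempted to re-enable it would need to know. Suggest `// Don't do V2 compatible hellos: they cannot carry TLS extensions, so SNI would be lost and virtual hosts would present the wrong certificate.` Both `SSL_OptionSet` calls now pass `PR_FALSE` irrespective of `ssl_config_.ssl2_enabled`, consistent with the other backends in this commit. InitializeSSLOptions continues outside the hunk.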
@@ -267,7 +267,7 @@ bool SSLClientSocketOpenSSL::Init() {
 // set everything we care about to an absolute value.
 long set_mask = 0;
 long clear_mask = 0;
- SET_SSL_CONFIG_OPTION(SSL_OP_NO_SSLv2, !ssl_config_.ssl2_enabled);
+ SET_SSL_CONFIG_OPTION(SSL_OP_NO_SSLv2, true);
 SET_SSL_CONFIG_OPTION(SSL_OP_NO_SSLv3, !ssl_config_.ssl3_enabled);
 SET_SSL_CONFIG_OPTION(SSL_OP_NO_TLSv1, !ssl_config_.tls1_enabled);
diff --git a/net/socket/ssl_client_socket_win.cc b/net/socket/ssl_client_socket_win.cc
index 1faeb7a..fbe4913 100644
--- a/net/socket/ssl_client_socket_win.cc
+++ b/net/socket/ssl_client_socket_win.cc
@@ -110,12 +110,11 @@ static int MapSecurityError(SECURITY_STATUS err) {
 //-----------------------------------------------------------------------------
 // A bitmask consisting of these bit flags encodes which versions of the SSL
-// protocol (SSL 2.0, SSL 3.0, and TLS 1.0) are enabled.
+// protocol (SSL 3.0 and TLS 1.0) are enabled.
 enum {
- SSL2 = 1 << 0,
- SSL3 = 1 << 1,
- TLS1 = 1 << 2,
- SSL_VERSION_MASKS = 1 << 3 // The number of SSL version bitmasks.
+ SSL3 = 1 << 0,
+ TLS1 = 1 << 1,
+ SSL_VERSION_MASKS = 1 << 2 // The number of SSL version bitmasks.
 };
 // CredHandleClass simply gives a default constructor and a destructor to
@@ -210,8 +209,6 @@ int CredHandleTable::InitializeHandle(CredHandle* handle,
 // The global system registry settings take precedence over the value of
 // schannel_cred.grbitEnabledProtocols.
 schannel_cred.grbitEnabledProtocols = 0;
- if (ssl_version_mask & SSL2)
- schannel_cred.grbitEnabledProtocols |= SP_PROT_SSL2;
 if (ssl_version_mask & SSL3)
 schannel_cred.grbitEnabledProtocols |= SP_PROT_SSL3;
 if (ssl_version_mask & TLS1)
@@ -560,8 +557,6 @@ int SSLClientSocketWin::Connect(CompletionCallback* callback) {
 int SSLClientSocketWin::InitializeSSLContext() {
 int ssl_version_mask = 0;
- if (ssl_config_.ssl2_enabled)
- ssl_version_mask |= SSL2;
 if (ssl_config_.ssl3_enabled)
 ssl_version_mask |= SSL3;
 if (ssl_config_.tls1_enabled)
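Review bot: `SET_SSL_CONFIG_OPTION(SSL_OP_NO_SSLv2, true)` with a literal is an odd use of a macro whose two sibling calls are config-driven; if the macro (defined outside the hunk) only routes the flag into set_mask or clear_mask, a plain `set_mask |= SSL_OP_NO_SSLv2;  // SSL 2.0 is never enabled.` makes the fixed policy visible at a glance. It is also worth recording here, as the NSS hunk does for `SSL_V2_COMPATIBLE_HELLO`, that — as far as I recall — the SSLv23 client only sends a version-3 ClientHello, and therefore extensions such as SNI, once SSLv2 is excluded, so the two backends document the same rationale. Init() continues outside the hunk.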
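Review bot: With the `SP_PROT_SSL2` branch removed, `schannel_cred.grbitEnabledProtocols` stays at 0 whenever `ssl_version_mask` has neither SSL3 nor TLS1 set, and Schannel treats a zero value as "use the default protocols" rather than "no protocols"; which versions that default contains depends on the OS version and registry, so dropping the branch does not by itself guarantee that a version this code no longer lists is never negotiated. The mask is built in InitializeSSLContext in the last hunk and is empty when both remaining config flags are off, so a guard before the field is filled, e.g. `if (ssl_version_mask == 0) return ERR_UNEXPECTED;` (the error the other backends in this commit use for setup failures), closes that gap. The comment about registry settings taking precedence should probably also state that 0 means "system defaults", not "none". InitializeHandle starts outside the hunk.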