Diffstat (limited to 'net')
-rw-r--r--net/base/ssl_config_service.h5
-rw-r--r--net/base/ssl_connection_status_flags.h31
-rw-r--r--net/base/ssl_info.h9
-rw-r--r--net/http/http_network_transaction.cc5
-rw-r--r--net/socket/ssl_client_socket_mac.cc4
-rw-r--r--net/socket/ssl_client_socket_nss.cc15
-rw-r--r--net/socket/ssl_client_socket_win.cc6
7 files changed, 72 insertions, 3 deletions
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index d195039..3f0f479 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -18,7 +18,8 @@ struct SSLConfig {
// Default to SSL 2.0 off, SSL 3.0 on, and TLS 1.0 on.
SSLConfig()
: rev_checking_enabled(true), ssl2_enabled(false), ssl3_enabled(true),
- tls1_enabled(true), send_client_cert(false), verify_ev_cert(false) {
+ tls1_enabled(true), ssl3_fallback(false), send_client_cert(false),
+ verify_ev_cert(false) {
}
bool rev_checking_enabled; // True if server certificate revocation
@@ -26,6 +27,8 @@ struct SSLConfig {
bool ssl2_enabled; // True if SSL 2.0 is enabled.
bool ssl3_enabled; // True if SSL 3.0 is enabled.
bool tls1_enabled; // True if TLS 1.0 is enabled.
+ bool ssl3_fallback; // True if we are falling back to SSL 3.0 (one still
+ // needs to clear tls1_enabled).
// TODO(wtc): move the following members to a new SSLParams structure. They
// are not SSL configuration settings.
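Review bot: The comment on the new ssl3_fallback member describes a two-field invariant (ssl3_fallback set implies tls1_enabled cleared) that nothing in the struct enforces, and it does not say which field the handshake code actually honours, so a reader cannot tell whether setting ssl3_fallback alone changes protocol selection. Suggest making the division of labour explicit, e.g. `// True if we are falling back to SSL 3.0 for a TLS-intolerant server.` followed by `// Informational only: the caller that sets it must also clear tls1_enabled,` and `// which is what actually restricts the handshake.` This commit also surfaces the same value through SSLInfo::connection_status, which is worth a pointer from here.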
diff --git a/net/base/ssl_connection_status_flags.h b/net/base/ssl_connection_status_flags.h
new file mode 100644
index 0000000..2618f57
--- /dev/null
+++ b/net/base/ssl_connection_status_flags.h
@@ -0,0 +1,31 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_SSL_CONNECTION_STATUS_FLAGS_H_
+#define NET_BASE_SSL_CONNECTION_STATUS_FLAGS_H_
+
+namespace net {
+
+// Status flags for SSLInfo::connection_status.
+enum {
+ // The lower 16 bits are reserved for the TLS ciphersuite id.
+ SSL_CONNECTION_CIPHERSUITE_SHIFT = 0,
+ SSL_CONNECTION_CIPHERSUITE_MASK = 0xffff,
+
+ // The next two bits are reserved for the compression used.
+ SSL_CONNECTION_COMPRESSION_SHIFT = 16,
+ SSL_CONNECTION_COMPRESSION_MASK = 3,
+
+ // We fell back to SSLv3 for this connection.
+ SSL_CONNECTION_SSL3_FALLBACK = 1 << 18,
+ // The server doesn't support the renegotiation_info extension.
+ SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION = 1 << 19,
+
+ // 1 << 31 (the sign bit) is reserved so that the SSL connection status will
+ // never be negative.
+};
+
+} // namespace net
+
+#endif // NET_BASE_SSL_CONNECTION_STATUS_FLAGS_H_
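Review bot: The two MASK values are pre-shift masks (SSL_CONNECTION_COMPRESSION_MASK is 3, not 3 << 16), but nothing in the header says whether a field is read as `(status >> SHIFT) & MASK` or `status & (MASK << SHIFT)`; a usage line above the enum such as `// Fields are read as (connection_status >> *_SHIFT) & *_MASK.` would settle it. Separately, SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION can only be set where the socket implementation queries the extension, which in this commit is the NSS socket alone (ssl_client_socket_nss.cc) and there only when SSL_HandshakeNegotiatedExtension succeeds, so a consumer must not read a clear bit as "the server supports renegotiation_info". Suggest documenting that at the flag: `// Only set by implementations that can query the extension; a clear bit` / `// means "not known to be missing", not "supported".`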
diff --git a/net/base/ssl_info.h b/net/base/ssl_info.h
index 3fe0ce4..280b497 100644
--- a/net/base/ssl_info.h
+++ b/net/base/ssl_info.h
@@ -16,12 +16,13 @@ namespace net {
// This is really a struct. All members are public.
class SSLInfo {
public:
- SSLInfo() : cert_status(0), security_bits(-1) { }
+ SSLInfo() : cert_status(0), security_bits(-1), connection_status(0) { }
void Reset() {
cert = NULL;
- security_bits = -1;
cert_status = 0;
+ security_bits = -1;
+ connection_status = 0;
}
bool is_valid() const { return cert != NULL; }
@@ -43,6 +44,10 @@ class SSLInfo {
// 0 means the connection is not encrypted.
// -1 means the security strength is unknown.
int security_bits;
+
+ // Bitmask of information about the SSL connection itself. See
+ // ssl_connection_status_flags.h for values.
+ int connection_status;
};
} // namespace net
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index fed8af8..1d58863 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -22,6 +22,7 @@
#include "net/base/net_errors.h"
#include "net/base/net_util.h"
#include "net/base/ssl_cert_request_info.h"
+#include "net/base/ssl_connection_status_flags.h"
#include "net/base/upload_data_stream.h"
#include "net/http/http_auth.h"
#include "net/http/http_auth_handler.h"
@@ -1084,9 +1085,13 @@ int HttpNetworkTransaction::DoSSLConnect() {
if (ContainsKey(*g_tls_intolerant_servers, GetHostAndPort(request_->url))) {
LOG(WARNING) << "Falling back to SSLv3 because host is TLS intolerant: "
<< GetHostAndPort(request_->url);
+ ssl_config_.ssl3_fallback = true;
ssl_config_.tls1_enabled = false;
}
+ UMA_HISTOGRAM_ENUMERATION("Net.ConnectionUsedSSLv3Fallback",
+ (int) ssl_config_.ssl3_fallback, 2);
+
if (request_->load_flags & LOAD_VERIFY_EV_CERT)
ssl_config_.verify_ev_cert = true;
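Review bot: The histogram sample `(int) ssl_config_.ssl3_fallback` uses a C-style cast, which Chromium style avoids, and it is spelled differently from the same idiom added to ssl_client_socket_nss.cc in this commit (`(int)peer_supports_renego_ext`). `ssl_config_.ssl3_fallback ? 1 : 0` states the bucket mapping directly and matches the enumeration boundary of 2 by construction; `static_cast<int>(ssl_config_.ssl3_fallback)` is the other acceptable form. DoSSLConnect begins and ends outside this hunk.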
diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc
index f1d2278..325df61 100644
--- a/net/socket/ssl_client_socket_mac.cc
+++ b/net/socket/ssl_client_socket_mac.cc
@@ -18,6 +18,7 @@
#include "net/base/net_errors.h"
#include "net/base/net_log.h"
#include "net/base/ssl_cert_request_info.h"
+#include "net/base/ssl_connection_status_flags.h"
#include "net/base/ssl_info.h"
// Welcome to Mac SSL. We've been waiting for you.
@@ -652,6 +653,9 @@ void SSLClientSocketMac::GetSSLInfo(SSLInfo* ssl_info) {
OSStatus status = SSLGetNegotiatedCipher(ssl_context_, &suite);
if (!status)
ssl_info->security_bits = KeySizeOfCipherSuite(suite);
+
+ if (ssl_config_.ssl3_fallback)
+ ssl_info->connection_status |= SSL_CONNECTION_SSL3_FALLBACK;
}
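Review bot: The new `|=` at the end of GetSSLInfo ORs into whatever the caller's SSLInfo already holds; the Windows socket in this same commit adds `ssl_info->Reset();` at the top of its GetSSLInfo, but the Mac version here and the NSS version (ssl_client_socket_nss.cc) do not, and because their opening lines are outside the hunks I cannot see whether they clear the struct elsewhere. If they do not, an SSLInfo reused across connections keeps a stale SSL_CONNECTION_SSL3_FALLBACK (or, for NSS, NO_RENEGOTIATION_EXTENSION) bit from a previous socket, which would misreport a downgrade that did not happen on this connection. Either add the same `ssl_info->Reset();` at entry or document that callers must pass a freshly reset SSLInfo. SSLClientSocketMac::GetSSLInfo starts before this hunk.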
void SSLClientSocketMac::GetSSLCertRequestInfo(
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 285499e..5226c56 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -60,6 +60,7 @@
#include <pk11pub.h>
#include "base/compiler_specific.h"
+#include "base/histogram.h"
#include "base/logging.h"
#include "base/nss_util.h"
#include "base/singleton.h"
@@ -70,6 +71,7 @@
#include "net/base/net_log.h"
#include "net/base/net_errors.h"
#include "net/base/ssl_cert_request_info.h"
+#include "net/base/ssl_connection_status_flags.h"
#include "net/base/ssl_info.h"
#include "net/base/sys_addrinfo.h"
#include "net/ocsp/nss_ocsp.h"
@@ -789,6 +791,19 @@ void SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
DCHECK(server_cert_ != NULL);
ssl_info->cert = server_cert_;
+ PRBool peer_supports_renego_ext;
+ ok = SSL_HandshakeNegotiatedExtension(nss_fd_, ssl_renegotiation_info_xtn,
+ &peer_supports_renego_ext);
+ if (ok == SECSuccess) {
+ if (!peer_supports_renego_ext)
+ ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
+ UMA_HISTOGRAM_ENUMERATION("Net.RenegotiationExtensionSupported",
+ (int)peer_supports_renego_ext, 2);
+ }
+
+ if (ssl_config_.ssl3_fallback)
+ ssl_info->connection_status |= SSL_CONNECTION_SSL3_FALLBACK;
+
LeaveFunction("");
}
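Review bot: `PRBool peer_supports_renego_ext;` is declared uninitialized and `ok` is reused from earlier in the function (its declaration is outside the hunk); both are safe as written only because the value is read solely under `ok == SECSuccess`, so `PRBool peer_supports_renego_ext = PR_FALSE;` is worth the keystrokes to keep a later reordering from reading an indeterminate value. The histogram sample `(int)peer_supports_renego_ext` should be `peer_supports_renego_ext ? 1 : 0` so it stays inside the enumeration boundary of 2 regardless of what non-zero value the library uses for true. When the query fails nothing is recorded at all, neither the flag nor the histogram, so the "supported" bucket and a silent failure are indistinguishable in the collected data; a comment saying the failure case is deliberately unrecorded, or a debug log on it, would make that intent visible. SSLClientSocketNSS::GetSSLInfo starts before this hunk.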
diff --git a/net/socket/ssl_client_socket_win.cc b/net/socket/ssl_client_socket_win.cc
index a0da5f4..9a4be48 100644
--- a/net/socket/ssl_client_socket_win.cc
+++ b/net/socket/ssl_client_socket_win.cc
@@ -17,6 +17,7 @@
#include "net/base/net_log.h"
#include "net/base/net_errors.h"
#include "net/base/ssl_cert_request_info.h"
+#include "net/base/ssl_connection_status_flags.h"
#include "net/base/ssl_info.h"
#pragma comment(lib, "secur32.lib")
@@ -335,6 +336,8 @@ SSLClientSocketWin::~SSLClientSocketWin() {
}
void SSLClientSocketWin::GetSSLInfo(SSLInfo* ssl_info) {
+ ssl_info->Reset();
+
if (!server_cert_)
return;
@@ -349,6 +352,9 @@ void SSLClientSocketWin::GetSSLInfo(SSLInfo* ssl_info) {
// normalized.
ssl_info->security_bits = connection_info.dwCipherStrength;
}
+
+ if (ssl_config_.ssl3_fallback)
+ ssl_info->connection_status |= SSL_CONNECTION_SSL3_FALLBACK;
}
void SSLClientSocketWin::GetSSLCertRequestInfo(