authorWolfgang Wiedmeyer <wolfgit@wiedmeyer.de>2015-09-27 23:06:40 +0200
committerWolfgang Wiedmeyer <wolfgit@wiedmeyer.de>2015-09-27 23:06:40 +0200
commit109c1679d462802b7abb241f4d42e25cffcbcd31 (patch)
tree3c0d3c220419fd64edc3b91215ce776c04935b78
parent657fb1c9269ce235b66a0f32c9bf0afc64fa7c77 (diff)
add tls1_1, tls1_2 settings, remove sslv3 fallback code, disable RC4
Change-Id: I9ab98fbeb040a4a2a0e8ba3c5e260f61303ed199
-rw-r--r--chrome/browser/net/ssl_config_service_manager_pref.cc14
-rw-r--r--net/base/ssl_config_service.cc8
-rw-r--r--net/base/ssl_config_service.h2
-rw-r--r--net/http/http_network_transaction.cc9
-rw-r--r--net/http/http_stream_factory_impl_job.cc4
-rw-r--r--net/socket/ssl_client_socket_openssl.cc10
6 files changed, 25 insertions, 22 deletions
diff --git a/chrome/browser/net/ssl_config_service_manager_pref.cc b/chrome/browser/net/ssl_config_service_manager_pref.cc
index 71e385b..fe31117 100644
--- a/chrome/browser/net/ssl_config_service_manager_pref.cc
+++ b/chrome/browser/net/ssl_config_service_manager_pref.cc
@@ -92,6 +92,8 @@ class SSLConfigServiceManagerPref
BooleanPrefMember rev_checking_enabled_;
BooleanPrefMember ssl3_enabled_;
BooleanPrefMember tls1_enabled_;
+ BooleanPrefMember tls1_1_enabled_;
+ BooleanPrefMember tls1_2_enabled_;
scoped_refptr<SSLConfigServicePref> ssl_config_service_;
@@ -114,6 +116,8 @@ SSLConfigServiceManagerPref::SSLConfigServiceManagerPref(
local_state, this);
ssl3_enabled_.Init(prefs::kSSL3Enabled, local_state, this);
tls1_enabled_.Init(prefs::kTLS1Enabled, local_state, this);
+ tls1_1_enabled_.Init(prefs::kTLS1_1Enabled, local_state, this);
+ tls1_2_enabled_.Init(prefs::kTLS1_2Enabled, local_state, this);
// Initialize from UI thread. This is okay as there shouldn't be anything on
// the IO thread trying to access it yet.
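Review bot: `prefs::kTLS1_1Enabled` and `prefs::kTLS1_2Enabled` are used here and again in the RegisterPrefs hunk below, but the six-file diffstat contains no change to the file that declares the `prefs::` constants, so this compiles only if those names are added in a separate commit. If they are not, both the constructor and RegisterPrefs fail to build; the declarations should land in the same change as their first use. The constructor body continues outside the hunk.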
@@ -135,6 +139,14 @@ void SSLConfigServiceManagerPref::RegisterPrefs(PrefService* prefs) {
prefs->RegisterBooleanPref(prefs::kTLS1Enabled,
default_config.tls1_enabled);
}
+ if (!prefs->FindPreference(prefs::kTLS1_1Enabled)) {
+ prefs->RegisterBooleanPref(prefs::kTLS1_1Enabled,
+ default_config.tls1_1_enabled);
+ }
+ if (!prefs->FindPreference(prefs::kTLS1_2Enabled)) {
+ prefs->RegisterBooleanPref(prefs::kTLS1_2Enabled,
+ default_config.tls1_2_enabled);
+ }
}
// static
@@ -194,6 +206,8 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
config->rev_checking_enabled = rev_checking_enabled_.GetValue();
config->ssl3_enabled = ssl3_enabled_.GetValue();
config->tls1_enabled = tls1_enabled_.GetValue();
+ config->tls1_1_enabled = tls1_1_enabled_.GetValue();
+ config->tls1_2_enabled = tls1_2_enabled_.GetValue();
SSLConfigServicePref::SetSSLConfigFlags(config);
}
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index 4867681..1939458 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -14,8 +14,8 @@ SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {}
SSLConfig::CertAndStatus::~CertAndStatus() {}
SSLConfig::SSLConfig()
- : rev_checking_enabled(true), ssl3_enabled(true),
- tls1_enabled(true), dnssec_enabled(false),
+ : rev_checking_enabled(true), ssl3_enabled(false),
+ tls1_enabled(true),tls1_1_enabled(true), tls1_2_enabled(true), dnssec_enabled(false),
dns_cert_provenance_checking_enabled(false),
false_start_enabled(true),
send_client_cert(false), verify_ev_cert(false), ssl3_fallback(false) {
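Review bot: The initializer line `tls1_enabled(true),tls1_1_enabled(true), tls1_2_enabled(true), dnssec_enabled(false),` is missing a space after the first comma and appears to exceed the column width the surrounding lines keep to; put the new initializers on their own line, `tls1_enabled(true), tls1_1_enabled(true), tls1_2_enabled(true),` followed by `dnssec_enabled(false),`. The order does match the member order added in ssl_config_service.h, so no reorder warning is expected. Note also that `ssl3_enabled` now defaults to false, a behavior change for every caller that never sets the pref, which the commit title does not mention. The constructor body continues outside the hunk.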
@@ -110,7 +110,9 @@ void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
const SSLConfig& new_config) {
if (orig_config.rev_checking_enabled != new_config.rev_checking_enabled ||
orig_config.ssl3_enabled != new_config.ssl3_enabled ||
- orig_config.tls1_enabled != new_config.tls1_enabled) {
+ orig_config.tls1_enabled != new_config.tls1_enabled ||
+ orig_config.tls1_1_enabled != new_config.tls1_1_enabled ||
+ orig_config.tls1_2_enabled != new_config.tls1_2_enabled) {
FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged());
}
}
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index efe87f6..84be086 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -31,6 +31,8 @@ struct NET_EXPORT SSLConfig {
// SSL 2.0 is not supported.
bool ssl3_enabled; // True if SSL 3.0 is enabled.
bool tls1_enabled; // True if TLS 1.0 is enabled.
+ bool tls1_1_enabled; // True if TLS 1.1 is enabled.
+ bool tls1_2_enabled; // True if TLS 1.2 is enabled.
bool dnssec_enabled; // True if we'll accept DNSSEC chains in certificates.
// True if we'll do async checks for certificate provenance using DNS.
bool dns_cert_provenance_checking_enabled;
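Review bot: Nothing documents that at least one of `ssl3_enabled`, `tls1_enabled`, `tls1_1_enabled` and `tls1_2_enabled` must remain true; with four independent booleans a pref combination can disable every protocol version, which in ssl_client_socket_openssl.cc turns into every SSL_OP_NO_* flag being set and no handshake able to succeed. Add a comment on the group, e.g. `// At least one protocol version must stay enabled; the socket layer does not check this.`, or validate the combination where the prefs are read in SSLConfigServiceManagerPref::GetSSLConfigFromPrefs. The struct definition continues outside the hunk.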
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index 7f0ac4f..6018e63 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -1164,15 +1164,6 @@ int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
case ERR_SSL_VERSION_OR_CIPHER_MISMATCH:
case ERR_SSL_DECOMPRESSION_FAILURE_ALERT:
case ERR_SSL_BAD_RECORD_MAC_ALERT:
- if (ssl_config_.tls1_enabled) {
- // This could be a TLS-intolerant server, an SSL 3.0 server that
- // chose a TLS-only cipher suite or a server with buggy DEFLATE
- // support. Turn off TLS 1.0, DEFLATE support and retry.
- session_->http_stream_factory()->AddTLSIntolerantServer(
- HostPortPair::FromURL(request_->url));
- ResetConnectionAndRequestForResend();
- error = OK;
- }
break;
}
return error;
diff --git a/net/http/http_stream_factory_impl_job.cc b/net/http/http_stream_factory_impl_job.cc
index 401ba7d..c2a1f0b 100644
--- a/net/http/http_stream_factory_impl_job.cc
+++ b/net/http/http_stream_factory_impl_job.cc
@@ -862,10 +862,8 @@ void HttpStreamFactoryImpl::Job::InitSSLConfig(
const HostPortPair& origin_server,
SSLConfig* ssl_config) const {
if (stream_factory_->IsTLSIntolerantServer(origin_server)) {
- LOG(WARNING) << "Falling back to SSLv3 because host is TLS intolerant: "
+ LOG(WARNING) << "Not falling back to SSLv3 just because host is TLS intolerant: "
<< origin_server.ToString();
- ssl_config->ssl3_fallback = true;
- ssl_config->tls1_enabled = false;
}
if (proxy_info_.is_https() && ssl_config->send_client_cert) {
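Review bot: With the two assignments removed, the `if (stream_factory_->IsTLSIntolerantServer(origin_server))` block only logs, and the new text `Not falling back to SSLv3 just because host is TLS intolerant` reads as a note to the reviewer rather than a diagnostic. Since this commit also removes the AddTLSIntolerantServer call in http_network_transaction.cc, the intolerant-server set is probably never populated any more (unless another caller exists outside the diff), so the block can likely be deleted outright; if it is kept, reword it to `LOG(WARNING) << "Host is marked TLS intolerant; no SSLv3 fallback: "`. InitSSLConfig continues outside the hunk.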
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 5668c8a..fb05bf3 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -447,12 +447,8 @@ bool SSLClientSocketOpenSSL::Init() {
options.ConfigureFlag(SSL_OP_NO_SSLv2, true);
options.ConfigureFlag(SSL_OP_NO_SSLv3, !ssl_config_.ssl3_enabled);
options.ConfigureFlag(SSL_OP_NO_TLSv1, !ssl_config_.tls1_enabled);
-#ifdef SSL_OP_NO_TLSv1_1
- options.ConfigureFlag(SSL_OP_NO_TLSv1_1, true);
-#endif
-#ifdef SSL_OP_NO_TLSv1_2
- options.ConfigureFlag(SSL_OP_NO_TLSv1_2, true);
-#endif
+ options.ConfigureFlag(SSL_OP_NO_TLSv1_1, !ssl_config_.tls1_1_enabled);
+ options.ConfigureFlag(SSL_OP_NO_TLSv1_2, !ssl_config_.tls1_2_enabled);
#if defined(SSL_OP_NO_COMPRESSION)
// If TLS was disabled also disable compression, to provide maximum site
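Review bot: Dropping the `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2` guards makes Init() fail to compile against an OpenSSL that predates those options; the guards existed for exactly that build, and making the flag value pref-driven does not change it. Keep the conditional compilation around the two new ConfigureFlag calls, and check whether the compression condition introduced by the comment on the last line ("If TLS was disabled also disable compression") still keys only on tls1_enabled now that 1.1 and 1.2 are separately controllable; that condition is outside the hunk. Init() continues outside the hunk.
```cpp
  options.ConfigureFlag(SSL_OP_NO_TLSv1, !ssl_config_.tls1_enabled);
#ifdef SSL_OP_NO_TLSv1_1
  options.ConfigureFlag(SSL_OP_NO_TLSv1_1, !ssl_config_.tls1_1_enabled);
#endif
#ifdef SSL_OP_NO_TLSv1_2
  options.ConfigureFlag(SSL_OP_NO_TLSv1_2, !ssl_config_.tls1_2_enabled);
#endif
  // … unchanged: compression handling …
```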
@@ -498,7 +494,7 @@ bool SSLClientSocketOpenSSL::Init() {
DCHECK(ciphers);
// See SSLConfig::disabled_cipher_suites for description of the suites
// disabled by default.
- std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA");
+ std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA:!RC4");
// Walk through all the installed ciphers, seeing if any need to be
// appended to the cipher removal |command|.
for (int i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {
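Review bot: The comment above `std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA:!RC4")` still directs readers to SSLConfig::disabled_cipher_suites for the suites disabled by default, but the RC4 exclusion is hardcoded in the string and not expressed through that list, so no pref can re-enable it and nothing explains why. Extend the comment, e.g. `// RC4 is excluded unconditionally here (RFC 7465 prohibits it) rather than via disabled_cipher_suites.` The cipher loop that begins on the last line continues outside the hunk.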