Diffstat (limited to 'net')
-rw-r--r-- | net/base/ssl_config_service.cc | 8 | ||||
-rw-r--r-- | net/base/ssl_config_service.h | 2 | ||||
-rw-r--r-- | net/http/http_network_transaction.cc | 9 | ||||
-rw-r--r-- | net/http/http_stream_factory_impl_job.cc | 4 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_openssl.cc | 10 |
5 files changed, 11 insertions, 22 deletions
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index 4867681..1939458 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -14,8 +14,8 @@ SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {}
 SSLConfig::CertAndStatus::~CertAndStatus() {}
 SSLConfig::SSLConfig()
-    : rev_checking_enabled(true), ssl3_enabled(true),
-      tls1_enabled(true), dnssec_enabled(false),
+    : rev_checking_enabled(true), ssl3_enabled(false),
+      tls1_enabled(true),tls1_1_enabled(true), tls1_2_enabled(true), dnssec_enabled(false),
       dns_cert_provenance_checking_enabled(false), false_start_enabled(true),
       send_client_cert(false), verify_ev_cert(false), ssl3_fallback(false) {
@@ -110,7 +110,9 @@ void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
                                            const SSLConfig& new_config) {
   if (orig_config.rev_checking_enabled != new_config.rev_checking_enabled ||
       orig_config.ssl3_enabled != new_config.ssl3_enabled ||
-      orig_config.tls1_enabled != new_config.tls1_enabled) {
+      orig_config.tls1_enabled != new_config.tls1_enabled ||
+      orig_config.tls1_1_enabled != new_config.tls1_1_enabled ||
+      orig_config.tls1_2_enabled != new_config.tls1_2_enabled) {
     FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged());
   }
 }
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index efe87f6..84be086 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -31,6 +31,8 @@ struct NET_EXPORT SSLConfig {
   // SSL 2.0 is not supported.
   bool ssl3_enabled;  // True if SSL 3.0 is enabled.
   bool tls1_enabled;  // True if TLS 1.0 is enabled.
+  bool tls1_1_enabled;  // True if TLS 1.1 is enabled.
+  bool tls1_2_enabled;  // True if TLS 1.2 is enabled.
   bool dnssec_enabled;  // True if we'll accept DNSSEC chains in certificates.
   // True if we'll do async checks for certificate provenance using DNS.
   bool dns_cert_provenance_checking_enabled;
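Review bot: The new initializer line `tls1_enabled(true),tls1_1_enabled(true), tls1_2_enabled(true), dnssec_enabled(false),` is missing the space after the first comma and runs well past 80 columns; split it as `tls1_enabled(true), tls1_1_enabled(true), tls1_2_enabled(true),` followed by `dnssec_enabled(false),` to match the two-per-line layout of the surrounding initializers. The same hunk flips the default of `ssl3_enabled` to false, which is the substantive security change here (SSL 3.0 is off unless a caller explicitly re-enables it); a reader of the header still sees only `True if SSL 3.0 is enabled.` with no hint that the default is now off, so either the field comment or the commit message should say so.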
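Review bot: The two new fields are consumed only by ssl_client_socket_openssl.cc in this diff (per the diffstat); any other SSLClientSocket backend, or code that copies or compares SSLConfig field by field, is outside this page and, if it exists, would still honor only `tls1_enabled` — worth checking before landing. The field comments could also record the default, e.g. `bool tls1_1_enabled;  // True if TLS 1.1 is enabled (default true).`, now that the defaults differ between SSL 3.0 (off) and the TLS versions (on).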
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index 7f0ac4f..6018e63 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -1164,15 +1164,6 @@ int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
     case ERR_SSL_VERSION_OR_CIPHER_MISMATCH:
     case ERR_SSL_DECOMPRESSION_FAILURE_ALERT:
     case ERR_SSL_BAD_RECORD_MAC_ALERT:
-      if (ssl_config_.tls1_enabled) {
-        // This could be a TLS-intolerant server, an SSL 3.0 server that
-        // chose a TLS-only cipher suite or a server with buggy DEFLATE
-        // support. Turn off TLS 1.0, DEFLATE support and retry.
-        session_->http_stream_factory()->AddTLSIntolerantServer(
-            HostPortPair::FromURL(request_->url));
-        ResetConnectionAndRequestForResend();
-        error = OK;
-      }
       break;
   }
   return error;
diff --git a/net/http/http_stream_factory_impl_job.cc b/net/http/http_stream_factory_impl_job.cc
index 401ba7d..c2a1f0b 100644
--- a/net/http/http_stream_factory_impl_job.cc
+++ b/net/http/http_stream_factory_impl_job.cc
@@ -862,10 +862,8 @@ void HttpStreamFactoryImpl::Job::InitSSLConfig(
     const HostPortPair& origin_server,
     SSLConfig* ssl_config) const {
   if (stream_factory_->IsTLSIntolerantServer(origin_server)) {
-    LOG(WARNING) << "Falling back to SSLv3 because host is TLS intolerant: "
+    LOG(WARNING) << "Not falling back to SSLv3 just because host is TLS intolerant: "
                  << origin_server.ToString();
-    ssl_config->ssl3_fallback = true;
-    ssl_config->tls1_enabled = false;
   }
   if (proxy_info_.is_https() && ssl_config->send_client_cert) {
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 5668c8a..fb05bf3 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
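Review bot: With the retry body removed, the three `case` labels for ERR_SSL_VERSION_OR_CIPHER_MISMATCH, ERR_SSL_DECOMPRESSION_FAILURE_ALERT and ERR_SSL_BAD_RECORD_MAC_ALERT go straight to `break` and the function returns `error` unchanged, exactly as it does for any code not listed in the switch. Either drop the labels or leave a comment so the next reader does not re-add the fallback, e.g. `// Deliberately no retry: a handshake failure must not downgrade the connection to SSL 3.0 or an older TLS version.` Note that after this hunk AddTLSIntolerantServer is no longer called anywhere in the diff, so the list consulted by IsTLSIntolerantServer in http_stream_factory_impl_job.cc is only populated by callers outside this patch, if any. HandleSSLHandshakeError begins outside the hunk.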
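Review bot: The `if (stream_factory_->IsTLSIntolerantServer(origin_server))` block now does nothing but log, and the new LOG line exceeds 80 columns; either remove the block (this diff no longer records intolerant servers, see http_network_transaction.cc) or shorten and wrap it: `LOG(WARNING) << "Host is TLS intolerant; not falling back to SSLv3: "` then `<< origin_server.ToString();`. Also `ssl_config->ssl3_fallback` is no longer assigned anywhere in the patch while the field and its `ssl3_fallback(false)` default remain in SSLConfig; if nothing outside this page sets it, the field is dead and should go with the fallback. InitSSLConfig continues outside the hunk.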
@@ -447,12 +447,8 @@ bool SSLClientSocketOpenSSL::Init() {
   options.ConfigureFlag(SSL_OP_NO_SSLv2, true);
   options.ConfigureFlag(SSL_OP_NO_SSLv3, !ssl_config_.ssl3_enabled);
   options.ConfigureFlag(SSL_OP_NO_TLSv1, !ssl_config_.tls1_enabled);
-#ifdef SSL_OP_NO_TLSv1_1
-  options.ConfigureFlag(SSL_OP_NO_TLSv1_1, true);
-#endif
-#ifdef SSL_OP_NO_TLSv1_2
-  options.ConfigureFlag(SSL_OP_NO_TLSv1_2, true);
-#endif
+  options.ConfigureFlag(SSL_OP_NO_TLSv1_1, !ssl_config_.tls1_1_enabled);
+  options.ConfigureFlag(SSL_OP_NO_TLSv1_2, !ssl_config_.tls1_2_enabled);
 #if defined(SSL_OP_NO_COMPRESSION)
   // If TLS was disabled also disable compression, to provide maximum site
@@ -498,7 +494,7 @@ bool SSLClientSocketOpenSSL::Init() {
   DCHECK(ciphers);
   // See SSLConfig::disabled_cipher_suites for description of the suites
   // disabled by default.
-  std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA");
+  std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA:!RC4");
   // Walk through all the installed ciphers, seeing if any need to be
   // appended to the cipher removal |command|.
   for (int i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i { |
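Review bot: The `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2` guards are removed but not restored around the new ConfigureFlag calls, so Init() no longer compiles against an OpenSSL that does not define those options (they first appear in OpenSSL 1.0.1, which is exactly why the guards were there). Keep the guards around the new lines, e.g. `#ifdef SSL_OP_NO_TLSv1_1`, `  options.ConfigureFlag(SSL_OP_NO_TLSv1_1, !ssl_config_.tls1_1_enabled);`, `#endif`, and the same for 1.2; when the macro is absent the library cannot negotiate that version anyway, so the config flag has nothing to control. A one-line comment above the block stating that SSL 3.0 is now off by default and TLS 1.1/1.2 on would also help, since the policy is otherwise only visible in the SSLConfig constructor. Init() starts and ends outside the hunk.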
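Review bot: `!RC4` is now hard-wired into the OpenSSL cipher command, but the comment two lines above still points readers to SSLConfig::disabled_cipher_suites as the description of what is disabled by default, and this exclusion cannot be undone through that list. Update the comment so the two mechanisms are distinguished, e.g. `// RC4 suites are excluded unconditionally here; see SSLConfig::disabled_cipher_suites for the per-config exclusions appended below.` Removing RC4 at the string level is a sound defensive default, and saying explicitly that it is not configurable avoids a future "why does disabled_cipher_suites not re-enable it" question.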