From 109c1679d462802b7abb241f4d42e25cffcbcd31 Mon Sep 17 00:00:00 2001
From: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
Date: Sun, 27 Sep 2015 23:06:40 +0200
Subject: add tls1_1, tls1_2 settings, remove sslv3 fallback code, disable RC4

Change-Id: I9ab98fbeb040a4a2a0e8ba3c5e260f61303ed199
---
 chrome/browser/net/ssl_config_service_manager_pref.cc | 14 ++++++++++++++
 net/base/ssl_config_service.cc                        |  8 +++++---
 net/base/ssl_config_service.h                         |  2 ++
 net/http/http_network_transaction.cc                  |  9 ---------
 net/http/http_stream_factory_impl_job.cc              |  4 +---
 net/socket/ssl_client_socket_openssl.cc               | 10 +++-------
 6 files changed, 25 insertions(+), 22 deletions(-)

diff --git a/chrome/browser/net/ssl_config_service_manager_pref.cc b/chrome/browser/net/ssl_config_service_manager_pref.cc
index 71e385b..fe31117 100644
--- a/chrome/browser/net/ssl_config_service_manager_pref.cc
+++ b/chrome/browser/net/ssl_config_service_manager_pref.cc
@@ -92,6 +92,8 @@ class SSLConfigServiceManagerPref
   BooleanPrefMember rev_checking_enabled_;
   BooleanPrefMember ssl3_enabled_;
   BooleanPrefMember tls1_enabled_;
+  BooleanPrefMember tls1_1_enabled_;
+  BooleanPrefMember tls1_2_enabled_;
 
   scoped_refptr<SSLConfigServicePref> ssl_config_service_;
 
@@ -114,6 +116,8 @@ SSLConfigServiceManagerPref::SSLConfigServiceManagerPref(
                              local_state, this);
   ssl3_enabled_.Init(prefs::kSSL3Enabled, local_state, this);
   tls1_enabled_.Init(prefs::kTLS1Enabled, local_state, this);
+  tls1_1_enabled_.Init(prefs::kTLS1_1Enabled, local_state, this);
+  tls1_2_enabled_.Init(prefs::kTLS1_2Enabled, local_state, this);
 
   // Initialize from UI thread.  This is okay as there shouldn't be anything on
   // the IO thread trying to access it yet.
@@ -135,6 +139,14 @@ void SSLConfigServiceManagerPref::RegisterPrefs(PrefService* prefs) {
     prefs->RegisterBooleanPref(prefs::kTLS1Enabled,
                                default_config.tls1_enabled);
   }
+  if (!prefs->FindPreference(prefs::kTLS1_1Enabled)) {
+    prefs->RegisterBooleanPref(prefs::kTLS1_1Enabled,
+                               default_config.tls1_1_enabled);
+  }
+  if (!prefs->FindPreference(prefs::kTLS1_2Enabled)) {
+    prefs->RegisterBooleanPref(prefs::kTLS1_2Enabled,
+                               default_config.tls1_2_enabled);
+  }
 }
 
 // static
@@ -194,6 +206,8 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
   config->rev_checking_enabled = rev_checking_enabled_.GetValue();
   config->ssl3_enabled = ssl3_enabled_.GetValue();
   config->tls1_enabled = tls1_enabled_.GetValue();
+  config->tls1_1_enabled = tls1_1_enabled_.GetValue();
+  config->tls1_2_enabled = tls1_2_enabled_.GetValue();
   SSLConfigServicePref::SetSSLConfigFlags(config);
 }
 
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index 4867681..1939458 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -14,8 +14,8 @@ SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {}
 SSLConfig::CertAndStatus::~CertAndStatus() {}
 
 SSLConfig::SSLConfig()
-    : rev_checking_enabled(true), ssl3_enabled(true),
-      tls1_enabled(true), dnssec_enabled(false),
+    : rev_checking_enabled(true), ssl3_enabled(false),
+      tls1_enabled(true),tls1_1_enabled(true), tls1_2_enabled(true), dnssec_enabled(false),
       dns_cert_provenance_checking_enabled(false),
       false_start_enabled(true),
       send_client_cert(false), verify_ev_cert(false), ssl3_fallback(false) {
@@ -110,7 +110,9 @@ void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
                                            const SSLConfig& new_config) {
   if (orig_config.rev_checking_enabled != new_config.rev_checking_enabled ||
       orig_config.ssl3_enabled != new_config.ssl3_enabled ||
-      orig_config.tls1_enabled != new_config.tls1_enabled) {
+      orig_config.tls1_enabled != new_config.tls1_enabled ||
+      orig_config.tls1_1_enabled != new_config.tls1_1_enabled ||
+      orig_config.tls1_2_enabled != new_config.tls1_2_enabled) {
     FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged());
   }
 }
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index efe87f6..84be086 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -31,6 +31,8 @@ struct NET_EXPORT SSLConfig {
   // SSL 2.0 is not supported.
   bool ssl3_enabled;  // True if SSL 3.0 is enabled.
   bool tls1_enabled;  // True if TLS 1.0 is enabled.
+  bool tls1_1_enabled;  // True if TLS 1.1 is enabled.
+  bool tls1_2_enabled;  // True if TLS 1.2 is enabled.
   bool dnssec_enabled;  // True if we'll accept DNSSEC chains in certificates.
   // True if we'll do async checks for certificate provenance using DNS.
   bool dns_cert_provenance_checking_enabled;
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index 7f0ac4f..6018e63 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -1164,15 +1164,6 @@ int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
     case ERR_SSL_VERSION_OR_CIPHER_MISMATCH:
     case ERR_SSL_DECOMPRESSION_FAILURE_ALERT:
     case ERR_SSL_BAD_RECORD_MAC_ALERT:
-      if (ssl_config_.tls1_enabled) {
-        // This could be a TLS-intolerant server, an SSL 3.0 server that
-        // chose a TLS-only cipher suite or a server with buggy DEFLATE
-        // support. Turn off TLS 1.0, DEFLATE support and retry.
-        session_->http_stream_factory()->AddTLSIntolerantServer(
-            HostPortPair::FromURL(request_->url));
-        ResetConnectionAndRequestForResend();
-        error = OK;
-      }
       break;
   }
   return error;
diff --git a/net/http/http_stream_factory_impl_job.cc b/net/http/http_stream_factory_impl_job.cc
index 401ba7d..c2a1f0b 100644
--- a/net/http/http_stream_factory_impl_job.cc
+++ b/net/http/http_stream_factory_impl_job.cc
@@ -862,10 +862,8 @@ void HttpStreamFactoryImpl::Job::InitSSLConfig(
     const HostPortPair& origin_server,
     SSLConfig* ssl_config) const {
   if (stream_factory_->IsTLSIntolerantServer(origin_server)) {
-    LOG(WARNING) << "Falling back to SSLv3 because host is TLS intolerant: "
+    LOG(WARNING) << "Not falling back to SSLv3 just because host is TLS intolerant: "
         << origin_server.ToString();
-    ssl_config->ssl3_fallback = true;
-    ssl_config->tls1_enabled = false;
   }
 
   if (proxy_info_.is_https() && ssl_config->send_client_cert) {
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 5668c8a..fb05bf3 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -447,12 +447,8 @@ bool SSLClientSocketOpenSSL::Init() {
   options.ConfigureFlag(SSL_OP_NO_SSLv2, true);
   options.ConfigureFlag(SSL_OP_NO_SSLv3, !ssl_config_.ssl3_enabled);
   options.ConfigureFlag(SSL_OP_NO_TLSv1, !ssl_config_.tls1_enabled);
-#ifdef SSL_OP_NO_TLSv1_1
-  options.ConfigureFlag(SSL_OP_NO_TLSv1_1, true);
-#endif
-#ifdef SSL_OP_NO_TLSv1_2
-  options.ConfigureFlag(SSL_OP_NO_TLSv1_2, true);
-#endif
+  options.ConfigureFlag(SSL_OP_NO_TLSv1_1, !ssl_config_.tls1_1_enabled);
+  options.ConfigureFlag(SSL_OP_NO_TLSv1_2, !ssl_config_.tls1_2_enabled);
 
 #if defined(SSL_OP_NO_COMPRESSION)
   // If TLS was disabled also disable compression, to provide maximum site
@@ -498,7 +494,7 @@ bool SSLClientSocketOpenSSL::Init() {
   DCHECK(ciphers);
   // See SSLConfig::disabled_cipher_suites for description of the suites
   // disabled by default.
-  std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA");
+  std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA:!RC4");
   // Walk through all the installed ciphers, seeing if any need to be
   // appended to the cipher removal |command|.
   for (int i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {
-- 
cgit v1.1