From 109c1679d462802b7abb241f4d42e25cffcbcd31 Mon Sep 17 00:00:00 2001
From: Wolfgang Wiedmeyer
Date: Sun, 27 Sep 2015 23:06:40 +0200
Subject: add tls1_1, tls1_2 settings, remove sslv3 fallback code, disable RC4

Change-Id: I9ab98fbeb040a4a2a0e8ba3c5e260f61303ed199
---
 chrome/browser/net/ssl_config_service_manager_pref.cc | 14 ++++++++++++++
 net/base/ssl_config_service.cc | 8 +++++---
 net/base/ssl_config_service.h | 2 ++
 net/http/http_network_transaction.cc | 9 ---------
 net/http/http_stream_factory_impl_job.cc | 4 +---
 net/socket/ssl_client_socket_openssl.cc | 10 +++-------
 6 files changed, 25 insertions(+), 22 deletions(-)

diff --git a/chrome/browser/net/ssl_config_service_manager_pref.cc b/chrome/browser/net/ssl_config_service_manager_pref.cc
index 71e385b..fe31117 100644
--- a/chrome/browser/net/ssl_config_service_manager_pref.cc
+++ b/chrome/browser/net/ssl_config_service_manager_pref.cc
@@ -92,6 +92,8 @@ class SSLConfigServiceManagerPref
 BooleanPrefMember rev_checking_enabled_;
 BooleanPrefMember ssl3_enabled_;
 BooleanPrefMember tls1_enabled_;
+ BooleanPrefMember tls1_1_enabled_;
+ BooleanPrefMember tls1_2_enabled_;
 scoped_refptr ssl_config_service_;
@@ -114,6 +116,8 @@ SSLConfigServiceManagerPref::SSLConfigServiceManagerPref(
 local_state, this);
 ssl3_enabled_.Init(prefs::kSSL3Enabled, local_state, this);
 tls1_enabled_.Init(prefs::kTLS1Enabled, local_state, this);
+ tls1_1_enabled_.Init(prefs::kTLS1_1Enabled, local_state, this);
+ tls1_2_enabled_.Init(prefs::kTLS1_2Enabled, local_state, this);
 // Initialize from UI thread. This is okay as there shouldn't be anything on
 // the IO thread trying to access it yet.
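Review bot: The constructor hunk calls `prefs::kTLS1_1Enabled` and `prefs::kTLS1_2Enabled` (as do the RegisterPrefs and GetSSLConfigFromPrefs hunks in the same file), but the diffstat shows no change to the file that declares the `prefs::` name constants, so unless those two constants already exist or arrive in a separate patch this will not compile. Add their declaration and definition next to `kTLS1Enabled`, choosing the pref path string to match the naming used by `kSSL3Enabled` and `kTLS1Enabled`. The constructor body continues past the end of the hunk.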
@@ -135,6 +139,14 @@ void SSLConfigServiceManagerPref::RegisterPrefs(PrefService* prefs) {
 prefs->RegisterBooleanPref(prefs::kTLS1Enabled,
 default_config.tls1_enabled);
 }
+ if (!prefs->FindPreference(prefs::kTLS1_1Enabled)) {
+ prefs->RegisterBooleanPref(prefs::kTLS1_1Enabled,
+ default_config.tls1_1_enabled);
+ }
+ if (!prefs->FindPreference(prefs::kTLS1_2Enabled)) {
+ prefs->RegisterBooleanPref(prefs::kTLS1_2Enabled,
+ default_config.tls1_2_enabled);
+ }
 }
 // static
@@ -194,6 +206,8 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
 config->rev_checking_enabled = rev_checking_enabled_.GetValue();
 config->ssl3_enabled = ssl3_enabled_.GetValue();
 config->tls1_enabled = tls1_enabled_.GetValue();
+ config->tls1_1_enabled = tls1_1_enabled_.GetValue();
+ config->tls1_2_enabled = tls1_2_enabled_.GetValue();
 SSLConfigServicePref::SetSSLConfigFlags(config);
 }
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index 4867681..1939458 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -14,8 +14,8 @@ SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {}
 SSLConfig::CertAndStatus::~CertAndStatus() {}
 SSLConfig::SSLConfig()
- : rev_checking_enabled(true), ssl3_enabled(true),
- tls1_enabled(true), dnssec_enabled(false),
+ : rev_checking_enabled(true), ssl3_enabled(false),
+ tls1_enabled(true),tls1_1_enabled(true), tls1_2_enabled(true), dnssec_enabled(false),
 dns_cert_provenance_checking_enabled(false), false_start_enabled(true), send_client_cert(false), verify_ev_cert(false), ssl3_fallback(false) {
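Review bot: The new initializer line `tls1_enabled(true),tls1_1_enabled(true), tls1_2_enabled(true), dnssec_enabled(false),` in the SSLConfig constructor is missing the space after its first comma and runs well past 80 columns; split it as `tls1_enabled(true), tls1_1_enabled(true),` followed by `tls1_2_enabled(true), dnssec_enabled(false),` to match the surrounding two-per-line initializer style. The flip of `ssl3_enabled` to false is the right default, but `RegisterBooleanPref` in the RegisterPrefs hunk presumably only supplies a default when no value is stored, so profiles that already persisted `kSSL3Enabled` as true would keep SSL 3.0 on — worth confirming whether a one-time migration is wanted. The initializer list continues past the hunk, and `ssl3_fallback(false)` is still initialized although the InitSSLConfig hunk removes the only visible assignment that set it.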
@@ -110,7 +110,9 @@ void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
 const SSLConfig& new_config) {
 if (orig_config.rev_checking_enabled != new_config.rev_checking_enabled ||
 orig_config.ssl3_enabled != new_config.ssl3_enabled ||
- orig_config.tls1_enabled != new_config.tls1_enabled) {
+ orig_config.tls1_enabled != new_config.tls1_enabled ||
+ orig_config.tls1_1_enabled != new_config.tls1_1_enabled ||
+ orig_config.tls1_2_enabled != new_config.tls1_2_enabled) {
 FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged());
 }
 }
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index efe87f6..84be086 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -31,6 +31,8 @@ struct NET_EXPORT SSLConfig {
 // SSL 2.0 is not supported.
 bool ssl3_enabled; // True if SSL 3.0 is enabled.
 bool tls1_enabled; // True if TLS 1.0 is enabled.
+ bool tls1_1_enabled; // True if TLS 1.1 is enabled.
+ bool tls1_2_enabled; // True if TLS 1.2 is enabled.
 bool dnssec_enabled; // True if we'll accept DNSSEC chains in certificates.
 // True if we'll do async checks for certificate provenance using DNS.
 bool dns_cert_provenance_checking_enabled;
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index 7f0ac4f..6018e63 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
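Review bot: The header hunk adds the two new fields but leaves `ssl3_fallback` untouched, even though the InitSSLConfig hunk removes the only place shown that set it to true and the constructor still initializes it to false; if nothing else in the tree sets it, the field and whatever reads it are now dead and should be removed or marked as such in a follow-up. The field comments should also record the defaults this patch establishes, since the constructor is in another file: `bool ssl3_enabled;    // True if SSL 3.0 is enabled. Off by default.` and `bool tls1_1_enabled;  // True if TLS 1.1 is enabled. On by default.` (likewise for tls1_2_enabled). The struct continues beyond the hunk.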
@@ -1164,15 +1164,6 @@ int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH:
 case ERR_SSL_DECOMPRESSION_FAILURE_ALERT:
 case ERR_SSL_BAD_RECORD_MAC_ALERT:
- if (ssl_config_.tls1_enabled) {
- // This could be a TLS-intolerant server, an SSL 3.0 server that
- // chose a TLS-only cipher suite or a server with buggy DEFLATE
- // support. Turn off TLS 1.0, DEFLATE support and retry.
- session_->http_stream_factory()->AddTLSIntolerantServer(
- HostPortPair::FromURL(request_->url));
- ResetConnectionAndRequestForResend();
- error = OK;
- }
 break;
 }
 return error;
diff --git a/net/http/http_stream_factory_impl_job.cc b/net/http/http_stream_factory_impl_job.cc
index 401ba7d..c2a1f0b 100644
--- a/net/http/http_stream_factory_impl_job.cc
+++ b/net/http/http_stream_factory_impl_job.cc
@@ -862,10 +862,8 @@ void HttpStreamFactoryImpl::Job::InitSSLConfig(
 const HostPortPair& origin_server,
 SSLConfig* ssl_config) const {
 if (stream_factory_->IsTLSIntolerantServer(origin_server)) {
- LOG(WARNING) << "Falling back to SSLv3 because host is TLS intolerant: "
+ LOG(WARNING) << "Not falling back to SSLv3 just because host is TLS intolerant: "
 << origin_server.ToString();
- ssl_config->ssl3_fallback = true;
- ssl_config->tls1_enabled = false;
 }
 if (proxy_info_.is_https() && ssl_config->send_client_cert) {
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 5668c8a..fb05bf3 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
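Review bot: After the removal, the three `case ERR_SSL_*` labels in HandleSSLHandshakeError do nothing but `break;`, so they are indistinguishable from the default path and a reader has no hint why an intolerant server is no longer retried. Either drop the labels or keep them with a comment explaining the decision: `// Deliberately no protocol fallback: a handshake failure is returned to the caller rather than retried with SSL 3.0 / TLS 1.0, so a failed handshake cannot be used to force a downgrade.` The switch and the function continue outside the hunk, so whether earlier cases rely on these labels cannot be judged here.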
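Review bot: The `IsTLSIntolerantServer` branch in InitSSLConfig is now a log-only block, and since the HandleSSLHandshakeError hunk removes the only visible call to `AddTLSIntolerantServer`, the condition is presumably never true in a fresh process — unless the intolerant-server set is populated somewhere not shown, delete the whole `if` block rather than keep a warning that announces it does nothing. If it is kept, the new message pushes the line past 80 columns; `LOG(WARNING) << "TLS-intolerant host, not falling back to SSLv3: "` keeps it within the limit. The function continues beyond the hunk.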
@@ -447,12 +447,8 @@ bool SSLClientSocketOpenSSL::Init() {
 options.ConfigureFlag(SSL_OP_NO_SSLv2, true);
 options.ConfigureFlag(SSL_OP_NO_SSLv3, !ssl_config_.ssl3_enabled);
 options.ConfigureFlag(SSL_OP_NO_TLSv1, !ssl_config_.tls1_enabled);
-#ifdef SSL_OP_NO_TLSv1_1
- options.ConfigureFlag(SSL_OP_NO_TLSv1_1, true);
-#endif
-#ifdef SSL_OP_NO_TLSv1_2
- options.ConfigureFlag(SSL_OP_NO_TLSv1_2, true);
-#endif
+ options.ConfigureFlag(SSL_OP_NO_TLSv1_1, !ssl_config_.tls1_1_enabled);
+ options.ConfigureFlag(SSL_OP_NO_TLSv1_2, !ssl_config_.tls1_2_enabled);
 #if defined(SSL_OP_NO_COMPRESSION)
 // If TLS was disabled also disable compression, to provide maximum site
@@ -498,7 +494,7 @@ bool SSLClientSocketOpenSSL::Init() {
 DCHECK(ciphers);
 // See SSLConfig::disabled_cipher_suites for description of the suites
 // disabled by default.
- std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA");
+ std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA:!RC4");
 // Walk through all the installed ciphers, seeing if any need to be
 // appended to the cipher removal |command|.
 for (int i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {
--
cgit v1.1
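Review bot: Dropping the `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2` guards makes Init() fail to compile against an OpenSSL that predates those options, which is exactly what the guards existed for; the old code compiled everywhere and merely left the versions off. Keep the guards around the new calls as below, or, if the build is meant to require a newer OpenSSL, enforce that once with a `#error` on `OPENSSL_VERSION_NUMBER` next to the includes so the failure is explicit rather than an undeclared-identifier error here. Under the guarded form an old library silently cannot offer TLS 1.1/1.2 even when the prefs enable them, which deserves a comment. Init() continues outside the hunk.
```cpp
  options.ConfigureFlag(SSL_OP_NO_TLSv1, !ssl_config_.tls1_enabled);
#ifdef SSL_OP_NO_TLSv1_1
  options.ConfigureFlag(SSL_OP_NO_TLSv1_1, !ssl_config_.tls1_1_enabled);
#endif
#ifdef SSL_OP_NO_TLSv1_2
  options.ConfigureFlag(SSL_OP_NO_TLSv1_2, !ssl_config_.tls1_2_enabled);
#endif
  // … unchanged: SSL_OP_NO_COMPRESSION handling …
```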
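Review bot: The comment above the cipher string still sends readers to `SSLConfig::disabled_cipher_suites` for what is disabled by default, but RC4 is now excluded unconditionally in the `DEFAULT:…:!RC4` string itself, and since that list only ever appends further removals to `command` it presumably cannot re-enable RC4. Add a line to the comment making that explicit: `// RC4 is excluded outright here, independently of disabled_cipher_suites.` The code between this hunk and the SSL_OP_NO_COMPRESSION hunk is not shown.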