Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1608)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/socket/nss_ssl_util.cc

Issue 10830326: net: disable ECDSA ciphersuites on platforms where we can't support it. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 8 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/base/ssl_config_service.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/socket/nss_ssl_util.cc
diff --git a/net/socket/nss_ssl_util.cc b/net/socket/nss_ssl_util.cc
index d262f939dc38bd9db7017663891c7e2dfd2bbafc..084cc78d5cfdbcdafd0e9583b49d4f62ad8e0b1a 100644
--- a/net/socket/nss_ssl_util.cc
+++ b/net/socket/nss_ssl_util.cc
@@ -17,10 +17,17 @@
#include "base/memory/singleton.h"
#include "base/threading/thread_restrictions.h"
#include "base/values.h"
+#include "build/build_config.h"
#include "crypto/nss_util.h"
#include "net/base/net_errors.h"
#include "net/base/net_log.h"
+#if defined(OS_WIN)
+#include "base/win/windows_version.h"
+#elif defined(OS_MACOSX)
+#include "base/mac/mac_util.h"
+#endif
+
namespace net {
class NSSSSLInitSingleton {
@@ -60,6 +67,17 @@ class NSSSSLInitSingleton {
// Enable SSL.
SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
+ // On some platforms we cannot verify ECDSA certificates.
Ryan Sleevi 2012/08/15 01:12:07 nit: Suggested re-word to drop the "we" (a pet nit
agl 2012/08/15 01:36:29 Done. (And have reworked the ssl_config_service.h
+#if defined(OS_WIN)
+ if (base::win::GetVersion() < base::win::VERSION_VISTA) {
+ DisableECDSA();
+ }
+#elif defined(OS_MACOSX)
+ if (!base::mac::IsOSSnowLeopardOrLater()) {
+ DisableECDSA();
+ }
+#endif
+
// All other SSL options are set per-session by SSLClientSocket and
// SSLServerSocket.
}
@@ -68,6 +86,24 @@ class NSSSSLInitSingleton {
// Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY.
SSL_ClearSessionCache();
}
+
+ void DisableECDSA() {
+ const PRUint16* ciphersuites = SSL_GetImplementedCiphers();
+ const unsigned num_ciphersuites = SSL_GetNumImplementedCiphers();
+ SECStatus rv;
+ SSLCipherSuiteInfo info;
+
+ for (unsigned i = 0; i < num_ciphersuites; i++) {
+ rv = SSL_GetCipherSuiteInfo(ciphersuites[i], &info, sizeof(info));
+ if (rv != SECSuccess) {
+ LOG(ERROR) << "SSL_GetCipherSuiteInfo failed";
+ break;
Ryan Sleevi 2012/08/15 01:12:07 break or continue? If continue, you can probably
agl 2012/08/15 01:36:29 I did mean break, but less code is better.
+ }
+ if (info.authAlgorithm == ssl_auth_ecdsa) {
+ SSL_CipherPrefSetDefault(ciphersuites[i], PR_FALSE);
+ }
Ryan Sleevi 2012/08/15 01:12:07 nit: lose the braces for the one-line if here
agl 2012/08/15 01:36:29 So many different micro-styles... :)
+ }
+ }
};
static base::LazyInstance<NSSSSLInitSingleton> g_nss_ssl_init_singleton =
« no previous file with comments | « net/base/ssl_config_service.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698