| 1 // Copyright (c) 2006-2009 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2009 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_BASE_SSL_CONFIG_SERVICE_H_ | 5 #ifndef NET_BASE_SSL_CONFIG_SERVICE_H_ |
| 6 #define NET_BASE_SSL_CONFIG_SERVICE_H_ | 6 #define NET_BASE_SSL_CONFIG_SERVICE_H_ |
| 7 #pragma once | 7 #pragma once |
| 8 | 8 |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 15 matching lines...) Expand all Loading... | |
| 26 | 26 |
| 27 bool rev_checking_enabled; // True if server certificate revocation | 27 bool rev_checking_enabled; // True if server certificate revocation |
| 28 // checking is enabled. | 28 // checking is enabled. |
| 29 bool ssl2_enabled; // True if SSL 2.0 is enabled. | 29 bool ssl2_enabled; // True if SSL 2.0 is enabled. |
| 30 bool ssl3_enabled; // True if SSL 3.0 is enabled. | 30 bool ssl3_enabled; // True if SSL 3.0 is enabled. |
| 31 bool tls1_enabled; // True if TLS 1.0 is enabled. | 31 bool tls1_enabled; // True if TLS 1.0 is enabled. |
| 32 bool ssl3_fallback; // True if we are falling back to SSL 3.0 (one still | 32 bool ssl3_fallback; // True if we are falling back to SSL 3.0 (one still |
| 33 // needs to clear tls1_enabled). | 33 // needs to clear tls1_enabled). |
| 34 bool dnssec_enabled; // True if we'll accept DNSSEC chains in certificates. | 34 bool dnssec_enabled; // True if we'll accept DNSSEC chains in certificates. |
| 35 | 35 |
| 36 // True if we believe that this connection might be MITM attacked. This | 36 // True if we believe that this connection might be MITM attacked. This |
|
wtc
2010/08/22 04:44:35
Should this say
True if we allow this connection
| |
| 37 // sounds a little worse than it is: large networks sometimes MITM attack all | 37 // sounds a little worse than it is: large networks sometimes MITM attack all |
| 38 // SSL connections on egress. We want to know this because we might not have | 38 // SSL connections on egress. We want to know this because we might not have |
| 39 // the end-to-end connection that we believe that we have based on the | 39 // the end-to-end connection that we believe that we have based on the |
| 40 // hostname. Therefore, certain certificate checks can't be performed and we | 40 // hostname. Therefore, certain certificate checks can't be performed and we |
| 41 // can't use outside knowledge about whether the server has the renegotiation | 41 // can't use outside knowledge about whether the server has the renegotiation |
| 42 // extension. | 42 // extension. |
| 43 bool mitm_proxies_allowed; | 43 bool mitm_proxies_allowed; |
| 44 | 44 |
| 45 bool false_start_enabled; // True if we'll use TLS False Start. | 45 bool false_start_enabled; // True if we'll use TLS False Start. |
| 46 | 46 |
| (...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 111 | 111 |
| 112 // Returns true if the given hostname is known to be incompatible with TLS | 112 // Returns true if the given hostname is known to be incompatible with TLS |
| 113 // False Start. | 113 // False Start. |
| 114 static bool IsKnownFalseStartIncompatibleServer(const std::string& hostname); | 114 static bool IsKnownFalseStartIncompatibleServer(const std::string& hostname); |
| 115 | 115 |
| 116 // Enables the acceptance of self-signed certificates which contain an | 116 // Enables the acceptance of self-signed certificates which contain an |
| 117 // embedded DNSSEC chain proving their validity. | 117 // embedded DNSSEC chain proving their validity. |
| 118 static void EnableDNSSEC(); | 118 static void EnableDNSSEC(); |
| 119 static bool dnssec_enabled(); | 119 static bool dnssec_enabled(); |
| 120 | 120 |
| 121 // Enables the |may_be_manipulated| flag in SSLConfig objects. See the | 121 // Sets a global flag which causes SetSSLConfigFlags to set the |
|
wtc
2010/08/22 04:44:35
Nit: SetSSLConfigFlags is an implementation detail
| |
| 122 // comment about this flag in |SSLConfig|. | 122 // |mitm_proxies_allowed| flag in SSLConfig objects. See the comment about |
| 123 // this flag in |SSLConfig|. | |
| 123 static void AllowMITMProxies(); | 124 static void AllowMITMProxies(); |
| 124 static bool mitm_proxies_allowed(); | 125 static bool mitm_proxies_allowed(); |
| 125 | 126 |
| 126 // Disables False Start in SSL connections. | 127 // Disables False Start in SSL connections. |
| 127 static void DisableFalseStart(); | 128 static void DisableFalseStart(); |
| 128 // True if we use False Start for SSL and TLS. | 129 // True if we use False Start for SSL and TLS. |
| 129 static bool false_start_enabled(); | 130 static bool false_start_enabled(); |
| 130 | 131 |
| 131 protected: | 132 protected: |
| 132 // SetFlags sets the values of several flags based on global configuration. | |
| 133 static void SetSSLConfigFlags(SSLConfig*); | |
| 134 | |
| 135 friend class base::RefCountedThreadSafe<SSLConfigService>; | 133 friend class base::RefCountedThreadSafe<SSLConfigService>; |
| 136 | 134 |
| 137 virtual ~SSLConfigService() {} | 135 virtual ~SSLConfigService() {} |
| 136 | |
| 137 // SetFlags sets the values of several flags based on global configuration. | |
| 138 static void SetSSLConfigFlags(SSLConfig*); | |
| 138 }; | 139 }; |
| 139 | 140 |
| 140 } // namespace net | 141 } // namespace net |
| 141 | 142 |
| 142 #endif // NET_BASE_SSL_CONFIG_SERVICE_H_ | 143 #endif // NET_BASE_SSL_CONFIG_SERVICE_H_ |
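Review bot: The rewritten comment on AllowMITMProxies() (new lines 121-123) still does not warn that the switch is process-wide and, as far as this header shows, one-way: there is an AllowMITMProxies() but no counterpart to clear it, so once it is called every SSLConfig handed out afterwards carries |mitm_proxies_allowed| and the certificate checks that the flag's own comment (lines 36-42) says can no longer be performed are relaxed for every connection in the process. Since that is a global weakening of certificate validation, the comment should say so and steer callers toward trusted configuration only, e.g. `// Process-wide and one-way: after this call every SSLConfig produced by` / `// this service has |mitm_proxies_allowed| set, relaxing the certificate checks` / `// described on that flag for all connections. Call only from trusted configuration.` The flag's own comment would also be more useful if it named which certificate checks are skipped instead of "certain certificate checks", though that list is not visible in this header. The enclosing class SSLConfigService begins in the lines collapsed above this hunk.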