Add back prefs::kSSL3Enabled and prefs::kTLS1Enabled, but control

chrome/browser/net/ssl_config_service_manager_pref.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include "chrome/browser/net/ssl_config_service_manager.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
 #include "base/basictypes.h"
-#include "base/command_line.h"
 #include "chrome/browser/prefs/pref_change_registrar.h"
 #include "chrome/browser/prefs/pref_member.h"
 #include "chrome/browser/prefs/pref_service.h"
 #include "chrome/common/chrome_notification_types.h"
-#include "chrome/common/chrome_switches.h"
 #include "chrome/common/pref_names.h"
 #include "content/browser/browser_thread.h"
 #include "content/common/notification_details.h"
 #include "content/common/notification_source.h"
 #include "net/base/ssl_cipher_suite_names.h"
 #include "net/base/ssl_config_service.h"
 
 namespace {
 
 // Converts a ListValue of StringValues into a vector of strings. Any Values
@@ skipping 102 matching lines @@
   void GetSSLConfigFromPrefs(net::SSLConfig* config);
 
   // Processes changes to the disabled cipher suites preference, updating the
   // cached list of parsed SSL/TLS cipher suites that are disabled.
   void OnDisabledCipherSuitesChange(PrefService* prefs);
 
   PrefChangeRegistrar pref_change_registrar_;
 
   // The prefs (should only be accessed from UI thread)
   BooleanPrefMember rev_checking_enabled_;
+  BooleanPrefMember ssl3_enabled_;
+  BooleanPrefMember tls1_enabled_;
 
   // The cached list of disabled SSL cipher suites.
   std::vector<uint16> disabled_cipher_suites_;
 
   scoped_refptr<SSLConfigServicePref> ssl_config_service_;
 
   DISALLOW_COPY_AND_ASSIGN(SSLConfigServiceManagerPref);
 };
 
 SSLConfigServiceManagerPref::SSLConfigServiceManagerPref(
     PrefService* local_state)
     : ssl_config_service_(new SSLConfigServicePref()) {
   DCHECK(local_state);
 
   rev_checking_enabled_.Init(prefs::kCertRevocationCheckingEnabled,
                              local_state, this);
+  ssl3_enabled_.Init(prefs::kSSL3Enabled, local_state, this);
+  tls1_enabled_.Init(prefs::kTLS1Enabled, local_state, this);

[wtc, 2011/08/27 22:14:33]

rsleevi: I just realized that I forgot to ask you an important
question: how do I make sure that ssl3_enabled_ and tls1_enabled_
ignore any preference values the user may have previously
stored in Local State?  Now we want ssl3_enabled_ and
tls1_enabled_ to default to true and can only be reset
by command-line options or group policy in the future.

[Ryan Sleevi, 2011/08/27 22:21:45]

That is a good question. I don't know what the method is for resetting a local
state preference, but I would imagine there is one, considering the about:flags
resets that have happened.

In the worst case, renaming the preferences would work, but that seems a very
heavy-handed approach. It might be best to ask one of the Policy people how this
is dealt with.

[wtc, 2011/10/09 15:18:51]

rsleevi,palmer: thank you for testing the patch, and I'm sorry
that I didn't get back to this CL until now.

Unfortunately my experiments showed what I feared is true:
if the user's "Local State" file has an entry for the
ssl.ssl3.enabled or ssl.tls1.enabled preference, it is
honored.  Although the command-line options can override
the entries in Local State as expected, this is still bad
because there is no UI to correct an old
ssl.tls1.enabled=false entry in Local State now.

I will need to ask the Policy people if there is a way
to deal with this, or we will need to rename the preferences
(for example, ssl.ssl3.disabled and ssl.tls1.disabled).
Ideally I'd like a way to remove or ignore the old
preference entries in Local State.

   pref_change_registrar_.Init(local_state);
   pref_change_registrar_.Add(prefs::kCipherSuiteBlacklist, this);
 
   OnDisabledCipherSuitesChange(local_state);
   // Initialize from UI thread.  This is okay as there shouldn't be anything on
   // the IO thread trying to access it yet.
   GetSSLConfigFromPrefs(&ssl_config_service_->cached_config_);
 }
 
 // static
 void SSLConfigServiceManagerPref::RegisterPrefs(PrefService* prefs) {
   net::SSLConfig default_config;
   prefs->RegisterBooleanPref(prefs::kCertRevocationCheckingEnabled,
                              default_config.rev_checking_enabled);
+  prefs->RegisterBooleanPref(prefs::kSSL3Enabled,
+                             default_config.ssl3_enabled);
+  prefs->RegisterBooleanPref(prefs::kTLS1Enabled,
+                             default_config.tls1_enabled);
   prefs->RegisterListPref(prefs::kCipherSuiteBlacklist);
 }

[Ryan Sleevi, 2011/10/10 01:37:22]

wtc: The pattern I've seen is to call prefs->ClearPref(prefs::kTLS1Enabled),
which will clear the existing value from |prefs|, causing it to return the
default (default_config.tls1_enabled)

You can see usage at
http://codesearch.google.com/codesearch#search&q=ClearPref&exact_package=chro...

You should be able to confirm with the policy people the correctness of this.

 
 net::SSLConfigService* SSLConfigServiceManagerPref::Get() {
   return ssl_config_service_;
 }
 
 void SSLConfigServiceManagerPref::Observe(int type,
                                           const NotificationSource& source,
                                           const NotificationDetails& details) {
   if (type == chrome::NOTIFICATION_PREF_CHANGED) {
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
@@ skipping 14 matching lines @@
         NewRunnableMethod(
             ssl_config_service_.get(),
             &SSLConfigServicePref::SetNewSSLConfig,
             new_config));
   }
 }
 
 void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
     net::SSLConfig* config) {
   config->rev_checking_enabled = rev_checking_enabled_.GetValue();
-
-  config->ssl3_enabled =
-      !CommandLine::ForCurrentProcess()->HasSwitch(switches::kDisableSSL3);
-  config->tls1_enabled =
-      !CommandLine::ForCurrentProcess()->HasSwitch(switches::kDisableTLS1);
-
+  config->ssl3_enabled = ssl3_enabled_.GetValue();
+  config->tls1_enabled = tls1_enabled_.GetValue();
   config->disabled_cipher_suites = disabled_cipher_suites_;
   SSLConfigServicePref::SetSSLConfigFlags(config);
 }
 
 void SSLConfigServiceManagerPref::OnDisabledCipherSuitesChange(
     PrefService* prefs) {
   const ListValue* value = prefs->GetList(prefs::kCipherSuiteBlacklist);
   disabled_cipher_suites_ = ParseCipherSuites(ListValueToStringVector(value));
 }
 
 ////////////////////////////////////////////////////////////////////////////////
 //  SSLConfigServiceManager
 
 // static
 SSLConfigServiceManager* SSLConfigServiceManager::CreateDefaultManager(
     PrefService* local_state) {
   return new SSLConfigServiceManagerPref(local_state);
 }
 
 // static
 void SSLConfigServiceManager::RegisterPrefs(PrefService* prefs) {
   SSLConfigServiceManagerPref::RegisterPrefs(prefs);
 }