
Side by Side Diff: net/http/http_stream_factory_impl_job.cc

Issue 1131763002: Reject renegotiations in SSLClientSocket by default. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: NSS greediness... Created 5 years, 7 months ago
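--- a/net/http/http_stream_factory_impl_job.cc
+++ b/net/http/http_stream_factory_impl_job.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_stream_factory_impl_job.h"
 
 #include <algorithm>
 #include <string>
 
 #include "base/bind.h"
@@ -1250,29 +1250,43 @@
 }
 
 bool HttpStreamFactoryImpl::Job::IsSpdyAlternate() const {
   return alternative_service_.protocol >= NPN_SPDY_MINIMUM_VERSION &&
          alternative_service_.protocol <= NPN_SPDY_MAXIMUM_VERSION;
 }
 
 void HttpStreamFactoryImpl::Job::InitSSLConfig(const HostPortPair& server,
                                                SSLConfig* ssl_config,
                                                bool is_proxy) const {
+  if (!is_proxy) {
+    // Prior to HTTP/2 and SPDY, some servers use TLS renegotiation to request
+    // TLS client authentication after the HTTP request was sent. Allow
+    // renegotiation for only those connections.
+    //
+    // Note that this does NOT implement the provision in
+    // https://http2.github.io/http2-spec/#rfc.section.9.2.1 which allows the
+    // server to request a renegotiation immediately before sending the
+    // connection preface as waiting for the preface would cost the round trip
+    // that False Start otherwise saves.
+    ssl_config->renego_allowed_default = true;
+    ssl_config->renego_allowed_for_protos.push_back(kProtoHTTP11);
+  }
+
   if (proxy_info_.is_https() && ssl_config->send_client_cert) {
     // When connecting through an HTTPS proxy, disable TLS False Start so
     // that client authentication errors can be distinguished between those
     // originating from the proxy server (ERR_PROXY_CONNECTION_FAILED) and
     // those originating from the endpoint (ERR_SSL_PROTOCOL_ERROR /
     // ERR_BAD_SSL_CLIENT_AUTH_CERT).
-    // TODO(rch): This assumes that the HTTPS proxy will only request a
-    // client certificate during the initial handshake.
-    // http://crbug.com/59292
+    //
+    // This assumes the proxy will only request certificates on the initial
+    // handshake; renegotiation on the proxy connection is unsupported.
     ssl_config->false_start_enabled = false;
   }
 
   if (request_info_.load_flags & LOAD_VERIFY_EV_CERT)
     ssl_config->verify_ev_cert = true;
 
   // Disable Channel ID if privacy mode is enabled.
   if (request_info_.privacy_mode == PRIVACY_MODE_ENABLED)
     ssl_config->channel_id_enabled = false;
 }
@@ -1505,10 +1519,10 @@
 
 void HttpStreamFactoryImpl::Job::
     MaybeCopyConnectionAttemptsFromClientSocketHandleToRequest() {
   if (IsOrphaned() || !connection_)
     return;
 
   request_->AddConnectionAttempts(connection_->connection_attempts());
 }
 
 }  // namespace net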
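Review bot: `ssl_config->renego_allowed_default = true` on new line 1270 also accepts renegotiation on non-proxy connections that negotiated no application protocol at all, which the preceding comment ("Allow renegotiation for only those connections") does not say; I would extend the comment with `// renego_allowed_default covers connections that negotiated no protocol (treated as HTTP/1.1); renego_allowed_for_protos covers an explicit HTTP/1.1 negotiation.` Whether that allowance is further restricted to RFC 5746 secure renegotiation is decided in the socket layer rather than in this file, so the comment should name where that check lives rather than leave a reader assuming it from here. `push_back(kProtoHTTP11)` on new line 1271 is also not idempotent: if InitSSLConfig is ever re-run on the same SSLConfig (not visible in this section) the list accumulates duplicate entries, harmless for a membership test but worth a one-line guard or a note saying the config is expected to be fresh.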
