Chromium Code Reviews

Unified Diff: net/http/http_stream_factory_impl_job.cc

Issue 1131763002: Reject renegotiations in SSLClientSocket by default. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: NSS greediness... Created 5 years, 7 months ago
Index: net/http/http_stream_factory_impl_job.cc
diff --git a/net/http/http_stream_factory_impl_job.cc b/net/http/http_stream_factory_impl_job.cc
index 38f185a4e9edd69b15517afa531d4c5027430020..d2c4149b234e2156296f7aa1bcb4137153082e48 100644
--- a/net/http/http_stream_factory_impl_job.cc
+++ b/net/http/http_stream_factory_impl_job.cc
@@ -1257,15 +1257,29 @@ bool HttpStreamFactoryImpl::Job::IsSpdyAlternate() const {
void HttpStreamFactoryImpl::Job::InitSSLConfig(const HostPortPair& server,
SSLConfig* ssl_config,
bool is_proxy) const {
+ if (!is_proxy) {
+ // Prior to HTTP/2 and SPDY, some servers use TLS renegotiation to request
+ // TLS client authentication after the HTTP request was sent. Allow
+ // renegotiation for only those connections.
+ //
+ // Note that this does NOT implement the provision in
+ // https://http2.github.io/http2-spec/#rfc.section.9.2.1 which allows the
+ // server to request a renegotiation immediately before sending the
+ // connection preface as waiting for the preface would cost the round trip
+ // that False Start otherwise saves.
+ ssl_config->renego_allowed_default = true;
+ ssl_config->renego_allowed_for_protos.push_back(kProtoHTTP11);
+ }
+
if (proxy_info_.is_https() && ssl_config->send_client_cert) {
// When connecting through an HTTPS proxy, disable TLS False Start so
// that client authentication errors can be distinguished between those
// originating from the proxy server (ERR_PROXY_CONNECTION_FAILED) and
// those originating from the endpoint (ERR_SSL_PROTOCOL_ERROR /
// ERR_BAD_SSL_CLIENT_AUTH_CERT).
- // TODO(rch): This assumes that the HTTPS proxy will only request a
- // client certificate during the initial handshake.
- // http://crbug.com/59292
+ //
+ // This assumes the proxy will only request certificates on the initial
+ // handshake; renegotiation on the proxy connection is unsupported.
ssl_config->false_start_enabled = false;
}
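Review bot: The new comment "Allow renegotiation for only those connections" at the top of the `!is_proxy` block is narrower than what the two assignments below it do. `renego_allowed_default = true` permits renegotiation on any non-proxy connection where no protocol was negotiated via NPN/ALPN, not only on connections that explicitly negotiated HTTP/1.1; only `renego_allowed_for_protos.push_back(kProtoHTTP11)` is the HTTP/1.1-specific part. Consider stating both cases in the comment so a reader does not assume renegotiation is blocked on a non-proxy TLS connection with no negotiated protocol. Two smaller points: `push_back` will append a duplicate `kProtoHTTP11` if `InitSSLConfig` is ever called twice on the same `SSLConfig` (for example on a retry path), so assigning the vector or guarding the push would be safer; and the removed `TODO(rch)` carried the tracker reference `http://crbug.com/59292`, which is worth keeping in the rewritten comment if that bug is still the place where unsupported proxy renegotiation is tracked.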