Use cert config options in SSLServerSocketOpenSSL.

net/socket/ssl_server_socket_openssl.cc

Index: net/socket/ssl_server_socket_openssl.cc
diff --git a/net/socket/ssl_server_socket_openssl.cc b/net/socket/ssl_server_socket_openssl.cc
index 6bc13e6a3469942dcf75cd31ee29be8185780980..ab5cc7699fee9b2cf5192c3e3bfabb9ff05069d7 100644
--- a/net/socket/ssl_server_socket_openssl.cc
+++ b/net/socket/ssl_server_socket_openssl.cc
@@ -9,6 +9,7 @@
 
 #include "base/callback_helpers.h"
 #include "base/logging.h"
+#include "base/strings/string_util.h"
 #include "crypto/openssl_util.h"
 #include "crypto/rsa_private_key.h"
 #include "crypto/scoped_openssl_types.h"
@@ -685,6 +686,49 @@ int SSLServerSocketOpenSSL::Init() {
   SSL_set_mode(ssl_, mode.set_mask);
   SSL_clear_mode(ssl_, mode.clear_mask);
 
+  // Removing ciphers by ID from OpenSSL is a bit involved as we must use the
+  // textual name with SSL_set_cipher_list because there is no public API to
+  // directly remove a cipher by ID.
+  STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl_);
+  DCHECK(ciphers);
+  // See SSLConfig::disabled_cipher_suites for description of the suites
+  // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256
+  // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384
+  // as the handshake hash.
+  std::string command(
+      "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK:!RC4");

[Sergey Ulanov, 2015/05/12 18:55:47]

This is the same string that's used for client sockets with "!RC4" added at the
end.
But can this be changed to "DEFAULT" now with boringssl?

[davidben, 2015/05/12 19:05:16]

It can be pruned significantly, but we do still want to prune out
!SHA256:!SHA384:!AESGCM+AES256. Probably also worth pruning out !aPSK even
though BoringSSL will do that automatically by virtue of not configuring PSK
options.

[davidben, 2015/05/12 19:05:16]

The !RC4 shouldn't be there. It's still enabled on the NSS side. It might be
worth pruning that from SSLServerSocket, but we should do that separately as
it'd need to be mirrored on NSS as well.

[Sergey Ulanov, 2015/05/12 19:42:21]

Done.

[Sergey Ulanov, 2015/05/12 19:42:21]

Done.

+  // Walk through all the installed ciphers, seeing if any need to be
+  // appended to the cipher removal |command|.
+  for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {
+    const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i);
+    const uint16_t id = static_cast<uint16_t>(SSL_CIPHER_get_id(cipher));
+    const char* name = SSL_CIPHER_get_name(cipher);

[davidben, 2015/05/12 19:05:16]

Nit: This line can be moved down to the block in line 717.

[Sergey Ulanov, 2015/05/12 19:42:21]

Done.

+
+    bool disable = false;
+    if (ssl_config_.require_ecdhe) {
+      StringPiece kx_name(SSL_CIPHER_get_kx_name(cipher));

[davidben, 2015/05/12 19:05:16]

Shouldn't this be base::StringPiece?

[Sergey Ulanov, 2015/05/12 19:42:21]

Done.

+      disable = kx_name != "ECDHE_RSA") && kx_name != "ECDHE_ECDSA";

[davidben, 2015/05/12 19:05:16]

Stray )?

[Sergey Ulanov, 2015/05/12 19:42:21]

Apparently I was trying to compile this code with use_openssl=0 :(

+    }
+    if (!disable) {
+      disable = std::find(ssl_config_.disabled_cipher_suites.begin(),
+                          ssl_config_.disabled_cipher_suites.end(),
+                          id) != ssl_config_.disabled_cipher_suites.end();
+    }
+    if (disable) {
+      DVLOG(3) << "Found cipher to remove: '" << name << "', ID: " << id
+               << " strength: " << SSL_CIPHER_get_bits(cipher, NULL);
+      command.append(":!");
+      command.append(name);
+    }
+  }
+
+  int rv = SSL_set_cipher_list(ssl_, command.c_str());
+  // If this fails (rv = 0) it means there are no ciphers enabled on this SSL.
+  // This will almost certainly result in the socket failing to complete the
+  // handshake at which point the appropriate error is bubbled up to the client.
+  LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command
+                           << "') returned " << rv;
+
   return OK;
 }