Completely remove SSLv3 support.

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <errno.h>
@@ skipping 82 matching lines @@
          ((compression & SSL_CONNECTION_COMPRESSION_MASK) <<
           SSL_CONNECTION_COMPRESSION_SHIFT) |
          ((version & SSL_CONNECTION_VERSION_MASK) <<
           SSL_CONNECTION_VERSION_SHIFT);
 }
 
 // Returns the net SSL version number (see ssl_connection_status_flags.h) for
 // this SSL connection.
 int GetNetSSLVersion(SSL* ssl) {
   switch (SSL_version(ssl)) {
-    case SSL2_VERSION:
-      return SSL_CONNECTION_VERSION_SSL2;
-    case SSL3_VERSION:
-      return SSL_CONNECTION_VERSION_SSL3;
     case TLS1_VERSION:
       return SSL_CONNECTION_VERSION_TLS1;
     case TLS1_1_VERSION:
       return SSL_CONNECTION_VERSION_TLS1_1;
     case TLS1_2_VERSION:
       return SSL_CONNECTION_VERSION_TLS1_2;
     default:
+      NOTREACHED();
       return SSL_CONNECTION_VERSION_UNKNOWN;
   }
 }
 
 ScopedX509 OSCertHandleToOpenSSL(
     X509Certificate::OSCertHandle os_handle) {
 #if defined(USE_OPENSSL_CERTS)
   return ScopedX509(X509Certificate::DupOSCertHandle(os_handle));
 #else  // !defined(USE_OPENSSL_CERTS)
   std::string der_encoded;
@@ skipping 582 matching lines @@
     return ERR_UNEXPECTED;
   DCHECK(ssl_bio);
   DCHECK(transport_bio_);
 
   // Install a callback on OpenSSL's end to plumb transport errors through.
   BIO_set_callback(ssl_bio, &SSLClientSocketOpenSSL::BIOCallback);
   BIO_set_callback_arg(ssl_bio, reinterpret_cast<char*>(this));
 
   SSL_set_bio(ssl_, ssl_bio, ssl_bio);
 
+  DCHECK_LT(SSL3_VERSION, ssl_config_.version_min);
+  DCHECK_LT(SSL3_VERSION, ssl_config_.version_max);
+  SSL_set_min_version(ssl_, ssl_config_.version_min);
+  SSL_set_max_version(ssl_, ssl_config_.version_max);

[davidben, 2015/05/13 20:46:19]

This is a newer API we added but I apparently never got around to switching it.

(The SSL_OP_NO_SSLv3 flags are weird. For instance, what does this do?

  options.ConfigureFlag(SSL_OP_NO_SSLv2, false);
  options.ConfigureFlag(SSL_OP_NO_SSLv3, false);
  options.ConfigureFlag(SSL_OP_NO_TLSv1, false);
  options.ConfigureFlag(SSL_OP_NO_TLSv1_1, true);
  options.ConfigureFlag(SSL_OP_NO_TLSv1_2, false);

Answer: advertise a maximum version of TLS 1.0, but if the server responds with
TLS 1.2, that's OK.)

+
   // OpenSSL defaults some options to on, others to off. To avoid ambiguity,
   // set everything we care about to an absolute value.
   SslSetClearMask options;
-  options.ConfigureFlag(SSL_OP_NO_SSLv2, true);
-  bool ssl3_enabled = (ssl_config_.version_min == SSL_PROTOCOL_VERSION_SSL3);
-  options.ConfigureFlag(SSL_OP_NO_SSLv3, !ssl3_enabled);
-  bool tls1_enabled = (ssl_config_.version_min <= SSL_PROTOCOL_VERSION_TLS1 &&
-                       ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1);
-  options.ConfigureFlag(SSL_OP_NO_TLSv1, !tls1_enabled);
-  bool tls1_1_enabled =
-      (ssl_config_.version_min <= SSL_PROTOCOL_VERSION_TLS1_1 &&
-       ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1_1);
-  options.ConfigureFlag(SSL_OP_NO_TLSv1_1, !tls1_1_enabled);
-  bool tls1_2_enabled =
-      (ssl_config_.version_min <= SSL_PROTOCOL_VERSION_TLS1_2 &&
-       ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1_2);
-  options.ConfigureFlag(SSL_OP_NO_TLSv1_2, !tls1_2_enabled);
-
   options.ConfigureFlag(SSL_OP_NO_COMPRESSION, true);
 
   // TODO(joth): Set this conditionally, see http://crbug.com/55410
   options.ConfigureFlag(SSL_OP_LEGACY_SERVER_CONNECT, true);
 
   SSL_set_options(ssl_, options.set_mask);
   SSL_clear_options(ssl_, options.clear_mask);
 
   // Same as above, this time for the SSL mode.
   SslSetClearMask mode;
@@ skipping 1129 matching lines @@
 
 std::string SSLClientSocketOpenSSL::GetSessionCacheKey() const {
   std::string result = host_and_port_.ToString();
   result.append("/");
   result.append(ssl_session_cache_shard_);
 
   // Shard the session cache based on maximum protocol version. This causes
   // fallback connections to use a separate session cache.
   result.append("/");
   switch (ssl_config_.version_max) {
-    case SSL_PROTOCOL_VERSION_SSL3:
-      result.append("ssl3");
-      break;
     case SSL_PROTOCOL_VERSION_TLS1:
       result.append("tls1");
       break;
     case SSL_PROTOCOL_VERSION_TLS1_1:
       result.append("tls1.1");
       break;
     case SSL_PROTOCOL_VERSION_TLS1_2:
       result.append("tls1.2");
       break;
     default:
@@ skipping 18 matching lines @@
   }
   return false;
 }
 
 scoped_refptr<X509Certificate>
 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const {
   return server_cert_;
 }
 
 }  // namespace net