Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(138)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/ssl/ssl_config.h

Issue 1139013002: Completely remove SSLv3 support. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/socket/ssl_client_socket_openssl.cc ('K') | « net/socket/ssl_server_socket_openssl.cc ('k') | net/ssl/ssl_config_service_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef NET_SSL_SSL_CONFIG_H_ 5 #ifndef NET_SSL_SSL_CONFIG_H_
6 #define NET_SSL_SSL_CONFIG_H_ 6 #define NET_SSL_SSL_CONFIG_H_
7 7
8 #include "base/basictypes.h" 8 #include "base/basictypes.h"
9 #include "base/memory/ref_counted.h" 9 #include "base/memory/ref_counted.h"
10 #include "net/base/net_export.h" 10 #include "net/base/net_export.h"
11 #include "net/cert/x509_certificate.h" 11 #include "net/cert/x509_certificate.h"
12 #include "net/socket/next_proto.h" 12 #include "net/socket/next_proto.h"
13 13
14 namespace net { 14 namespace net {
15 15
16 // Various TLS/SSL ProtocolVersion values encoded as uint16 16 // Various TLS/SSL ProtocolVersion values encoded as uint16
17 // struct { 17 // struct {
18 // uint8 major; 18 // uint8 major;
19 // uint8 minor; 19 // uint8 minor;
20 // } ProtocolVersion; 20 // } ProtocolVersion;
21 // The most significant byte is |major|, and the least significant byte 21 // The most significant byte is |major|, and the least significant byte
22 // is |minor|. 22 // is |minor|.
23 enum { 23 enum {
24 SSL_PROTOCOL_VERSION_SSL3 = 0x0300,
25 SSL_PROTOCOL_VERSION_TLS1 = 0x0301, 24 SSL_PROTOCOL_VERSION_TLS1 = 0x0301,
26 SSL_PROTOCOL_VERSION_TLS1_1 = 0x0302, 25 SSL_PROTOCOL_VERSION_TLS1_1 = 0x0302,
27 SSL_PROTOCOL_VERSION_TLS1_2 = 0x0303, 26 SSL_PROTOCOL_VERSION_TLS1_2 = 0x0303,
28 }; 27 };
29 28
30 // Default minimum protocol version. 29 // Default minimum protocol version.
31 NET_EXPORT extern const uint16 kDefaultSSLVersionMin; 30 NET_EXPORT extern const uint16 kDefaultSSLVersionMin;
32 31
33 // For maximum supported protocol version, use 32 // For maximum supported protocol version, use
34 // SSLClientSocket::GetMaxSupportedSSLVersion(). 33 // SSLClientSocket::GetMaxSupportedSSLVersion().
35 34
36 // Default minimum protocol version that it's acceptable to fallback to. 35 // Default minimum protocol version that it's acceptable to fallback to.
37 NET_EXPORT extern const uint16 kDefaultSSLVersionFallbackMin; 36 NET_EXPORT extern const uint16 kDefaultSSLVersionFallbackMin;
38 37
39 // A collection of SSL-related configuration settings. 38 // A collection of SSL-related configuration settings.
40 struct NET_EXPORT SSLConfig { 39 struct NET_EXPORT SSLConfig {
41 // Default to revocation checking. 40 // Default to revocation checking.
42 // Default to SSL 3.0 ~ default_version_max() on.
43 SSLConfig(); 41 SSLConfig();
44 ~SSLConfig(); 42 ~SSLConfig();
45 43
46 // Returns true if |cert| is one of the certs in |allowed_bad_certs|. 44 // Returns true if |cert| is one of the certs in |allowed_bad_certs|.
47 // The expected cert status is written to |cert_status|. |*cert_status| can 45 // The expected cert status is written to |cert_status|. |*cert_status| can
48 // be NULL if user doesn't care about the cert status. 46 // be NULL if user doesn't care about the cert status.
49 bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const; 47 bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const;
50 48
51 // Same as above except works with DER encoded certificates instead 49 // Same as above except works with DER encoded certificates instead
52 // of X509Certificate. 50 // of X509Certificate.
(...skipping 10 matching lines...) Expand all
63 // rev_checking_required_local_anchors is true if revocation checking is 61 // rev_checking_required_local_anchors is true if revocation checking is
64 // required to succeed when certificates chain to local trust anchors (that 62 // required to succeed when certificates chain to local trust anchors (that
65 // is, non-public CAs). If revocation information cannot be obtained, such 63 // is, non-public CAs). If revocation information cannot be obtained, such
66 // certificates will be treated as revoked ("hard-fail"). 64 // certificates will be treated as revoked ("hard-fail").
67 // Note: This is distinct from rev_checking_enabled. If true, it is 65 // Note: This is distinct from rev_checking_enabled. If true, it is
68 // equivalent to also setting rev_checking_enabled, but only when the 66 // equivalent to also setting rev_checking_enabled, but only when the
69 // certificate chain chains to a local (non-public) trust anchor. 67 // certificate chain chains to a local (non-public) trust anchor.
70 bool rev_checking_required_local_anchors; 68 bool rev_checking_required_local_anchors;
71 69
72 // The minimum and maximum protocol versions that are enabled. 70 // The minimum and maximum protocol versions that are enabled.
73 // SSL 3.0 is 0x0300, TLS 1.0 is 0x0301, TLS 1.1 is 0x0302, and so on.
74 // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.) 71 // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.)
75 // SSL 2.0 is not supported. If version_max < version_min, it means no 72 // SSL 2.0 and SSL 3.0 are not supported. If version_max < version_min, it
76 // protocol versions are enabled. 73 // means no protocol versions are enabled.
77 uint16 version_min; 74 uint16 version_min;
78 uint16 version_max; 75 uint16 version_max;
79 76
80 // version_fallback_min contains the minimum version that is acceptable to 77 // version_fallback_min contains the minimum version that is acceptable to
81 // fallback to. Versions before this may be tried to see whether they would 78 // fallback to. Versions before this may be tried to see whether they would
82 // have succeeded and thus to give a better message to the user, but the 79 // have succeeded and thus to give a better message to the user, but the
83 // resulting connection won't be used in these cases. 80 // resulting connection won't be used in these cases.
84 uint16 version_fallback_min; 81 uint16 version_fallback_min;
85 82
86 // Presorted list of cipher suites which should be explicitly prevented from 83 // Presorted list of cipher suites which should be explicitly prevented from
(...skipping 90 matching lines...) Expand 10 before | Expand all | Expand 10 after
177 // |fastradio_padding_eligible| can be true when |fastradio_padding_enabled| 174 // |fastradio_padding_eligible| can be true when |fastradio_padding_enabled|
178 // is false: in this case, fastradio padding would not be enabled, but 175 // is false: in this case, fastradio padding would not be enabled, but
179 // metrics can be collected for experiments. 176 // metrics can be collected for experiments.
180 bool fastradio_padding_enabled; 177 bool fastradio_padding_enabled;
181 bool fastradio_padding_eligible; 178 bool fastradio_padding_eligible;
182 }; 179 };
183 180
184 } // namespace net 181 } // namespace net
185 182
186 #endif // NET_SSL_SSL_CONFIG_H_ 183 #endif // NET_SSL_SSL_CONFIG_H_
OLDNEW
« net/socket/ssl_client_socket_openssl.cc ('K') | « net/socket/ssl_server_socket_openssl.cc ('k') | net/ssl/ssl_config_service_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698