| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "build/build_config.h" | 5 #include "build/build_config.h" |
| 6 | 6 |
| 7 #if defined(OS_WIN) | 7 #if defined(OS_WIN) |
| 8 #include <windows.h> | 8 #include <windows.h> |
| 9 #include <shlobj.h> | 9 #include <shlobj.h> |
| 10 #endif | 10 #endif |
| (...skipping 7878 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 7889 public: | 7889 public: |
| 7890 explicit FallbackTestURLRequestContext(bool delay_initialization) | 7890 explicit FallbackTestURLRequestContext(bool delay_initialization) |
| 7891 : TestURLRequestContext(delay_initialization) {} | 7891 : TestURLRequestContext(delay_initialization) {} |
| 7892 | 7892 |
| 7893 void set_fallback_min_version(uint16 version) { | 7893 void set_fallback_min_version(uint16 version) { |
| 7894 TestSSLConfigService *ssl_config_service = | 7894 TestSSLConfigService *ssl_config_service = |
| 7895 new TestSSLConfigService(true /* check for EV */, | 7895 new TestSSLConfigService(true /* check for EV */, |
| 7896 false /* online revocation checking */, | 7896 false /* online revocation checking */, |
| 7897 false /* require rev. checking for local | 7897 false /* require rev. checking for local |
| 7898 anchors */); | 7898 anchors */); |
| 7899 ssl_config_service->set_min_version(SSL_PROTOCOL_VERSION_SSL3); | |
| 7900 ssl_config_service->set_fallback_min_version(version); | 7899 ssl_config_service->set_fallback_min_version(version); |
| 7901 set_ssl_config_service(ssl_config_service); | 7900 set_ssl_config_service(ssl_config_service); |
| 7902 } | 7901 } |
| 7903 }; | 7902 }; |
| 7904 | 7903 |
| 7905 class HTTPSFallbackTest : public testing::Test { | 7904 class HTTPSFallbackTest : public testing::Test { |
| 7906 public: | 7905 public: |
| 7907 HTTPSFallbackTest() : context_(true) {} | 7906 HTTPSFallbackTest() : context_(true) {} |
| 7908 ~HTTPSFallbackTest() override {} | 7907 ~HTTPSFallbackTest() override {} |
| 7909 | 7908 |
| (...skipping 107 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 8017 // Have the server process TLS_FALLBACK_SCSV so that version fallback | 8016 // Have the server process TLS_FALLBACK_SCSV so that version fallback |
| 8018 // connections are rejected. | 8017 // connections are rejected. |
| 8019 ssl_options.fallback_scsv_enabled = true; | 8018 ssl_options.fallback_scsv_enabled = true; |
| 8020 | 8019 |
| 8021 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8020 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 8022 | 8021 |
| 8023 // The original error should be replayed on rejected fallback. | 8022 // The original error should be replayed on rejected fallback. |
| 8024 ExpectFailure(ERR_CONNECTION_CLOSED); | 8023 ExpectFailure(ERR_CONNECTION_CLOSED); |
| 8025 } | 8024 } |
| 8026 | 8025 |
| 8027 // Tests that the SSLv3 fallback doesn't happen by default. | 8026 // Tests that the SSLv3 fallback doesn't happen. |
| 8028 TEST_F(HTTPSFallbackTest, SSLv3Fallback) { | 8027 TEST_F(HTTPSFallbackTest, SSLv3Fallback) { |
| 8029 SpawnedTestServer::SSLOptions ssl_options( | 8028 SpawnedTestServer::SSLOptions ssl_options( |
| 8030 SpawnedTestServer::SSLOptions::CERT_OK); | 8029 SpawnedTestServer::SSLOptions::CERT_OK); |
| 8031 ssl_options.tls_intolerant = | 8030 ssl_options.tls_intolerant = |
| 8032 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | 8031 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
| 8033 | 8032 |
| 8034 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8033 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 8035 ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); | 8034 ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); |
| 8036 } | 8035 } |
| 8037 | 8036 |
| 8038 // Tests that the SSLv3 fallback works when explicitly enabled. | 8037 // Tests that the TLSv1 fallback triggers on closed connections. |
| 8039 TEST_F(HTTPSFallbackTest, SSLv3FallbackEnabled) { | |
| 8040 SpawnedTestServer::SSLOptions ssl_options( | |
| 8041 SpawnedTestServer::SSLOptions::CERT_OK); | |
| 8042 ssl_options.tls_intolerant = | |
| 8043 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | |
| 8044 set_fallback_min_version(SSL_PROTOCOL_VERSION_SSL3); | |
| 8045 | |
| 8046 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | |
| 8047 ExpectConnection(SSL_CONNECTION_VERSION_SSL3); | |
| 8048 } | |
| 8049 | |
| 8050 // Tests that the SSLv3 fallback triggers on closed connections when explicitly | |
| 8051 // enabled. | |
| 8052 TEST_F(HTTPSFallbackTest, SSLv3FallbackClosed) { | 8038 TEST_F(HTTPSFallbackTest, SSLv3FallbackClosed) { |
| 8053 SpawnedTestServer::SSLOptions ssl_options( | 8039 SpawnedTestServer::SSLOptions ssl_options( |
| 8054 SpawnedTestServer::SSLOptions::CERT_OK); | 8040 SpawnedTestServer::SSLOptions::CERT_OK); |
| 8055 ssl_options.tls_intolerant = | 8041 ssl_options.tls_intolerant = |
| 8056 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | 8042 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
| 8057 ssl_options.tls_intolerance_type = | 8043 ssl_options.tls_intolerance_type = |
| 8058 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; | 8044 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
| 8059 set_fallback_min_version(SSL_PROTOCOL_VERSION_SSL3); | |
| 8060 | 8045 |
| 8061 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8046 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 8062 ExpectConnection(SSL_CONNECTION_VERSION_SSL3); | 8047 ExpectConnection(SSL_CONNECTION_VERSION_TLS1); |
| 8063 } | 8048 } |
| 8064 | 8049 |
| 8065 // Test that SSLv3 fallback probe connections don't cause sessions to be cached. | 8050 // Test that fallback probe connections don't cause sessions to be cached. |
| 8066 TEST_F(HTTPSRequestTest, SSLv3FallbackNoCache) { | 8051 TEST_F(HTTPSRequestTest, FallbackProbeNoCache) { |
| 8067 SpawnedTestServer::SSLOptions ssl_options( | 8052 SpawnedTestServer::SSLOptions ssl_options( |
| 8068 SpawnedTestServer::SSLOptions::CERT_OK); | 8053 SpawnedTestServer::SSLOptions::CERT_OK); |
| 8069 ssl_options.tls_intolerant = | 8054 ssl_options.tls_intolerant = |
| 8070 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | 8055 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
| 8071 ssl_options.tls_intolerance_type = | 8056 ssl_options.tls_intolerance_type = |
| 8072 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; | 8057 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
| 8073 ssl_options.record_resume = true; | 8058 ssl_options.record_resume = true; |
| 8074 | 8059 |
| 8075 SpawnedTestServer test_server( | 8060 SpawnedTestServer test_server( |
| 8076 SpawnedTestServer::TYPE_HTTPS, | 8061 SpawnedTestServer::TYPE_HTTPS, |
| 8077 ssl_options, | 8062 ssl_options, |
| 8078 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | 8063 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
| 8079 ASSERT_TRUE(test_server.Start()); | 8064 ASSERT_TRUE(test_server.Start()); |
| 8080 | 8065 |
| 8081 SSLClientSocket::ClearSessionCache(); | 8066 SSLClientSocket::ClearSessionCache(); |
| 8082 | 8067 |
| 8083 // Make a connection that does a probe fallback to SSLv3 but fails because | 8068 // Make a connection that does a probe fallback to TLSv1 but fails because |
| 8084 // SSLv3 fallback is disabled. We don't wish a session for this connection to | 8069 // TLSv1 fallback is disabled. We don't wish a session for this connection to |
| 8085 // be inserted locally. | 8070 // be inserted locally. |
| 8086 { | 8071 { |
| 8087 TestDelegate delegate; | 8072 TestDelegate delegate; |
| 8088 FallbackTestURLRequestContext context(true); | 8073 FallbackTestURLRequestContext context(true); |
| 8089 | 8074 |
| 8090 context.set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1); | 8075 context.set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_2); |
| 8091 context.Init(); | 8076 context.Init(); |
| 8092 scoped_ptr<URLRequest> request(context.CreateRequest( | 8077 scoped_ptr<URLRequest> request(context.CreateRequest( |
| 8093 test_server.GetURL(std::string()), DEFAULT_PRIORITY, &delegate)); | 8078 test_server.GetURL(std::string()), DEFAULT_PRIORITY, &delegate)); |
| 8094 request->Start(); | 8079 request->Start(); |
| 8095 | 8080 |
| 8096 base::RunLoop().Run(); | 8081 base::RunLoop().Run(); |
| 8097 | 8082 |
| 8098 EXPECT_EQ(1, delegate.response_started_count()); | 8083 EXPECT_EQ(1, delegate.response_started_count()); |
| 8099 EXPECT_FALSE(request->status().is_success()); | 8084 EXPECT_FALSE(request->status().is_success()); |
| 8100 EXPECT_EQ(URLRequestStatus::FAILED, request->status().status()); | 8085 EXPECT_EQ(URLRequestStatus::FAILED, request->status().status()); |
| 8101 EXPECT_EQ(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, | 8086 EXPECT_EQ(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, |
| 8102 request->status().error()); | 8087 request->status().error()); |
| 8103 } | 8088 } |
| 8104 | 8089 |
| 8105 // Now allow SSLv3 connections and request the session cache log. | 8090 // Now allow TLSv1 fallback connections and request the session cache log. |
| 8106 { | 8091 { |
| 8107 TestDelegate delegate; | 8092 TestDelegate delegate; |
| 8108 FallbackTestURLRequestContext context(true); | 8093 FallbackTestURLRequestContext context(true); |
| 8109 context.set_fallback_min_version(SSL_PROTOCOL_VERSION_SSL3); | 8094 context.set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1); |
| 8110 | 8095 |
| 8111 context.Init(); | 8096 context.Init(); |
| 8112 scoped_ptr<URLRequest> request(context.CreateRequest( | 8097 scoped_ptr<URLRequest> request(context.CreateRequest( |
| 8113 test_server.GetURL("ssl-session-cache"), DEFAULT_PRIORITY, &delegate)); | 8098 test_server.GetURL("ssl-session-cache"), DEFAULT_PRIORITY, &delegate)); |
| 8114 request->Start(); | 8099 request->Start(); |
| 8115 | 8100 |
| 8116 base::RunLoop().Run(); | 8101 base::RunLoop().Run(); |
| 8117 | 8102 |
| 8118 EXPECT_EQ(1, delegate.response_started_count()); | 8103 EXPECT_EQ(1, delegate.response_started_count()); |
| 8119 EXPECT_NE(0, delegate.bytes_received()); | 8104 EXPECT_NE(0, delegate.bytes_received()); |
| 8120 EXPECT_EQ(SSL_CONNECTION_VERSION_SSL3, SSLConnectionStatusToVersion( | 8105 EXPECT_EQ( |
| 8121 request->ssl_info().connection_status)); | 8106 SSL_CONNECTION_VERSION_TLS1, |
| 8107 SSLConnectionStatusToVersion(request->ssl_info().connection_status)); |
| 8122 EXPECT_TRUE(request->ssl_info().connection_status & | 8108 EXPECT_TRUE(request->ssl_info().connection_status & |
| 8123 SSL_CONNECTION_VERSION_FALLBACK); | 8109 SSL_CONNECTION_VERSION_FALLBACK); |
| 8124 | 8110 |
| 8125 std::vector<std::string> lines; | 8111 std::vector<std::string> lines; |
| 8126 // If no sessions were cached then the server should have seen two sessions | 8112 // If no sessions were cached then the server should have seen two sessions |
| 8127 // inserted with no lookups. | 8113 // inserted with no lookups. |
| 8128 AssertTwoDistinctSessionsInserted(delegate.data_received()); | 8114 AssertTwoDistinctSessionsInserted(delegate.data_received()); |
| 8129 } | 8115 } |
| 8130 } | 8116 } |
| 8131 | 8117 |
| 8132 // This test is disabled on Android because the remote test server doesn't cause | |
| 8133 // a TCP reset. | |
| 8134 #if !defined(OS_ANDROID) | |
| 8135 // Tests that a reset connection does not fallback down to SSL3. | |
| 8136 TEST_F(HTTPSFallbackTest, SSLv3NoFallbackReset) { | |
| 8137 SpawnedTestServer::SSLOptions ssl_options( | |
| 8138 SpawnedTestServer::SSLOptions::CERT_OK); | |
| 8139 ssl_options.tls_intolerant = | |
| 8140 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | |
| 8141 ssl_options.tls_intolerance_type = | |
| 8142 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET; | |
| 8143 | |
| 8144 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | |
| 8145 ExpectFailure(ERR_CONNECTION_RESET); | |
| 8146 } | |
| 8147 #endif // !OS_ANDROID | |
| 8148 | |
| 8149 class HTTPSSessionTest : public testing::Test { | 8118 class HTTPSSessionTest : public testing::Test { |
| 8150 public: | 8119 public: |
| 8151 HTTPSSessionTest() : default_context_(true) { | 8120 HTTPSSessionTest() : default_context_(true) { |
| 8152 cert_verifier_.set_default_result(OK); | 8121 cert_verifier_.set_default_result(OK); |
| 8153 | 8122 |
| 8154 default_context_.set_network_delegate(&default_network_delegate_); | 8123 default_context_.set_network_delegate(&default_network_delegate_); |
| 8155 default_context_.set_cert_verifier(&cert_verifier_); | 8124 default_context_.set_cert_verifier(&cert_verifier_); |
| 8156 default_context_.Init(); | 8125 default_context_.Init(); |
| 8157 } | 8126 } |
| 8158 ~HTTPSSessionTest() override {} | 8127 ~HTTPSSessionTest() override {} |
| (...skipping 955 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9114 | 9083 |
| 9115 EXPECT_FALSE(r->is_pending()); | 9084 EXPECT_FALSE(r->is_pending()); |
| 9116 EXPECT_EQ(1, d->response_started_count()); | 9085 EXPECT_EQ(1, d->response_started_count()); |
| 9117 EXPECT_FALSE(d->received_data_before_response()); | 9086 EXPECT_FALSE(d->received_data_before_response()); |
| 9118 EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size)); | 9087 EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size)); |
| 9119 } | 9088 } |
| 9120 } | 9089 } |
| 9121 #endif // !defined(DISABLE_FTP_SUPPORT) | 9090 #endif // !defined(DISABLE_FTP_SUPPORT) |
| 9122 | 9091 |
| 9123 } // namespace net | 9092 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1139013002:
Completely remove SSLv3 support. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master