SSL in EmbeddedTestServer

net/ssl/ssl_server_config.h

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_SSL_SSL_SERVER_CONFIG_H_
+#define NET_SSL_SSL_SERVER_CONFIG_H_
+
+#include "base/basictypes.h"
+#include "net/base/net_export.h"
+#include "net/ssl/ssl_config.h"
+
+namespace net {
+
+// A collection of SSLServer-related configuration settings.

[davidben, 2015/10/13 19:43:47]

Maybe change "SSLServer-related" to "server-side SSL-related"

[svaldez, 2015/10/13 20:54:43]

Done.

+struct NET_EXPORT SSLServerConfig {
+  // Defaults
+  SSLServerConfig();
+  ~SSLServerConfig();
+
+  enum ServerCertificate {
+    CERT_OK,
+    CERT_MISMATCHED_NAME,
+    CERT_COMMON_NAME_IS_DOMAIN,
+    CERT_EXPIRED,
+    CERT_BAD_VALIDITY,
+    CERT_CHAIN_WRONG_ROOT,

[davidben, 2015/10/13 19:43:47]

Document what these certificates are. (It might be worth pulling the enum and
some of the lookup functions into their file somewhere in net/test, shared
between the two servers. Then we only document once.)

[svaldez, 2015/10/13 20:54:43]

Done.

+  };
+
+  // The minimum and maximum protocol versions that are enabled.
+  // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.)

[davidben, 2015/10/13 19:43:47]

above? :-)

[svaldez, 2015/10/13 20:54:43]

Done.

+  // SSL 2.0 and SSL 3.0 are not supported. If version_max < version_min, it
+  // means no protocol versions are enabled.
+  uint16 version_min;

[davidben, 2015/10/13 19:43:47]

Nit: new code should use uint16_t and friends from <stdint.h>

[svaldez, 2015/10/13 20:54:43]

Done.

+  uint16 version_max;
+
+  // Presorted list of cipher suites which should be explicitly prevented from
+  // being used in addition to those disabled by the net built-in policy.
+  //
+  // By default, all cipher suites supported by the underlying SSL
+  // implementation will be enabled except for:
+  // - Null encryption cipher suites.
+  // - Weak cipher suites: < 80 bits of security strength.
+  // - FORTEZZA cipher suites (obsolete).
+  // - IDEA cipher suites (RFC 5469 explains why).
+  // - Anonymous cipher suites.
+  // - ECDSA cipher suites on platforms that do not support ECDSA signed
+  //   certificates, as servers may use the presence of such ciphersuites as a
+  //   hint to send an ECDSA certificate.
+  // The ciphers listed in |disabled_cipher_suites| will be removed in addition
+  // to the above list.
+  //
+  // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in
+  // big-endian form, they should be declared in host byte order, with the
+  // first uint8 occupying the most significant byte.
+  // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
+  // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
+  std::vector<uint16> disabled_cipher_suites;
+
+  // If true, causes only ECDHE cipher suites to be enabled.
+  bool require_ecdhe;
+
+  // Requires a Client Cert for Client Auth.

[davidben, 2015/10/13 19:43:47]

Nit: Client Cert -> client certificate
     Client Auth -> client authentication

[svaldez, 2015/10/13 20:54:43]

Done.

+  bool require_client_cert;

[davidben, 2015/10/13 19:43:47]

Should mention this requires any client certificate but doesn't enforce anything
about it.

[svaldez, 2015/10/13 20:54:43]

Done.

+
+  // The certificate kind to use when serving requests.
+  ServerCertificate server_cert;

[davidben, 2015/10/13 19:43:47]

This enum isn't used by SSLServerSocket, so it should be in the test server's
config. I would suggest that either EmbeddedTestServer gets its own config
struct that then converts to whatever SSLServerSocket uses, or that you pass the
enum into EmbeddedTestServer as a separate parameter.

[svaldez, 2015/10/13 20:54:43]

This seems to be fairly closely connected to the SSL configuration, and will end
up needing to be here when we modify the server socket to deal with OCSP. It
also seems like having an additional configuration structure for ETS is
redundant, especially since we want to eventually reach a point where
SpawnedTestServer can also share this structure.

+};
+
+}  // namespace net
+
+#endif  // NET_SSL_SSL_SERVER_CONFIG_H_