
Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 14125003: Do not roll back to SSL 3.0 for Google properties. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 7 years, 8 months ago
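--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ -3466,20 +3466,54 @@
 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
 TransportSecurityState::ReportUMAOnPinFailure(host);
 } else {
 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
 }
 }
 }
 #endif
 
+// Persist the negotiated SSL version if it is newer than the minimum
+// version. This is used to prevent SSLv3 fallback for domains known
+// to support TLS.
+
+// Note: this is effective only for non-preloaded HSTS hosts.
+
+// TODO(thaidn): determine if the negotiated version is authenticated
+// at this point. Chrome must not use it if it isn't; otherwise MITM
+// attackers can perform a permanent DoS attack against users by setting
+// the version to TLSv1.2 for non-TLSv1.2 servers.
+if (transport_security_state_ &&
+result == OK) {
+bool sni_available =
+ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 ||
+ssl_config_.version_fallback;
+const std::string& host = host_and_port_.host();
+TransportSecurityState::DomainState domain_state;
+
+if (transport_security_state_->GetDomainState(host, sni_available,
+&domain_state)) {
+// Update the minimum version of existing |domain_state| if necessary.
+int ssl_version = SSLConnectionStatusToVersion(
+core_->state().ssl_connection_status);
+if (ssl_version > SSL_CONNECTION_VERSION_UNKNOWN &&
+ssl_version < SSL_CONNECTION_VERSION_MAX &&
+ssl_version > domain_state.ssl_version_min) {
+domain_state.ssl_version_min =
+static_cast<SSL_CONNECTION_VERSION>(ssl_version);
+}
+}
+// Note: the default value of |domain_state.ssl_version_min| is SSLv3.
+transport_security_state_->EnableHost(host, domain_state);
+}
+
 // Exit DoHandshakeLoop and return the result to the caller to Connect.
 DCHECK_EQ(STATE_NONE, next_handshake_state_);
 return result;
 }
 
 void SSLClientSocketNSS::LogConnectionTypeMetrics() const {
 UpdateConnectionTypeHistograms(CONNECTION_SSL);
 if (server_cert_verify_result_.has_md5)
 UpdateConnectionTypeHistograms(CONNECTION_SSL_MD5);
 if (server_cert_verify_result_.has_md2)
@@ -3522,10 +3556,10 @@
 EnsureThreadIdAssigned();
 base::AutoLock auto_lock(lock_);
 return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
 return server_bound_cert_service_;
 }
 
 } // namespace net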
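Review bot: `EnableHost(host, domain_state)` at new line 3507 runs outside the `GetDomainState` check, so every host that completes a verified TLS connection gets a DomainState written even when nothing changed — for a host with no prior entry it is a default-constructed one whose ssl_version_min is still SSLv3 (as the comment above it notes), so the fallback protection never starts for that host yet an entry is persisted for it. Unless DomainState's defaults are known to be inert (not visible from this hunk), that risks turning on whatever a default entry means for arbitrary hosts and grows the persisted transport-security state into a list of visited hosts; I would move `transport_security_state_->EnableHost(host, domain_state);` into the inner `if` that raises `ssl_version_min`, so the write happens only when the floor actually moves. On the TODO at 3482-3485: once the handshake has completed the Finished MAC binds the ServerHello version, and `result == OK` means the peer's key was verified, so a pure network attacker cannot raise the floor — but if `result` can also be OK for a user-accepted bad certificate (the allowed-bad-certs path elsewhere in this file, if I recall the state machine correctly), a proxy the user clicked through could persistently pin the host to TLS 1.2, and gating the persist additionally on a clean `server_cert_verify_result_.cert_status` would close that. The enclosing DoVerifyCertComplete() body begins before this hunk.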
