
Side by Side Diff: net/ssl/ssl_config_service.cc

Issue 14125003: Do not roll back to SSL 3.0 for Google properties. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Remove learning mode. Enforce TLS for Google's properties. Created 7 years, 8 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/ssl/ssl_config_service.h" 5 #include "net/ssl/ssl_config_service.h"
6 6
7 #include "base/lazy_instance.h" 7 #include "base/lazy_instance.h"
8 #include "base/memory/ref_counted.h" 8 #include "base/memory/ref_counted.h"
9 #include "base/synchronization/lock.h" 9 #include "base/synchronization/lock.h"
10 #include "net/cert/crl_set.h" 10 #include "net/cert/crl_set.h"
(...skipping 22 matching lines...) Expand all
33 33
34 SSLConfig::CertAndStatus::~CertAndStatus() {} 34 SSLConfig::CertAndStatus::~CertAndStatus() {}
35 35
36 SSLConfig::SSLConfig() 36 SSLConfig::SSLConfig()
37 : rev_checking_enabled(false), 37 : rev_checking_enabled(false),
38 version_min(g_default_version_min), 38 version_min(g_default_version_min),
39 version_max(g_default_version_max), 39 version_max(g_default_version_max),
40 cached_info_enabled(false), 40 cached_info_enabled(false),
41 channel_id_enabled(true), 41 channel_id_enabled(true),
42 false_start_enabled(true), 42 false_start_enabled(true),
43 ssl_version_min_preloaded_disabled(false),
43 send_client_cert(false), 44 send_client_cert(false),
44 verify_ev_cert(false), 45 verify_ev_cert(false),
45 version_fallback(false), 46 version_fallback(false),
46 cert_io_enabled(true) { 47 cert_io_enabled(true) {
47 } 48 }
48 49
49 SSLConfig::~SSLConfig() { 50 SSLConfig::~SSLConfig() {
50 } 51 }
51 52
52 bool SSLConfig::IsAllowedBadCert(X509Certificate* cert, 53 bool SSLConfig::IsAllowedBadCert(X509Certificate* cert,
53 CertStatus* cert_status) const { 54 CertStatus* cert_status) const {
54 std::string der_cert; 55 std::string der_cert;
55 if (!X509Certificate::GetDEREncoded(cert->os_cert_handle(), &der_cert)) 56 if (!X509Certificate::GetDEREncoded(cert->os_cert_handle(), &der_cert))
56 return false; 57 return false;
57 return IsAllowedBadCert(der_cert, cert_status); 58 return IsAllowedBadCert(der_cert, cert_status);
58 } 59 }
59 60
60 bool SSLConfig::IsAllowedBadCert(const base::StringPiece& der_cert, 61 bool SSLConfig::IsAllowedBadCert(const base::StringPiece& der_cert,
61 CertStatus* cert_status) const { 62 CertStatus* cert_status) const {
62 for (size_t i = 0; i < allowed_bad_certs.size(); ++i) { 63 for (size_t i = 0; i < allowed_bad_certs.size(); ++i) {
63 if (der_cert == allowed_bad_certs[i].der_cert) { 64 if (der_cert == allowed_bad_certs[i].der_cert) {
64 if (cert_status) 65 if (cert_status)
65 *cert_status = allowed_bad_certs[i].cert_status; 66 *cert_status = allowed_bad_certs[i].cert_status;
66 return true; 67 return true;
67 } 68 }
68 } 69 }
69 return false; 70 return false;
70 } 71 }
71 72
73 // static
74 std::string SSLConfig::SSLProtocolVersionToString(uint16 version) {
75 switch (version) {
76 case net::SSL_PROTOCOL_VERSION_SSL3:
77 return "ssl3";
78 case net::SSL_PROTOCOL_VERSION_TLS1:
79 return "tls1";
80 case net::SSL_PROTOCOL_VERSION_TLS1_1:
81 return "tls1.1";
82 case net::SSL_PROTOCOL_VERSION_TLS1_2:
83 return "tls1.2";
84 default:
85 NOTREACHED();
86 return std::string();
87 }
88 }
89
90 // static
91 uint16 SSLConfig::SSLProtocolVersionFromString(const std::string& version_str) {
92 uint16 version = 0; // Invalid.
93 if (version_str == "ssl3") {
94 version = net::SSL_PROTOCOL_VERSION_SSL3;
95 } else if (version_str == "tls1") {
96 version = net::SSL_PROTOCOL_VERSION_TLS1;
97 } else if (version_str == "tls1.1") {
98 version = net::SSL_PROTOCOL_VERSION_TLS1_1;
99 } else if (version_str == "tls1.2") {
100 version = net::SSL_PROTOCOL_VERSION_TLS1_2;
101 }
102 return version;
103 }
104
72 SSLConfigService::SSLConfigService() 105 SSLConfigService::SSLConfigService()
73 : observer_list_(ObserverList<Observer>::NOTIFY_EXISTING_ONLY) { 106 : observer_list_(ObserverList<Observer>::NOTIFY_EXISTING_ONLY) {
74 } 107 }
75 108
76 static bool g_cached_info_enabled = false; 109 static bool g_cached_info_enabled = false;
77 110
78 // GlobalCRLSet holds a reference to the global CRLSet. It simply wraps a lock 111 // GlobalCRLSet holds a reference to the global CRLSet. It simply wraps a lock
79 // around a scoped_refptr so that getting a reference doesn't race with 112 // around a scoped_refptr so that getting a reference doesn't race with
80 // updating the CRLSet. 113 // updating the CRLSet.
81 class GlobalCRLSet { 114 class GlobalCRLSet {
(...skipping 65 matching lines...) Expand 10 before | Expand all | Expand 10 after
147 ssl_config->cached_info_enabled = g_cached_info_enabled; 180 ssl_config->cached_info_enabled = g_cached_info_enabled;
148 } 181 }
149 182
150 void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config, 183 void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
151 const SSLConfig& new_config) { 184 const SSLConfig& new_config) {
152 bool config_changed = 185 bool config_changed =
153 (orig_config.rev_checking_enabled != new_config.rev_checking_enabled) || 186 (orig_config.rev_checking_enabled != new_config.rev_checking_enabled) ||
154 (orig_config.version_min != new_config.version_min) || 187 (orig_config.version_min != new_config.version_min) ||
155 (orig_config.version_max != new_config.version_max) || 188 (orig_config.version_max != new_config.version_max) ||
156 (orig_config.disabled_cipher_suites != 189 (orig_config.disabled_cipher_suites !=
157 new_config.disabled_cipher_suites) || 190 new_config.disabled_cipher_suites) ||
agl 2013/04/15 15:23:51 This looks like a stray space.
thaidn_google 2013/04/16 00:38:16 Done.
158 (orig_config.channel_id_enabled != new_config.channel_id_enabled) || 191 (orig_config.channel_id_enabled != new_config.channel_id_enabled) ||
192 (orig_config.ssl_version_min_preloaded_disabled !=
193 new_config.ssl_version_min_preloaded_disabled) ||
159 (orig_config.false_start_enabled != new_config.false_start_enabled); 194 (orig_config.false_start_enabled != new_config.false_start_enabled);
160 195
161 if (config_changed) 196 if (config_changed)
162 NotifySSLConfigChange(); 197 NotifySSLConfigChange();
163 } 198 }
164 199
165 // static 200 // static
166 bool SSLConfigService::IsSNIAvailable(SSLConfigService* service) { 201 bool SSLConfigService::IsSNIAvailable(SSLConfigService* service) {
167 if (!service) 202 if (!service)
168 return false; 203 return false;
169 204
170 SSLConfig ssl_config; 205 SSLConfig ssl_config;
171 service->GetSSLConfig(&ssl_config); 206 service->GetSSLConfig(&ssl_config);
172 return ssl_config.version_max >= SSL_PROTOCOL_VERSION_TLS1; 207 return ssl_config.version_max >= SSL_PROTOCOL_VERSION_TLS1;
173 } 208 }
174 209
175 } // namespace net 210 } // namespace net
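Review bot: SSLProtocolVersionFromString (new lines 91-103) silently returns 0 for any string it does not recognize, and nothing on the new side documents that 0 is the failure value, so a caller that parses a preloaded or policy-supplied minimum version from a misspelled string would get a value that compares below every defined version constant (assuming those constants are non-zero, as the choice of 0 for "invalid" implies). Add a comment above the function, `// Returns 0 if |version_str| is not a recognized version name; callers must treat 0 as an error, not as "no minimum".`, and make sure callers check for 0 before assigning the result to version_min; the callers are outside this file section, so I cannot confirm they do. The name table is duplicated between SSLProtocolVersionToString and SSLProtocolVersionFromString, and a single static array of {version, name} pairs walked by both would keep them in sync when a version is added. The new ssl_version_min_preloaded_disabled initializer (new line 43) must also sit in the same position as the member's declaration in ssl_config_service.h, which is not visible here.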