| Index: net/http/http_network_transaction.cc |
| diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc |
| index 467eb940a65d7a6687b7085b3e9257f615036ab5..8bd7859be7eb13d78781c25cb374015ce53856df 100644 |
| --- a/net/http/http_network_transaction.cc |
| +++ b/net/http/http_network_transaction.cc |
| @@ -47,6 +47,7 @@ |
| #include "net/http/http_stream_base.h" |
| #include "net/http/http_stream_factory.h" |
| #include "net/http/http_util.h" |
| +#include "net/http/transport_security_state.h" |
| #include "net/http/url_security_manager.h" |
| #include "net/socket/client_socket_factory.h" |
| #include "net/socket/socks_client_socket_pool.h" |
| @@ -177,6 +178,20 @@ int HttpNetworkTransaction::Start(const HttpRequestInfo* request_info, |
| proxy_ssl_config_.rev_checking_enabled = false; |
| } |
| + |
| + if (!server_ssl_config_.ssl_version_min_preloaded_disabled) { |
| + // If this is a Google domain, set the minimum SSL version to TLS 1.0. |
| + // This prevents SSLv3 fallback. |
| + bool sni_available = |
| + server_ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 || |
| + server_ssl_config_.version_fallback; |
|
agl
2013/04/15 15:23:51
I don't think version_fallback makes sense here. I
thaidn_google
2013/04/16 00:38:16
Done.
|
| + const std::string& host = request_->url.host(); |
| + |
| + if (TransportSecurityState::IsGooglePinnedProperty(host, sni_available)) { |
|
Ryan Sleevi
2013/04/15 18:03:28
nit: net/ style is to omit braces on one-line if s
thaidn_google
2013/04/16 00:38:16
Done.
|
| + server_ssl_config_.version_min = SSL_PROTOCOL_VERSION_TLS1; |
| + } |
| + } |
| + |
| next_state_ = STATE_CREATE_STREAM; |
| int rv = DoLoop(OK); |
| if (rv == ERR_IO_PENDING) |
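Review bot: The assignment `server_ssl_config_.version_min = SSL_PROTOCOL_VERSION_TLS1;` overwrites the configured minimum rather than raising it, so if version_min was already above TLS 1.0 this block would lower the floor for the matched hosts. Guarding it with `if (server_ssl_config_.version_min < SSL_PROTOCOL_VERSION_TLS1)` keeps the change a one-way tightening; the ordered comparison on version_max a few lines earlier suggests the constants compare that way. IsGooglePinnedProperty is not visible here, so it is worth confirming that it normalizes the host (case, trailing dot) before matching, since otherwise an equivalent spelling of the name would not get the TLS 1.0 minimum. Start() begins and ends outside this hunk.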