Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(41)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/socket/ssl_client_socket_openssl.cc

Issue 1422293002: Remove RC4 by default. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: rebase Created 5 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« components/ssl_config/ssl_config_service_manager_pref.cc ('K') | « net/socket/ssl_client_socket_nss.cc ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle
6 // of operation is derived from SSLClientSocketNSS. 6 // of operation is derived from SSLClientSocketNSS.
7 7
8 #include "net/socket/ssl_client_socket_openssl.h" 8 #include "net/socket/ssl_client_socket_openssl.h"
9 9
10 #include <errno.h> 10 #include <errno.h>
(...skipping 871 matching lines...) Expand 10 before | Expand all | Expand 10 after
882 882
883 // See SSLConfig::disabled_cipher_suites for description of the suites 883 // See SSLConfig::disabled_cipher_suites for description of the suites
884 // disabled by default. Note that SHA256 and SHA384 only select HMAC-SHA256 884 // disabled by default. Note that SHA256 and SHA384 only select HMAC-SHA256
885 // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384 885 // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384
886 // as the handshake hash. 886 // as the handshake hash.
887 std::string command("DEFAULT:!SHA256:-SHA384:!AESGCM+AES256:!aPSK"); 887 std::string command("DEFAULT:!SHA256:-SHA384:!AESGCM+AES256:!aPSK");
888 888
889 if (ssl_config_.require_ecdhe) 889 if (ssl_config_.require_ecdhe)
890 command.append(":!kRSA:!kDHE"); 890 command.append(":!kRSA:!kDHE");
891 891
892 if (!ssl_config_.enable_deprecated_cipher_suites) { 892 if (!ssl_config_.rc4_enabled)
893 command.append(":!RC4"); 893 command.append(":!RC4");
894 } else { 894
895 if (ssl_config_.deprecated_cipher_suites_enabled) {
895 // Add TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 under a fallback. This is 896 // Add TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 under a fallback. This is
896 // believed to work around a bug in some out-of-date Microsoft IIS servers 897 // believed to work around a bug in some out-of-date Microsoft IIS servers
897 // which cause them to require the version downgrade 898 // which cause them to require the version downgrade
898 // (https://crbug.com/433406). 899 // (https://crbug.com/433406).
899 command.append(":ECDHE-RSA-AES256-SHA384"); 900 command.append(":ECDHE-RSA-AES256-SHA384");
900 } 901 }
901 902
902 // Remove any disabled ciphers. 903 // Remove any disabled ciphers.
903 for (uint16_t id : ssl_config_.disabled_cipher_suites) { 904 for (uint16_t id : ssl_config_.disabled_cipher_suites) {
904 const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id); 905 const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id);
(...skipping 1139 matching lines...) Expand 10 before | Expand all | Expand 10 after
2044 result.append("tls1.1"); 2045 result.append("tls1.1");
2045 break; 2046 break;
2046 case SSL_PROTOCOL_VERSION_TLS1_2: 2047 case SSL_PROTOCOL_VERSION_TLS1_2:
2047 result.append("tls1.2"); 2048 result.append("tls1.2");
2048 break; 2049 break;
2049 default: 2050 default:
2050 NOTREACHED(); 2051 NOTREACHED();
2051 } 2052 }
2052 2053
2053 result.append("/"); 2054 result.append("/");
2054 if (ssl_config_.enable_deprecated_cipher_suites) 2055 if (ssl_config_.deprecated_cipher_suites_enabled)
2055 result.append("deprecated"); 2056 result.append("deprecated");
2056 2057
2057 result.append("/"); 2058 result.append("/");
2058 if (ssl_config_.channel_id_enabled) 2059 if (ssl_config_.channel_id_enabled)
2059 result.append("channelid"); 2060 result.append("channelid");
2060 2061
2061 return result; 2062 return result;
2062 } 2063 }
2063 2064
2064 bool SSLClientSocketOpenSSL::IsRenegotiationAllowed() const { 2065 bool SSLClientSocketOpenSSL::IsRenegotiationAllowed() const {
(...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after
2156 OnHandshakeIOComplete(signature_result_); 2157 OnHandshakeIOComplete(signature_result_);
2157 return; 2158 return;
2158 } 2159 }
2159 2160
2160 // During a renegotiation, either Read or Write calls may be blocked on an 2161 // During a renegotiation, either Read or Write calls may be blocked on an
2161 // asynchronous private key operation. 2162 // asynchronous private key operation.
2162 PumpReadWriteEvents(); 2163 PumpReadWriteEvents();
2163 } 2164 }
2164 2165
2165 } // namespace net 2166 } // namespace net
OLDNEW
« components/ssl_config/ssl_config_service_manager_pref.cc ('K') | « net/socket/ssl_client_socket_nss.cc ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698