Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(301)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/socket/ssl_client_socket_openssl.cc

Issue 1422293002: Remove RC4 by default. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: rebase Created 5 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/socket/ssl_client_socket_nss.cc ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle
6 // of operation is derived from SSLClientSocketNSS. 6 // of operation is derived from SSLClientSocketNSS.
7 7
8 #include "net/socket/ssl_client_socket_openssl.h" 8 #include "net/socket/ssl_client_socket_openssl.h"
9 9
10 #include <errno.h> 10 #include <errno.h>
(...skipping 870 matching lines...) Expand 10 before | Expand all | Expand 10 after
881 881
882 // See SSLConfig::disabled_cipher_suites for description of the suites 882 // See SSLConfig::disabled_cipher_suites for description of the suites
883 // disabled by default. Note that SHA256 and SHA384 only select HMAC-SHA256 883 // disabled by default. Note that SHA256 and SHA384 only select HMAC-SHA256
884 // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384 884 // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384
885 // as the handshake hash. 885 // as the handshake hash.
886 std::string command("DEFAULT:!SHA256:-SHA384:!AESGCM+AES256:!aPSK"); 886 std::string command("DEFAULT:!SHA256:-SHA384:!AESGCM+AES256:!aPSK");
887 887
888 if (ssl_config_.require_ecdhe) 888 if (ssl_config_.require_ecdhe)
889 command.append(":!kRSA:!kDHE"); 889 command.append(":!kRSA:!kDHE");
890 890
891 if (!ssl_config_.enable_deprecated_cipher_suites) { 891 if (!ssl_config_.rc4_enabled)
892 command.append(":!RC4"); 892 command.append(":!RC4");
893 } else { 893
894 if (ssl_config_.deprecated_cipher_suites_enabled) {
894 // Add TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 under a fallback. This is 895 // Add TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 under a fallback. This is
895 // believed to work around a bug in some out-of-date Microsoft IIS servers 896 // believed to work around a bug in some out-of-date Microsoft IIS servers
896 // which cause them to require the version downgrade 897 // which cause them to require the version downgrade
897 // (https://crbug.com/433406). 898 // (https://crbug.com/433406).
898 command.append(":ECDHE-RSA-AES256-SHA384"); 899 command.append(":ECDHE-RSA-AES256-SHA384");
899 } 900 }
900 901
901 // Remove any disabled ciphers. 902 // Remove any disabled ciphers.
902 for (uint16_t id : ssl_config_.disabled_cipher_suites) { 903 for (uint16_t id : ssl_config_.disabled_cipher_suites) {
903 const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id); 904 const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id);
(...skipping 1142 matching lines...) Expand 10 before | Expand all | Expand 10 after
2046 result.append("tls1.1"); 2047 result.append("tls1.1");
2047 break; 2048 break;
2048 case SSL_PROTOCOL_VERSION_TLS1_2: 2049 case SSL_PROTOCOL_VERSION_TLS1_2:
2049 result.append("tls1.2"); 2050 result.append("tls1.2");
2050 break; 2051 break;
2051 default: 2052 default:
2052 NOTREACHED(); 2053 NOTREACHED();
2053 } 2054 }
2054 2055
2055 result.append("/"); 2056 result.append("/");
2056 if (ssl_config_.enable_deprecated_cipher_suites) 2057 if (ssl_config_.deprecated_cipher_suites_enabled)
2057 result.append("deprecated"); 2058 result.append("deprecated");
2058 2059
2059 result.append("/"); 2060 result.append("/");
2060 if (ssl_config_.channel_id_enabled) 2061 if (ssl_config_.channel_id_enabled)
2061 result.append("channelid"); 2062 result.append("channelid");
2062 2063
2063 return result; 2064 return result;
2064 } 2065 }
2065 2066
2066 bool SSLClientSocketOpenSSL::IsRenegotiationAllowed() const { 2067 bool SSLClientSocketOpenSSL::IsRenegotiationAllowed() const {
(...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after
2158 OnHandshakeIOComplete(signature_result_); 2159 OnHandshakeIOComplete(signature_result_);
2159 return; 2160 return;
2160 } 2161 }
2161 2162
2162 // During a renegotiation, either Read or Write calls may be blocked on an 2163 // During a renegotiation, either Read or Write calls may be blocked on an
2163 // asynchronous private key operation. 2164 // asynchronous private key operation.
2164 PumpReadWriteEvents(); 2165 PumpReadWriteEvents();
2165 } 2166 }
2166 2167
2167 } // namespace net 2168 } // namespace net
OLDNEW
« no previous file with comments | « net/socket/ssl_client_socket_nss.cc ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698