Chromium Code Reviews

Side by Side Diff: net/ssl/ssl_server_config.h

Issue 1474983003: Support for client certs in ssl_server_socket. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fixed nits on utils Created 5 years ago
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef NET_SSL_SSL_SERVER_CONFIG_H_ 5 #ifndef NET_SSL_SSL_SERVER_CONFIG_H_
6 #define NET_SSL_SSL_SERVER_CONFIG_H_ 6 #define NET_SSL_SSL_SERVER_CONFIG_H_
7 7
8 #include <stdint.h> 8 #include <stdint.h>
9 #include <vector> 9 #include <vector>
10 10
11 #include "base/basictypes.h" 11 #include "base/basictypes.h"
12 #include "net/base/net_export.h" 12 #include "net/base/net_export.h"
13 #include "net/ssl/ssl_config.h" 13 #include "net/ssl/ssl_config.h"
14 14
15 namespace net { 15 namespace net {
16 16
17 class ClientCertVerifier;
18
17 // A collection of server-side SSL-related configuration settings. 19 // A collection of server-side SSL-related configuration settings.
18 struct NET_EXPORT SSLServerConfig { 20 struct NET_EXPORT SSLServerConfig {
19 // Defaults 21 // Defaults
20 SSLServerConfig(); 22 SSLServerConfig();
21 ~SSLServerConfig(); 23 ~SSLServerConfig();
22 24
23 // The minimum and maximum protocol versions that are enabled. 25 // The minimum and maximum protocol versions that are enabled.
24 // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined in ssl_config.h) 26 // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined in ssl_config.h)
25 // SSL 2.0 and SSL 3.0 are not supported. If version_max < version_min, it 27 // SSL 2.0 and SSL 3.0 are not supported. If version_max < version_min, it
26 // means no protocol versions are enabled. 28 // means no protocol versions are enabled.
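Review bot: the forward declaration "class ClientCertVerifier;" at new line 17 is the right choice for a member that is only ever a raw pointer, but CertificateList, which the new client_cert_ca_list member uses further down in this header, gets no include of its own here and presumably arrives transitively through one of the existing includes (most likely ssl_config.h). Add a direct include for the header that defines CertificateList so this file does not stop compiling if that transitive include is ever trimmed.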
(...skipping 22 matching lines...)
49 // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to 51 // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
50 // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002. 52 // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
51 std::vector<uint16_t> disabled_cipher_suites; 53 std::vector<uint16_t> disabled_cipher_suites;
52 54
53 // If true, causes only ECDHE cipher suites to be enabled. 55 // If true, causes only ECDHE cipher suites to be enabled.
54 bool require_ecdhe; 56 bool require_ecdhe;
55 57
56 // Requires a client certificate for client authentication from the client. 58 // Requires a client certificate for client authentication from the client.
57 // This doesn't currently enforce certificate validity. 59 // This doesn't currently enforce certificate validity.
58 bool require_client_cert; 60 bool require_client_cert;
61
62 // Provides the list of certificates whose names are to be included in the
63 // CertificateRequest handshake message. This member is only useful if
64 // certificates are allowed.
davidben 2015/12/14 23:56:51 Nit: Slightly shorter: // A list of certificate
ryanchung 2015/12/16 22:40:03 Done.
65 CertificateList client_cert_ca_list;
66
67 // Indicates that a client certificate is required, and provides the
davidben 2015/12/14 23:56:51 This isn't actually true, no? require_client_cert
ryanchung 2015/12/16 22:40:03 You're right. The CertVerifyCallback in SSLServerS
68 // CertificateVerifier that is to be used to verify it during the handshake.
69 // The |client_cert_verifier| continues to be owned by the caller,
70 // and must exist at least until the handshake has completed.
davidben 2015/12/14 23:56:51 and must exist [...] -> and must outlive any socke
ryanchung 2015/12/16 22:40:03 Done.
71 // This field is meaningful only if client certificates are required.
72 // NOTES:
73 // 1. If no CertificateVerifier is provided, then a client certificate may
74 // still be allowed (if ssl_server_config.send_client_cert is true),
davidben 2015/12/14 23:56:51 What's send_client_cert?
ryanchung 2015/12/16 22:40:02 Sorry, this is now called require_client_cert.
75 // but in that case verification must be done after the handshake
76 // has completed, by which time the session will have been cached,
77 // and may be subject to resumption.
davidben 2015/12/14 23:56:51 This API doesn't do session caching right now.
ryanchung 2015/12/16 22:40:03 Done.
78 // 2. OpenSSL expects the certificate verification callback to complete
79 // synchronously.
davidben 2015/12/14 23:56:51 This note seems unnecessary. If you want to make i
ryanchung 2015/12/16 22:40:03 Done. Removed note.
80 // 3. For verifying a client certificate, the CertVerifier::Verify method
81 // will be called with input parameters as follows:
82 // - cert: the cert to be verified
davidben 2015/12/14 23:56:51 This seems unnecessary.
ryanchung 2015/12/16 22:40:03 Done.
83 ClientCertVerifier* client_cert_verifier;
59 }; 84 };
60 85
61 } // namespace net 86 } // namespace net
62 87
63 #endif // NET_SSL_SSL_SERVER_CONFIG_H_ 88 #endif // NET_SSL_SSL_SERVER_CONFIG_H_
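Review bot: client_cert_verifier at new line 83 is a raw pointer with no in-class initializer, so the default constructor SSLServerConfig() declared at new line 22 must set it to nullptr; otherwise a default-constructed config carries an indeterminate pointer, and any consumer that checks it before verifying a client certificate would read garbage instead of taking a clean "no verifier" path. Closely related: the comment on require_client_cert at new line 59 still says "This doesn't currently enforce certificate validity", which stops being accurate once a verifier can be attached; reword it so callers are not misled in either direction, e.g. "// Certificate validity is enforced only when client_cert_verifier is set."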