Chromium Code Reviews Chromium Code Reviews
Issue 1474983003:
Support for client certs in ssl_server_socket. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_SSL_SSL_SERVER_CONFIG_H_ | 5 #ifndef NET_SSL_SSL_SERVER_CONFIG_H_ |
| 6 #define NET_SSL_SSL_SERVER_CONFIG_H_ | 6 #define NET_SSL_SSL_SERVER_CONFIG_H_ |
| 7 | 7 |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| 11 #include "base/basictypes.h" | 11 #include "base/basictypes.h" |
| 12 #include "net/base/net_export.h" | 12 #include "net/base/net_export.h" |
| 13 #include "net/ssl/ssl_config.h" | 13 #include "net/ssl/ssl_config.h" |
| 14 | 14 |
| 15 namespace net { | 15 namespace net { |
| 16 | 16 |
| 17 class ClientCertVerifier; | |
| 18 | |
| 17 // A collection of server-side SSL-related configuration settings. | 19 // A collection of server-side SSL-related configuration settings. |
| 18 struct NET_EXPORT SSLServerConfig { | 20 struct NET_EXPORT SSLServerConfig { |
| 19 // Defaults | 21 // Defaults |
| 20 SSLServerConfig(); | 22 SSLServerConfig(); |
| 21 ~SSLServerConfig(); | 23 ~SSLServerConfig(); |
| 22 | 24 |
| 23 // The minimum and maximum protocol versions that are enabled. | 25 // The minimum and maximum protocol versions that are enabled. |
| 24 // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined in ssl_config.h) | 26 // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined in ssl_config.h) |
| 25 // SSL 2.0 and SSL 3.0 are not supported. If version_max < version_min, it | 27 // SSL 2.0 and SSL 3.0 are not supported. If version_max < version_min, it |
| 26 // means no protocol versions are enabled. | 28 // means no protocol versions are enabled. |
| (...skipping 22 matching lines...) Expand all Loading... | |
| 49 // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to | 51 // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to |
| 50 // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002. | 52 // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002. |
| 51 std::vector<uint16_t> disabled_cipher_suites; | 53 std::vector<uint16_t> disabled_cipher_suites; |
| 52 | 54 |
| 53 // If true, causes only ECDHE cipher suites to be enabled. | 55 // If true, causes only ECDHE cipher suites to be enabled. |
| 54 bool require_ecdhe; | 56 bool require_ecdhe; |
| 55 | 57 |
| 56 // Requires a client certificate for client authentication from the client. | 58 // Requires a client certificate for client authentication from the client. |
| 57 // This doesn't currently enforce certificate validity. | 59 // This doesn't currently enforce certificate validity. |
| 58 bool require_client_cert; | 60 bool require_client_cert; |
| 61 | |
| 62 // Provides the list of certificates whose names are to be included in the | |
| 63 // CertificateRequest handshake message. This member is only useful if | |
| 64 // certificates are allowed. | |
|
davidben
2015/12/14 23:56:51
Nit: Slightly shorter:
// A list of certificate
ryanchung
2015/12/16 22:40:03
Done.
| |
| 65 CertificateList client_cert_ca_list; | |
| 66 | |
| 67 // Indicates that a client certificate is required, and provides the | |
|
davidben
2015/12/14 23:56:51
This isn't actually true, no? require_client_cert
ryanchung
2015/12/16 22:40:03
You're right. The CertVerifyCallback in SSLServerS
| |
| 68 // CertificateVerifier that is to be used to verify it during the handshake. | |
| 69 // The |client_cert_verifier| continues to be owned by the caller, | |
| 70 // and must exist at least until the handshake has completed. | |
|
davidben
2015/12/14 23:56:51
and must exist [...] -> and must outlive any socke
ryanchung
2015/12/16 22:40:03
Done.
| |
| 71 // This field is meaningful only if client certificates are required. | |
| 72 // NOTES: | |
| 73 // 1. If no CertificateVerifier is provided, then a client certificate may | |
| 74 // still be allowed (if ssl_server_config.send_client_cert is true), | |
|
davidben
2015/12/14 23:56:51
What's send_client_cert?
ryanchung
2015/12/16 22:40:02
Sorry, this is now called require_client_cert.
| |
| 75 // but in that case verification must be done after the handshake | |
| 76 // has completed, by which time the session will have been cached, | |
| 77 // and may be subject to resumption. | |
|
davidben
2015/12/14 23:56:51
This API doesn't do session caching right now.
ryanchung
2015/12/16 22:40:03
Done.
| |
| 78 // 2. OpenSSL expects the certificate verification callback to complete | |
| 79 // synchronously. | |
|
davidben
2015/12/14 23:56:51
This note seems unnecessary. If you want to make i
ryanchung
2015/12/16 22:40:03
Done. Removed note.
| |
| 80 // 3. For verifying a client certificate, the CertVerifier::Verify method | |
| 81 // will be called with input parameters as follows: | |
| 82 // - cert: the cert to be verified | |
|
davidben
2015/12/14 23:56:51
This seems unnecessary.
ryanchung
2015/12/16 22:40:03
Done.
| |
| 83 ClientCertVerifier* client_cert_verifier; | |
| 59 }; | 84 }; |
| 60 | 85 |
| 61 } // namespace net | 86 } // namespace net |
| 62 | 87 |
| 63 #endif // NET_SSL_SSL_SERVER_CONFIG_H_ | 88 #endif // NET_SSL_SSL_SERVER_CONFIG_H_ |
| OLD | NEW |
