OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_SSL_SSL_CONFIG_H_ | 5 #ifndef NET_SSL_SSL_CONFIG_H_ |
6 #define NET_SSL_SSL_CONFIG_H_ | 6 #define NET_SSL_SSL_CONFIG_H_ |
7 | 7 |
8 #include <stdint.h> | 8 #include <stdint.h> |
9 | 9 |
10 #include "base/memory/ref_counted.h" | 10 #include "base/memory/ref_counted.h" |
11 #include "net/base/net_export.h" | 11 #include "net/base/net_export.h" |
12 #include "net/cert/x509_certificate.h" | 12 #include "net/cert/x509_certificate.h" |
13 #include "net/socket/next_proto.h" | 13 #include "net/socket/next_proto.h" |
14 #include "net/ssl/ssl_private_key.h" | 14 #include "net/ssl/ssl_private_key.h" |
15 | 15 |
16 namespace net { | 16 namespace net { |
17 | 17 |
18 // Various TLS/SSL ProtocolVersion values encoded as uint16 | 18 // Various TLS/SSL ProtocolVersion values encoded as uint16_t |
19 // struct { | 19 // struct { |
20 // uint8 major; | 20 // uint8_t major; |
21 // uint8 minor; | 21 // uint8_t minor; |
22 // } ProtocolVersion; | 22 // } ProtocolVersion; |
23 // The most significant byte is |major|, and the least significant byte | 23 // The most significant byte is |major|, and the least significant byte |
24 // is |minor|. | 24 // is |minor|. |
25 enum { | 25 enum { |
26 SSL_PROTOCOL_VERSION_TLS1 = 0x0301, | 26 SSL_PROTOCOL_VERSION_TLS1 = 0x0301, |
27 SSL_PROTOCOL_VERSION_TLS1_1 = 0x0302, | 27 SSL_PROTOCOL_VERSION_TLS1_1 = 0x0302, |
28 SSL_PROTOCOL_VERSION_TLS1_2 = 0x0303, | 28 SSL_PROTOCOL_VERSION_TLS1_2 = 0x0303, |
29 }; | 29 }; |
30 | 30 |
31 enum TokenBindingParam { | 31 enum TokenBindingParam { |
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
77 // certificates will be treated as revoked ("hard-fail"). | 77 // certificates will be treated as revoked ("hard-fail"). |
78 // Note: This is distinct from rev_checking_enabled. If true, it is | 78 // Note: This is distinct from rev_checking_enabled. If true, it is |
79 // equivalent to also setting rev_checking_enabled, but only when the | 79 // equivalent to also setting rev_checking_enabled, but only when the |
80 // certificate chain chains to a local (non-public) trust anchor. | 80 // certificate chain chains to a local (non-public) trust anchor. |
81 bool rev_checking_required_local_anchors; | 81 bool rev_checking_required_local_anchors; |
82 | 82 |
83 // The minimum and maximum protocol versions that are enabled. | 83 // The minimum and maximum protocol versions that are enabled. |
84 // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.) | 84 // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.) |
85 // SSL 2.0 and SSL 3.0 are not supported. If version_max < version_min, it | 85 // SSL 2.0 and SSL 3.0 are not supported. If version_max < version_min, it |
86 // means no protocol versions are enabled. | 86 // means no protocol versions are enabled. |
87 uint16 version_min; | 87 uint16_t version_min; |
88 uint16 version_max; | 88 uint16_t version_max; |
89 | 89 |
90 // version_fallback_min contains the minimum version that is acceptable to | 90 // version_fallback_min contains the minimum version that is acceptable to |
91 // fallback to. Versions before this may be tried to see whether they would | 91 // fallback to. Versions before this may be tried to see whether they would |
92 // have succeeded and thus to give a better message to the user, but the | 92 // have succeeded and thus to give a better message to the user, but the |
93 // resulting connection won't be used in these cases. | 93 // resulting connection won't be used in these cases. |
94 uint16 version_fallback_min; | 94 uint16_t version_fallback_min; |
95 | 95 |
96 // Presorted list of cipher suites which should be explicitly prevented from | 96 // Presorted list of cipher suites which should be explicitly prevented from |
97 // being used in addition to those disabled by the net built-in policy. | 97 // being used in addition to those disabled by the net built-in policy. |
98 // | 98 // |
99 // By default, all cipher suites supported by the underlying SSL | 99 // By default, all cipher suites supported by the underlying SSL |
100 // implementation will be enabled except for: | 100 // implementation will be enabled except for: |
101 // - Null encryption cipher suites. | 101 // - Null encryption cipher suites. |
102 // - Weak cipher suites: < 80 bits of security strength. | 102 // - Weak cipher suites: < 80 bits of security strength. |
103 // - FORTEZZA cipher suites (obsolete). | 103 // - FORTEZZA cipher suites (obsolete). |
104 // - IDEA cipher suites (RFC 5469 explains why). | 104 // - IDEA cipher suites (RFC 5469 explains why). |
105 // - Anonymous cipher suites. | 105 // - Anonymous cipher suites. |
106 // - ECDSA cipher suites on platforms that do not support ECDSA signed | 106 // - ECDSA cipher suites on platforms that do not support ECDSA signed |
107 // certificates, as servers may use the presence of such ciphersuites as a | 107 // certificates, as servers may use the presence of such ciphersuites as a |
108 // hint to send an ECDSA certificate. | 108 // hint to send an ECDSA certificate. |
109 // The ciphers listed in |disabled_cipher_suites| will be removed in addition | 109 // The ciphers listed in |disabled_cipher_suites| will be removed in addition |
110 // to the above list. | 110 // to the above list. |
111 // | 111 // |
112 // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in | 112 // Though cipher suites are sent in TLS as "uint8_t CipherSuite[2]", in |
113 // big-endian form, they should be declared in host byte order, with the | 113 // big-endian form, they should be declared in host byte order, with the |
114 // first uint8 occupying the most significant byte. | 114 // first uint8_t occupying the most significant byte. |
115 // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to | 115 // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to |
116 // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002. | 116 // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002. |
117 std::vector<uint16> disabled_cipher_suites; | 117 std::vector<uint16_t> disabled_cipher_suites; |
118 | 118 |
119 // Enables deprecated cipher suites. These cipher suites are selected under a | 119 // Enables deprecated cipher suites. These cipher suites are selected under a |
120 // fallback to distinguish servers which require them from servers which | 120 // fallback to distinguish servers which require them from servers which |
121 // merely prefer them. | 121 // merely prefer them. |
122 // | 122 // |
123 // NOTE: because they are under a fallback, connections are still vulnerable | 123 // NOTE: because they are under a fallback, connections are still vulnerable |
124 // to them as far as downgrades are concerned, so this should only be used for | 124 // to them as far as downgrades are concerned, so this should only be used for |
125 // measurement of ciphers not to be carried long-term. It is no fix for | 125 // measurement of ciphers not to be carried long-term. It is no fix for |
126 // servers with bad configurations without full removal. | 126 // servers with bad configurations without full removal. |
127 bool deprecated_cipher_suites_enabled; | 127 bool deprecated_cipher_suites_enabled; |
(...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
198 // The list of application-level protocols to enable renegotiation for. | 198 // The list of application-level protocols to enable renegotiation for. |
199 NextProtoVector renego_allowed_for_protos; | 199 NextProtoVector renego_allowed_for_protos; |
200 | 200 |
201 scoped_refptr<X509Certificate> client_cert; | 201 scoped_refptr<X509Certificate> client_cert; |
202 scoped_refptr<SSLPrivateKey> client_private_key; | 202 scoped_refptr<SSLPrivateKey> client_private_key; |
203 }; | 203 }; |
204 | 204 |
205 } // namespace net | 205 } // namespace net |
206 | 206 |
207 #endif // NET_SSL_SSL_CONFIG_H_ | 207 #endif // NET_SSL_SSL_CONFIG_H_ |
OLD | NEW |