| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 #include "components/ssl_config/ssl_config_service_manager.h" | 4 #include "components/ssl_config/ssl_config_service_manager.h" |
| 5 | 5 |
| 6 #include <stdint.h> | 6 #include <stdint.h> |
| 7 | 7 |
| 8 #include <algorithm> | 8 #include <algorithm> |
| 9 #include <string> | 9 #include <string> |
| 10 #include <vector> | 10 #include <vector> |
| 11 | 11 |
| 12 #include "base/bind.h" | 12 #include "base/bind.h" |
| 13 #include "base/feature_list.h" | |
| 13 #include "base/macros.h" | 14 #include "base/macros.h" |
| 14 #include "base/metrics/field_trial.h" | 15 #include "base/metrics/field_trial.h" |
| 15 #include "base/single_thread_task_runner.h" | 16 #include "base/single_thread_task_runner.h" |
| 16 #include "base/strings/string_util.h" | 17 #include "base/strings/string_util.h" |
| 17 #include "base/values.h" | 18 #include "base/values.h" |
| 18 #include "components/content_settings/core/browser/content_settings_utils.h" | 19 #include "components/content_settings/core/browser/content_settings_utils.h" |
| 19 #include "components/content_settings/core/common/content_settings.h" | 20 #include "components/content_settings/core/common/content_settings.h" |
| 20 #include "components/prefs/pref_change_registrar.h" | 21 #include "components/prefs/pref_change_registrar.h" |
| 21 #include "components/prefs/pref_member.h" | 22 #include "components/prefs/pref_member.h" |
| 22 #include "components/prefs/pref_registry_simple.h" | 23 #include "components/prefs/pref_registry_simple.h" |
| (...skipping 58 matching lines...) | |
| 81 } | 82 } |
| 82 return version; | 83 return version; |
| 83 } | 84 } |
| 84 | 85 |
| 85 bool IsRC4EnabledByDefault() { | 86 bool IsRC4EnabledByDefault() { |
| 86 const std::string group_name = | 87 const std::string group_name = |
| 87 base::FieldTrialList::FindFullName("RC4Ciphers"); | 88 base::FieldTrialList::FindFullName("RC4Ciphers"); |
| 88 return base::StartsWith(group_name, "Enabled", base::CompareCase::SENSITIVE); | 89 return base::StartsWith(group_name, "Enabled", base::CompareCase::SENSITIVE); |
| 89 } | 90 } |
| 90 | 91 |
| 92 const base::Feature kSSLVersionFallbackTLSv11 = { | |
|
Alexei Svitkine (slow)
2016/02/16 16:25:04
Nit: No =
davidben
2016/02/16 17:01:08
Done.
| |
| 93 "SSLVersionFallbackTLSv1.1", base::FEATURE_DISABLED_BY_DEFAULT, | |
| 94 }; | |
| 95 | |
| 91 } // namespace | 96 } // namespace |
| 92 | 97 |
| 93 //////////////////////////////////////////////////////////////////////////////// | 98 //////////////////////////////////////////////////////////////////////////////// |
| 94 // SSLConfigServicePref | 99 // SSLConfigServicePref |
| 95 | 100 |
| 96 // An SSLConfigService which stores a cached version of the current SSLConfig | 101 // An SSLConfigService which stores a cached version of the current SSLConfig |
| 97 // prefs, which are updated by SSLConfigServiceManagerPref when the prefs | 102 // prefs, which are updated by SSLConfigServiceManagerPref when the prefs |
| 98 // change. | 103 // change. |
| 99 class SSLConfigServicePref : public net::SSLConfigService { | 104 class SSLConfigServicePref : public net::SSLConfigService { |
| 100 public: | 105 public: |
| (...skipping 89 matching lines...) | |
| 190 PrefService* local_state, | 195 PrefService* local_state, |
| 191 const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner) | 196 const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner) |
| 192 : ssl_config_service_(new SSLConfigServicePref(io_task_runner)), | 197 : ssl_config_service_(new SSLConfigServicePref(io_task_runner)), |
| 193 io_task_runner_(io_task_runner) { | 198 io_task_runner_(io_task_runner) { |
| 194 DCHECK(local_state); | 199 DCHECK(local_state); |
| 195 | 200 |
| 196 local_state->SetDefaultPrefValue( | 201 local_state->SetDefaultPrefValue( |
| 197 ssl_config::prefs::kRC4Enabled, | 202 ssl_config::prefs::kRC4Enabled, |
| 198 new base::FundamentalValue(IsRC4EnabledByDefault())); | 203 new base::FundamentalValue(IsRC4EnabledByDefault())); |
| 199 | 204 |
| 205 // Restore the TLS 1.1 fallback leg if enabled via features. | |
| 206 // TODO(davidben): Remove this when the fallback removal has succeeded. | |
| 207 // https://crbug.com/536200. | |
| 208 if (base::FeatureList::IsEnabled(kSSLVersionFallbackTLSv11)) { | |
| 209 local_state->SetDefaultPrefValue( | |
| 210 ssl_config::prefs::kSSLVersionFallbackMin, | |
| 211 new base::StringValue(switches::kSSLVersionTLSv11)); | |
| 212 } | |
| 213 | |
| 200 PrefChangeRegistrar::NamedChangeCallback local_state_callback = | 214 PrefChangeRegistrar::NamedChangeCallback local_state_callback = |
| 201 base::Bind(&SSLConfigServiceManagerPref::OnPreferenceChanged, | 215 base::Bind(&SSLConfigServiceManagerPref::OnPreferenceChanged, |
| 202 base::Unretained(this), local_state); | 216 base::Unretained(this), local_state); |
| 203 | 217 |
| 204 rev_checking_enabled_.Init(ssl_config::prefs::kCertRevocationCheckingEnabled, | 218 rev_checking_enabled_.Init(ssl_config::prefs::kCertRevocationCheckingEnabled, |
| 205 local_state, local_state_callback); | 219 local_state, local_state_callback); |
| 206 rev_checking_required_local_anchors_.Init( | 220 rev_checking_required_local_anchors_.Init( |
| 207 ssl_config::prefs::kCertRevocationCheckingRequiredLocalAnchors, | 221 ssl_config::prefs::kCertRevocationCheckingRequiredLocalAnchors, |
| 208 local_state, local_state_callback); | 222 local_state, local_state_callback); |
| 209 ssl_version_min_.Init(ssl_config::prefs::kSSLVersionMin, local_state, | 223 ssl_version_min_.Init(ssl_config::prefs::kSSLVersionMin, local_state, |
| (...skipping 77 matching lines...) | |
| 287 uint16_t version_max = SSLProtocolVersionFromString(version_max_str); | 301 uint16_t version_max = SSLProtocolVersionFromString(version_max_str); |
| 288 uint16_t version_fallback_min = | 302 uint16_t version_fallback_min = |
| 289 SSLProtocolVersionFromString(version_fallback_min_str); | 303 SSLProtocolVersionFromString(version_fallback_min_str); |
| 290 if (version_min) { | 304 if (version_min) { |
| 291 config->version_min = version_min; | 305 config->version_min = version_min; |
| 292 } | 306 } |
| 293 if (version_max) { | 307 if (version_max) { |
| 294 uint16_t supported_version_max = config->version_max; | 308 uint16_t supported_version_max = config->version_max; |
| 295 config->version_max = std::min(supported_version_max, version_max); | 309 config->version_max = std::min(supported_version_max, version_max); |
| 296 } | 310 } |
| 297 if (version_fallback_min) { | 311 // Values below TLS 1.1 are invalid. |
| 312 if (version_fallback_min && | |
| 313 version_fallback_min >= net::SSL_PROTOCOL_VERSION_TLS1_1) { | |
| 298 config->version_fallback_min = version_fallback_min; | 314 config->version_fallback_min = version_fallback_min; |
| 299 } | 315 } |
| 300 config->disabled_cipher_suites = disabled_cipher_suites_; | 316 config->disabled_cipher_suites = disabled_cipher_suites_; |
| 301 config->rc4_enabled = rc4_enabled_.GetValue(); | 317 config->rc4_enabled = rc4_enabled_.GetValue(); |
| 302 } | 318 } |
| 303 | 319 |
| 304 void SSLConfigServiceManagerPref::OnDisabledCipherSuitesChange( | 320 void SSLConfigServiceManagerPref::OnDisabledCipherSuitesChange( |
| 305 PrefService* local_state) { | 321 PrefService* local_state) { |
| 306 const base::ListValue* value = | 322 const base::ListValue* value = |
| 307 local_state->GetList(ssl_config::prefs::kCipherSuiteBlacklist); | 323 local_state->GetList(ssl_config::prefs::kCipherSuiteBlacklist); |
| 308 disabled_cipher_suites_ = ParseCipherSuites(ListValueToStringVector(value)); | 324 disabled_cipher_suites_ = ParseCipherSuites(ListValueToStringVector(value)); |
| 309 } | 325 } |
| 310 | 326 |
| 311 //////////////////////////////////////////////////////////////////////////////// | 327 //////////////////////////////////////////////////////////////////////////////// |
| 312 // SSLConfigServiceManager | 328 // SSLConfigServiceManager |
| 313 | 329 |
| 314 namespace ssl_config { | 330 namespace ssl_config { |
| 315 // static | 331 // static |
| 316 SSLConfigServiceManager* SSLConfigServiceManager::CreateDefaultManager( | 332 SSLConfigServiceManager* SSLConfigServiceManager::CreateDefaultManager( |
| 317 PrefService* local_state, | 333 PrefService* local_state, |
| 318 const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner) { | 334 const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner) { |
| 319 return new SSLConfigServiceManagerPref(local_state, io_task_runner); | 335 return new SSLConfigServiceManagerPref(local_state, io_task_runner); |
| 320 } | 336 } |
| 321 | 337 |
| 322 // static | 338 // static |
| 323 void SSLConfigServiceManager::RegisterPrefs(PrefRegistrySimple* registry) { | 339 void SSLConfigServiceManager::RegisterPrefs(PrefRegistrySimple* registry) { |
| 324 SSLConfigServiceManagerPref::RegisterPrefs(registry); | 340 SSLConfigServiceManagerPref::RegisterPrefs(registry); |
| 325 } | 341 } |
| 326 } // namespace ssl_config | 342 } // namespace ssl_config |
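Review bot: The bound added at new lines 311–313 discards a configured fallback minimum below TLS 1.1 without leaving any trace, so a pref or policy that still names an older version keeps `config->version_fallback_min` at whatever value it already held and nobody learns the setting was ignored. Ignoring it is the safe direction, but the comment should say what happens, for example `// Values below TLS 1.1 are invalid; ignore them and keep the existing |config| value.`, and a `LOG(WARNING)` on the rejected path would let an administrator spot a stale setting. The leading `version_fallback_min &&` test looks redundant next to the `>=` comparison, assuming the TLS 1.1 constant is non-zero. The enclosing function begins in the skipped lines above, so the default it starts from is not visible here.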