Index: components/policy/resources/policy_templates.json |
diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json |
index 7573cc26f68d8fd272f5f56bcf439ed95addff97..b626efa809c0eddb20130f5a285754fd6409bac8 100644 |
--- a/components/policy/resources/policy_templates.json |
+++ b/components/policy/resources/policy_templates.json |
@@ -7836,18 +7836,12 @@ |
'schema': { |
'type': 'string', |
'enum': [ |
- 'tls1', |
'tls1.1', |
'tls1.2', |
], |
}, |
'items': [ |
{ |
- 'name': 'TLSv1', |
- 'value': 'tls1', |
- 'caption': 'TLS 1.0', |
- }, |
- { |
'name': 'TLSv1.1', |
'value': 'tls1.1', |
'caption': 'TLS 1.1', |
@@ -7859,10 +7853,10 @@ |
}, |
], |
'supported_on': [ |
- 'chrome.*:45-47', |
- 'chrome_os:45-47', |
- 'android:45-47', |
- 'ios:45-47', |
+ 'chrome.*:50-52', |
+ 'chrome_os:50-52', |
+ 'android:50-52', |
+ 'ios:50-52', |
], |
'features': { |
'dynamic_refresh': True, |
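Review bot: Replacing the `45-47` ranges in `supported_on` with `50-52` drops the record that releases 45 through 47 also honour this policy, and in those releases `tls1` was an accepted value (see the enum removed in the first hunk). If the admin-facing documentation is generated from this list, which is not visible here, a mixed fleet with older managed browsers would no longer be shown as able to fall back to TLS 1.0. If the template format allows more than one range per platform, keep both, e.g. `'chrome.*:45-47', 'chrome.*:50-52',`. Otherwise add a sentence to `desc` saying the policy also existed in 45-47 with a wider value set.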
@@ -7871,16 +7865,14 @@ |
'example_value': 'tls1.1', |
'id': 280, |
'caption': '''Minimum TLS version to fallback to''', |
- 'tags': [], |
- 'desc': '''Warning: The TLS 1.0 version fallback will be removed from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> after version 47 (around January 2016) and the "tls1" option will stop working then. |
- |
- When a TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will retry the connection with a lesser version of TLS in order to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly (i.e. without breaking the connection) then this setting doesn't apply. Regardless, the resulting connection must still comply with SSLVersionMin. |
+ 'tags': ['system-security'], |
+ 'desc': '''Warning: The TLS version fallback will be removed from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> after version 52 (around September 2016) and this policy will stop working then. |
- If this policy is not configured then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses a default minimum version which is TLS 1.0 in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 44 and TLS 1.1 in later versions. Note this does not disable support for TLS 1.0, only whether <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will work around buggy servers which cannot negotiate versions correctly. |
+ When a TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> would previously retry the connection with a lesser version of TLS in order to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly (i.e. without breaking the connection) then this setting doesn't apply. Regardless, the resulting connection must still comply with SSLVersionMin. |
- Otherwise it may be set to one of the following values: "tls1", "tls1.1" or "tls1.2". If compatibility with a buggy server must be maintained, this may be set to "tls1". This is a stopgap measure and the server should be rapidly fixed. |
+ If this policy is not configured or if it is set to "tls1.2" then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> no longer performs this fallback. Note this does not disable support for older TLS versions, only whether <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will work around buggy servers which cannot negotiate versions correctly. |
- A setting of "tls1.2" disables all fallback but this may have a significant compatibility impact.''', |
+ Otherwise, if compatibility with a buggy server must be maintained, this policy may be set to "tls1.1". This is a stopgap measure and the server should be rapidly fixed.''', |
}, |
{ |
'name': 'RC4Enabled', |
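Review bot: The rewritten `desc` never mentions `"tls1"`, so an administrator who still deploys that value cannot tell whether it is rejected, ignored or treated as the default once it leaves the enum. The handling is not visible in this diff, so I would add a sentence such as `A previously configured value of "tls1" is no longer accepted; <resulting behaviour>.` with the actual behaviour filled in. Since the entry now carries the `system-security` tag, the text should also state the cost of opting in, e.g. `Setting this to "tls1.1" lets anyone able to interrupt a handshake force the connection down to TLS 1.1.` The policy entry starts above this hunk, so its `name` and `type` fields are not visible here.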