Expose TLS settings in the Security panel overview, and call out individual obsolete settings.

chrome/browser/ssl/chrome_security_state_model_client.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ssl/chrome_security_state_model_client.h"
 
 #include "base/command_line.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/strings/utf_string_conversions.h"
 #include "build/build_config.h"
 #include "chrome/browser/chromeos/policy/policy_cert_service.h"
 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/grit/generated_resources.h"
 #include "content/public/browser/cert_store.h"
 #include "content/public/browser/navigation_entry.h"
 #include "content/public/browser/security_style_explanation.h"
 #include "content/public/browser/security_style_explanations.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/common/origin_util.h"
 #include "content/public/common/ssl_status.h"
 #include "net/base/net_errors.h"
 #include "net/cert/x509_certificate.h"
+#include "net/ssl/ssl_cipher_suite_names.h"
+#include "net/ssl/ssl_connection_status_flags.h"
 #include "ui/base/l10n/l10n_util.h"
 
 DEFINE_WEB_CONTENTS_USER_DATA_KEY(ChromeSecurityStateModelClient);
 
 using security_state::SecurityStateModel;
 
 namespace {
 
 // Converts a content::SecurityStyle (an indicator of a request's
 // overall security level computed by //content) into a
@@ skipping 35 matching lines @@
     case SecurityStateModel::SECURE:
       return content::SECURITY_STYLE_AUTHENTICATED;
     case SecurityStateModel::SECURITY_ERROR:
       return content::SECURITY_STYLE_AUTHENTICATION_BROKEN;
   }
 
   NOTREACHED();
   return content::SECURITY_STYLE_UNKNOWN;
 }
 
+void AddConnectionExplanation(
+    const security_state::SecurityStateModel::SecurityInfo& security_info,
+    content::SecurityStyleExplanations* security_style_explanations) {
+  int ssl_version =
+      net::SSLConnectionStatusToVersion(security_info.connection_status);
+  const char* protocol;
+  net::SSLVersionToString(&protocol, ssl_version);
+  const char* key_exchange;
+  const char* cipher;
+  const char* mac;
+  bool is_aead;
+  uint16_t cipher_suite =
+      net::SSLConnectionStatusToCipherSuite(security_info.connection_status);
+  net::SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead,
+                               cipher_suite);
+  base::string16 protocol_name = base::ASCIIToUTF16(protocol);
+  base::string16 key_exchange_name = base::ASCIIToUTF16(key_exchange);
+  const base::string16 cipher_name =
+      (mac == NULL) ? base::ASCIIToUTF16(cipher)
+                    : l10n_util::GetStringFUTF16(IDS_CIPHER_WITH_MAC,
+                                                 base::ASCIIToUTF16(cipher),
+                                                 base::ASCIIToUTF16(mac));
+  if (security_info.obsolete_ssl_status == net::OBSOLETE_SSL_NONE) {
+    security_style_explanations->secure_explanations.push_back(
+        content::SecurityStyleExplanation(
+            l10n_util::GetStringUTF8(IDS_STRONG_SSL_SUMMARY),
+            l10n_util::GetStringFUTF8(IDS_STRONG_SSL_DESCRIPTION, protocol_name,
+                                      key_exchange_name, cipher_name)));
+    return;
+  } else {

[estark, 2016/06/15 04:46:08]

no need for else + indentation after return

[lgarron, 2016/08/05 23:22:58]

Done.

+    // We avoid trying to show TLS details when we couldn't even establish a TLS

[estark, 2016/06/15 04:46:08]

nit: avoid "we" in comments

[lgarron, 2016/08/05 23:22:58]

Done.

+    // connection (e.g. for net errors). We check the cert_id to see if there

[estark, 2016/06/15 04:46:08]

nit: |cert_id|

[lgarron, 2016/08/05 23:22:58]

Done.

+    // was a connection.
+    if (security_info.cert_id != 0) {

[estark, 2016/06/15 04:46:08]

prefer early return:

if (security_info.cert_id == 0)
  return;
...

[lgarron, 2016/08/05 23:22:58]

Done.

+      std::vector<base::string16> description_replacements;
+      int status = security_info.obsolete_ssl_status;
+      int str_id;
+
+      str_id = (status & net::OBSOLETE_SSL_MASK_PROTOCOL)
+                   ? IDS_SSL_AN_OBSOLETE_PROTOCOL
+                   : IDS_SSL_A_STRONG_PROTOCOL;
+      description_replacements.push_back(l10n_util::GetStringUTF16(str_id));
+      description_replacements.push_back(protocol_name);
+
+      str_id = (status & net::OBSOLETE_SSL_MASK_KEY_EXCHANGE)
+                   ? IDS_SSL_AN_OBSOLETE_KEY_EXCHANGE
+                   : IDS_SSL_A_STRONG_KEY_EXCHANGE;
+      description_replacements.push_back(l10n_util::GetStringUTF16(str_id));
+      description_replacements.push_back(key_exchange_name);
+
+      str_id = (status & net::OBSOLETE_SSL_MASK_CIPHER)
+                   ? IDS_SSL_AN_OBSOLETE_CIPHER
+                   : IDS_SSL_A_STRONG_CIPHER;
+      description_replacements.push_back(l10n_util::GetStringUTF16(str_id));
+      description_replacements.push_back(cipher_name);
+
+      security_style_explanations->info_explanations.push_back(
+          content::SecurityStyleExplanation(
+              l10n_util::GetStringUTF8(IDS_OBSOLETE_SSL_SUMMARY),
+              base::UTF16ToUTF8(l10n_util::GetStringFUTF16(
+                  IDS_OBSOLETE_SSL_DESCRIPTION, description_replacements,
+                  nullptr))));
+      return;

[estark, 2016/06/15 04:46:08]

no return necessary here

[lgarron, 2016/08/05 23:22:58]

Done.

+    }
+  }
+}
+
 }  // namespace
 
 ChromeSecurityStateModelClient::ChromeSecurityStateModelClient(
     content::WebContents* web_contents)
     : web_contents_(web_contents),
       security_state_model_(new SecurityStateModel()) {
   security_state_model_->SetClient(this);
 }
 
 ChromeSecurityStateModelClient::~ChromeSecurityStateModelClient() {}
@@ skipping 75 matching lines @@
         SecurityStateModel::NO_DEPRECATED_SHA1) {
       security_style_explanations->secure_explanations.push_back(
           content::SecurityStyleExplanation(
               l10n_util::GetStringUTF8(IDS_VALID_SERVER_CERTIFICATE),
               l10n_util::GetStringUTF8(
                   IDS_VALID_SERVER_CERTIFICATE_DESCRIPTION),
               security_info.cert_id));
     }
   }
 
-  if (security_info.is_secure_protocol_and_ciphersuite) {
-    security_style_explanations->secure_explanations.push_back(
-        content::SecurityStyleExplanation(
-            l10n_util::GetStringUTF8(IDS_SECURE_PROTOCOL_AND_CIPHERSUITE),
-            l10n_util::GetStringUTF8(
-                IDS_SECURE_PROTOCOL_AND_CIPHERSUITE_DESCRIPTION)));
-  }
+  AddConnectionExplanation(security_info, security_style_explanations);
 
   return security_style;
 }
 
 const SecurityStateModel::SecurityInfo&
 ChromeSecurityStateModelClient::GetSecurityInfo() const {
   return security_state_model_->GetSecurityInfo();
 }
 
 bool ChromeSecurityStateModelClient::RetrieveCert(
@@ skipping 50 matching lines @@
   state->sct_verify_statuses.insert(state->sct_verify_statuses.end(),
                                     ssl.num_valid_scts, net::ct::SCT_STATUS_OK);
   state->displayed_mixed_content =
       (ssl.content_status & content::SSLStatus::DISPLAYED_INSECURE_CONTENT)
           ? true
           : false;
   state->ran_mixed_content =
       (ssl.content_status & content::SSLStatus::RAN_INSECURE_CONTENT) ? true
                                                                       : false;
 }