Expose TLS settings in the Security panel overview, and call out individual obsolete settings.

chrome/browser/ssl/chrome_security_state_model_client_browser_tests.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ssl/chrome_security_state_model_client.h"
 
 #include "base/command_line.h"
 #include "base/files/file_path.h"
 #include "base/macros.h"
 #include "base/strings/string_split.h"
@@ skipping 140 matching lines @@
         secure_explanations[0].description);
     int cert_id = browser->tab_strip_model()
                       ->GetActiveWebContents()
                       ->GetController()
                       .GetActiveEntry()
                       ->GetSSL()
                       .cert_id;
     EXPECT_EQ(cert_id, secure_explanations[0].cert_id);
   }
 
-  EXPECT_EQ(l10n_util::GetStringUTF8(IDS_SECURE_PROTOCOL_AND_CIPHERSUITE),
+  EXPECT_EQ(l10n_util::GetStringUTF8(IDS_STRONG_SSL_SUMMARY),
             secure_explanations.back().summary);
-  EXPECT_EQ(
-      l10n_util::GetStringUTF8(IDS_SECURE_PROTOCOL_AND_CIPHERSUITE_DESCRIPTION),
-      secure_explanations.back().description);
+
+  content::WebContents* web_contents =
+      browser->tab_strip_model()->GetActiveWebContents();
+  const SecurityStateModel::SecurityInfo& security_info =
+      ChromeSecurityStateModelClient::FromWebContents(web_contents)
+          ->GetSecurityInfo();
+
+  const char *protocol, *key_exchange, *cipher, *mac;
+  int ssl_version =
+      net::SSLConnectionStatusToVersion(security_info.connection_status);
+  net::SSLVersionToString(&protocol, ssl_version);
+  bool is_aead;
+  uint16_t cipher_suite =
+      net::SSLConnectionStatusToCipherSuite(security_info.connection_status);
+  net::SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead,
+                               cipher_suite);
+  EXPECT_EQ(TRUE, is_aead);

[estark, 2016/08/08 18:01:38]

nit: EXPECT_TRUE(is_aead)

[lgarron, 2016/08/08 20:38:26]

Done.

+  EXPECT_EQ(NULL, mac);  // The default secure cipher does not have a MAC.
+
+  std::vector<base::string16> description_replacements;
+  description_replacements.push_back(base::ASCIIToUTF16(protocol));
+  description_replacements.push_back(base::ASCIIToUTF16(key_exchange));
+  description_replacements.push_back(base::ASCIIToUTF16(cipher));
+  base::string16 secure_description = l10n_util::GetStringFUTF16(
+      IDS_STRONG_SSL_DESCRIPTION, description_replacements, nullptr);
+
+  EXPECT_EQ(secure_description,
+            base::ASCIIToUTF16(secure_explanations.back().description));
 }
 
 void CheckSecurityInfoForSecure(
     content::WebContents* contents,
     SecurityStateModel::SecurityLevel expect_security_level,
     SecurityStateModel::SHA1DeprecationStatus expect_sha1_status,
     SecurityStateModel::MixedContentStatus expect_mixed_content_status,
     bool pkp_bypassed,
     bool expect_cert_error) {
   ASSERT_TRUE(contents);
@@ skipping 801 matching lines @@
   EXPECT_TRUE(observer.latest_explanations().scheme_is_cryptographic);
   EXPECT_FALSE(observer.latest_explanations().pkp_bypassed);
   EXPECT_TRUE(observer.latest_explanations().info_explanations.empty());
   EXPECT_FALSE(observer.latest_explanations().displayed_insecure_content);
   EXPECT_FALSE(observer.latest_explanations().ran_insecure_content);
 }
 
 // After AddNonsecureUrlHandler() is called, requests to this hostname
 // will use obsolete TLS settings.
 const char kMockNonsecureHostname[] = "example-nonsecure.test";
+const int kObsoleteTLSVersion = net::SSL_CONNECTION_VERSION_TLS1_1;
+// ECDHE_RSA + AES_128_CBC with HMAC-SHA1
+const uint16_t kObsoleteCipherSuite = 0xc013;
 
-// A URLRequestMockHTTPJob that mocks a TLS connection with an obsolete
-// protocol version.
+// A URLRequestMockHTTPJob that mocks a TLS connection with the obsolete
+// TLS settings specified in kObsoleteTLSVersion and
+// kObsoleteCipherSuite.
 class URLRequestObsoleteTLSJob : public net::URLRequestMockHTTPJob {
  public:
   URLRequestObsoleteTLSJob(net::URLRequest* request,
                            net::NetworkDelegate* network_delegate,
                            const base::FilePath& file_path,
                            scoped_refptr<net::X509Certificate> cert,
                            scoped_refptr<base::TaskRunner> task_runner)
       : net::URLRequestMockHTTPJob(request,
                                    network_delegate,
                                    file_path,
                                    task_runner),
         cert_(std::move(cert)) {}
 
   void GetResponseInfo(net::HttpResponseInfo* info) override {
     net::URLRequestMockHTTPJob::GetResponseInfo(info);
-    net::SSLConnectionStatusSetVersion(net::SSL_CONNECTION_VERSION_TLS1_1,
+    net::SSLConnectionStatusSetVersion(kObsoleteTLSVersion,
                                        &info->ssl_info.connection_status);
-    const uint16_t kTlsEcdheRsaWithAes128CbcSha = 0xc013;
-    net::SSLConnectionStatusSetCipherSuite(kTlsEcdheRsaWithAes128CbcSha,
+    net::SSLConnectionStatusSetCipherSuite(kObsoleteCipherSuite,
                                            &info->ssl_info.connection_status);
     info->ssl_info.cert = cert_;
   }
 
  protected:
   ~URLRequestObsoleteTLSJob() override {}
 
  private:
   const scoped_refptr<net::X509Certificate> cert_;
 
@@ skipping 87 matching lines @@
   // The security style of the page doesn't get downgraded for obsolete
   // TLS settings, so it should remain at SECURITY_STYLE_AUTHENTICATED.
   EXPECT_EQ(content::SECURITY_STYLE_AUTHENTICATED,
             observer.latest_security_style());
 
   // The messages explaining the security style do, however, get
   // downgraded: SECURE_PROTOCOL_AND_CIPHERSUITE should not show up when
   // the TLS settings are obsolete.
   for (const auto& explanation :
        observer.latest_explanations().secure_explanations) {
-    EXPECT_NE(l10n_util::GetStringUTF8(IDS_SECURE_PROTOCOL_AND_CIPHERSUITE),
+    EXPECT_NE(l10n_util::GetStringUTF8(IDS_STRONG_SSL_SUMMARY),
               explanation.summary);
   }
+
+  // Populate description string replacement with values corresponding
+  // to test constants.
+  std::vector<base::string16> description_replacements;
+  description_replacements.push_back(
+      l10n_util::GetStringUTF16(IDS_SSL_AN_OBSOLETE_PROTOCOL));
+  description_replacements.push_back(base::ASCIIToUTF16("TLS 1.1"));
+  description_replacements.push_back(
+      l10n_util::GetStringUTF16(IDS_SSL_A_STRONG_KEY_EXCHANGE));
+  description_replacements.push_back(base::ASCIIToUTF16("ECDHE_RSA"));
+  description_replacements.push_back(
+      l10n_util::GetStringUTF16(IDS_SSL_AN_OBSOLETE_CIPHER));
+  description_replacements.push_back(
+      base::ASCIIToUTF16("AES_128_CBC with HMAC-SHA1"));
+  base::string16 obsolete_description = l10n_util::GetStringFUTF16(
+      IDS_OBSOLETE_SSL_DESCRIPTION, description_replacements, nullptr);
+
+  EXPECT_EQ(
+      obsolete_description,
+      base::ASCIIToUTF16(
+          observer.latest_explanations().info_explanations[0].description));
 }
 
 // After AddSCTUrlHandler() is called, requests to this hostname
 // will be served with Signed Certificate Timestamps.
 const char kMockHostnameWithSCTs[] = "example-scts.test";
 
 // URLRequestJobWithSCTs mocks a connection that includes a set of dummy
 // SCTs with these statuses.
 const std::vector<net::ct::SCTVerifyStatus> kTestSCTStatuses{
     net::ct::SCT_STATUS_OK, net::ct::SCT_STATUS_LOG_UNKNOWN,
@@ skipping 120 matching lines @@
   ChromeSecurityStateModelClient* model_client =
       ChromeSecurityStateModelClient::FromWebContents(web_contents);
   ASSERT_TRUE(model_client);
   const SecurityStateModel::SecurityInfo& security_info =
       model_client->GetSecurityInfo();
   EXPECT_EQ(SecurityStateModel::SECURE, security_info.security_level);
   EXPECT_EQ(kTestSCTStatuses, security_info.sct_verify_statuses);
 }
 
 }  // namespace