Expose TLS settings in the Security panel overview, and call out individual obsolete settings.

net/ssl/ssl_cipher_suite_names.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_SSL_SSL_CIPHER_SUITE_NAMES_H_
 #define NET_SSL_SSL_CIPHER_SUITE_NAMES_H_
 
 #include <stdint.h>
 
 #include <string>
@@ skipping 29 matching lines @@
 //     suites in this form will not return an error.
 //
 // Returns true if the cipher suite was successfully parsed, storing the
 // result in |cipher_suite|.
 //
 // TODO(rsleevi): Support the full strings defined in the IANA TLS parameters
 // list.
 NET_EXPORT bool ParseSSLCipherString(const std::string& cipher_string,
                                      uint16_t* cipher_suite);
 
-// |cipher_suite| is the IANA id for the cipher suite. What a "secure"
-// cipher suite is arbitrarily determined here. The intent is to indicate what
-// cipher suites meet modern security standards when backwards compatibility can
-// be ignored.
+// Mask definitions for an integer that holds obsolete SSL settingdetails.
+enum NET_EXPORT ObsoleteSSLMask {
+  // Modern SSL
+  OBSOLETE_SSL_NONE = 0,
+  OBSOLETE_SSL_MASK_PROTOCOL = 1 << 0,
+  OBSOLETE_SSL_MASK_KEY_EXCHANGE = 1 << 1,
+  // |OBSOLETE_SSL_CIPHER_SUITE| indicates to an obsolete cipher, possibly with
+  // a MAC. Note that it does NOT indicate anything about the key exchange.
+  OBSOLETE_SSL_MASK_CIPHER_SUITE = 1 << 2,
+};
+
+// Takes the given |connection_status| and returns a bitmask indicating which of
+// the protocol, key exchange, and cipher suite do not meet modern best-practice
+// security standards (when backwards compatibility can be ignored) - that is,
+// which ones are "obsolete".
 //
-// Currently, this function follows these criteria:
-// 1) Only uses ECDHE-based key exchanges authenticated by a certificate
-// 2) Only uses AEADs
-NET_EXPORT bool IsSecureTLSCipherSuite(uint16_t cipher_suite);

[davidben, 2016/04/11 16:47:01]

This function has a ton of callers you need to update.

[lgarron, 2016/04/12 02:25:09]

Yeah, I left them out for this patch because most of them are tests. I've
updated them in the latest patch.

+// Currently, this function follows these criteria to determine what is
+// obsolete:
+//
+// - Protocol: less than TLS 1.2
+// - Key exchange: Does not use ECDHE-based key exchanges authenticated by a
+//   certificate
+// - Cipher suite: not an AEAD cipher
+NET_EXPORT int ObsoleteSSLStatus(int connection_status);
 
 // Returns true if |cipher_suite| is suitable for use with HTTP/2. See
 // https://http2.github.io/http2-spec/#rfc.section.9.2.2.
 NET_EXPORT bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite);
 
 // Returns the static curve name of |key_exchange_info| if the |cipher_suite|
 // is an elliptic curve, and a name is known. Returns nullptr otherwise.
 // Only defined for OpenSSL, returns nullptr otherwise.
 NET_EXPORT const char* ECCurveName(uint16_t cipher_suite,
                                    int key_exchange_info);
 
 }  // namespace net
 
 #endif  // NET_SSL_SSL_CIPHER_SUITE_NAMES_H_