Expose TLS settings in the Security panel overview, and call out individual obsolete settings.

net/ssl/ssl_cipher_suite_names.cc

Index: net/ssl/ssl_cipher_suite_names.cc
diff --git a/net/ssl/ssl_cipher_suite_names.cc b/net/ssl/ssl_cipher_suite_names.cc
index 2bfe72ac93f9e2e0746db4c04c69f5b6111ab5ac..088765cdd059f357a49ef02dca0c85457cbe476f 100644
--- a/net/ssl/ssl_cipher_suite_names.cc
+++ b/net/ssl/ssl_cipher_suite_names.cc
@@ -362,10 +362,22 @@ bool ParseSSLCipherString(const std::string& cipher_string,
   return false;
 }
 
-bool IsSecureTLSCipherSuite(uint16_t cipher_suite) {
+int ObsoleteSSLStatus(int connection_status) {

[lgarron, 2016/04/09 03:22:50]

I think that this is the right level of abstraction (a single function call to
get all 3 mask bits, including protocol).

I would move this function to another file like net/ssl/obsolete_ssl_stats.{h,
cc}, but that requires exposing GetCipherProperties() in
ssl_cipher_suite_names.h. The values in the switch statements would also become
even-more-magic numbers, given that the cipher suite listing is in
ssl_cipher_suite_names.cc

Do you have a preference?

[lgarron, 2016/04/12 02:25:08]

ping

[davidben, 2016/04/19 17:47:01]

I'm a little sad about this connection_status thing, but I don't have a clear
alternate suggestion if you insist on including the protocol.

If not, the protocol check is redundant. Though I suppose we will be happier if
you're TLS 1.2 with an insecure cipher suite than TLS 1.1 since we can get a
tiny bit closer to ridding ourselves of SHA-1.

   int key_exchange, cipher, mac;
-  if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
-    return false;
+  int obsolete_ssl = OBSOLETE_SSL_NONE;
+
+  int ssl_version = SSLConnectionStatusToVersion(connection_status);
+  if (ssl_version < SSL_CONNECTION_VERSION_TLS1_2) {
+    obsolete_ssl |= OBSOLETE_SSL_MASK_PROTOCOL;
+  }
+
+  uint16_t cipher_suite = SSLConnectionStatusToCipherSuite(connection_status);
+  if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) {
+    // Cannot determine/unknown cipher suite. Err on the side of caution.
+    obsolete_ssl |= OBSOLETE_SSL_MASK_KEY_EXCHANGE;
+    obsolete_ssl |= OBSOLETE_SSL_MASK_CIPHER_SUITE;
+    return obsolete_ssl;
+  }
 
   // Only allow ECDHE key exchanges.
   switch (key_exchange) {
@@ -373,7 +385,7 @@ bool IsSecureTLSCipherSuite(uint16_t cipher_suite) {
     case 16:  // ECDHE_RSA
       break;
     default:
-      return false;
+      obsolete_ssl |= OBSOLETE_SSL_MASK_KEY_EXCHANGE;
   }
 
   switch (cipher) {
@@ -382,14 +394,14 @@ bool IsSecureTLSCipherSuite(uint16_t cipher_suite) {
     case 17:  // CHACHA20_POLY1305
       break;
     default:
-      return false;
+      obsolete_ssl |= OBSOLETE_SSL_MASK_CIPHER_SUITE;
   }
 
   // Only AEADs allowed.
   if (mac != kAEADMACValue)
-    return false;
+    obsolete_ssl |= OBSOLETE_SSL_MASK_CIPHER_SUITE;
 
-  return true;
+  return obsolete_ssl;
 }
 
 bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) {