Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(669)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/ssl/ssl_cipher_suite_names.h

Issue 1727133002: Expose TLS settings in the Security panel overview, and call out individual obsolete settings. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Always expose TLS settings. Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« chrome/browser/ui/browser.cc ('K') | « content/public/browser/security_style_explanations.h ('k') | net/ssl/ssl_cipher_suite_names.cc » ('j') | net/ssl/ssl_cipher_suite_names.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/ssl/ssl_cipher_suite_names.h
diff --git a/net/ssl/ssl_cipher_suite_names.h b/net/ssl/ssl_cipher_suite_names.h
index 4651eb188a790bcc6d7e9c92175efc465fff6d55..9ab44ac6c40e09b7f88439dc1fabbba21546ffde 100644
--- a/net/ssl/ssl_cipher_suite_names.h
+++ b/net/ssl/ssl_cipher_suite_names.h
@@ -47,15 +47,30 @@ NET_EXPORT void SSLVersionToString(const char** name, int ssl_version);
NET_EXPORT bool ParseSSLCipherString(const std::string& cipher_string,
uint16_t* cipher_suite);
-// |cipher_suite| is the IANA id for the cipher suite. What a "secure"
-// cipher suite is arbitrarily determined here. The intent is to indicate what
-// cipher suites meet modern security standards when backwards compatibility can
-// be ignored.
+// Mask definitions for an integer that holds obsolete SSL settingdetails.
+enum NET_EXPORT ObsoleteSSLMask {
+ // Modern SSL
+ OBSOLETE_SSL_NONE = 0,
+ OBSOLETE_SSL_MASK_PROTOCOL = 1 << 0,
+ OBSOLETE_SSL_MASK_KEY_EXCHANGE = 1 << 1,
+ // |OBSOLETE_SSL_CIPHER_SUITE| indicates to an obsolete cipher, possibly with
+ // a MAC. Note that it does NOT indicate anything about the key exchange.
+ OBSOLETE_SSL_MASK_CIPHER_SUITE = 1 << 2,
+};
+
+// Takes the given |connection_status| and returns a bitmask indicating which of
+// the protocol, key exchange, and cipher suite do not meet modern best-practice
+// security standards (when backwards compatibility can be ignored) - that is,
+// which ones are "obsolete".
+//
+// Currently, this function follows these criteria to determine what is
+// obsolete:
//
-// Currently, this function follows these criteria:
-// 1) Only uses ECDHE-based key exchanges authenticated by a certificate
-// 2) Only uses AEADs
-NET_EXPORT bool IsSecureTLSCipherSuite(uint16_t cipher_suite);
davidben 2016/04/11 16:47:01 This function has a ton of callers you need to upd
lgarron 2016/04/12 02:25:09 Yeah, I left them out for this patch because most
+// - Protocol: less than TLS 1.2
+// - Key exchange: Does not use ECDHE-based key exchanges authenticated by a
+// certificate
+// - Cipher suite: not an AEAD cipher
+NET_EXPORT int ObsoleteSSLStatus(int connection_status);
// Returns true if |cipher_suite| is suitable for use with HTTP/2. See
// https://http2.github.io/http2-spec/#rfc.section.9.2.2.
« chrome/browser/ui/browser.cc ('K') | « content/public/browser/security_style_explanations.h ('k') | net/ssl/ssl_cipher_suite_names.cc » ('j') | net/ssl/ssl_cipher_suite_names.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698