Expose TLS settings in the Security panel overview, and call out individual obsolete settings.

net/ssl/ssl_cipher_suite_names.cc

Index: net/ssl/ssl_cipher_suite_names.cc
diff --git a/net/ssl/ssl_cipher_suite_names.cc b/net/ssl/ssl_cipher_suite_names.cc
index 2bfe72ac93f9e2e0746db4c04c69f5b6111ab5ac..db62e572dc952fbe2de6a9730c9a9fbd11578952 100644
--- a/net/ssl/ssl_cipher_suite_names.cc
+++ b/net/ssl/ssl_cipher_suite_names.cc
@@ -296,6 +296,50 @@ bool GetCipherProperties(uint16_t cipher_suite,
   return true;
 }
 
+int ObsoleteSSLStatusForProtocol(int ssl_version) {
+  int obsolete_ssl = net::OBSOLETE_SSL_NONE;
+  if (ssl_version < net::SSL_CONNECTION_VERSION_TLS1_2) {

[estark, 2016/04/18 11:46:44]

nit: no curly braces

[lgarron, 2016/04/25 23:56:54]

Done.

+    obsolete_ssl |= net::OBSOLETE_SSL_MASK_PROTOCOL;
+  }
+  return obsolete_ssl;
+}
+
+int ObsoleteSSLStatusForCipherSuite(uint16_t cipher_suite) {
+  int obsolete_ssl = net::OBSOLETE_SSL_NONE;
+
+  int key_exchange, cipher, mac;
+  if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) {
+    // Cannot determine/unknown cipher suite. Err on the side of caution.
+    obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE;
+    obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
+    return obsolete_ssl;
+  }
+
+  // Only allow ECDHE key exchanges.
+  switch (key_exchange) {
+    case 14:  // ECDHE_ECDSA
+    case 16:  // ECDHE_RSA
+      break;
+    default:
+      obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE;
+  }
+
+  switch (cipher) {
+    case 13:  // AES_128_GCM
+    case 14:  // AES_256_GCM
+    case 17:  // CHACHA20_POLY1305
+      break;
+    default:
+      obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
+  }
+
+  // Only AEADs allowed.
+  if (mac != kAEADMACValue)
+    obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
+
+  return obsolete_ssl;
+}
+
 }  // namespace
 
 namespace net {
@@ -362,34 +406,20 @@ bool ParseSSLCipherString(const std::string& cipher_string,
   return false;
 }
 
-bool IsSecureTLSCipherSuite(uint16_t cipher_suite) {
-  int key_exchange, cipher, mac;
-  if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
-    return false;
+int ObsoleteSSLStatus(int connection_status) {
+  int obsolete_ssl = OBSOLETE_SSL_NONE;
 
-  // Only allow ECDHE key exchanges.
-  switch (key_exchange) {
-    case 14:  // ECDHE_ECDSA
-    case 16:  // ECDHE_RSA
-      break;
-    default:
-      return false;
-  }
+  int ssl_version = SSLConnectionStatusToVersion(connection_status);
+  obsolete_ssl |= ObsoleteSSLStatusForProtocol(ssl_version);
 
-  switch (cipher) {
-    case 13:  // AES_128_GCM
-    case 14:  // AES_256_GCM
-    case 17:  // CHACHA20_POLY1305
-      break;
-    default:
-      return false;
-  }
+  uint16_t cipher_suite = SSLConnectionStatusToCipherSuite(connection_status);
+  obsolete_ssl |= ObsoleteSSLStatusForCipherSuite(cipher_suite);
 
-  // Only AEADs allowed.
-  if (mac != kAEADMACValue)
-    return false;
+  return obsolete_ssl;
+}
 
-  return true;
+bool IsObsoleteTLSCipherSuite(int cipher_suite) {
+  return ObsoleteSSLStatusForCipherSuite(cipher_suite) != OBSOLETE_SSL_NONE;
 }
 
 bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) {