Expose TLS settings in the Security panel overview, and call out individual obsolete settings.

net/ssl/ssl_cipher_suite_names.h

Index: net/ssl/ssl_cipher_suite_names.h
diff --git a/net/ssl/ssl_cipher_suite_names.h b/net/ssl/ssl_cipher_suite_names.h
index 4651eb188a790bcc6d7e9c92175efc465fff6d55..cabe16b42ac1e04dded0e01ec5c1a123a44f42be 100644
--- a/net/ssl/ssl_cipher_suite_names.h
+++ b/net/ssl/ssl_cipher_suite_names.h
@@ -47,15 +47,37 @@ NET_EXPORT void SSLVersionToString(const char** name, int ssl_version);
 NET_EXPORT bool ParseSSLCipherString(const std::string& cipher_string,
                                      uint16_t* cipher_suite);
 
-// |cipher_suite| is the IANA id for the cipher suite. What a "secure"
-// cipher suite is arbitrarily determined here. The intent is to indicate what
-// cipher suites meet modern security standards when backwards compatibility can
-// be ignored.
+// Mask definitions for an integer that holds obsolete SSL setting details.
+// We use "obsolete" instead of "modern" (the complement) for each bit,
+// to make it very clear that any obsolete bit makes the whole mask obsolete.

[davidben, 2016/04/19 17:47:01]

I wouldn't bother with the second sentence.

[lgarron, 2016/04/25 23:56:54]

Done.

+enum NET_EXPORT ObsoleteSSLMask {
+  // Modern SSL
+  OBSOLETE_SSL_NONE = 0,
+  OBSOLETE_SSL_MASK_PROTOCOL = 1 << 0,
+  OBSOLETE_SSL_MASK_KEY_EXCHANGE = 1 << 1,
+  // |OBSOLETE_SSL_CIPHER_SUITE| indicates to obsolete cipher.

[estark, 2016/04/18 11:46:45]

"to" -> "an", maybe? not sure what it's supposed to say but it doesn't make
sense :)

also looks like it should be |OBSOLETE_SSL_MASK_CIPHER|, not
|OBSOLETE_SSL_CIPHER_SUITE|

[lgarron, 2016/04/25 23:56:54]

This comment was more relevant before I added OBSOLETE_SSL_MASK_PROTOCOL. I've
just gone ahead and removed the comment.

+  // Note that it does NOT indicate anything about the key exchange.
+  OBSOLETE_SSL_MASK_CIPHER = 1 << 2,
+};
+
+// Takes the given |connection_status| and returns a bitmask indicating which of
+// the protocol, key exchange, and cipher suite do not meet modern best-practice
+// security standards (when backwards compatibility can be ignored) - that is,
+// which ones are "obsolete".

[davidben, 2016/04/19 17:47:01]

Nit: no quotes (you already used it without quotes in line 50)

[lgarron, 2016/04/25 23:56:54]

Ack, but I've removed line 50, so I'll keep the quotes here for now.

+//
+// Currently, this function follows these criteria to determine what is
+// obsolete:
 //
-// Currently, this function follows these criteria:
-// 1) Only uses ECDHE-based key exchanges authenticated by a certificate
-// 2) Only uses AEADs
-NET_EXPORT bool IsSecureTLSCipherSuite(uint16_t cipher_suite);
+// - Protocol: less than TLS 1.2
+// - Key exchange: Does not use ECDHE-based key exchanges authenticated by a
+//   certificate
+// - Cipher: not an AEAD cipher
+NET_EXPORT int ObsoleteSSLStatus(int connection_status);
+
+// A convenience function that performs the ObsoleteSSLStatus() checks on just
+// the |cipher_suite| and returns true if either the key exchange of the cipher

[estark, 2016/04/18 11:46:44]

"of the cipher" -> "or the cipher"

[lgarron, 2016/04/25 23:56:54]

Good catch; function is now removed, though.

+// is obsolete.
+NET_EXPORT bool IsObsoleteTLSCipherSuite(int cipher_suite);

[davidben, 2016/04/19 17:47:01]

I realize I was the one who said you needed to add this back, but I didn't
realize how far we were along to killing the NSS code, so I guess it's not
actually going to be needed.

Nit: If you do keep this around, why the negation? IsSecureTLSCipherSuite is a
fine name and IsObsoleteTLSCipherSuite causes an unfortunate negation.

[lgarron, 2016/04/25 23:56:54]

I was struggling with what to call this. Since the file with the only call site
is gone now, this is finally moot. :-)

 
 // Returns true if |cipher_suite| is suitable for use with HTTP/2. See
 // https://http2.github.io/http2-spec/#rfc.section.9.2.2.