Enable AES_256_GCM ciphers.

Enable AES_256_GCM ciphers.

This results in the following cipher suite order:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 [not offered in initial handshake]
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA [not offered in initial handshake]
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA [not offered in initial handshake]
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

I've intentionally excluded DHE_RSA_WITH_AES_256_GCM_SHA384 because we intend
to remove DHE ciphers later.

BUG=591516
Committed: https://crrev.com/b3c2d9730fd1d023b648aa745a2afca569bf9933
Cr-Commit-Position: refs/heads/master@{#380761}

[davidben, 2016-03-08 01:42:15]

davidben@chromium.org changed reviewers:
+ eroman@chromium.org

[davidben, 2016-03-08 01:42:16]

https://codereview.chromium.org/1769393002/diff/1/net/ssl/ssl_config.h
File net/ssl/ssl_config.h (left):

https://codereview.chromium.org/1769393002/diff/1/net/ssl/ssl_config.h#oldcod...
net/ssl/ssl_config.h:101: // implementation will be enabled except for:
This comment isn't terribly meaningful anymore since BoringSSL doesn't implement
most of this to begin with.

[davidben, 2016-03-10 17:46:51]

Description was changed from

==========
Enable AES_256_GCM ciphers.

This results in the following cipher suite order:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 [not offered in initial handshake]
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA [not offered in initial handshake]
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

I've intentionally excluded DHE_RSA_WITH_AES_256_GCM_SHA384 because we intend
to remove DHE ciphers later.

BUG=591516
==========

to

==========
Enable AES_256_GCM ciphers.

This results in the following cipher suite order:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 [not offered in initial handshake]
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA [not offered in initial handshake]
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA [not offered in initial handshake]
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

I've intentionally excluded DHE_RSA_WITH_AES_256_GCM_SHA384 because we intend
to remove DHE ciphers later.

BUG=591516
==========

[davidben, 2016-03-10 17:47:05]

friendly ping

[eroman, 2016-03-10 17:49:26]

LGTM

Where are the tests for this?

[davidben, 2016-03-10 18:45:34]

On 2016/03/10 17:49:26, eroman wrote:
> LGTM
> 
> Where are the tests for this?

The tests for the cipher itself is in BoringSSL. I don't think we can easily
test anything about this Chromium-side because tlslite is like NSS in not
supporting SHA-384 PRFs. :-/

[davidben, 2016-03-10 19:30:50]

The CQ bit was checked by davidben@chromium.org

[commit-bot: I haz the power, 2016-03-10 19:31:52]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1769393002/1
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1769393002/1

[commit-bot: I haz the power, 2016-03-10 20:42:34]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-03-10 20:42:35]

Try jobs failed on following builders:
  linux_chromium_asan_rel_ng on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[davidben, 2016-03-10 21:11:27]

The CQ bit was checked by davidben@chromium.org

[commit-bot: I haz the power, 2016-03-10 21:11:46]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1769393002/1
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1769393002/1

[commit-bot: I haz the power, 2016-03-10 21:53:38]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-03-10 21:53:39]

Try jobs failed on following builders:
  linux_chromium_chromeos_ozone_rel_ng on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[davidben, 2016-03-10 21:58:45]

On 2016/03/10 21:53:39, commit-bot: I haz the power wrote:
> Try jobs failed on following builders:
>   linux_chromium_chromeos_ozone_rel_ng on tryserver.chromium.linux
(JOB_FAILED,
>
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

I swear, the CQ is just exploding right now...

[davidben, 2016-03-10 21:58:53]

The CQ bit was checked by davidben@chromium.org

[commit-bot: I haz the power, 2016-03-10 21:59:22]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1769393002/1
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1769393002/1

[commit-bot: I haz the power, 2016-03-10 22:27:38]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-03-10 22:27:39]

Try jobs failed on following builders:
  linux_chromium_asan_rel_ng on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
  linux_chromium_chromeos_rel_ng on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[davidben, 2016-03-10 22:43:00]

The CQ bit was checked by davidben@chromium.org

[commit-bot: I haz the power, 2016-03-10 22:44:00]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1769393002/1
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1769393002/1

[commit-bot: I haz the power, 2016-03-10 23:27:22]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-03-10 23:27:23]

Try jobs failed on following builders:
  linux_chromium_chromeos_ozone_rel_ng on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
  linux_chromium_chromeos_rel_ng on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[davidben, 2016-03-11 19:11:43]

The CQ bit was checked by davidben@chromium.org

[commit-bot: I haz the power, 2016-03-11 19:12:42]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1769393002/1
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1769393002/1

[commit-bot: I haz the power, 2016-03-11 20:04:31]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-03-11 20:04:35]

Try jobs failed on following builders:
  linux_chromium_asan_rel_ng on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[davidben, 2016-03-11 20:18:39]

The CQ bit was checked by davidben@chromium.org

[commit-bot: I haz the power, 2016-03-11 20:19:16]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1769393002/1
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1769393002/1

[commit-bot: I haz the power, 2016-03-11 22:36:25]

Description was changed from

==========
Enable AES_256_GCM ciphers.

This results in the following cipher suite order:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 [not offered in initial handshake]
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA [not offered in initial handshake]
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA [not offered in initial handshake]
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

I've intentionally excluded DHE_RSA_WITH_AES_256_GCM_SHA384 because we intend
to remove DHE ciphers later.

BUG=591516
==========

to

==========
Enable AES_256_GCM ciphers.

This results in the following cipher suite order:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 [not offered in initial handshake]
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA [not offered in initial handshake]
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA [not offered in initial handshake]
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

I've intentionally excluded DHE_RSA_WITH_AES_256_GCM_SHA384 because we intend
to remove DHE ciphers later.

BUG=591516
==========

[commit-bot: I haz the power, 2016-03-11 22:36:26]

Committed patchset #1 (id:1)

[commit-bot: I haz the power, 2016-03-11 22:38:56]

Description was changed from

==========
Enable AES_256_GCM ciphers.

This results in the following cipher suite order:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 [not offered in initial handshake]
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA [not offered in initial handshake]
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA [not offered in initial handshake]
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

I've intentionally excluded DHE_RSA_WITH_AES_256_GCM_SHA384 because we intend
to remove DHE ciphers later.

BUG=591516
==========

to

==========
Enable AES_256_GCM ciphers.

This results in the following cipher suite order:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 [not offered in initial handshake]
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA [not offered in initial handshake]
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA [not offered in initial handshake]
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

I've intentionally excluded DHE_RSA_WITH_AES_256_GCM_SHA384 because we intend
to remove DHE ciphers later.

BUG=591516

Committed: https://crrev.com/b3c2d9730fd1d023b648aa745a2afca569bf9933
Cr-Commit-Position: refs/heads/master@{#380761}
==========

[commit-bot: I haz the power, 2016-03-11 22:38:58]

Patchset 1 (id:??) landed as
https://crrev.com/b3c2d9730fd1d023b648aa745a2afca569bf9933
Cr-Commit-Position: refs/heads/master@{#380761}