| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <openssl/bio.h> | 8 #include <openssl/bio.h> |
| 9 #include <openssl/bytestring.h> | 9 #include <openssl/bytestring.h> |
| 10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
| (...skipping 970 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 981 | 981 |
| 982 SSL_set_mode(ssl_, mode.set_mask); | 982 SSL_set_mode(ssl_, mode.set_mask); |
| 983 SSL_clear_mode(ssl_, mode.clear_mask); | 983 SSL_clear_mode(ssl_, mode.clear_mask); |
| 984 | 984 |
| 985 // Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers | 985 // Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers |
| 986 // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable | 986 // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable |
| 987 // DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not | 987 // DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not |
| 988 // supported. As DHE is being deprecated, don't add a cipher only to remove it | 988 // supported. As DHE is being deprecated, don't add a cipher only to remove it |
| 989 // immediately. | 989 // immediately. |
| 990 std::string command( | 990 std::string command( |
| 991 "DEFAULT:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK"); | 991 "DEFAULT:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK:!RC4"); |
| 992 | 992 |
| 993 if (ssl_config_.require_ecdhe) | 993 if (ssl_config_.require_ecdhe) |
| 994 command.append(":!kRSA:!kDHE"); | 994 command.append(":!kRSA:!kDHE"); |
| 995 | 995 |
| 996 if (!(ssl_config_.rc4_enabled && | |
| 997 ssl_config_.deprecated_cipher_suites_enabled)) { | |
| 998 command.append(":!RC4"); | |
| 999 } | |
| 1000 | |
| 1001 if (!ssl_config_.deprecated_cipher_suites_enabled) { | 996 if (!ssl_config_.deprecated_cipher_suites_enabled) { |
| 1002 // Only offer DHE on the second handshake. https://crbug.com/538690 | 997 // Only offer DHE on the second handshake. https://crbug.com/538690 |
| 1003 command.append(":!kDHE"); | 998 command.append(":!kDHE"); |
| 1004 } | 999 } |
| 1005 | 1000 |
| 1006 // Remove any disabled ciphers. | 1001 // Remove any disabled ciphers. |
| 1007 for (uint16_t id : ssl_config_.disabled_cipher_suites) { | 1002 for (uint16_t id : ssl_config_.disabled_cipher_suites) { |
| 1008 const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id); | 1003 const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id); |
| 1009 if (cipher) { | 1004 if (cipher) { |
| 1010 command.append(":!"); | 1005 command.append(":!"); |
| (...skipping 1325 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2336 if (rv != OK) { | 2331 if (rv != OK) { |
| 2337 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 2332 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
| 2338 return; | 2333 return; |
| 2339 } | 2334 } |
| 2340 | 2335 |
| 2341 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, | 2336 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, |
| 2342 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); | 2337 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); |
| 2343 } | 2338 } |
| 2344 | 2339 |
| 2345 } // namespace net | 2340 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2030263002:
Remove the last vestiges of RC4. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master