OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <openssl/bio.h> | 8 #include <openssl/bio.h> |
9 #include <openssl/bytestring.h> | 9 #include <openssl/bytestring.h> |
10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
(...skipping 1158 matching lines...)
1169 | 1169 |
1170 int SSLClientSocketImpl::DoHandshakeComplete(int result) { | 1170 int SSLClientSocketImpl::DoHandshakeComplete(int result) { |
1171 if (result < 0) | 1171 if (result < 0) |
1172 return result; | 1172 return result; |
1173 | 1173 |
1174 if (ssl_config_.version_fallback && | 1174 if (ssl_config_.version_fallback && |
1175 ssl_config_.version_max < ssl_config_.version_fallback_min) { | 1175 ssl_config_.version_max < ssl_config_.version_fallback_min) { |
1176 return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION; | 1176 return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION; |
1177 } | 1177 } |
1178 | 1178 |
| 1179 // DHE is offered on the deprecated cipher fallback and then rejected |
| 1180 // afterwards. This is to aid in diagnosing connection failures because a |
| 1181 // server requires DHE ciphers. |
| 1182 // |
| 1183 // TODO(davidben): A few releases after DHE's removal, remove this logic. |
| 1184 if (!ssl_config_.dhe_enabled && |
| 1185 SSL_CIPHER_is_DHE(SSL_get_current_cipher(ssl_))) { |
| 1186 return ERR_SSL_OBSOLETE_CIPHER; |
| 1187 } |
| 1188 |
1179 // Check that if token binding was negotiated, then extended master secret | 1189 // Check that if token binding was negotiated, then extended master secret |
1180 // must also be negotiated. | 1190 // must also be negotiated. |
1181 if (tb_was_negotiated_ && !SSL_get_extms_support(ssl_)) | 1191 if (tb_was_negotiated_ && !SSL_get_extms_support(ssl_)) |
1182 return ERR_SSL_PROTOCOL_ERROR; | 1192 return ERR_SSL_PROTOCOL_ERROR; |
1183 | 1193 |
1184 // SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was. | 1194 // SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was. |
1185 if (npn_status_ == kNextProtoUnsupported) { | 1195 if (npn_status_ == kNextProtoUnsupported) { |
1186 const uint8_t* alpn_proto = NULL; | 1196 const uint8_t* alpn_proto = NULL; |
1187 unsigned alpn_len = 0; | 1197 unsigned alpn_len = 0; |
1188 SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len); | 1198 SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len); |
(...skipping 1124 matching lines...)
2313 if (rv != OK) { | 2323 if (rv != OK) { |
2314 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 2324 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
2315 return; | 2325 return; |
2316 } | 2326 } |
2317 | 2327 |
2318 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, | 2328 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, |
2319 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); | 2329 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); |
2320 } | 2330 } |
2321 | 2331 |
2322 } // namespace net | 2332 } // namespace net |
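Review bot: The comment above the new `!ssl_config_.dhe_enabled` check in DoHandshakeComplete (new lines 1179-1187) explains why DHE is offered on the fallback, but not the invariant the check enforces: with DHE disabled, a handshake that selected a DHE cipher must fail here and never be reported as connected. The full DHE key exchange has already run by the time this code is reached, so I would add a line such as `// Fail closed: a DHE cipher negotiated while dhe_enabled is false must never reach the connected state.` to keep a later reorder from moving ALPN/NPN handling or anything else ahead of it. Whether the negotiated session can already have been stored for resumption before this return is not visible on this page and is worth confirming, since a cached DHE session would outlive the rejected connection. The TODO would also be easier to track with a bug reference next to the name. DoHandshakeComplete continues past the visible lines, so these points cover only the part shown.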