OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <openssl/bio.h> | 8 #include <openssl/bio.h> |
9 #include <openssl/bytestring.h> | 9 #include <openssl/bytestring.h> |
10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
(...skipping 948 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
959 mode.ConfigureFlag(SSL_MODE_SEND_FALLBACK_SCSV, ssl_config_.version_fallback); | 959 mode.ConfigureFlag(SSL_MODE_SEND_FALLBACK_SCSV, ssl_config_.version_fallback); |
960 | 960 |
961 SSL_set_mode(ssl_, mode.set_mask); | 961 SSL_set_mode(ssl_, mode.set_mask); |
962 SSL_clear_mode(ssl_, mode.clear_mask); | 962 SSL_clear_mode(ssl_, mode.clear_mask); |
963 | 963 |
964 // Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers | 964 // Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers |
965 // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable | 965 // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable |
966 // DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not | 966 // DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not |
967 // supported. As DHE is being deprecated, don't add a cipher only to remove it | 967 // supported. As DHE is being deprecated, don't add a cipher only to remove it |
968 // immediately. | 968 // immediately. |
969 std::string command( | 969 std::string command; |
970 "DEFAULT:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK:!RC4"); | 970 // These are experimental, non-standard ciphersuites. They are part of an |
agl
2016/06/28 22:14:39
begin line with two spaces.
mab
2016/06/28 22:40:58
(moot)
| |
971 // experiment in post-quantum cryptography. They're not intended to | |
972 // represent a de-facto standard, and will be removed from BoringSSL in | |
973 // ~2018. | |
974 #if !defined(OS_ANDROID) && !defined(OS_IOS) | |
975 if (EVP_has_aes_hardware()) { | |
976 command.append( | |
977 "CECPQ1-RSA-AES256-GCM-SHA384:" | |
978 "CECPQ1-ECDSA-AES256-GCM-SHA384:"); | |
979 } | |
980 command.append( | |
981 "CECPQ1-RSA-CHACHA20-POLY1305-SHA256:" | |
982 "CECPQ1-ECDSA-CHACHA20-POLY1305-SHA256:"); | |
983 if (!EVP_has_aes_hardware()) { | |
984 command.append( | |
985 "CECPQ1-RSA-AES256-GCM-SHA384:" | |
986 "CECPQ1-ECDSA-AES256-GCM-SHA384:"); | |
987 } | |
988 #endif | |
989 command.append("ALL:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK:!RC4"); | |
971 | 990 |
972 if (ssl_config_.require_ecdhe) | 991 if (ssl_config_.require_ecdhe) |
973 command.append(":!kRSA:!kDHE"); | 992 command.append(":!kRSA:!kDHE"); |
974 | 993 |
975 if (!ssl_config_.deprecated_cipher_suites_enabled) { | 994 if (!ssl_config_.deprecated_cipher_suites_enabled) { |
976 // Only offer DHE on the second handshake. https://crbug.com/538690 | 995 // Only offer DHE on the second handshake. https://crbug.com/538690 |
977 command.append(":!kDHE"); | 996 command.append(":!kDHE"); |
978 } | 997 } |
979 | 998 |
980 // Remove any disabled ciphers. | 999 // Remove any disabled ciphers. |
(...skipping 1309 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2290 if (rv != OK) { | 2309 if (rv != OK) { |
2291 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 2310 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
2292 return; | 2311 return; |
2293 } | 2312 } |
2294 | 2313 |
2295 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, | 2314 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, |
2296 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); | 2315 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); |
2297 } | 2316 } |
2298 | 2317 |
2299 } // namespace net | 2318 } // namespace net |
OLD | NEW |