Issue 2613533004: Only disable SHA-1 for local trust anchors if there's a PrefService

Issue 2613533004: Only disable SHA-1 for local trust anchors if there's a PrefService (Closed)

Created:
3 years, 11 months ago by Ryan Sleevi

Modified:
3 years, 11 months ago

Reviewers:
eroman

CC:
chromium-reviews, cbentzel+watch_chromium.org

Target Ref:
refs/pending/heads/master

Project:
chromium

Visibility:
Public.

More Reviews

Description

Only disable SHA-1 for local trust anchors if there's a PrefService SHA-1 is being phased out, and beginning with M57, SHA-1 certificates signed by locally installed trust anchors is being disabled by default. To re-enable, Enterprises should set an EnableSha1ForLocalAnchors policy to allow it. However, for platforms without enterprise policies, or for embedders, this raises a question about what the default state should be - enabled or disabled. As Chrome itself expects there to be non-trivial impact (thus, the policy, supported until 1 Jan 2019), it is safer to leave the current behaviour, enabling SHA-1 for these certs, on by default, and leave it to embedders to disable (via the SSLConfig/SSLConfigService). If embedders support preferences, that's seen as sufficient support to enable some degree of run-time control/flexibility, thus the default is moved from //net to //components/ssl_config. Embedders using //net will continue to support SHA-1 anchors by default, while embedders that include //components/ssl_config (and use it) will disable it by default. BUG=673036 Committed: https://crrev.com/f344fae16403754aab4567c1edb158ee658a8b07 Cr-Commit-Position: refs/heads/master@{#441481}

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+52 lines, -2 lines)			Patch
M	components/ssl_config/ssl_config_service_manager_pref.cc	View		1 chunk	+1 line, -1 line	0 comments	Download
M	components/ssl_config/ssl_config_service_manager_pref_unittest.cc	View	1 2	1 chunk	+50 lines, -0 lines	0 comments	Download
M	net/ssl/ssl_config.cc	View		1 chunk	+1 line, -1 line	0 comments	Download

Messages

Total messages: 12 (5 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

Ryan Sleevi

Still debating the best way to test this, but take a look.

3 years, 11 months ago (2017-01-04 01:37:08 UTC) #2

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2613533004/40001

3 years, 11 months ago (2017-01-04 21:12:23 UTC) #7

commit-bot: I haz the power

Description was changed from ========== Only disable SHA-1 for local trust anchors if there's a ...

3 years, 11 months ago (2017-01-04 22:09:22 UTC) #9

Message was sent while issue was closed.

Description was changed from

==========
Only disable SHA-1 for local trust anchors if there's a PrefService

SHA-1 is being phased out, and beginning with M57, SHA-1 certificates
signed by locally installed trust anchors is being disabled by default.
To re-enable, Enterprises should set an EnableSha1ForLocalAnchors policy
to allow it.

However, for platforms without enterprise policies, or for embedders,
this raises a question about what the default state should be - enabled
or disabled. As Chrome itself expects there to be non-trivial impact
(thus, the policy, supported until 1 Jan 2019), it is safer to leave
the current behaviour, enabling SHA-1 for these certs, on by default,
and leave it to embedders to disable (via the
SSLConfig/SSLConfigService).

If embedders support preferences, that's seen as sufficient support to
enable some degree of run-time control/flexibility, thus the default
is moved from //net to //components/ssl_config. Embedders using
//net will continue to support SHA-1 anchors by default, while embedders
that include //components/ssl_config (and use it) will disable it by
default.

BUG=673036
==========

to

==========
Only disable SHA-1 for local trust anchors if there's a PrefService

SHA-1 is being phased out, and beginning with M57, SHA-1 certificates
signed by locally installed trust anchors is being disabled by default.
To re-enable, Enterprises should set an EnableSha1ForLocalAnchors policy
to allow it.

However, for platforms without enterprise policies, or for embedders,
this raises a question about what the default state should be - enabled
or disabled. As Chrome itself expects there to be non-trivial impact
(thus, the policy, supported until 1 Jan 2019), it is safer to leave
the current behaviour, enabling SHA-1 for these certs, on by default,
and leave it to embedders to disable (via the
SSLConfig/SSLConfigService).

If embedders support preferences, that's seen as sufficient support to
enable some degree of run-time control/flexibility, thus the default
is moved from //net to //components/ssl_config. Embedders using
//net will continue to support SHA-1 anchors by default, while embedders
that include //components/ssl_config (and use it) will disable it by
default.

BUG=673036

Review-Url: https://codereview.chromium.org/2613533004
==========

commit-bot: I haz the power

Description was changed from ========== Only disable SHA-1 for local trust anchors if there's a ...

3 years, 11 months ago (2017-01-04 22:11:23 UTC) #11

Message was sent while issue was closed.

Description was changed from

==========
Only disable SHA-1 for local trust anchors if there's a PrefService

SHA-1 is being phased out, and beginning with M57, SHA-1 certificates
signed by locally installed trust anchors is being disabled by default.
To re-enable, Enterprises should set an EnableSha1ForLocalAnchors policy
to allow it.

However, for platforms without enterprise policies, or for embedders,
this raises a question about what the default state should be - enabled
or disabled. As Chrome itself expects there to be non-trivial impact
(thus, the policy, supported until 1 Jan 2019), it is safer to leave
the current behaviour, enabling SHA-1 for these certs, on by default,
and leave it to embedders to disable (via the
SSLConfig/SSLConfigService).

If embedders support preferences, that's seen as sufficient support to
enable some degree of run-time control/flexibility, thus the default
is moved from //net to //components/ssl_config. Embedders using
//net will continue to support SHA-1 anchors by default, while embedders
that include //components/ssl_config (and use it) will disable it by
default.

BUG=673036

Review-Url: https://codereview.chromium.org/2613533004
==========

to

==========
Only disable SHA-1 for local trust anchors if there's a PrefService

SHA-1 is being phased out, and beginning with M57, SHA-1 certificates
signed by locally installed trust anchors is being disabled by default.
To re-enable, Enterprises should set an EnableSha1ForLocalAnchors policy
to allow it.

However, for platforms without enterprise policies, or for embedders,
this raises a question about what the default state should be - enabled
or disabled. As Chrome itself expects there to be non-trivial impact
(thus, the policy, supported until 1 Jan 2019), it is safer to leave
the current behaviour, enabling SHA-1 for these certs, on by default,
and leave it to embedders to disable (via the
SSLConfig/SSLConfigService).

If embedders support preferences, that's seen as sufficient support to
enable some degree of run-time control/flexibility, thus the default
is moved from //net to //components/ssl_config. Embedders using
//net will continue to support SHA-1 anchors by default, while embedders
that include //components/ssl_config (and use it) will disable it by
default.

BUG=673036

Committed: https://crrev.com/f344fae16403754aab4567c1edb158ee658a8b07
Cr-Commit-Position: refs/heads/master@{#441481}
==========

commit-bot: I haz the power

3 years, 11 months ago (2017-01-04 22:11:24 UTC) #12

Message was sent while issue was closed.

Patchset 3 (id:??) landed as
https://crrev.com/f344fae16403754aab4567c1edb158ee658a8b07
Cr-Commit-Position: refs/heads/master@{#441481}

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages