Chromium Code Reviews

Unified Diff: net/socket/ssl_client_socket_impl.cc

Issue 2653773003: Remove remnants of DHE support. (Closed)
Patch Set: adjust tests Created 3 years, 11 months ago
Index: net/socket/ssl_client_socket_impl.cc
diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc
index 4be80d76f56120d554204cdb41592a77e91709a8..c993fa8fb23da2d1d58c35731b3801a19283ff11 100644
--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -993,24 +993,12 @@ int SSLClientSocketImpl::Init() {
SSL_clear_mode(ssl_.get(), mode.clear_mask);
// Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
- // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable
- // DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not
- // supported. As DHE is being deprecated, don't add a cipher only to remove
- // it immediately.
- //
- // TODO(davidben): Remove the DHE_RSA_WITH_AES_256_GCM_SHA384 exclusion when
- // the DHEEnabled administrative policy expires.
- std::string command(
- "ALL:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK:!RC4");
+ // (note that SHA256 and SHA384 only select legacy CBC ciphers).
+ std::string command("ALL:!SHA256:!SHA384:!kDHE:!aPSK:!RC4");
if (ssl_config_.require_ecdhe)
command.append(":!kRSA:!kDHE");
- if (!ssl_config_.deprecated_cipher_suites_enabled) {
- // Only offer DHE on the second handshake. https://crbug.com/538690
- command.append(":!kDHE");
- }
-
// Additionally disable HMAC-SHA1 ciphers in ECDSA. These are the remaining
// CBC-mode ECDSA ciphers.
if (!AreLegacyECDSACiphersEnabled())
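Review bot: In the `require_ecdhe` branch, `command.append(":!kRSA:!kDHE");` still appends `!kDHE`, which is now redundant because the base string `ALL:!SHA256:!SHA384:!kDHE:!aPSK:!RC4` excludes DHE key exchange unconditionally; appending only `:!kRSA` would keep the branch in step with the new default. The comment above the base string also describes only the HMAC-SHA256 and HMAC-SHA384 exclusion, so a short mention that DHE is disabled unconditionally would document the new `!kDHE` entry.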
@@ -1161,16 +1149,6 @@ int SSLClientSocketImpl::DoHandshakeComplete(int result) {
ssl_session_cache_lookup_count_, 20);
}
- // DHE is offered on the deprecated cipher fallback and then rejected
- // afterwards. This is to aid in diagnosing connection failures because a
- // server requires DHE ciphers.
- //
- // TODO(davidben): A few releases after DHE's removal, remove this logic.
- if (!ssl_config_.dhe_enabled &&
- SSL_CIPHER_is_DHE(SSL_get_current_cipher(ssl_.get()))) {
- return ERR_SSL_OBSOLETE_CIPHER;
- }
-
// Check that if token binding was negotiated, then extended master secret
// and renegotiation indication must also be negotiated.
if (tb_was_negotiated_ &&
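Review bot: With the `SSL_CIPHER_is_DHE` check removed from `DoHandshakeComplete`, rejection of DHE rests entirely on the cipher string built in `Init()`, and this path no longer returns `ERR_SSL_OBSOLETE_CIPHER`, which the removed comment says existed to aid in diagnosing failures against servers that require DHE. The removed TODO asked for this logic to go "a few releases after DHE's removal", so the change description should state that this interval has passed, and a test should assert that a handshake against a DHE-only server fails. The visible lines also do not show whether `ssl_config_.dhe_enabled` and `ssl_config_.deprecated_cipher_suites_enabled` are deleted elsewhere in the change; if these were their last uses, the fields should be removed too.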