Chromium Code Reviews

Issue 2735733003: Disable commonName matching for certificates (Closed)

Created: 3 years, 9 months ago by Ryan Sleevi
Modified: 3 years, 9 months ago
Reviewers:
CC: chromium-reviews
Target Ref: refs/pending/branch-heads/3029
Project: chromium
Visibility: Public.

Description

Disable commonName matching for certificates

Matching the commonName has been deprecated for nearly 20 years, as it's a fallback path for certificates that don't have a subjectAltName. Disable the matching by default, but introduce an enterprise policy that allows it to be enabled for certificates that chain to local trust anchors. This policy is similar to the SHA-1 deprecation policy, and is named EnableCommonNameFallbackForLocalAnchors.

For systems without enterprise policies (meaning they aren't using SSLConfigManagerPref), the default is to keep the insecure behaviour, which is most compatible with legacy, but is not secure.

BUG=308330
Review-Url: https://codereview.chromium.org/2719273002
Cr-Commit-Position: refs/heads/master@{#454752}
(cherry picked from commit 0f9bfb00c432d594504502728b8a1405a0ff2cf1)

Review-Url: https://codereview.chromium.org/2735733003 .
Cr-Commit-Position: refs/branch-heads/3029@{#23}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}
Committed: https://chromium.googlesource.com/chromium/src/+/b166233e0fb8edd9fd4e67bc4a6bfb8e35b79144
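The name-matching rule the description sets out, as an added example that is not code from this change or from Chromium: a subjectAltName, when present, is the only source of names, and the commonName is consulted only when there is no subjectAltName, the policy is enabled, and the chain ends at a local trust anchor. The `LeafCert` struct, its fields and the function names are hypothetical, and matching is simplified to DNS names with an optional single left-most wildcard label.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Constructed model of an already path-validated leaf; not Chromium's types.
struct LeafCert {
  std::string common_name;           // subject commonName
  std::vector<std::string> san_dns;  // dNSName entries of the subjectAltName
  bool chains_to_local_anchor;       // anchor was installed locally
};

static std::string Lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c)); });
  return s;
}

// Exact match, or a "*." pattern covering exactly one left-most label.
static bool NameMatches(const std::string& pattern, const std::string& host) {
  const std::string p = Lower(pattern), h = Lower(host);
  if (p == h) return true;
  if (p.rfind("*.", 0) != 0) return false;
  const auto dot = h.find('.');
  return dot != std::string::npos && dot > 0 && h.substr(dot) == p.substr(1);
}

// fallback_policy models EnableCommonNameFallbackForLocalAnchors.
bool HostnameMatches(const LeafCert& cert, const std::string& host,
                     bool fallback_policy) {
  if (!cert.san_dns.empty()) {
    // A subjectAltName is present: the commonName is never consulted.
    return std::any_of(cert.san_dns.begin(), cert.san_dns.end(),
        [&](const std::string& n) { return NameMatches(n, host); });
  }
  // No subjectAltName: commonName only for local anchors with policy on.
  if (!fallback_policy || !cert.chains_to_local_anchor) return false;
  return NameMatches(cert.common_name, host);
}

int main() {
  LeafCert legacy{"intranet.example", {}, true};  // constructed sample
  std::cout << "policy off: " << HostnameMatches(legacy, "intranet.example", false)
            << ", policy on: " << HostnameMatches(legacy, "intranet.example", true)
            << "\n";
  return 0;
}
```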

Patch Set 1 #

Stats: +2127 lines, -1893 lines
M chrome/browser/chromeos/login/test/https_forwarder.py: 2 chunks, +25 lines, -1 line, 0 comments
M chrome/browser/policy/configuration_policy_handler_list_factory.cc: 1 chunk, +3 lines, -0 lines, 0 comments
M chrome/test/data/extensions/api_test/platform_keys/ca.cnf: 2 chunks, +2 lines, -1 line, 0 comments
M chrome/test/data/extensions/api_test/platform_keys/l1_interm.der: Binary file, 0 comments
M chrome/test/data/extensions/api_test/platform_keys/l1_leaf.der: Binary file, 0 comments
M chrome/test/data/extensions/api_test/platform_keys/l2_leaf.der: Binary file, 0 comments
M chrome/test/data/extensions/api_test/platform_keys/root.pem: 1 chunk, +17 lines, -17 lines, 0 comments
M chrome/test/data/policy/policy_test_cases.json: 1 chunk, +10 lines, -0 lines, 0 comments
M components/policy/resources/policy_templates.json: 2 chunks, +20 lines, -1 line, 0 comments
M components/ssl_config/ssl_config_prefs.h: 1 chunk, +1 line, -0 lines, 0 comments
M components/ssl_config/ssl_config_prefs.cc: 1 chunk, +2 lines, -0 lines, 0 comments
M components/ssl_config/ssl_config_service_manager_pref.cc: 4 chunks, +8 lines, -0 lines, 0 comments
M net/cert/cert_verifier.h: 1 chunk, +5 lines, -0 lines, 0 comments
M net/cert/cert_verify_proc.cc: 1 chunk, +4 lines, -9 lines, 0 comments
M net/cert/cert_verify_proc_android.cc: 1 chunk, +1 line, -0 lines, 0 comments
M net/cert/cert_verify_proc_ios.cc: 1 chunk, +3 lines, -0 lines, 0 comments
M net/cert/cert_verify_proc_mac.cc: 1 chunk, +2 lines, -2 lines, 0 comments
M net/cert/cert_verify_proc_openssl.cc: 1 chunk, +1 line, -0 lines, 0 comments
M net/cert/cert_verify_proc_unittest.cc: 1 chunk, +67 lines, -0 lines, 0 comments
M net/cert/internal/path_builder_unittest.cc: 1 chunk, +1 line, -1 line, 0 comments
M net/cert/x509_certificate.h: 2 chunks, +8 lines, -8 lines, 0 comments
M net/cert/x509_certificate.cc: 4 chunks, +13 lines, -9 lines, 0 comments
M net/cert/x509_certificate_unittest.cc: 5 chunks, +20 lines, -12 lines, 0 comments
M net/data/cert_issuer_source_aia_unittest/generate-certs.py: 1 chunk, +9 lines, -0 lines, 0 comments
M net/data/cert_issuer_source_aia_unittest/i.pem: 2 chunks, +50 lines, -50 lines, 0 comments
M net/data/cert_issuer_source_aia_unittest/i2.pem: 2 chunks, +50 lines, -50 lines, 0 comments
M net/data/cert_issuer_source_aia_unittest/i3.pem: 2 chunks, +50 lines, -50 lines, 0 comments
M net/data/cert_issuer_source_aia_unittest/root.pem: 2 chunks, +50 lines, -50 lines, 0 comments
M net/data/cert_issuer_source_aia_unittest/target_file_aia.pem: 2 chunks, +53 lines, -51 lines, 0 comments
M net/data/cert_issuer_source_aia_unittest/target_file_and_http_aia.pem: 2 chunks, +56 lines, -53 lines, 0 comments
M net/data/cert_issuer_source_aia_unittest/target_invalid_and_http_aia.pem: 2 chunks, +53 lines, -50 lines, 0 comments
M net/data/cert_issuer_source_aia_unittest/target_invalid_url_aia.pem: 2 chunks, +53 lines, -50 lines, 0 comments
M net/data/cert_issuer_source_aia_unittest/target_no_aia.pem: 2 chunks, +53 lines, -51 lines, 0 comments
M net/data/cert_issuer_source_aia_unittest/target_one_aia.pem: 2 chunks, +53 lines, -51 lines, 0 comments
M net/data/cert_issuer_source_aia_unittest/target_six_aia.pem: 2 chunks, +53 lines, -51 lines, 0 comments
M net/data/cert_issuer_source_aia_unittest/target_three_aia.pem: 2 chunks, +53 lines, -51 lines, 0 comments
M net/data/cert_issuer_source_aia_unittest/target_two_aia.pem: 2 chunks, +56 lines, -54 lines, 0 comments
M net/data/ssl/certificates/aia-cert.pem: 2 chunks, +55 lines, -52 lines, 0 comments
M net/data/ssl/certificates/aia-intermediate.der: Binary file, 0 comments
M net/data/ssl/certificates/aia-root.pem: 1 chunk, +54 lines, -54 lines, 0 comments
M net/data/ssl/certificates/explicit-policy-chain.pem: 4 chunks, +156 lines, -154 lines, 0 comments
M net/data/ssl/certificates/multi-root.keychain: Binary file, 0 comments
M net/data/ssl/certificates/multi-root-A-by-B.pem: 2 chunks, +81 lines, -79 lines, 0 comments
M net/data/ssl/certificates/multi-root-B-by-C.pem: 1 chunk, +47 lines, -47 lines, 0 comments
M net/data/ssl/certificates/multi-root-B-by-F.pem: 1 chunk, +47 lines, -47 lines, 0 comments
M net/data/ssl/certificates/multi-root-BFE.keychain: Binary file, 0 comments
M net/data/ssl/certificates/multi-root-C-by-D.pem: 1 chunk, +47 lines, -47 lines, 0 comments
M net/data/ssl/certificates/multi-root-C-by-E.pem: 1 chunk, +47 lines, -47 lines, 0 comments
M net/data/ssl/certificates/multi-root-D-by-D.pem: 1 chunk, +48 lines, -48 lines, 0 comments
M net/data/ssl/certificates/multi-root-E-by-E.pem: 1 chunk, +48 lines, -48 lines, 0 comments
M net/data/ssl/certificates/multi-root-F-by-E.pem: 1 chunk, +47 lines, -47 lines, 0 comments
M net/data/ssl/certificates/multi-root-chain1.pem: 4 chunks, +198 lines, -196 lines, 0 comments
M net/data/ssl/certificates/multi-root-chain2.pem: 4 chunks, +198 lines, -196 lines, 0 comments
M net/data/ssl/certificates/multi-root-crlset-C.raw: Binary file, 0 comments
M net/data/ssl/certificates/multi-root-crlset-CD-and-FE.raw: Binary file, 0 comments
M net/data/ssl/certificates/multi-root-crlset-D-and-E.raw: Binary file, 0 comments
M net/data/ssl/certificates/multi-root-crlset-E.raw: Binary file, 0 comments
M net/data/ssl/certificates/multi-root-crlset-unrelated.raw: Binary file, 0 comments
M net/data/ssl/certificates/reject_intranet_hosts.pem: 1 chunk, +55 lines, -52 lines, 0 comments
M net/data/ssl/scripts/aia-test.cnf: 2 chunks, +2 lines, -0 lines, 0 comments
M net/data/ssl/scripts/ee.cnf: 1 chunk, +3 lines, -0 lines, 0 comments
M net/data/ssl/scripts/generate-aia-certs.sh: 1 chunk, +1 line, -0 lines, 0 comments
M net/data/ssl/scripts/generate-policy-certs.sh: 1 chunk, +1 line, -0 lines, 0 comments
M net/data/ssl/scripts/generate-test-certs.sh: 1 chunk, +1 line, -1 line, 0 comments
M net/data/ssl/scripts/policy.cnf: 2 chunks, +2 lines, -0 lines, 0 comments
M net/data/ssl/scripts/redundant-ca.cnf: 1 chunk, +1 line, -0 lines, 0 comments
M net/quic/chromium/quic_network_transaction_unittest.cc: 5 chunks, +14 lines, -19 lines, 0 comments
M net/quic/chromium/quic_stream_factory_test.cc: 5 chunks, +13 lines, -17 lines, 0 comments
M net/quic/test_tools/mock_crypto_client_stream.cc: 1 chunk, +1 line, -2 lines, 0 comments
M net/spdy/spdy_session.cc: 1 chunk, +1 line, -2 lines, 0 comments
M net/ssl/ssl_config.h: 1 chunk, +6 lines, -0 lines, 0 comments
M net/ssl/ssl_config.cc: 2 chunks, +3 lines, -0 lines, 0 comments
M net/ssl/ssl_config_service.cc: 1 chunk, +13 lines, -11 lines, 0 comments
M net/ssl/ssl_config_service_unittest.cc: 2 chunks, +5 lines, -0 lines, 0 comments
M net/tools/testserver/minica.py: 4 chunks, +25 lines, -3 lines, 0 comments
M tools/metrics/histograms/histograms.xml: 2 chunks, +2 lines, -1 line, 0 comments

Messages

Total messages: 2 (1 generated)
Ryan Sleevi
3 years, 9 months ago (2017-03-06 19:19:54 UTC) #2
Message was sent while issue was closed.
Committed patchset #1 (id:1) manually as b166233e0fb8edd9fd4e67bc4a6bfb8e35b79144.
