Fail the SPDY transaction if it does not meet TLS base requirements.

net/spdy/spdy_session.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/spdy/spdy_session.h"
 
 #include <algorithm>
 #include <map>
 
 #include "base/basictypes.h"
@@ skipping 22 matching lines @@
 #include "net/http/http_network_session.h"
 #include "net/http/http_server_properties.h"
 #include "net/http/http_util.h"
 #include "net/spdy/spdy_buffer_producer.h"
 #include "net/spdy/spdy_frame_builder.h"
 #include "net/spdy/spdy_http_utils.h"
 #include "net/spdy/spdy_protocol.h"
 #include "net/spdy/spdy_session_pool.h"
 #include "net/spdy/spdy_stream.h"
 #include "net/ssl/server_bound_cert_service.h"
+#include "net/ssl/ssl_cipher_suite_names.h"
+#include "net/ssl/ssl_connection_status_flags.h"
 
 namespace net {
 
 namespace {
 
 const int kReadBufferSize = 8 * 1024;
 const int kDefaultConnectionAtRiskOfLossSeconds = 10;
 const int kHungIntervalSeconds = 10;
 
 // As we always act as the client, start at 1 for the first stream id.
@@ skipping 786 matching lines @@
 
 void SpdySession::AddPooledAlias(const SpdySessionKey& alias_key) {
   pooled_aliases_.insert(alias_key);
 }
 
 SpdyMajorVersion SpdySession::GetProtocolVersion() const {
   DCHECK(buffered_spdy_framer_.get());
   return buffered_spdy_framer_->protocol_version();
 }
 
+bool SpdySession::HasAcceptableTransportSecurity() const {
+  // If we're not even using TLS, we have no standards to meet.
+  if (!is_secure_) {
+    return true;
+  }
+
+  // We don't enforce transport security standards for older SPDY versions.
+  if (GetProtocolVersion() < SPDY4) {
+    return true;
+  }
+
+  SSLInfo ssl_info;
+  CHECK(connection_->socket()->GetSSLInfo(&ssl_info));
+
+  // HTTP/2 requires TLS 1.2+
+  if (SSLConnectionStatusToVersion(ssl_info.connection_status) <
+      SSL_CONNECTION_VERSION_TLS1_2) {
+    return false;
+  }
+
+  if (!IsModernTLSCipherSuite(

[wtc, 2014/05/21 21:51:10]

The current IsModernTLSCipherSuite code exceeds the requirements of
https://http2.github.io/http2-spec/#TLSUsage. For example,
IsModernTLSCipherSuite disallows AES_128_CBC, but
https://http2.github.io/http2-spec/#TLSUsage allows it.

[willchan no longer on Chromium, 2014/05/21 22:55:22]

Yes, that's because agl@ and I feel like being stricter than HTTP/2 requires.
I've updated the CL description to note this.

[agl, 2014/05/22 18:04:57]

Hopefully we can get HTTP/2 updated to reflect this. Otherwise site operators
won't have a single place to learn what is needed to safely enable the new
HTTP/2 version.

[willchan no longer on Chromium, 2014/05/22 18:26:43]

I will take this to httpbis.

+          SSLConnectionStatusToCipherSuite(ssl_info.connection_status))) {
+    return false;
+  }
+
+  return true;
+}
+
 base::WeakPtr<SpdySession> SpdySession::GetWeakPtr() {
   return weak_factory_.GetWeakPtr();
 }
 
 bool SpdySession::CloseOneIdleConnection() {
   CHECK(!in_io_loop_);
   DCHECK_NE(availability_state_, STATE_CLOSED);
   DCHECK(pool_);
   if (!active_streams_.empty())
     return false;
@@ skipping 2216 matching lines @@
     if (!queue->empty()) {
       SpdyStreamId stream_id = queue->front();
       queue->pop_front();
       return stream_id;
     }
   }
   return 0;
 }
 
 }  // namespace net