Unified Diff: net/spdy/spdy_session.cc

Issue 291093002: Fail the SPDY transaction if it does not meet TLS base requirements. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Rebase Created 6 years, 7 months ago
Index: net/spdy/spdy_session.cc
diff --git a/net/spdy/spdy_session.cc b/net/spdy/spdy_session.cc
index 71c5d8e2f198b9a47b72b00b37b83a580838c197..07a88a60e6115a7eba02a07afebc2a7763399a42 100644
--- a/net/spdy/spdy_session.cc
+++ b/net/spdy/spdy_session.cc
@@ -40,6 +40,8 @@
#include "net/spdy/spdy_session_pool.h"
#include "net/spdy/spdy_stream.h"
#include "net/ssl/server_bound_cert_service.h"
+#include "net/ssl/ssl_cipher_suite_names.h"
+#include "net/ssl/ssl_connection_status_flags.h"
namespace net {
@@ -846,6 +848,34 @@ SpdyMajorVersion SpdySession::GetProtocolVersion() const {
return buffered_spdy_framer_->protocol_version();
}
+bool SpdySession::HasAcceptableTransportSecurity() const {
+ // If we're not even using TLS, we have no standards to meet.
+ if (!is_secure_) {
+ return true;
+ }
+
+ // We don't enforce transport security standards for older SPDY versions.
+ if (GetProtocolVersion() < SPDY4) {
+ return true;
+ }
+
+ SSLInfo ssl_info;
+ CHECK(connection_->socket()->GetSSLInfo(&ssl_info));
+
+ // HTTP/2 requires TLS 1.2+
+ if (SSLConnectionStatusToVersion(ssl_info.connection_status) <
+ SSL_CONNECTION_VERSION_TLS1_2) {
+ return false;
+ }
+
+ if (!IsModernTLSCipherSuite(
wtc 2014/05/21 21:51:10 The current IsModernTLSCipherSuite code exceeds th
willchan no longer on Chromium 2014/05/21 22:55:22 Yes, that's because agl@ and I feel like being str
agl 2014/05/22 18:04:57 Hopefully we can get HTTP/2 updated to reflect thi
willchan no longer on Chromium 2014/05/22 18:26:43 I will take this to httpbis.
+ SSLConnectionStatusToCipherSuite(ssl_info.connection_status))) {
+ return false;
+ }
+
+ return true;
+}
+
base::WeakPtr<SpdySession> SpdySession::GetWeakPtr() {
return weak_factory_.GetWeakPtr();
}
