Index: net/spdy/spdy_session.cc |
diff --git a/net/spdy/spdy_session.cc b/net/spdy/spdy_session.cc |
index 71c5d8e2f198b9a47b72b00b37b83a580838c197..07a88a60e6115a7eba02a07afebc2a7763399a42 100644 |
--- a/net/spdy/spdy_session.cc |
+++ b/net/spdy/spdy_session.cc |
@@ -40,6 +40,8 @@ |
#include "net/spdy/spdy_session_pool.h" |
#include "net/spdy/spdy_stream.h" |
#include "net/ssl/server_bound_cert_service.h" |
+#include "net/ssl/ssl_cipher_suite_names.h" |
+#include "net/ssl/ssl_connection_status_flags.h" |
namespace net { |
@@ -846,6 +848,34 @@ SpdyMajorVersion SpdySession::GetProtocolVersion() const { |
return buffered_spdy_framer_->protocol_version(); |
} |
+bool SpdySession::HasAcceptableTransportSecurity() const { |
+ // If we're not even using TLS, we have no standards to meet. |
+ if (!is_secure_) { |
+ return true; |
+ } |
+ |
+ // We don't enforce transport security standards for older SPDY versions. |
+ if (GetProtocolVersion() < SPDY4) { |
+ return true; |
+ } |
+ |
+ SSLInfo ssl_info; |
+ CHECK(connection_->socket()->GetSSLInfo(&ssl_info)); |
+ |
+ // HTTP/2 requires TLS 1.2+ |
+ if (SSLConnectionStatusToVersion(ssl_info.connection_status) < |
+ SSL_CONNECTION_VERSION_TLS1_2) { |
+ return false; |
+ } |
+ |
+ if (!IsModernTLSCipherSuite( |
wtc
2014/05/21 21:51:10
The current IsModernTLSCipherSuite code exceeds th
willchan no longer on Chromium
2014/05/21 22:55:22
Yes, that's because agl@ and I feel like being str
agl
2014/05/22 18:04:57
Hopefully we can get HTTP/2 updated to reflect thi
willchan no longer on Chromium
2014/05/22 18:26:43
I will take this to httpbis.
|
+ SSLConnectionStatusToCipherSuite(ssl_info.connection_status))) { |
+ return false; |
+ } |
+ |
+ return true; |
+} |
+ |
base::WeakPtr<SpdySession> SpdySession::GetWeakPtr() { |
return weak_factory_.GetWeakPtr(); |
} |
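Review bot: In HasAcceptableTransportSecurity(), `CHECK(connection_->socket()->GetSSLInfo(&ssl_info));` turns a failed SSL-info lookup into a process abort rather than a rejected session. Whether GetSSLInfo() can return false once is_secure_ is set is not visible in this hunk, but for a policy predicate failing closed is the safer default: `if (!connection_->socket()->GetSSLInfo(&ssl_info)) return false;`. The two early `return true` paths (non-TLS and pre-SPDY4) also mean a true result does not imply TLS 1.2 with a modern cipher suite, so a comment on the function such as `// Returns true if the transport meets the TLS requirements of the session's protocol version; always true for non-TLS sessions and for versions before SPDY4.` would keep callers from over-reading it. The call site is outside this hunk, so whether the result is checked before any request data is written cannot be confirmed from here.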