Fail the SPDY transaction if it does not meet TLS base requirements.

net/ssl/ssl_cipher_suite_names.h

Index: net/ssl/ssl_cipher_suite_names.h
diff --git a/net/ssl/ssl_cipher_suite_names.h b/net/ssl/ssl_cipher_suite_names.h
index 5145fb24c5ee1393511b3c1ca0f5f40741a39349..f8cdd9b39dafd0492d230c2a1394138322c30a69 100644
--- a/net/ssl/ssl_cipher_suite_names.h
+++ b/net/ssl/ssl_cipher_suite_names.h
@@ -46,6 +46,13 @@ NET_EXPORT void SSLVersionToString(const char** name, int ssl_version);
 NET_EXPORT bool ParseSSLCipherString(const std::string& cipher_string,
                                      uint16* cipher_suite);
 
+// |cipher_suite| is the IANA id for the cipher suite. What a "modern"
+// cipher suite is arbitrarily determined here. The intent is to indicate what
+// cipher suites meet modern security standards when backwards compatibility can
+// be ignored. Notably, HTTP/2 requires/encourages this sort of validation of
+// cipher suites: https://http2.github.io/http2-spec/#TLSUsage.
+NET_EXPORT_PRIVATE bool IsModernTLSCipherSuite(uint16 cipher_suite);

[wtc, 2014/05/21 21:51:10]

1. Nit: it seems that this function should be renamed "IsSecureTLSCipherSuite".

Update: after I read the .cc file, I knew what you meant by "modern" and
"backwards compatibility can be ignored". So I have a new suggestion. See the
next comment.

Update2: after I saw how this function is used, I wonder if it should be renamed
"IsTLSCipherSuiteAcceptableToHTTP2".

2. IMPORTANT: I am afraid that we need to document the criteria of this function
here. When I read the .cc file, I found that the criteria weren't what I
expected. So this function isn't usable unless one knows exactly what its
criteria are.

[willchan no longer on Chromium, 2014/05/21 22:55:22]

I've renamed to IsSecureTLSCipherSuite and added the criteria to the comments.

On 2014/05/21 21:51:10, wtc wrote:

+
 }  // namespace net
 
 #endif  // NET_SSL_SSL_CIPHER_SUITE_NAMES_H_