
Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 493793003: Align SSLClientSocketOpenSSL and SSLClientSocketNSS histograms. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 6 years, 4 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
6 // from AuthCertificateCallback() in 6 // from AuthCertificateCallback() in
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
8 8
9 /* ***** BEGIN LICENSE BLOCK ***** 9 /* ***** BEGIN LICENSE BLOCK *****
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
(...skipping 2438 matching lines...) Expand 10 before | Expand all | Expand 10 after
2449 &peer_supports_renego_ext); 2449 &peer_supports_renego_ext);
2450 if (ok == SECSuccess) { 2450 if (ok == SECSuccess) {
2451 if (!peer_supports_renego_ext) { 2451 if (!peer_supports_renego_ext) {
2452 nss_handshake_state_.ssl_connection_status |= 2452 nss_handshake_state_.ssl_connection_status |=
2453 SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION; 2453 SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
2454 // Log an informational message if the server does not support secure 2454 // Log an informational message if the server does not support secure
2455 // renegotiation (RFC 5746). 2455 // renegotiation (RFC 5746).
2456 VLOG(1) << "The server " << host_and_port_.ToString() 2456 VLOG(1) << "The server " << host_and_port_.ToString()
2457 << " does not support the TLS renegotiation_info extension."; 2457 << " does not support the TLS renegotiation_info extension.";
2458 } 2458 }
2459 UMA_HISTOGRAM_ENUMERATION("Net.RenegotiationExtensionSupported",
2460 peer_supports_renego_ext, 2);
2461
2462 // We would like to eliminate fallback to SSLv3 for non-buggy servers
2463 // because of security concerns. For example, Google offers forward
2464 // secrecy with ECDHE but that requires TLS 1.0. An attacker can block
2465 // TLSv1 connections and force us to downgrade to SSLv3 and remove forward
2466 // secrecy.
2467 //
2468 // Yngve from Opera has suggested using the renegotiation extension as an
2469 // indicator that SSLv3 fallback was mistaken:
2470 // tools.ietf.org/html/draft-pettersen-tls-version-rollback-removal-00 .
2471 //
2472 // As a first step, measure how often clients perform version fallback
2473 // while the server advertises support secure renegotiation.
2474 if (ssl_config_.version_fallback &&
2475 channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_0) {
2476 UMA_HISTOGRAM_BOOLEAN("Net.SSLv3FallbackToRenegoPatchedServer",
2477 peer_supports_renego_ext == PR_TRUE);
Ryan Sleevi 2014/08/20 19:58:12 Adam should comment on this. I think I'm fine remo
agl 2014/08/22 18:26:32 LGTM. I don't think that we need to worry about this any
2478 }
2479 } 2459 }
2480 2460
2481 if (ssl_config_.version_fallback) { 2461 if (ssl_config_.version_fallback) {
2482 nss_handshake_state_.ssl_connection_status |= 2462 nss_handshake_state_.ssl_connection_status |=
2483 SSL_CONNECTION_VERSION_FALLBACK; 2463 SSL_CONNECTION_VERSION_FALLBACK;
2484 } 2464 }
2485 } 2465 }
2486 2466
2487 void SSLClientSocketNSS::Core::UpdateNextProto() { 2467 void SSLClientSocketNSS::Core::UpdateNextProto() {
2488 uint8 buf[256]; 2468 uint8 buf[256];
(...skipping 1053 matching lines...) Expand 10 before | Expand all | Expand 10 after
3542 scoped_refptr<X509Certificate> 3522 scoped_refptr<X509Certificate>
3543 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { 3523 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
3544 return core_->state().server_cert.get(); 3524 return core_->state().server_cert.get();
3545 } 3525 }
3546 3526
3547 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { 3527 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {
3548 return channel_id_service_; 3528 return channel_id_service_;
3549 } 3529 }
3550 3530
3551 } // namespace net 3531 } // namespace net