Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(71)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 493793003: Align SSLClientSocketOpenSSL and SSLClientSocketNSS histograms. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: asvitkine comments Created 6 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | net/socket/ssl_client_socket_openssl.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
6 // from AuthCertificateCallback() in 6 // from AuthCertificateCallback() in
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
8 8
9 /* ***** BEGIN LICENSE BLOCK ***** 9 /* ***** BEGIN LICENSE BLOCK *****
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
(...skipping 2438 matching lines...) Expand 10 before | Expand all | Expand 10 after
2449 &peer_supports_renego_ext); 2449 &peer_supports_renego_ext);
2450 if (ok == SECSuccess) { 2450 if (ok == SECSuccess) {
2451 if (!peer_supports_renego_ext) { 2451 if (!peer_supports_renego_ext) {
2452 nss_handshake_state_.ssl_connection_status |= 2452 nss_handshake_state_.ssl_connection_status |=
2453 SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION; 2453 SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
2454 // Log an informational message if the server does not support secure 2454 // Log an informational message if the server does not support secure
2455 // renegotiation (RFC 5746). 2455 // renegotiation (RFC 5746).
2456 VLOG(1) << "The server " << host_and_port_.ToString() 2456 VLOG(1) << "The server " << host_and_port_.ToString()
2457 << " does not support the TLS renegotiation_info extension."; 2457 << " does not support the TLS renegotiation_info extension.";
2458 } 2458 }
2459 UMA_HISTOGRAM_ENUMERATION("Net.RenegotiationExtensionSupported",
2460 peer_supports_renego_ext, 2);
2461
2462 // We would like to eliminate fallback to SSLv3 for non-buggy servers
2463 // because of security concerns. For example, Google offers forward
2464 // secrecy with ECDHE but that requires TLS 1.0. An attacker can block
2465 // TLSv1 connections and force us to downgrade to SSLv3 and remove forward
2466 // secrecy.
2467 //
2468 // Yngve from Opera has suggested using the renegotiation extension as an
2469 // indicator that SSLv3 fallback was mistaken:
2470 // tools.ietf.org/html/draft-pettersen-tls-version-rollback-removal-00 .
2471 //
2472 // As a first step, measure how often clients perform version fallback
2473 // while the server advertises support secure renegotiation.
2474 if (ssl_config_.version_fallback &&
2475 channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_0) {
2476 UMA_HISTOGRAM_BOOLEAN("Net.SSLv3FallbackToRenegoPatchedServer",
2477 peer_supports_renego_ext == PR_TRUE);
2478 }
2479 } 2459 }
2480 2460
2481 if (ssl_config_.version_fallback) { 2461 if (ssl_config_.version_fallback) {
2482 nss_handshake_state_.ssl_connection_status |= 2462 nss_handshake_state_.ssl_connection_status |=
2483 SSL_CONNECTION_VERSION_FALLBACK; 2463 SSL_CONNECTION_VERSION_FALLBACK;
2484 } 2464 }
2485 } 2465 }
2486 2466
2487 void SSLClientSocketNSS::Core::UpdateNextProto() { 2467 void SSLClientSocketNSS::Core::UpdateNextProto() {
2488 uint8 buf[256]; 2468 uint8 buf[256];
(...skipping 1053 matching lines...) Expand 10 before | Expand all | Expand 10 after
3542 scoped_refptr<X509Certificate> 3522 scoped_refptr<X509Certificate>
3543 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { 3523 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
3544 return core_->state().server_cert.get(); 3524 return core_->state().server_cert.get();
3545 } 3525 }
3546 3526
3547 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { 3527 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {
3548 return channel_id_service_; 3528 return channel_id_service_;
3549 } 3529 }
3550 3530
3551 } // namespace net 3531 } // namespace net
OLDNEW
« no previous file with comments | « no previous file | net/socket/ssl_client_socket_openssl.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698