
Side by Side Diff: net/socket/ssl_client_socket_openssl.cc

Issue 495663002: OpenSSL: Disable ECDSA cipher suites on Windows XP. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Add a test. Created 6 years, 4 months ago
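--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <errno.h>
@@ -24,20 +24,24 @@
 #include "net/cert/single_request_cert_verifier.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/http/transport_security_state.h"
 #include "net/socket/ssl_error_params.h"
 #include "net/socket/ssl_session_cache_openssl.h"
 #include "net/ssl/openssl_ssl_util.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/ssl/ssl_info.h"
 
+#if defined(OS_WIN)
+#include "base/win/windows_version.h"
+#endif
+
 #if defined(USE_OPENSSL_CERTS)
 #include "net/ssl/openssl_client_key_store.h"
 #else
 #include "net/ssl/openssl_platform_key.h"
 #endif
 
 namespace net {
 
 namespace {
 
@@ -767,20 +771,29 @@
 ssl_config_.disabled_cipher_suites.end();
 }
 if (disable) {
 const char* name = SSL_CIPHER_get_name(cipher);
 DVLOG(3) << "Found cipher to remove: '" << name << "', ID: " << id
 << " strength: " << SSL_CIPHER_get_bits(cipher, NULL);
 command.append(":!");
 command.append(name);
 }
 }
+
+// Disable ECDSA cipher suites on platforms that do not support ECDSA
+// signed certificates, as servers may use the presence of such
+// ciphersuites as a hint to send an ECDSA certificate.
+#if defined(OS_WIN)
+if (base::win::GetVersion() < base::win::VERSION_VISTA)
+command.append(":!ECDSA");
+#endif
+
 int rv = SSL_set_cipher_list(ssl_, command.c_str());
 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL.
 // This will almost certainly result in the socket failing to complete the
 // handshake at which point the appropriate error is bubbled up to the client.
 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command << "') "
 "returned " << rv;
 
 if (ssl_config_.version_fallback)
 SSL_enable_fallback_scsv(ssl_);
 
@@ -1619,10 +1632,10 @@
 if (handshake_succeeded_ && marked_session_as_good_)
 OnHandshakeCompletion();
 }
 
 scoped_refptr<X509Certificate>
 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const {
 return server_cert_;
 }
 
 } // namespace net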
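Review bot: The new `:!ECDSA` rule at new lines 785-788 is appended silently, whereas every other suite removed in this function is reported through the `DVLOG(3)` in the loop just above it, so a developer debugging cipher negotiation on XP sees the ECDSA suites vanish with no log line explaining why until `SSL_set_cipher_list` fails and the whole command is dumped. A matching `DVLOG(3) << "Disabling ECDSA cipher suites on pre-Vista Windows";` inside the `if` keeps the diagnostics consistent. The comment would also be stronger if it named the concrete limitation instead of "platforms that do not support ECDSA signed certificates" — presumably that the XP certificate verifier cannot validate ECC-signed chains, which is worth confirming and stating since the `#if defined(OS_WIN)` plus `VERSION_VISTA` comparison is the only place that rule is encoded. Because `!` permanently removes suites from an OpenSSL cipher string, appending the rule after the `disabled_cipher_suites` loop rather than before it does not change the outcome. The enclosing function begins and ends outside this hunk.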
