1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <errno.h> | 10 #include <errno.h> |
23 #include "net/cert/cert_verifier.h" | 23 #include "net/cert/cert_verifier.h" |
24 #include "net/cert/single_request_cert_verifier.h" | 24 #include "net/cert/single_request_cert_verifier.h" |
25 #include "net/cert/x509_certificate_net_log_param.h" | 25 #include "net/cert/x509_certificate_net_log_param.h" |
26 #include "net/http/transport_security_state.h" | 26 #include "net/http/transport_security_state.h" |
27 #include "net/socket/ssl_session_cache_openssl.h" | 27 #include "net/socket/ssl_session_cache_openssl.h" |
28 #include "net/ssl/openssl_ssl_util.h" | 28 #include "net/ssl/openssl_ssl_util.h" |
29 #include "net/ssl/ssl_cert_request_info.h" | 29 #include "net/ssl/ssl_cert_request_info.h" |
30 #include "net/ssl/ssl_connection_status_flags.h" | 30 #include "net/ssl/ssl_connection_status_flags.h" |
31 #include "net/ssl/ssl_info.h" | 31 #include "net/ssl/ssl_info.h" |
32 | 32 |
| 33 #if defined(OS_WIN) |
| 34 #include "base/win/windows_version.h" |
| 35 #endif |
| 36 |
33 #if defined(USE_OPENSSL_CERTS) | 37 #if defined(USE_OPENSSL_CERTS) |
34 #include "net/ssl/openssl_client_key_store.h" | 38 #include "net/ssl/openssl_client_key_store.h" |
35 #else | 39 #else |
36 #include "net/ssl/openssl_platform_key.h" | 40 #include "net/ssl/openssl_platform_key.h" |
37 #endif | 41 #endif |
38 | 42 |
39 namespace net { | 43 namespace net { |
40 | 44 |
41 namespace { | 45 namespace { |
42 | 46 |
779 ssl_config_.disabled_cipher_suites.end(); | 783 ssl_config_.disabled_cipher_suites.end(); |
780 } | 784 } |
781 if (disable) { | 785 if (disable) { |
782 const char* name = SSL_CIPHER_get_name(cipher); | 786 const char* name = SSL_CIPHER_get_name(cipher); |
783 DVLOG(3) << "Found cipher to remove: '" << name << "', ID: " << id | 787 DVLOG(3) << "Found cipher to remove: '" << name << "', ID: " << id |
784 << " strength: " << SSL_CIPHER_get_bits(cipher, NULL); | 788 << " strength: " << SSL_CIPHER_get_bits(cipher, NULL); |
785 command.append(":!"); | 789 command.append(":!"); |
786 command.append(name); | 790 command.append(name); |
787 } | 791 } |
788 } | 792 } |
| 793 |
| 794 // Disable ECDSA cipher suites on platforms that do not support ECDSA |
| 795 // signed certificates, as servers may use the presence of such |
| 796 // ciphersuites as a hint to send an ECDSA certificate. |
| 797 #if defined(OS_WIN) |
| 798 if (base::win::GetVersion() < base::win::VERSION_VISTA) |
| 799 command.append(":!ECDSA"); |
| 800 #endif |
| 801 |
789 int rv = SSL_set_cipher_list(ssl_, command.c_str()); | 802 int rv = SSL_set_cipher_list(ssl_, command.c_str()); |
790 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL. | 803 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL. |
791 // This will almost certainly result in the socket failing to complete the | 804 // This will almost certainly result in the socket failing to complete the |
792 // handshake at which point the appropriate error is bubbled up to the client. | 805 // handshake at which point the appropriate error is bubbled up to the client. |
793 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command << "') " | 806 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command << "') " |
794 "returned " << rv; | 807 "returned " << rv; |
795 | 808 |
796 if (ssl_config_.version_fallback) | 809 if (ssl_config_.version_fallback) |
797 SSL_enable_fallback_scsv(ssl_); | 810 SSL_enable_fallback_scsv(ssl_); |
798 | 811 |
1656 if (handshake_succeeded_ && marked_session_as_good_) | 1669 if (handshake_succeeded_ && marked_session_as_good_) |
1657 OnHandshakeCompletion(); | 1670 OnHandshakeCompletion(); |
1658 } | 1671 } |
1659 | 1672 |
1660 scoped_refptr<X509Certificate> | 1673 scoped_refptr<X509Certificate> |
1661 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1674 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
1662 return server_cert_; | 1675 return server_cert_; |
1663 } | 1676 } |
1664 | 1677 |
1665 } // namespace net | 1678 } // namespace net |
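Review bot: The added `#if defined(OS_WIN)` block just before `SSL_set_cipher_list` embeds a raw platform-version comparison in the middle of the cipher-list builder; giving the condition a name would make the intent readable without the comment, e.g. `const bool platform_lacks_ecdsa_certs = base::win::GetVersion() < base::win::VERSION_VISTA;` followed by `if (platform_lacks_ecdsa_certs) command.append(":!ECDSA");`. The comment above the block could also record that the `!` prefix is a permanent exclusion in OpenSSL cipher-string syntax, so its position relative to the `disabled_cipher_suites` loop above does not affect the result. Since the branch is only taken on pre-Vista Windows, it is worth noting in the comment that this path is not exercised on any other build configuration, so a reader does not look for a test covering it elsewhere. The enclosing method begins before the first visible line of this hunk.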