Side by Side Diff: net/socket/ssl_client_socket_openssl.cc

Issue 495663002: OpenSSL: Disable ECDSA cipher suites on Windows XP. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: No std::hex Created 6 years, 3 months ago
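--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <errno.h>
@@ -23,20 +23,24 @@
 #include "net/cert/cert_verifier.h"
 #include "net/cert/single_request_cert_verifier.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/http/transport_security_state.h"
 #include "net/socket/ssl_session_cache_openssl.h"
 #include "net/ssl/openssl_ssl_util.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/ssl/ssl_info.h"
 
+#if defined(OS_WIN)
+#include "base/win/windows_version.h"
+#endif
+
 #if defined(USE_OPENSSL_CERTS)
 #include "net/ssl/openssl_client_key_store.h"
 #else
 #include "net/ssl/openssl_platform_key.h"
 #endif
 
 namespace net {
 
 namespace {
 
@@ -779,20 +783,29 @@
 ssl_config_.disabled_cipher_suites.end();
 }
 if (disable) {
 const char* name = SSL_CIPHER_get_name(cipher);
 DVLOG(3) << "Found cipher to remove: '" << name << "', ID: " << id
 << " strength: " << SSL_CIPHER_get_bits(cipher, NULL);
 command.append(":!");
 command.append(name);
 }
 }
+
+// Disable ECDSA cipher suites on platforms that do not support ECDSA
+// signed certificates, as servers may use the presence of such
+// ciphersuites as a hint to send an ECDSA certificate.
+#if defined(OS_WIN)
+if (base::win::GetVersion() < base::win::VERSION_VISTA)
+command.append(":!ECDSA");
+#endif
+
 int rv = SSL_set_cipher_list(ssl_, command.c_str());
 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL.
 // This will almost certainly result in the socket failing to complete the
 // handshake at which point the appropriate error is bubbled up to the client.
 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command << "') "
 "returned " << rv;
 
 if (ssl_config_.version_fallback)
 SSL_enable_fallback_scsv(ssl_);
 
@@ -1656,10 +1669,10 @@
 if (handshake_succeeded_ && marked_session_as_good_)
 OnHandshakeCompletion();
 }
 
 scoped_refptr<X509Certificate>
 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const {
 return server_cert_;
 }
 
 } // namespace net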
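Review bot: The new `:!ECDSA` append at new lines 797-799 leaves no trace in the debug log, unlike the per-suite loop just above it, which emits a `DVLOG(3)` for every cipher it strips; when a pre-Vista client later fails against a server that only offers an ECDSA certificate, the only diagnostic is the generic `SSL_set_cipher_list` warning, and that fires only if the whole list ends up empty. I would log the decision next to the append so the cipher list assembled here can be reconstructed from a verbose log, e.g. `DVLOG(3) << "Disabling ECDSA cipher suites: platform lacks ECDSA certificate support";` inside the `#if defined(OS_WIN)` branch. Since `!ECDSA` is a cipher-string keyword rather than a per-suite name, the ID and strength details printed by the loop are not available here, so one line is enough. The enclosing function begins before this hunk, so I could not confirm whether `command` is already logged on the success path elsewhere.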