Chromium Code Reviews Chromium Code Reviews
Issue 619463002:
net: disable SSLv3 fallback. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| (...skipping 889 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 900 int rv = SSL_CTX_remove_session(SSL_get_SSL_CTX(ssl_), session); | 900 int rv = SSL_CTX_remove_session(SSL_get_SSL_CTX(ssl_), session); |
| 901 LOG_IF(WARNING, !rv) << "Couldn't invalidate SSL session: " << session; | 901 LOG_IF(WARNING, !rv) << "Couldn't invalidate SSL session: " << session; |
| 902 } | 902 } |
| 903 } | 903 } |
| 904 } else if (rv == 1) { | 904 } else if (rv == 1) { |
| 905 if (trying_cached_session_ && logging::DEBUG_MODE) { | 905 if (trying_cached_session_ && logging::DEBUG_MODE) { |
| 906 DVLOG(2) << "Result of session reuse for " << host_and_port_.ToString() | 906 DVLOG(2) << "Result of session reuse for " << host_and_port_.ToString() |
| 907 << " is: " << (SSL_session_reused(ssl_) ? "Success" : "Fail"); | 907 << " is: " << (SSL_session_reused(ssl_) ? "Success" : "Fail"); |
| 908 } | 908 } |
| 909 | 909 |
| 910 if (ssl_config_.version_fallback && | |
| 911 ssl_config_.version_max < ssl_config_.version_fallback_min) { | |
| 912 return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION; | |
|
davidben
2014/10/07 22:06:30
Ditto for the NSS comment. We should avoid resumin
| |
| 913 } | |
| 914 | |
| 910 // SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was. | 915 // SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was. |
| 911 if (npn_status_ == kNextProtoUnsupported) { | 916 if (npn_status_ == kNextProtoUnsupported) { |
| 912 const uint8_t* alpn_proto = NULL; | 917 const uint8_t* alpn_proto = NULL; |
| 913 unsigned alpn_len = 0; | 918 unsigned alpn_len = 0; |
| 914 SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len); | 919 SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len); |
| 915 if (alpn_len > 0) { | 920 if (alpn_len > 0) { |
| 916 npn_proto_.assign(reinterpret_cast<const char*>(alpn_proto), alpn_len); | 921 npn_proto_.assign(reinterpret_cast<const char*>(alpn_proto), alpn_len); |
| 917 npn_status_ = kNextProtoNegotiated; | 922 npn_status_ = kNextProtoNegotiated; |
| 918 } | 923 } |
| 919 } | 924 } |
| (...skipping 844 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1764 ct::SCT_STATUS_LOG_UNKNOWN)); | 1769 ct::SCT_STATUS_LOG_UNKNOWN)); |
| 1765 } | 1770 } |
| 1766 } | 1771 } |
| 1767 | 1772 |
| 1768 scoped_refptr<X509Certificate> | 1773 scoped_refptr<X509Certificate> |
| 1769 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1774 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
| 1770 return server_cert_; | 1775 return server_cert_; |
| 1771 } | 1776 } |
| 1772 | 1777 |
| 1773 } // namespace net | 1778 } // namespace net |
| OLD | NEW |
