Side by Side Diff: net/base/ssl_config_service.cc

Issue 6792032: net: remove forced renegotiation checks (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 9 years, 8 months ago
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/ssl_config_service.h" 5 #include "net/base/ssl_config_service.h"
6 #include "net/base/ssl_false_start_blacklist.h" 6 #include "net/base/ssl_false_start_blacklist.h"
7 7
8 #if defined(OS_WIN) 8 #if defined(OS_WIN)
9 #include "net/base/ssl_config_service_win.h" 9 #include "net/base/ssl_config_service_win.h"
10 #elif defined(OS_MACOSX) 10 #elif defined(OS_MACOSX)
11 #include "net/base/ssl_config_service_mac.h" 11 #include "net/base/ssl_config_service_mac.h"
12 #else 12 #else
13 #include "net/base/ssl_config_service_defaults.h" 13 #include "net/base/ssl_config_service_defaults.h"
14 #endif 14 #endif
15 15
16 namespace net { 16 namespace net {
17 17
18 SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {} 18 SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {}
19 19
20 SSLConfig::CertAndStatus::~CertAndStatus() {} 20 SSLConfig::CertAndStatus::~CertAndStatus() {}
21 21
22 SSLConfig::SSLConfig() 22 SSLConfig::SSLConfig()
23 : rev_checking_enabled(true), ssl3_enabled(true), 23 : rev_checking_enabled(true), ssl3_enabled(true),
24 tls1_enabled(true), dnssec_enabled(false), snap_start_enabled(false), 24 tls1_enabled(true), dnssec_enabled(false), snap_start_enabled(false),
25 dns_cert_provenance_checking_enabled(false), 25 dns_cert_provenance_checking_enabled(false),
26 mitm_proxies_allowed(false), false_start_enabled(true), 26 false_start_enabled(true),
27 send_client_cert(false), verify_ev_cert(false), ssl3_fallback(false) { 27 send_client_cert(false), verify_ev_cert(false), ssl3_fallback(false) {
28 } 28 }
29 29
30 SSLConfig::~SSLConfig() { 30 SSLConfig::~SSLConfig() {
31 } 31 }
32 32
33 bool SSLConfig::IsAllowedBadCert(X509Certificate* cert) const { 33 bool SSLConfig::IsAllowedBadCert(X509Certificate* cert) const {
34 for (size_t i = 0; i < allowed_bad_certs.size(); ++i) { 34 for (size_t i = 0; i < allowed_bad_certs.size(); ++i) {
35 if (cert->Equals(allowed_bad_certs[i].cert)) 35 if (cert->Equals(allowed_bad_certs[i].cert))
36 return true; 36 return true;
(...skipping 10 matching lines...) Expand all
47 #if defined(OS_WIN) 47 #if defined(OS_WIN)
48 return new SSLConfigServiceWin; 48 return new SSLConfigServiceWin;
49 #elif defined(OS_MACOSX) 49 #elif defined(OS_MACOSX)
50 return new SSLConfigServiceMac; 50 return new SSLConfigServiceMac;
51 #else 51 #else
52 return new SSLConfigServiceDefaults; 52 return new SSLConfigServiceDefaults;
53 #endif 53 #endif
54 } 54 }
55 55
56 // static 56 // static
57 bool SSLConfigService::IsKnownStrictTLSServer(const std::string& hostname) {
58 // If you wish to add an entry to this list, please contact agl AT chromium
59 // DOT org.
60 //
61 // If this list starts growing, it'll need to be something more efficient
62 // than a linear list.
63 static const char kStrictServers[][22] = {
64 "www.google.com",
65 "mail.google.com",
66 "www.gmail.com",
67 "docs.google.com",
68 "clients1.google.com",
69 "sunshinepress.org",
70 "www.sunshinepress.org",
71
72 // Removed until we update the XMPP servers with the renegotiation
73 // extension.
74 // "gmail.com",
75 };
76
77 for (size_t i = 0; i < arraysize(kStrictServers); i++) {
78 // Note that the hostname is normalised to lower-case by this point.
79 if (strcmp(hostname.c_str(), kStrictServers[i]) == 0)
80 return true;
81 }
82
83 return false;
84 }
85
86 // static
87 bool SSLConfigService::IsKnownFalseStartIncompatibleServer( 57 bool SSLConfigService::IsKnownFalseStartIncompatibleServer(
88 const std::string& hostname) { 58 const std::string& hostname) {
89 return SSLFalseStartBlacklist::IsMember(hostname.c_str()); 59 return SSLFalseStartBlacklist::IsMember(hostname.c_str());
90 } 60 }
91 61
92 static bool g_dnssec_enabled = false; 62 static bool g_dnssec_enabled = false;
93 static bool g_false_start_enabled = true; 63 static bool g_false_start_enabled = true;
94 static bool g_mitm_proxies_allowed = false;
95 static bool g_snap_start_enabled = false; 64 static bool g_snap_start_enabled = false;
96 static bool g_dns_cert_provenance_checking = false; 65 static bool g_dns_cert_provenance_checking = false;
97 66
98 // static 67 // static
99 void SSLConfigService::EnableDNSSEC() { 68 void SSLConfigService::EnableDNSSEC() {
100 g_dnssec_enabled = true; 69 g_dnssec_enabled = true;
101 } 70 }
102 71
103 // static 72 // static
104 bool SSLConfigService::dnssec_enabled() { 73 bool SSLConfigService::dnssec_enabled() {
105 return g_dnssec_enabled; 74 return g_dnssec_enabled;
106 } 75 }
107 76
108 // static 77 // static
109 void SSLConfigService::EnableSnapStart() { 78 void SSLConfigService::EnableSnapStart() {
110 g_snap_start_enabled = true; 79 g_snap_start_enabled = true;
111 } 80 }
112 81
113 // static 82 // static
114 bool SSLConfigService::snap_start_enabled() { 83 bool SSLConfigService::snap_start_enabled() {
115 return g_snap_start_enabled; 84 return g_snap_start_enabled;
116 } 85 }
117 86
118 // static 87 // static
119 void SSLConfigService::AllowMITMProxies() {
120 g_mitm_proxies_allowed = true;
121 }
122
123 // static
124 bool SSLConfigService::mitm_proxies_allowed() {
125 return g_mitm_proxies_allowed;
126 }
127
128 // static
129 void SSLConfigService::DisableFalseStart() { 88 void SSLConfigService::DisableFalseStart() {
130 g_false_start_enabled = false; 89 g_false_start_enabled = false;
131 } 90 }
132 91
133 // static 92 // static
134 bool SSLConfigService::false_start_enabled() { 93 bool SSLConfigService::false_start_enabled() {
135 return g_false_start_enabled; 94 return g_false_start_enabled;
136 } 95 }
137 96
138 // static 97 // static
(...skipping 14 matching lines...) Expand all
153 observer_list_.RemoveObserver(observer); 112 observer_list_.RemoveObserver(observer);
154 } 113 }
155 114
156 SSLConfigService::~SSLConfigService() { 115 SSLConfigService::~SSLConfigService() {
157 } 116 }
158 117
159 // static 118 // static
160 void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) { 119 void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) {
161 ssl_config->dnssec_enabled = g_dnssec_enabled; 120 ssl_config->dnssec_enabled = g_dnssec_enabled;
162 ssl_config->false_start_enabled = g_false_start_enabled; 121 ssl_config->false_start_enabled = g_false_start_enabled;
163 ssl_config->mitm_proxies_allowed = g_mitm_proxies_allowed;
164 ssl_config->snap_start_enabled = g_snap_start_enabled; 122 ssl_config->snap_start_enabled = g_snap_start_enabled;
165 ssl_config->dns_cert_provenance_checking_enabled = 123 ssl_config->dns_cert_provenance_checking_enabled =
166 g_dns_cert_provenance_checking; 124 g_dns_cert_provenance_checking;
167 } 125 }
168 126
169 void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config, 127 void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
170 const SSLConfig& new_config) { 128 const SSLConfig& new_config) {
171 if (orig_config.rev_checking_enabled != new_config.rev_checking_enabled || 129 if (orig_config.rev_checking_enabled != new_config.rev_checking_enabled ||
172 orig_config.ssl3_enabled != new_config.ssl3_enabled || 130 orig_config.ssl3_enabled != new_config.ssl3_enabled ||
173 orig_config.tls1_enabled != new_config.tls1_enabled) { 131 orig_config.tls1_enabled != new_config.tls1_enabled) {
174 FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged()); 132 FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged());
175 } 133 }
176 } 134 }
177 135
178 } // namespace net 136 } // namespace net
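Review bot: The new side of `SSLConfig::SSLConfig()` no longer initializes `mitm_proxies_allowed`, and `SetSSLConfigFlags` no longer assigns it, so if the `mitm_proxies_allowed` member is still declared in `net/base/ssl_config_service.h` (not visible in this change) every `SSLConfig` is now constructed with an indeterminate bool that the SSL socket code may still read. The same applies to the removed `AllowMITMProxies()`, `mitm_proxies_allowed()` and `IsKnownStrictTLSServer()` declarations, which should be removed from the header in this same change so that any remaining caller fails to compile rather than silently keeping the old behaviour. Since this drops the hard-coded strict-renegotiation host list, it would help future readers to add a one-line comment above the remaining `IsKnownFalseStartIncompatibleServer` noting that renegotiation-extension enforcement is no longer handled by this file, e.g. `// Strict renegotiation enforcement was removed; only False Start compatibility is checked here.`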