net: remove forced renegotiation checks

net/base/ssl_config_service.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_SSL_CONFIG_SERVICE_H_
 #define NET_BASE_SSL_CONFIG_SERVICE_H_
 #pragma once
 
 #include <vector>
 
@@ skipping 38 matching lines @@
   //
   // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in
   // big-endian form, they should be declared in host byte order, with the
   // first uint8 occupying the most significant byte.
   // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
   // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
   //
   // TODO(rsleevi): Not implemented when using Schannel.
   std::vector<uint16> disabled_cipher_suites;
 
-  // True if we allow this connection to be MITM attacked. This sounds a little
-  // worse than it is: large networks sometimes MITM attack all SSL connections
-  // on egress. We want to know this because we might not have the end-to-end
-  // connection that we believe that we have based on the hostname. Therefore,
-  // certain certificate checks can't be performed and we can't use outside
-  // knowledge about whether the server has the renegotiation extension.
-  bool mitm_proxies_allowed;
-
   bool false_start_enabled;  // True if we'll use TLS False Start.
 
   // TODO(wtc): move the following members to a new SSLParams structure.  They
   // are not SSL configuration settings.
 
   struct CertAndStatus {
     CertAndStatus();
     ~CertAndStatus();
 
     scoped_refptr<X509Certificate> cert;
@@ skipping 51 matching lines @@
   // Create an instance of SSLConfigService which retrieves the configuration
   // from the system SSL configuration, or an instance of
   // SSLConfigServiceDefaults if the current system does not have a system SSL
   // configuration.  Note: this does not handle SSLConfigService implementations
   // that are not native to their platform, such as preference-backed ones.
   static SSLConfigService* CreateSystemSSLConfigService();
 
   // May not be thread-safe, should only be called on the IO thread.
   virtual void GetSSLConfig(SSLConfig* config) = 0;
 
-  // Returns true if the given hostname is known to be 'strict'. This means
-  // that we will require the renegotiation extension and will always use TLS
-  // (no SSLv3 fallback).
-  //
-  // If you wish to add an element to this list, file a bug at
-  // http://crbug.com and email the link to agl AT chromium DOT org.
-  static bool IsKnownStrictTLSServer(const std::string& hostname);
-
   // Returns true if the given hostname is known to be incompatible with TLS
   // False Start.
   static bool IsKnownFalseStartIncompatibleServer(const std::string& hostname);
 
   // Enables the acceptance of self-signed certificates which contain an
   // embedded DNSSEC chain proving their validity.
   static void EnableDNSSEC();
   static bool dnssec_enabled();
 
   // Enables Snap Start, an experiemental SSL/TLS extension for zero round
   // trip handshakes.
   static void EnableSnapStart();
   static bool snap_start_enabled();
 
-  // Sets a global flag which allows SSL connections to be MITM attacked. See
-  // the comment about this flag in |SSLConfig|.
-  static void AllowMITMProxies();
-  static bool mitm_proxies_allowed();
-
   // Disables False Start in SSL connections.
   static void DisableFalseStart();
   // True if we use False Start for SSL and TLS.
   static bool false_start_enabled();
 
   // Enables DNS side checks for certificates.
   static void EnableDNSCertProvenanceChecking();
   static bool dns_cert_provenance_checking_enabled();
 
   // Add an observer of this service.
@@ skipping 14 matching lines @@
   void ProcessConfigUpdate(const SSLConfig& orig_config,
                            const SSLConfig& new_config);
 
  private:
   ObserverList<Observer> observer_list_;
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_SSL_CONFIG_SERVICE_H_