| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 #include "chrome/browser/net/ssl_config_service_manager.h" | 4 #include "chrome/browser/net/ssl_config_service_manager.h" |
| 5 | 5 |
| 6 #include <algorithm> | 6 #include <algorithm> |
| 7 #include <string> | 7 #include <string> |
| 8 #include <vector> | 8 #include <vector> |
| 9 | 9 |
| 10 #include "base/basictypes.h" | 10 #include "base/basictypes.h" |
| 11 #include "base/bind.h" | 11 #include "base/bind.h" |
| 12 #include "base/metrics/field_trial.h" | |
| 12 #include "base/prefs/pref_change_registrar.h" | 13 #include "base/prefs/pref_change_registrar.h" |
| 13 #include "base/prefs/pref_member.h" | 14 #include "base/prefs/pref_member.h" |
| 14 #include "base/prefs/pref_registry_simple.h" | 15 #include "base/prefs/pref_registry_simple.h" |
| 15 #include "base/prefs/pref_service.h" | 16 #include "base/prefs/pref_service.h" |
| 16 #include "chrome/browser/chrome_notification_types.h" | 17 #include "chrome/browser/chrome_notification_types.h" |
| 18 #include "chrome/common/chrome_switches.h" | |
| 17 #include "chrome/common/pref_names.h" | 19 #include "chrome/common/pref_names.h" |
| 18 #include "components/content_settings/core/browser/content_settings_utils.h" | 20 #include "components/content_settings/core/browser/content_settings_utils.h" |
| 19 #include "components/content_settings/core/common/content_settings.h" | 21 #include "components/content_settings/core/common/content_settings.h" |
| 20 #include "content/public/browser/browser_thread.h" | 22 #include "content/public/browser/browser_thread.h" |
| 21 #include "net/ssl/ssl_cipher_suite_names.h" | 23 #include "net/ssl/ssl_cipher_suite_names.h" |
| 22 #include "net/ssl/ssl_config_service.h" | 24 #include "net/ssl/ssl_config_service.h" |
| 23 | 25 |
| 24 using content::BrowserThread; | 26 using content::BrowserThread; |
| 25 | 27 |
| 26 namespace { | 28 namespace { |
| 55 LOG(ERROR) << "Ignoring unrecognized or unparsable cipher suite: " | 57 LOG(ERROR) << "Ignoring unrecognized or unparsable cipher suite: " |
| 56 << *it; | 58 << *it; |
| 57 continue; | 59 continue; |
| 58 } | 60 } |
| 59 cipher_suites.push_back(cipher_suite); | 61 cipher_suites.push_back(cipher_suite); |
| 60 } | 62 } |
| 61 std::sort(cipher_suites.begin(), cipher_suites.end()); | 63 std::sort(cipher_suites.begin(), cipher_suites.end()); |
| 62 return cipher_suites; | 64 return cipher_suites; |
| 63 } | 65 } |
| 64 | 66 |
| 65 // Returns the string representation of an SSL protocol version. Returns an | |
| 66 // empty string on error. | |
| 67 std::string SSLProtocolVersionToString(uint16 version) { | |
| 68 switch (version) { | |
| 69 case net::SSL_PROTOCOL_VERSION_SSL3: | |
| 70 return "ssl3"; | |
| 71 case net::SSL_PROTOCOL_VERSION_TLS1: | |
| 72 return "tls1"; | |
| 73 case net::SSL_PROTOCOL_VERSION_TLS1_1: | |
| 74 return "tls1.1"; | |
| 75 case net::SSL_PROTOCOL_VERSION_TLS1_2: | |
| 76 return "tls1.2"; | |
| 77 default: | |
| 78 NOTREACHED(); | |
| 79 return std::string(); | |
| 80 } | |
| 81 } | |
| 82 | |
| 83 // Returns the SSL protocol version (as a uint16) represented by a string. | 67 // Returns the SSL protocol version (as a uint16) represented by a string. |
| 84 // Returns 0 if the string is invalid. | 68 // Returns 0 if the string is invalid. |
| 85 uint16 SSLProtocolVersionFromString(const std::string& version_str) { | 69 uint16 SSLProtocolVersionFromString(const std::string& version_str) { |
| 86 uint16 version = 0; // Invalid. | 70 uint16 version = 0; // Invalid. |
| 87 if (version_str == "ssl3") { | 71 if (version_str == switches::kSSLVersionSSLv3) { |
| 88 version = net::SSL_PROTOCOL_VERSION_SSL3; | 72 version = net::SSL_PROTOCOL_VERSION_SSL3; |
| 89 } else if (version_str == "tls1") { | 73 } else if (version_str == switches::kSSLVersionTLSv1) { |
| 90 version = net::SSL_PROTOCOL_VERSION_TLS1; | 74 version = net::SSL_PROTOCOL_VERSION_TLS1; |
| 91 } else if (version_str == "tls1.1") { | 75 } else if (version_str == switches::kSSLVersionTLSv11) { |
| 92 version = net::SSL_PROTOCOL_VERSION_TLS1_1; | 76 version = net::SSL_PROTOCOL_VERSION_TLS1_1; |
| 93 } else if (version_str == "tls1.2") { | 77 } else if (version_str == switches::kSSLVersionTLSv12) { |
| 94 version = net::SSL_PROTOCOL_VERSION_TLS1_2; | 78 version = net::SSL_PROTOCOL_VERSION_TLS1_2; |
| 95 } | 79 } |
| 96 return version; | 80 return version; |
| 97 } | 81 } |
| 98 | 82 |
| 99 } // namespace | 83 } // namespace |
| 100 | 84 |
| 101 //////////////////////////////////////////////////////////////////////////////// | 85 //////////////////////////////////////////////////////////////////////////////// |
| 102 // SSLConfigServicePref | 86 // SSLConfigServicePref |
| 103 | 87 |
| 222 } | 206 } |
| 223 | 207 |
| 224 // static | 208 // static |
| 225 void SSLConfigServiceManagerPref::RegisterPrefs(PrefRegistrySimple* registry) { | 209 void SSLConfigServiceManagerPref::RegisterPrefs(PrefRegistrySimple* registry) { |
| 226 net::SSLConfig default_config; | 210 net::SSLConfig default_config; |
| 227 registry->RegisterBooleanPref(prefs::kCertRevocationCheckingEnabled, | 211 registry->RegisterBooleanPref(prefs::kCertRevocationCheckingEnabled, |
| 228 default_config.rev_checking_enabled); | 212 default_config.rev_checking_enabled); |
| 229 registry->RegisterBooleanPref( | 213 registry->RegisterBooleanPref( |
| 230 prefs::kCertRevocationCheckingRequiredLocalAnchors, | 214 prefs::kCertRevocationCheckingRequiredLocalAnchors, |
| 231 default_config.rev_checking_required_local_anchors); | 215 default_config.rev_checking_required_local_anchors); |
| 232 std::string version_min_str = | 216 registry->RegisterStringPref(prefs::kSSLVersionMin, ""); |
| 233 SSLProtocolVersionToString(default_config.version_min); | 217 registry->RegisterStringPref(prefs::kSSLVersionMax, ""); |
| 234 std::string version_max_str = | 218 registry->RegisterStringPref(prefs::kSSLVersionFallbackMin, ""); |
| 235 SSLProtocolVersionToString(default_config.version_max); | |
| 236 std::string version_fallback_min_str = | |
| 237 SSLProtocolVersionToString(default_config.version_fallback_min); | |
| 238 registry->RegisterStringPref(prefs::kSSLVersionMin, version_min_str); | |
| 239 registry->RegisterStringPref(prefs::kSSLVersionMax, version_max_str); | |
| 240 registry->RegisterStringPref(prefs::kSSLVersionFallbackMin, | |
| 241 version_fallback_min_str); | |
| 242 registry->RegisterBooleanPref(prefs::kDisableSSLRecordSplitting, | 219 registry->RegisterBooleanPref(prefs::kDisableSSLRecordSplitting, |
| 243 !default_config.false_start_enabled); | 220 !default_config.false_start_enabled); |
| 244 registry->RegisterListPref(prefs::kCipherSuiteBlacklist); | 221 registry->RegisterListPref(prefs::kCipherSuiteBlacklist); |
| 245 } | 222 } |
| 246 | 223 |
| 247 net::SSLConfigService* SSLConfigServiceManagerPref::Get() { | 224 net::SSLConfigService* SSLConfigServiceManagerPref::Get() { |
| 248 return ssl_config_service_.get(); | 225 return ssl_config_service_.get(); |
| 249 } | 226 } |
| 250 | 227 |
| 251 void SSLConfigServiceManagerPref::OnPreferenceChanged( | 228 void SSLConfigServiceManagerPref::OnPreferenceChanged( |
| 290 uint16 version_max = SSLProtocolVersionFromString(version_max_str); | 267 uint16 version_max = SSLProtocolVersionFromString(version_max_str); |
| 291 uint16 version_fallback_min = | 268 uint16 version_fallback_min = |
| 292 SSLProtocolVersionFromString(version_fallback_min_str); | 269 SSLProtocolVersionFromString(version_fallback_min_str); |
| 293 if (version_min) { | 270 if (version_min) { |
| 294 // TODO(wtc): get the minimum SSL protocol version supported by the | 271 // TODO(wtc): get the minimum SSL protocol version supported by the |
| 295 // SSLClientSocket class. Right now it happens to be the same as the | 272 // SSLClientSocket class. Right now it happens to be the same as the |
| 296 // default minimum SSL protocol version because we enable all supported | 273 // default minimum SSL protocol version because we enable all supported |
| 297 // versions by default. | 274 // versions by default. |
| 298 uint16 supported_version_min = config->version_min; | 275 uint16 supported_version_min = config->version_min; |
| 299 config->version_min = std::max(supported_version_min, version_min); | 276 config->version_min = std::max(supported_version_min, version_min); |
| 277 } else { | |
| 278 const std::string group = | |
| 279 base::FieldTrialList::FindFullName("SSLv3"); | |
|
Ryan Hamilton
2014/11/03 23:02:52
Nit: it looks like this will all fit on one line?
agl
2014/11/04 19:00:32
Done.
| |
| 280 if (group == "Enabled") { | |
| 281 config->version_min = net::SSL_PROTOCOL_VERSION_SSL3; | |
| 282 } | |
| 300 } | 283 } |
| 301 if (version_max) { | 284 if (version_max) { |
| 302 // TODO(wtc): get the maximum SSL protocol version supported by the | 285 // TODO(wtc): get the maximum SSL protocol version supported by the |
| 303 // SSLClientSocket class. | 286 // SSLClientSocket class. |
| 304 uint16 supported_version_max = config->version_max; | 287 uint16 supported_version_max = config->version_max; |
| 305 config->version_max = std::min(supported_version_max, version_max); | 288 config->version_max = std::min(supported_version_max, version_max); |
| 306 } | 289 } |
| 307 if (version_fallback_min) { | 290 if (version_fallback_min) { |
| 308 config->version_fallback_min = version_fallback_min; | 291 config->version_fallback_min = version_fallback_min; |
| 309 } | 292 } |
| 325 // static | 308 // static |
| 326 SSLConfigServiceManager* SSLConfigServiceManager::CreateDefaultManager( | 309 SSLConfigServiceManager* SSLConfigServiceManager::CreateDefaultManager( |
| 327 PrefService* local_state) { | 310 PrefService* local_state) { |
| 328 return new SSLConfigServiceManagerPref(local_state); | 311 return new SSLConfigServiceManagerPref(local_state); |
| 329 } | 312 } |
| 330 | 313 |
| 331 // static | 314 // static |
| 332 void SSLConfigServiceManager::RegisterPrefs(PrefRegistrySimple* registry) { | 315 void SSLConfigServiceManager::RegisterPrefs(PrefRegistrySimple* registry) { |
| 333 SSLConfigServiceManagerPref::RegisterPrefs(registry); | 316 SSLConfigServiceManagerPref::RegisterPrefs(registry); |
| 334 } | 317 } |
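Review bot: A non-empty but unrecognized version string now passes through `SSLProtocolVersionFromString` silently: with `""` as the registered default for `kSSLVersionMin`/`kSSLVersionMax`/`kSSLVersionFallbackMin` and the caller treating 0 as "not configured", a policy or pref value such as `tls1.0` becomes indistinguishable from an unset pref and the built-in default is applied without any trace, whereas the cipher-suite parser just above logs every rejected entry. I'd add, before the `return version;`, `if (version == 0 && !version_str.empty()) LOG(ERROR) << "Ignoring unrecognized SSL protocol version: " << version_str;` so a mis-set minimum version is visible to whoever set it rather than quietly replaced. The function's header comment should also cover the new default, e.g. `// Returns 0 if the string is empty or invalid.`, and `RegisterPrefs` would benefit from a one-line comment that an empty default means "defer to net::SSLConfig's defaults". The function that consumes these values (the block around `config->version_min`) begins and ends outside the visible hunk.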