Do not use HTTP/2 without adequate security.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 954 matching lines @@
                                     memio_Private* buffers) {
   DCHECK(OnNetworkTaskRunner());
   DCHECK(!nss_fd_);
   DCHECK(!nss_bufs_);
 
   nss_fd_ = socket;
   nss_bufs_ = buffers;
 
   SECStatus rv = SECSuccess;
 
+#if !defined(CKM_AES_GCM)
+#define CKM_AES_GCM 0x00001087
+#endif

[Ryan Sleevi, 2014/12/12 21:33:28]

Don't mix #defines in bodies like this. This block should go on line 151 -
immediately after the headers, before any code - because this is effectively a
"control for older headers" check.

[Bence, 2014/12/12 22:08:43]

Done.

+
   if (!ssl_config_.next_protos.empty()) {
-    std::vector<uint8_t> wire_protos =
-        SerializeNextProtos(ssl_config_.next_protos);
+    // On platforms using NSS, AES-GCM is the only mechanism that satisfies the
+    // security requirements of HTTP/2.
+    // TODO(bnc): Check if ssl_config_.disabled_cipher_suites contains all
+    // AES-GCM ciphersuites.
+    std::vector<uint8_t> wire_protos = SerializeNextProtos(
+        ssl_config_.next_protos, PK11_TokenExists(CKM_AES_GCM));

[Ryan Sleevi, 2014/12/12 21:33:28]

I'm fine with the simplified form - the death of NSS will make this easier.

However, I think we can make this a little more robust for the edge cases:

For bulk encryption:
(PK11_TokenExists(CKM_AES_GCM) || PK11_TokenExists(CKM_NSS_CHACHA20_POLY1305))

Will need to ifdef dance to CKM_NSS_CHACHA20_POLY1305 to (CKM_NSS + 26)

For key agreement:
(PK11_TokenExists(CKM_DH_PKCS_DERIVE) || PK11_TokenExists(CKM_ECDH1_DERIVE))

Shouldn't need to #ifdef dance this

The reason for also checking key agreement is that some distros (Fedora, Red
Hat, and, IIRC, Debian) also disable ECC. If that's the case, then they're
leaving the key agreement alg to DH, which some disable by policy.

The word you're looking for is "yay"

Put together:

((PK11_TokenExists(CKM_AES_GCM) || PK11_TokenExists(CKM_NSS_CHACHA20_POLY1305))
&& (PK11_TokenExists(CKM_DH_PKCS_DERIVE) || PK11_TokenExists(CKM_ECDH1_DERIVE)))

Finally, it doesn't seem like you're checking for TLS1.2 support here. 
IsSecurityAdequateForHTTP2 does, but you don't call that here, so you should
also be testing that (in the ssl_config_, presumably)

[davidben, 2014/12/12 21:56:22]

Wait, seriously, we can't do ECDH on Fedora, Red Hat, and Debian?
Note that this still doesn't absolve us of assuming the server implements 9.2.2.
Google servers will speak RSA and ECDHE_RSA, but not DHE_RSA.

[Bence, 2014/12/12 22:08:43]

Done.

     rv = SSL_SetNextProtoNego(
         nss_fd_, wire_protos.empty() ? NULL : &wire_protos[0],
         wire_protos.size());
     if (rv != SECSuccess)
       LogFailedNSSFunction(*weak_net_log_, "SSL_SetNextProtoNego", "");
     rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_ALPN, PR_TRUE);
     if (rv != SECSuccess)
       LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_ALPN");
     rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_NPN, PR_TRUE);
     if (rv != SECSuccess)
@@ skipping 2630 matching lines @@
 scoped_refptr<X509Certificate>
 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
   return core_->state().server_cert.get();
 }
 
 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {
   return channel_id_service_;
 }
 
 }  // namespace net