| Index: net/socket/ssl_client_socket_nss.cc
|
| diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
|
| index 3651e8d62466696169433993af5f4cd92d62b67b..2ed254388892560b98ca073981ed4d52bb4ecc40 100644
|
| --- a/net/socket/ssl_client_socket_nss.cc
|
| +++ b/net/socket/ssl_client_socket_nss.cc
|
| @@ -972,9 +972,18 @@ bool SSLClientSocketNSS::Core::Init(PRFileDesc* socket,
|
|
|
| SECStatus rv = SECSuccess;
|
|
|
| +#if !defined(CKM_AES_GCM)
|
| +#define CKM_AES_GCM 0x00001087
|
| +#endif
|
| +
|
| if (!ssl_config_.next_protos.empty()) {
|
| - std::vector<uint8_t> wire_protos =
|
| - SerializeNextProtos(ssl_config_.next_protos);
|
| + // On platforms using NSS, AES-GCM is the only mechanism that satisfies the
|
| + // security requirements of HTTP/2.
|
| + // TODO(bnc): Check if ssl_config_.disabled_cipher_suites contains all
|
| + // AES-GCM ciphersuites.
|
| + std::vector<uint8_t> wire_protos = SerializeNextProtos(
|
| + ssl_config_.next_protos, PK11_TokenExists(CKM_AES_GCM) &&
|
| + IsTLSVersionAdequateForHTTP2(ssl_config_));
|
| rv = SSL_SetNextProtoNego(
|
| nss_fd_, wire_protos.empty() ? NULL : &wire_protos[0],
|
| wire_protos.size());
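Review bot: The new second argument to `SerializeNextProtos`, `PK11_TokenExists(CKM_AES_GCM) && IsTLSVersionAdequateForHTTP2(ssl_config_)`, only shows that some NSS token implements AES-GCM, not that an AES-GCM suite is enabled for this socket. Assuming that argument gates whether HTTP/2 is advertised, h2 can still be offered when `ssl_config_.disabled_cipher_suites` removes every AES-GCM suite, which is the gap the TODO names. Because the server picks the cipher suite after this list is sent, an advertise-time check cannot be sufficient on its own; the negotiated suite presumably has to be checked after the handshake, and that is not visible in this hunk. I would state this in the comment, e.g. `// NOTE: capability check only; the negotiated cipher suite must still be verified after the handshake before HTTP/2 is used.` Separately, the `#if !defined(CKM_AES_GCM)` fallback sits inside the body of `Core::Init` (which starts and ends outside the hunk); it would be easier to find and audit at file scope next to the includes, with a comment that `0x00001087` is the PKCS #11 mechanism value supplied for older NSS headers.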
|
|
|