net/socket/ssl_client_socket_openssl.cc - Issue 757033004: Do not use HTTP/2 without adequate security.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: net/socket/ssl_client_socket_openssl.cc

Issue 757033004: Do not use HTTP/2 without adequate security. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Remove incorrect comment. Created 6 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

Index: net/socket/ssl_client_socket_openssl.cc

diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc

index 5415755f2327dd9b4d488fba87ebf22e8d7ead61..c78a9742bf8324c3cc1d8e138c7e04589b89e4f7 100644

--- a/net/socket/ssl_client_socket_openssl.cc

+++ b/net/socket/ssl_client_socket_openssl.cc

@@ -788,8 +788,8 @@ int SSLClientSocketOpenSSL::Init() {

// disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256

// and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384

// as the handshake hash.

- std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA:!SRP:!SHA256:!SHA384:"

- "!aECDH:!AESGCM+AES256");

+ std::string command(

+ "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK");

// Walk through all the installed ciphers, seeing if any need to be

// appended to the cipher removal |command|.

for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {

@@ -838,8 +838,20 @@ int SSLClientSocketOpenSSL::Init() {

}

if (!ssl_config_.next_protos.empty()) {

+ // Get list of ciphers that are enabled.

+ STACK_OF(SSL_CIPHER)* enabled_ciphers = SSL_get_ciphers(ssl_);

+ DCHECK(enabled_ciphers);

+ std::vector<uint16> enabled_ciphers_vector;

+ for (size_t i = 0; i < sk_SSL_CIPHER_num(enabled_ciphers); ++i) {

+ const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(enabled_ciphers, i);

+ const uint16 id = static_cast<uint16>(SSL_CIPHER_get_id(cipher));

+ enabled_ciphers_vector.push_back(id);

+ }

std::vector<uint8_t> wire_protos =

- SerializeNextProtos(ssl_config_.next_protos);

+ SerializeNextProtos(ssl_config_.next_protos,

+ HasCipherAdequateForHTTP2(enabled_ciphers_vector) &&

+ IsTLSVersionAdequateForHTTP2(ssl_config_));

SSL_set_alpn_protos(ssl_, wire_protos.empty() ? NULL : &wire_protos[0],

wire_protos.size());

}

« no previous file with comments | « net/socket/ssl_client_socket_nss.cc ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »