OLD | NEW |
| (Empty) |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef NET_SSL_SSL_CONFIG_H_ | |
6 #define NET_SSL_SSL_CONFIG_H_ | |
7 | |
8 #include "base/basictypes.h" | |
9 #include "base/memory/ref_counted.h" | |
10 #include "net/base/net_export.h" | |
11 #include "net/cert/x509_certificate.h" | |
12 #include "net/socket/next_proto.h" | |
13 | |
14 namespace net { | |
15 | |
16 // Various TLS/SSL ProtocolVersion values encoded as uint16 | |
17 // struct { | |
18 // uint8 major; | |
19 // uint8 minor; | |
20 // } ProtocolVersion; | |
21 // The most significant byte is |major|, and the least significant byte | |
22 // is |minor|. | |
23 enum { | |
24 SSL_PROTOCOL_VERSION_SSL3 = 0x0300, | |
25 SSL_PROTOCOL_VERSION_TLS1 = 0x0301, | |
26 SSL_PROTOCOL_VERSION_TLS1_1 = 0x0302, | |
27 SSL_PROTOCOL_VERSION_TLS1_2 = 0x0303, | |
28 }; | |
29 | |
30 // Default minimum protocol version. | |
31 NET_EXPORT extern const uint16 kDefaultSSLVersionMin; | |
32 | |
33 // For maximum supported protocol version, use | |
34 // SSLClientSocket::GetMaxSupportedSSLVersion(). | |
35 | |
36 // Default minimum protocol version that it's acceptable to fallback to. | |
37 NET_EXPORT extern const uint16 kDefaultSSLVersionFallbackMin; | |
38 | |
39 // A collection of SSL-related configuration settings. | |
40 struct NET_EXPORT SSLConfig { | |
41 // Default to revocation checking. | |
42 // Default to SSL 3.0 ~ default_version_max() on. | |
43 SSLConfig(); | |
44 ~SSLConfig(); | |
45 | |
46 // Returns true if |cert| is one of the certs in |allowed_bad_certs|. | |
47 // The expected cert status is written to |cert_status|. |*cert_status| can | |
48 // be NULL if user doesn't care about the cert status. | |
49 bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const; | |
50 | |
51 // Same as above except works with DER encoded certificates instead | |
52 // of X509Certificate. | |
53 bool IsAllowedBadCert(const base::StringPiece& der_cert, | |
54 CertStatus* cert_status) const; | |
55 | |
56 // rev_checking_enabled is true if online certificate revocation checking is | |
57 // enabled (i.e. OCSP and CRL fetching). | |
58 // | |
59 // Regardless of this flag, CRLSet checking is always enabled and locally | |
60 // cached revocation information will be considered. | |
61 bool rev_checking_enabled; | |
62 | |
63 // rev_checking_required_local_anchors is true if revocation checking is | |
64 // required to succeed when certificates chain to local trust anchors (that | |
65 // is, non-public CAs). If revocation information cannot be obtained, such | |
66 // certificates will be treated as revoked ("hard-fail"). | |
67 // Note: This is distinct from rev_checking_enabled. If true, it is | |
68 // equivalent to also setting rev_checking_enabled, but only when the | |
69 // certificate chain chains to a local (non-public) trust anchor. | |
70 bool rev_checking_required_local_anchors; | |
71 | |
72 // The minimum and maximum protocol versions that are enabled. | |
73 // SSL 3.0 is 0x0300, TLS 1.0 is 0x0301, TLS 1.1 is 0x0302, and so on. | |
74 // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.) | |
75 // SSL 2.0 is not supported. If version_max < version_min, it means no | |
76 // protocol versions are enabled. | |
77 uint16 version_min; | |
78 uint16 version_max; | |
79 | |
80 // version_fallback_min contains the minimum version that is acceptable to | |
81 // fallback to. Versions before this may be tried to see whether they would | |
82 // have succeeded and thus to give a better message to the user, but the | |
83 // resulting connection won't be used in these cases. | |
84 uint16 version_fallback_min; | |
85 | |
86 // Presorted list of cipher suites which should be explicitly prevented from | |
87 // being used in addition to those disabled by the net built-in policy. | |
88 // | |
89 // By default, all cipher suites supported by the underlying SSL | |
90 // implementation will be enabled except for: | |
91 // - Null encryption cipher suites. | |
92 // - Weak cipher suites: < 80 bits of security strength. | |
93 // - FORTEZZA cipher suites (obsolete). | |
94 // - IDEA cipher suites (RFC 5469 explains why). | |
95 // - Anonymous cipher suites. | |
96 // - ECDSA cipher suites on platforms that do not support ECDSA signed | |
97 // certificates, as servers may use the presence of such ciphersuites as a | |
98 // hint to send an ECDSA certificate. | |
99 // The ciphers listed in |disabled_cipher_suites| will be removed in addition | |
100 // to the above list. | |
101 // | |
102 // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in | |
103 // big-endian form, they should be declared in host byte order, with the | |
104 // first uint8 occupying the most significant byte. | |
105 // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to | |
106 // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002. | |
107 std::vector<uint16> disabled_cipher_suites; | |
108 | |
109 bool channel_id_enabled; // True if TLS channel ID extension is enabled. | |
110 bool false_start_enabled; // True if we'll use TLS False Start. | |
111 // True if the Certificate Transparency signed_certificate_timestamp | |
112 // TLS extension is enabled. | |
113 bool signed_cert_timestamps_enabled; | |
114 | |
115 // require_forward_secrecy, if true, causes only (EC)DHE cipher suites to be | |
116 // enabled. NOTE: this only applies to server sockets currently, although | |
117 // that could be extended if needed. | |
118 bool require_forward_secrecy; | |
119 | |
120 // TODO(wtc): move the following members to a new SSLParams structure. They | |
121 // are not SSL configuration settings. | |
122 | |
123 struct NET_EXPORT CertAndStatus { | |
124 CertAndStatus(); | |
125 ~CertAndStatus(); | |
126 | |
127 std::string der_cert; | |
128 CertStatus cert_status; | |
129 }; | |
130 | |
131 // Add any known-bad SSL certificate (with its cert status) to | |
132 // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when | |
133 // calling SSLClientSocket::Connect. This would normally be done in | |
134 // response to the user explicitly accepting the bad certificate. | |
135 std::vector<CertAndStatus> allowed_bad_certs; | |
136 | |
137 // True if we should send client_cert to the server. | |
138 bool send_client_cert; | |
139 | |
140 bool verify_ev_cert; // True if we should verify the certificate for EV. | |
141 | |
142 bool version_fallback; // True if we are falling back to an older protocol | |
143 // version (one still needs to decrement | |
144 // version_max). | |
145 | |
146 // If cert_io_enabled is false, then certificate verification will not | |
147 // result in additional HTTP requests. (For example: to fetch missing | |
148 // intermediates or to perform OCSP/CRL fetches.) It also implies that online | |
149 // revocation checking is disabled. | |
150 // NOTE: Only used by NSS. | |
151 bool cert_io_enabled; | |
152 | |
153 // The list of application level protocols supported. If set, this will | |
154 // enable Next Protocol Negotiation (if supported). The order of the | |
155 // protocols doesn't matter expect for one case: if the server supports Next | |
156 // Protocol Negotiation, but there is no overlap between the server's and | |
157 // client's protocol sets, then the first protocol in this list will be | |
158 // requested by the client. | |
159 NextProtoVector next_protos; | |
160 | |
161 scoped_refptr<X509Certificate> client_cert; | |
162 | |
163 // Information about how to proceed with fastradio padding. | |
164 // |fastradio_padding_enabled| determines if the feature is enabled globally. | |
165 // |fastradio_padding_eligible| determines if the endpoint associated with | |
166 // this config should use it. | |
167 // |fastradio_padding_eligible| can be true when |fastradio_padding_enabled| | |
168 // is false: in this case, fastradio padding would not be enabled, but | |
169 // metrics can be collected for experiments. | |
170 bool fastradio_padding_enabled; | |
171 bool fastradio_padding_eligible; | |
172 }; | |
173 | |
174 } // namespace net | |
175 | |
176 #endif // NET_SSL_SSL_CONFIG_H_ | |
OLD | NEW |