Commit 4554e58c authored by wtc@chromium.org's avatar wtc@chromium.org

Add a preference for enabling the TLS origin-bound certificates extension.

The preference is controlled by the command line and enterprise policy.

R=mattm@chromium.org,mnissler@chromium.org
BUG=106077
TEST=Existing policy unit tests are updated.

Review URL: http://codereview.chromium.org/8772014

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@112848 0039d316-1c4b-4281-b951-d872f2087c98
parent 4ad5d77d
...@@ -100,7 +100,7 @@ ...@@ -100,7 +100,7 @@
# persistent IDs for all fields (but not for groups!) are needed. These are # persistent IDs for all fields (but not for groups!) are needed. These are
# specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs, # specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
# because doing so would break the deployed wire format! # because doing so would break the deployed wire format!
# For your editing convenience: highest ID currently used: 113 # For your editing convenience: highest ID currently used: 114
# #
# Placeholders: # Placeholders:
# The following placeholder strings are automatically substituted: # The following placeholder strings are automatically substituted:
...@@ -429,7 +429,7 @@ ...@@ -429,7 +429,7 @@
'example_value': True, 'example_value': True,
'id': 13, 'id': 13,
'caption': '''Enable <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> proxy''', 'caption': '''Enable <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> proxy''',
'desc': ''' Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to act as a proxy between <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> and legacy printers connected to the machine. 'desc': '''Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to act as a proxy between <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> and legacy printers connected to the machine.
If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account.
...@@ -2097,7 +2097,7 @@ ...@@ -2097,7 +2097,7 @@
'example_value': True, 'example_value': True,
'id': 109, 'id': 109,
'caption': '''Enable submission of documents to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph>''', 'caption': '''Enable submission of documents to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph>''',
'desc': ''' Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to submit documents to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> for printing. NOTE: This only affects <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> support in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. It does not prevent users from submitting print jobs on web sites. 'desc': '''Enables <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> to submit documents to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> for printing. NOTE: This only affects <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> support in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. It does not prevent users from submitting print jobs on web sites.
If this setting is enabled or not configured, users can print to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> from the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> print dialog. If this setting is enabled or not configured, users can print to <ph name="CLOUD_PRINT_NAME">Google Cloud Print</ph> from the <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> print dialog.
...@@ -2129,6 +2129,19 @@ ...@@ -2129,6 +2129,19 @@
If this setting is disabled, the enterprise web store app (if it exists) will be labeled with its URL.''', If this setting is disabled, the enterprise web store app (if it exists) will be labeled with its URL.''',
}, },
{
'name': 'EnableOriginBoundCerts',
'type': 'main',
'supported_on': ['chrome.*:17-'],
'features': {'dynamic_refresh': 1},
'future': True,
'example_value': True,
'id': 114,
'caption': '''Enable TLS origin-bound certificates extension''',
'desc': '''Specifies whether the TLS origin-bound certificates extension should be enabled.
This setting is used to enable the TLS origin-bound certificates extension for testing. This experimental setting will be removed in the future.''',
},
], ],
'messages': { 'messages': {
# Messages that are not associated to any policies. # Messages that are not associated to any policies.
......
...@@ -140,6 +140,7 @@ class SSLConfigServiceManagerPref ...@@ -140,6 +140,7 @@ class SSLConfigServiceManagerPref
BooleanPrefMember rev_checking_enabled_; BooleanPrefMember rev_checking_enabled_;
BooleanPrefMember ssl3_enabled_; BooleanPrefMember ssl3_enabled_;
BooleanPrefMember tls1_enabled_; BooleanPrefMember tls1_enabled_;
BooleanPrefMember origin_bound_certs_enabled_;
// The cached list of disabled SSL cipher suites. // The cached list of disabled SSL cipher suites.
std::vector<uint16> disabled_cipher_suites_; std::vector<uint16> disabled_cipher_suites_;
...@@ -158,6 +159,8 @@ SSLConfigServiceManagerPref::SSLConfigServiceManagerPref( ...@@ -158,6 +159,8 @@ SSLConfigServiceManagerPref::SSLConfigServiceManagerPref(
local_state, this); local_state, this);
ssl3_enabled_.Init(prefs::kSSL3Enabled, local_state, this); ssl3_enabled_.Init(prefs::kSSL3Enabled, local_state, this);
tls1_enabled_.Init(prefs::kTLS1Enabled, local_state, this); tls1_enabled_.Init(prefs::kTLS1Enabled, local_state, this);
origin_bound_certs_enabled_.Init(prefs::kEnableOriginBoundCerts,
local_state, this);
pref_change_registrar_.Init(local_state); pref_change_registrar_.Init(local_state);
pref_change_registrar_.Add(prefs::kCipherSuiteBlacklist, this); pref_change_registrar_.Add(prefs::kCipherSuiteBlacklist, this);
...@@ -176,6 +179,8 @@ void SSLConfigServiceManagerPref::RegisterPrefs(PrefService* prefs) { ...@@ -176,6 +179,8 @@ void SSLConfigServiceManagerPref::RegisterPrefs(PrefService* prefs) {
default_config.ssl3_enabled); default_config.ssl3_enabled);
prefs->RegisterBooleanPref(prefs::kTLS1Enabled, prefs->RegisterBooleanPref(prefs::kTLS1Enabled,
default_config.tls1_enabled); default_config.tls1_enabled);
prefs->RegisterBooleanPref(prefs::kEnableOriginBoundCerts,
default_config.origin_bound_certs_enabled);
prefs->RegisterListPref(prefs::kCipherSuiteBlacklist); prefs->RegisterListPref(prefs::kCipherSuiteBlacklist);
// The Options menu used to allow changing the ssl.ssl3.enabled and // The Options menu used to allow changing the ssl.ssl3.enabled and
// ssl.tls1.enabled preferences, so some users' Local State may have // ssl.tls1.enabled preferences, so some users' Local State may have
...@@ -221,6 +226,7 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs( ...@@ -221,6 +226,7 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
config->ssl3_enabled = ssl3_enabled_.GetValue(); config->ssl3_enabled = ssl3_enabled_.GetValue();
config->tls1_enabled = tls1_enabled_.GetValue(); config->tls1_enabled = tls1_enabled_.GetValue();
config->disabled_cipher_suites = disabled_cipher_suites_; config->disabled_cipher_suites = disabled_cipher_suites_;
config->origin_bound_certs_enabled = origin_bound_certs_enabled_.GetValue();
SSLConfigServicePref::SetSSLConfigFlags(config); SSLConfigServicePref::SetSSLConfigFlags(config);
} }
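Review bot: In GetSSLConfigFromPrefs the new line `config->origin_bound_certs_enabled = origin_bound_certs_enabled_.GetValue();` (L82) is placed after `disabled_cipher_suites`, whereas the member declaration (L58) and its `Init` call (L65) are grouped with `tls1_enabled_`; moving it directly after `config->tls1_enabled = tls1_enabled_.GetValue();` keeps all three places in the same order and makes a missing field easier to spot. The member at L58 is also the only one in that group without a comment; `// Whether the TLS origin-bound certificates extension is enabled.` in the style of the `disabled_cipher_suites_` comment below it would do. Presumably `Observe()` (outside these hunks) rebuilds the config for any pref change delivered via `this`, so a policy-driven toggle of kEnableOriginBoundCerts reaches ProcessConfigUpdate — worth confirming, since the policy definition claims dynamic refresh.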
......
...@@ -124,6 +124,8 @@ const PolicyToPreferenceMapEntry kSimplePolicyMap[] = { ...@@ -124,6 +124,8 @@ const PolicyToPreferenceMapEntry kSimplePolicyMap[] = {
prefs::kManagedDefaultNotificationsSetting }, prefs::kManagedDefaultNotificationsSetting },
{ Value::TYPE_INTEGER, kPolicyDefaultGeolocationSetting, { Value::TYPE_INTEGER, kPolicyDefaultGeolocationSetting,
prefs::kManagedDefaultGeolocationSetting }, prefs::kManagedDefaultGeolocationSetting },
{ Value::TYPE_BOOLEAN, kPolicyEnableOriginBoundCerts,
prefs::kEnableOriginBoundCerts },
{ Value::TYPE_STRING, kPolicyAuthSchemes, { Value::TYPE_STRING, kPolicyAuthSchemes,
prefs::kAuthSchemes }, prefs::kAuthSchemes },
{ Value::TYPE_BOOLEAN, kPolicyDisableAuthNegotiateCnameLookup, { Value::TYPE_BOOLEAN, kPolicyDisableAuthNegotiateCnameLookup,
......
...@@ -215,6 +215,8 @@ INSTANTIATE_TEST_CASE_P( ...@@ -215,6 +215,8 @@ INSTANTIATE_TEST_CASE_P(
prefs::kSavingBrowserHistoryDisabled), prefs::kSavingBrowserHistoryDisabled),
TypeAndName(kPolicySavingBrowserHistoryDisabled, TypeAndName(kPolicySavingBrowserHistoryDisabled,
prefs::kSavingBrowserHistoryDisabled), prefs::kSavingBrowserHistoryDisabled),
TypeAndName(kPolicyEnableOriginBoundCerts,
prefs::kEnableOriginBoundCerts),
TypeAndName(kPolicyDisableAuthNegotiateCnameLookup, TypeAndName(kPolicyDisableAuthNegotiateCnameLookup,
prefs::kDisableAuthNegotiateCnameLookup), prefs::kDisableAuthNegotiateCnameLookup),
TypeAndName(kPolicyEnableAuthNegotiatePort, TypeAndName(kPolicyEnableAuthNegotiatePort,
......
...@@ -46,6 +46,8 @@ const CommandLinePrefStore::BooleanSwitchToPreferenceMapEntry ...@@ -46,6 +46,8 @@ const CommandLinePrefStore::BooleanSwitchToPreferenceMapEntry
prefs::kAllowCrossOriginAuthPrompt, true }, prefs::kAllowCrossOriginAuthPrompt, true },
{ switches::kDisableSSL3, prefs::kSSL3Enabled, false }, { switches::kDisableSSL3, prefs::kSSL3Enabled, false },
{ switches::kDisableTLS1, prefs::kTLS1Enabled, false }, { switches::kDisableTLS1, prefs::kTLS1Enabled, false },
{ switches::kEnableOriginBoundCerts, prefs::kEnableOriginBoundCerts,
true },
}; };
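Review bot: The switch mapping at L110–L111 replaces the early-initialization code removed from BrowserMainLoop in this commit, which changes the precedence of the switch: before, the global set from the command line could not be overridden; now the switch only seeds a pref in the command-line store, which presumably ranks below the managed-policy stores, so an enterprise policy value of false wins over the switch. That is sensible for a policy-controlled setting, but it is a behaviour change worth one sentence in the commit description or a comment on the new entry, e.g. `// Policy takes precedence over this switch; see kSimplePolicyMap.`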
const CommandLinePrefStore::IntegerSwitchToPreferenceMapEntry const CommandLinePrefStore::IntegerSwitchToPreferenceMapEntry
......
...@@ -901,6 +901,7 @@ const char kCertRevocationCheckingEnabled[] = "ssl.rev_checking.enabled"; ...@@ -901,6 +901,7 @@ const char kCertRevocationCheckingEnabled[] = "ssl.rev_checking.enabled";
const char kSSL3Enabled[] = "ssl.ssl3.enabled"; const char kSSL3Enabled[] = "ssl.ssl3.enabled";
const char kTLS1Enabled[] = "ssl.tls1.enabled"; const char kTLS1Enabled[] = "ssl.tls1.enabled";
const char kCipherSuiteBlacklist[] = "ssl.cipher_suites.blacklist"; const char kCipherSuiteBlacklist[] = "ssl.cipher_suites.blacklist";
const char kEnableOriginBoundCerts[] = "ssl.origin_bound_certs.enabled";
// The metrics client GUID and session ID. // The metrics client GUID and session ID.
const char kMetricsClientID[] = "user_experience_metrics.client_id"; const char kMetricsClientID[] = "user_experience_metrics.client_id";
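Review bot: The new constant `kEnableOriginBoundCerts` (L119) breaks the naming pattern of the neighbouring ssl.* prefs (`kCertRevocationCheckingEnabled`, `kSSL3Enabled`, `kTLS1Enabled`), whose identifiers end in `Enabled` to mirror the `…enabled` key; the string itself, `ssl.origin_bound_certs.enabled`, does follow that pattern. `kOriginBoundCertsEnabled` would match, although the rename touches the header (L127), the pref store tables and the tests in this commit. If the identifier is deliberately kept identical to the policy name, a short comment saying so would prevent a later "fix".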
......
...@@ -318,6 +318,7 @@ extern const char kCertRevocationCheckingEnabled[]; ...@@ -318,6 +318,7 @@ extern const char kCertRevocationCheckingEnabled[];
extern const char kSSL3Enabled[]; extern const char kSSL3Enabled[];
extern const char kTLS1Enabled[]; extern const char kTLS1Enabled[];
extern const char kCipherSuiteBlacklist[]; extern const char kCipherSuiteBlacklist[];
extern const char kEnableOriginBoundCerts[];
extern const char kMetricsClientID[]; extern const char kMetricsClientID[];
extern const char kMetricsSessionID[]; extern const char kMetricsSessionID[];
......
...@@ -22,6 +22,7 @@ ...@@ -22,6 +22,7 @@
"DnsPrefetchingEnabled": false, "DnsPrefetchingEnabled": false,
"EditBookmarksEnabled":false, "EditBookmarksEnabled":false,
"EnableAuthNegotiatePort": true, "EnableAuthNegotiatePort": true,
"EnableOriginBoundCerts": true,
"HomepageIsNewTabPage": false, "HomepageIsNewTabPage": false,
"HomepageLocation": "http://chromium.org", "HomepageLocation": "http://chromium.org",
"IncognitoEnabled": false, "IncognitoEnabled": false,
......
...@@ -38,6 +38,7 @@ ...@@ -38,6 +38,7 @@
"DownloadDirectory": "Downloads", "DownloadDirectory": "Downloads",
"EditBookmarksEnabled": true, "EditBookmarksEnabled": true,
"EnableAuthNegotiatePort": false, "EnableAuthNegotiatePort": false,
"EnableOriginBoundCerts": false,
"EnabledPlugins": ["Java"], "EnabledPlugins": ["Java"],
"ExtensionInstallBlacklist": ["extension_id1", "extension_id2"], "ExtensionInstallBlacklist": ["extension_id1", "extension_id2"],
"ExtensionInstallForcelist": ["extension_id1;https://clients2.google.com/service/update2/crx"], "ExtensionInstallForcelist": ["extension_id1;https://clients2.google.com/service/update2/crx"],
......
...@@ -120,6 +120,7 @@ class PolicyPrefsUITest(policy_base.PolicyTestBase): ...@@ -120,6 +120,7 @@ class PolicyPrefsUITest(policy_base.PolicyTestBase):
'ProxyPacUrl': ('http://localhost:8080/proxy.pac', [], 'ProxyPacUrl': ('http://localhost:8080/proxy.pac', [],
[ 'win', 'mac', 'linux' ]), [ 'win', 'mac', 'linux' ]),
'ProxyBypassList': ('localhost', [], [ 'win', 'mac', 'linux' ]), 'ProxyBypassList': ('localhost', [], [ 'win', 'mac', 'linux' ]),
'EnableOriginBoundCerts': (False, []),
'AuthSchemes': ('AuthSchemes', []), 'AuthSchemes': ('AuthSchemes', []),
'DisableAuthNegotiateCnameLookup': (True, []), 'DisableAuthNegotiateCnameLookup': (True, []),
'EnableAuthNegotiatePort': (False, []), 'EnableAuthNegotiatePort': (False, []),
......
...@@ -241,8 +241,6 @@ void BrowserMainLoop::EarlyInitialization() { ...@@ -241,8 +241,6 @@ void BrowserMainLoop::EarlyInitialization() {
net::SSLConfigService::DisableFalseStart(); net::SSLConfigService::DisableFalseStart();
if (parsed_command_line_.HasSwitch(switches::kEnableSSLCachedInfo)) if (parsed_command_line_.HasSwitch(switches::kEnableSSLCachedInfo))
net::SSLConfigService::EnableCachedInfo(); net::SSLConfigService::EnableCachedInfo();
if (parsed_command_line_.HasSwitch(switches::kEnableOriginBoundCerts))
net::SSLConfigService::EnableOriginBoundCerts();
if (parsed_command_line_.HasSwitch( if (parsed_command_line_.HasSwitch(
switches::kEnableDNSCertProvenanceChecking)) { switches::kEnableDNSCertProvenanceChecking)) {
net::SSLConfigService::EnableDNSCertProvenanceChecking(); net::SSLConfigService::EnableDNSCertProvenanceChecking();
......
...@@ -59,7 +59,6 @@ bool SSLConfigService::IsKnownFalseStartIncompatibleServer( ...@@ -59,7 +59,6 @@ bool SSLConfigService::IsKnownFalseStartIncompatibleServer(
} }
static bool g_cached_info_enabled = false; static bool g_cached_info_enabled = false;
static bool g_origin_bound_certs_enabled = false;
static bool g_false_start_enabled = true; static bool g_false_start_enabled = true;
static bool g_dns_cert_provenance_checking = false; static bool g_dns_cert_provenance_checking = false;
base::LazyInstance<scoped_refptr<CRLSet>, base::LazyInstance<scoped_refptr<CRLSet>,
...@@ -105,16 +104,6 @@ bool SSLConfigService::cached_info_enabled() { ...@@ -105,16 +104,6 @@ bool SSLConfigService::cached_info_enabled() {
return g_cached_info_enabled; return g_cached_info_enabled;
} }
// static
void SSLConfigService::EnableOriginBoundCerts() {
g_origin_bound_certs_enabled = true;
}
// static
bool SSLConfigService::origin_bound_certs_enabled() {
return g_origin_bound_certs_enabled;
}
void SSLConfigService::AddObserver(Observer* observer) { void SSLConfigService::AddObserver(Observer* observer) {
observer_list_.AddObserver(observer); observer_list_.AddObserver(observer);
} }
...@@ -132,7 +121,6 @@ void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) { ...@@ -132,7 +121,6 @@ void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) {
ssl_config->dns_cert_provenance_checking_enabled = ssl_config->dns_cert_provenance_checking_enabled =
g_dns_cert_provenance_checking; g_dns_cert_provenance_checking;
ssl_config->cached_info_enabled = g_cached_info_enabled; ssl_config->cached_info_enabled = g_cached_info_enabled;
ssl_config->origin_bound_certs_enabled = g_origin_bound_certs_enabled;
} }
void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config, void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
...@@ -142,7 +130,9 @@ void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config, ...@@ -142,7 +130,9 @@ void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
(orig_config.ssl3_enabled != new_config.ssl3_enabled) || (orig_config.ssl3_enabled != new_config.ssl3_enabled) ||
(orig_config.tls1_enabled != new_config.tls1_enabled) || (orig_config.tls1_enabled != new_config.tls1_enabled) ||
(orig_config.disabled_cipher_suites != (orig_config.disabled_cipher_suites !=
new_config.disabled_cipher_suites); new_config.disabled_cipher_suites) ||
(orig_config.origin_bound_certs_enabled !=
new_config.origin_bound_certs_enabled);
if (config_changed) if (config_changed)
FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged()); FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged());
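Review bot: Dropping the assignment of `origin_bound_certs_enabled` from SetSSLConfigFlags (L193) together with the global at L171 changes which SSLConfigService implementations see the setting: before, every service picked up the command-line value through the global, whereas now only the pref-backed SSLConfigServiceManagerPref populates `SSLConfig::origin_bound_certs_enabled`, and any other implementation (a defaults-based service, if one exists) is left with whatever SSLConfig initialises the field to. That looks intentional — the extension becomes opt-in through prefs and policy — but it deserves a sentence in the commit description or a comment next to the field in SSLConfig. The `config_changed` comparison added at L200–L202 is needed so observers are notified when the pref is toggled at runtime; ProcessConfigUpdate begins outside this hunk.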
......
...@@ -159,10 +159,6 @@ class NET_EXPORT SSLConfigService ...@@ -159,10 +159,6 @@ class NET_EXPORT SSLConfigService
static void EnableCachedInfo(); static void EnableCachedInfo();
static bool cached_info_enabled(); static bool cached_info_enabled();
// Enables the TLS origin bound cert extension.
static void EnableOriginBoundCerts();
static bool origin_bound_certs_enabled();
// Is SNI available in this configuration? // Is SNI available in this configuration?
static bool IsSNIAvailable(SSLConfigService* service); static bool IsSNIAvailable(SSLConfigService* service);
......