Skip to content

GitLab

T
tangled
Commit a6194ed1 authored by agl@chromium.org's avatar agl@chromium.org
Browse files
Options

net: disable ECDSA ciphersuites on platforms where we can't support it. 

BUG=142782

https://chromiumcodereview.appspot.com/10830326/

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@151845 0039d316-1c4b-4281-b951-d872f2087c98
parent 32080ab8
Hide whitespace changes
Inline Side-by-side
Showing with 34 additions and 0 deletions
net/base/ssl_config_service.h
View file @ a6194ed1
...@@ -74,6 +74,9 @@ struct NET_EXPORT SSLConfig { ...@@ -74,6 +74,9 @@ struct NET_EXPORT SSLConfig {
// - FORTEZZA cipher suites (obsolete). // - FORTEZZA cipher suites (obsolete).
// - IDEA cipher suites (RFC 5469 explains why). // - IDEA cipher suites (RFC 5469 explains why).
// - Anonymous cipher suites. // - Anonymous cipher suites.
// - ECDSA cipher suites on platforms that do not support ECDSA signed
// certificates, as servers may use the presence of such ciphersuites as a
// hint to send an ECDSA certificate.
// The ciphers listed in |disabled_cipher_suites| will be removed in addition // The ciphers listed in |disabled_cipher_suites| will be removed in addition
// to the above list. // to the above list.
// //
......
net/socket/nss_ssl_util.cc
View file @ a6194ed1
...@@ -25,10 +25,17 @@ bool IsOSSnowLeopardOrLater() { return true; } ...@@ -25,10 +25,17 @@ bool IsOSSnowLeopardOrLater() { return true; }
#include "base/memory/singleton.h" #include "base/memory/singleton.h"
#include "base/threading/thread_restrictions.h" #include "base/threading/thread_restrictions.h"
#include "base/values.h" #include "base/values.h"
#include "build/build_config.h"
#include "crypto/nss_util.h" #include "crypto/nss_util.h"
#include "net/base/net_errors.h" #include "net/base/net_errors.h"
#include "net/base/net_log.h" #include "net/base/net_log.h"
#if defined(OS_WIN)
#include "base/win/windows_version.h"
#elif defined(OS_MACOSX)
#include "base/mac/mac_util.h"
#endif
namespace net { namespace net {
class NSSSSLInitSingleton { class NSSSSLInitSingleton {
...@@ -68,6 +75,17 @@ class NSSSSLInitSingleton { ...@@ -68,6 +75,17 @@ class NSSSSLInitSingleton {
// Enable SSL. // Enable SSL.
SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
// Disable ECDSA cipher suites on platforms that do not support ECDSA
// signed certificates, as servers may use the presence of such
// ciphersuites as a hint to send an ECDSA certificate.
#if defined(OS_WIN)
if (base::win::GetVersion() < base::win::VERSION_VISTA)
DisableECDSA();
#elif defined(OS_MACOSX)
if (!base::mac::IsOSSnowLeopardOrLater())
DisableECDSA();
#endif
// All other SSL options are set per-session by SSLClientSocket and // All other SSL options are set per-session by SSLClientSocket and
// SSLServerSocket. // SSLServerSocket.
} }
...@@ -76,6 +94,19 @@ class NSSSSLInitSingleton { ...@@ -76,6 +94,19 @@ class NSSSSLInitSingleton {
// Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY. // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY.
SSL_ClearSessionCache(); SSL_ClearSessionCache();
} }
void DisableECDSA() {
const PRUint16* ciphersuites = SSL_GetImplementedCiphers();
const unsigned num_ciphersuites = SSL_GetNumImplementedCiphers();
SECStatus rv;
SSLCipherSuiteInfo info;
for (unsigned i = 0; i < num_ciphersuites; i++) {
rv = SSL_GetCipherSuiteInfo(ciphersuites[i], &info, sizeof(info));
if (rv == SECSuccess && info.authAlgorithm == ssl_auth_ecdsa)
SSL_CipherPrefSetDefault(ciphersuites[i], PR_FALSE);
}
}
}; };
static base::LazyInstance<NSSSSLInitSingleton> g_nss_ssl_init_singleton = static base::LazyInstance<NSSSSLInitSingleton> g_nss_ssl_init_singleton =
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment