Google Git
Sign in
chromium / chromium / src / 07a07d65ffad58feb3c867b69ec562a9156ed3b4^! / . / net / ssl / ssl_server_config.h
commit07a07d65ffad58feb3c867b69ec562a9156ed3b4[log] [tgz]
authorDavid Benjamin <[email protected]>Wed Feb 26 22:26:59 2020
committerCommit Bot <[email protected]>Wed Feb 26 22:26:59 2020
tree86d4b963f0caac8ef592ffcce96e971c7530a025
parent0f709d2282fea83f1612878da3e512ffb5bdbc63 [diff] [blame]
Put 3DES and SHA-1 server signatures behind a fallback

Many servers which negotiate SHA-1 server signatures in TLS 1.2 actually
support SHA-2 but preferentially sign SHA-1 if available. Likewise, some
3DES-negotiating servers support AES if 3DES is removed.

To get more accurate metrics, initially connect with SHA-1 and 3DES
disabled. If this fails, retry with them enabled. This keeps the legacy
algorithms working for now, but they will only appear in metrics and
DevTools if the site relies on them.

Add a feature flag so that if problems arise (e.g. we're not conditioning
on the right error codes), we can turn this off easily.

See
https://groups.google.com/a/chromium.org/forum/m/#!topic/blink-dev/yaJcs4p9LNI
for more details.

Bug: 658905, 691888
Change-Id: I94ad87b2c71cdd6c85060a4372b198e4119ffee8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2063689
Commit-Queue: David Benjamin <[email protected]>
Reviewed-by: Matt Mueller <[email protected]>
Reviewed-by: Brian White <[email protected]>
Cr-Commit-Position: refs/heads/master@{#744825}

diff --git a/net/ssl/ssl_server_config.h b/net/ssl/ssl_server_config.h
index bf3b79b..b3ff437 100644
--- a/net/ssl/ssl_server_config.h
+++ b/net/ssl/ssl_server_config.h

@@ -9,6 +9,7 @@
 
 #include <vector>
 
+#include "base/optional.h"
 #include "net/base/net_export.h"
 #include "net/socket/next_proto.h"
 #include "net/ssl/ssl_config.h"
@@ -67,6 +68,16 @@
   // If true, causes only ECDHE cipher suites to be enabled.
   bool require_ecdhe;
 
+  // cipher_suite_for_testing, if set, causes the server to only support the
+  // specified cipher suite in TLS 1.2 and below. This should only be used in
+  // unit tests.
+  base::Optional<uint16_t> cipher_suite_for_testing;
+
+  // signature_algorithm_for_testing, if set, causes the server to only support
+  // the specified signature algorithm in TLS 1.2 and below. This should only be
+  // used in unit tests.
+  base::Optional<uint16_t> signature_algorithm_for_testing;
+
   // Sets the requirement for client certificates during handshake.
   ClientCertType client_cert_type;