Home | History | Annotate | Download | only in ssl 
      1 // Copyright 2014 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef NET_SSL_SSL_CONFIG_H_
      6 #define NET_SSL_SSL_CONFIG_H_
      7 
      8 #include "base/basictypes.h"
      9 #include "base/memory/ref_counted.h"
     10 #include "net/base/net_export.h"
     11 #include "net/cert/x509_certificate.h"
     12 
     13 namespace net {
     14 
     15 // Various TLS/SSL ProtocolVersion values encoded as uint16
     16 //      struct {
     17 //          uint8 major;
     18 //          uint8 minor;
     19 //      } ProtocolVersion;
     20 // The most significant byte is |major|, and the least significant byte
     21 // is |minor|.
     22 enum {
     23   SSL_PROTOCOL_VERSION_SSL3 = 0x0300,
     24   SSL_PROTOCOL_VERSION_TLS1 = 0x0301,
     25   SSL_PROTOCOL_VERSION_TLS1_1 = 0x0302,
     26   SSL_PROTOCOL_VERSION_TLS1_2 = 0x0303,
     27 };
     28 
     29 // Default minimum protocol version.
     30 NET_EXPORT extern const uint16 kDefaultSSLVersionMin;
     31 
     32 // Default maximum protocol version.
     33 NET_EXPORT extern const uint16 kDefaultSSLVersionMax;
     34 
     35 // Default minimum protocol version that it's acceptable to fallback to.
     36 NET_EXPORT extern const uint16 kDefaultSSLVersionFallbackMin;
     37 
     38 // A collection of SSL-related configuration settings.
     39 struct NET_EXPORT SSLConfig {
     40   // Default to revocation checking.
     41   // Default to SSL 3.0 ~ default_version_max() on.
     42   SSLConfig();
     43   ~SSLConfig();
     44 
     45   // Returns true if |cert| is one of the certs in |allowed_bad_certs|.
     46   // The expected cert status is written to |cert_status|. |*cert_status| can
     47   // be NULL if user doesn't care about the cert status.
     48   bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const;
     49 
     50   // Same as above except works with DER encoded certificates instead
     51   // of X509Certificate.
     52   bool IsAllowedBadCert(const base::StringPiece& der_cert,
     53                         CertStatus* cert_status) const;
     54 
     55   // rev_checking_enabled is true if online certificate revocation checking is
     56   // enabled (i.e. OCSP and CRL fetching).
     57   //
     58   // Regardless of this flag, CRLSet checking is always enabled and locally
     59   // cached revocation information will be considered.
     60   bool rev_checking_enabled;
     61 
     62   // rev_checking_required_local_anchors is true if revocation checking is
     63   // required to succeed when certificates chain to local trust anchors (that
     64   // is, non-public CAs). If revocation information cannot be obtained, such
     65   // certificates will be treated as revoked ("hard-fail").
     66   // Note: This is distinct from rev_checking_enabled. If true, it is
     67   // equivalent to also setting rev_checking_enabled, but only when the
     68   // certificate chain chains to a local (non-public) trust anchor.
     69   bool rev_checking_required_local_anchors;
     70 
     71   // The minimum and maximum protocol versions that are enabled.
     72   // SSL 3.0 is 0x0300, TLS 1.0 is 0x0301, TLS 1.1 is 0x0302, and so on.
     73   // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.)
     74   // SSL 2.0 is not supported. If version_max < version_min, it means no
     75   // protocol versions are enabled.
     76   uint16 version_min;
     77   uint16 version_max;
     78 
     79   // version_fallback_min contains the minimum version that is acceptable to
     80   // fallback to. Versions before this may be tried to see whether they would
     81   // have succeeded and thus to give a better message to the user, but the
     82   // resulting connection won't be used in these cases.
     83   uint16 version_fallback_min;
     84 
     85   // Presorted list of cipher suites which should be explicitly prevented from
     86   // being used in addition to those disabled by the net built-in policy.
     87   //
     88   // By default, all cipher suites supported by the underlying SSL
     89   // implementation will be enabled except for:
     90   // - Null encryption cipher suites.
     91   // - Weak cipher suites: < 80 bits of security strength.
     92   // - FORTEZZA cipher suites (obsolete).
     93   // - IDEA cipher suites (RFC 5469 explains why).
     94   // - Anonymous cipher suites.
     95   // - ECDSA cipher suites on platforms that do not support ECDSA signed
     96   //   certificates, as servers may use the presence of such ciphersuites as a
     97   //   hint to send an ECDSA certificate.
     98   // The ciphers listed in |disabled_cipher_suites| will be removed in addition
     99   // to the above list.
    100   //
    101   // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in
    102   // big-endian form, they should be declared in host byte order, with the
    103   // first uint8 occupying the most significant byte.
    104   // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
    105   // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
    106   std::vector<uint16> disabled_cipher_suites;
    107 
    108   bool channel_id_enabled;   // True if TLS channel ID extension is enabled.
    109   bool false_start_enabled;  // True if we'll use TLS False Start.
    110   // True if the Certificate Transparency signed_certificate_timestamp
    111   // TLS extension is enabled.
    112   bool signed_cert_timestamps_enabled;
    113 
    114   // require_forward_secrecy, if true, causes only (EC)DHE cipher suites to be
    115   // enabled. NOTE: this only applies to server sockets currently, although
    116   // that could be extended if needed.
    117   bool require_forward_secrecy;
    118 
    119   // TODO(wtc): move the following members to a new SSLParams structure.  They
    120   // are not SSL configuration settings.
    121 
    122   struct NET_EXPORT CertAndStatus {
    123     CertAndStatus();
    124     ~CertAndStatus();
    125 
    126     std::string der_cert;
    127     CertStatus cert_status;
    128   };
    129 
    130   // Add any known-bad SSL certificate (with its cert status) to
    131   // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when
    132   // calling SSLClientSocket::Connect.  This would normally be done in
    133   // response to the user explicitly accepting the bad certificate.
    134   std::vector<CertAndStatus> allowed_bad_certs;
    135 
    136   // True if we should send client_cert to the server.
    137   bool send_client_cert;
    138 
    139   bool verify_ev_cert;  // True if we should verify the certificate for EV.
    140 
    141   bool version_fallback;  // True if we are falling back to an older protocol
    142                           // version (one still needs to decrement
    143                           // version_max).
    144 
    145   // If cert_io_enabled is false, then certificate verification will not
    146   // result in additional HTTP requests. (For example: to fetch missing
    147   // intermediates or to perform OCSP/CRL fetches.) It also implies that online
    148   // revocation checking is disabled.
    149   // NOTE: Only used by NSS.
    150   bool cert_io_enabled;
    151 
    152   // The list of application level protocols supported. If set, this will
    153   // enable Next Protocol Negotiation (if supported). The order of the
    154   // protocols doesn't matter expect for one case: if the server supports Next
    155   // Protocol Negotiation, but there is no overlap between the server's and
    156   // client's protocol sets, then the first protocol in this list will be
    157   // requested by the client.
    158   std::vector<std::string> next_protos;
    159 
    160   scoped_refptr<X509Certificate> client_cert;
    161 };
    162 
    163 }  // namespace net
    164 
    165 #endif  // NET_SSL_SSL_CONFIG_H_
    166