1 // Copyright 2014 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_SSL_SSL_CONFIG_H_ 6 #define NET_SSL_SSL_CONFIG_H_ 7 8 #include <stdint.h> 9 10 #include "base/containers/flat_map.h" 11 #include "base/memory/scoped_refptr.h" 12 #include "net/base/net_export.h" 13 #include "net/base/network_anonymization_key.h" 14 #include "net/base/privacy_mode.h" 15 #include "net/cert/cert_status_flags.h" 16 #include "net/cert/x509_certificate.h" 17 #include "net/socket/next_proto.h" 18 #include "third_party/abseil-cpp/absl/types/optional.h" 19 20 namespace net { 21 22 // Supported TLS ProtocolVersion values encoded as uint16_t. 23 enum { 24 SSL_PROTOCOL_VERSION_TLS1_2 = 0x0303, 25 SSL_PROTOCOL_VERSION_TLS1_3 = 0x0304, 26 }; 27 28 // Default minimum protocol version. 29 NET_EXPORT extern const uint16_t kDefaultSSLVersionMin; 30 31 // Default maximum protocol version. 32 NET_EXPORT extern const uint16_t kDefaultSSLVersionMax; 33 34 // A collection of SSL-related configuration settings. 35 struct NET_EXPORT SSLConfig { 36 using ApplicationSettings = base::flat_map<NextProto, std::vector<uint8_t>>; 37 38 // Default to revocation checking. 39 SSLConfig(); 40 SSLConfig(const SSLConfig& other); 41 ~SSLConfig(); 42 43 // Returns true if |cert| is one of the certs in |allowed_bad_certs|. 44 // The expected cert status is written to |cert_status|. |*cert_status| can 45 // be NULL if user doesn't care about the cert status. 46 bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const; 47 48 // Returns the set of flags to use for certificate verification, which is a 49 // bitwise OR of CertVerifier::VerifyFlags that represent this SSLConfig's 50 // configuration. 51 int GetCertVerifyFlags() const; 52 53 // If specified, the minimum and maximum protocol versions that are enabled. 54 // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.) If 55 // unspecified, values from the SSLConfigService are used. 56 absl::optional<uint16_t> version_min_override; 57 absl::optional<uint16_t> version_max_override; 58 59 // Whether early data is enabled on this connection. Note that early data has 60 // weaker security properties than normal data and changes the 61 // SSLClientSocket's behavior. The caller must only send replayable data prior 62 // to handshake confirmation. See StreamSocket::ConfirmHandshake for details. 63 // 64 // Additionally, early data may be rejected by the server, resulting in some 65 // socket operation failing with ERR_EARLY_DATA_REJECTED or 66 // ERR_WRONG_VERSION_ON_EARLY_DATA before any data is returned from the 67 // server. The caller must handle these cases, typically by retrying the 68 // high-level operation. 69 // 70 // If unsure, do not enable this option. 71 bool early_data_enabled = false; 72 73 // If true, causes only ECDHE cipher suites to be enabled. 74 bool require_ecdhe = false; 75 76 // If true, causes SHA-1 signatures to be rejected from servers during 77 // a TLS handshake. 78 bool disable_sha1_server_signatures = false; 79 80 // TODO(wtc): move the following members to a new SSLParams structure. They 81 // are not SSL configuration settings. 82 83 struct NET_EXPORT CertAndStatus { 84 CertAndStatus(); 85 CertAndStatus(scoped_refptr<X509Certificate> cert, CertStatus status); 86 CertAndStatus(const CertAndStatus&); 87 ~CertAndStatus(); 88 89 scoped_refptr<X509Certificate> cert; 90 CertStatus cert_status = 0; 91 }; 92 93 // Add any known-bad SSL certificate (with its cert status) to 94 // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when 95 // calling SSLClientSocket::Connect. This would normally be done in 96 // response to the user explicitly accepting the bad certificate. 97 std::vector<CertAndStatus> allowed_bad_certs; 98 99 // True if all certificate errors should be ignored. 100 bool ignore_certificate_errors = false; 101 102 // True if, for a single connection, any dependent network fetches should 103 // be disabled. This can be used to avoid triggering re-entrancy in the 104 // network layer. For example, fetching a PAC script over HTTPS may cause 105 // AIA, OCSP, or CRL fetches to block on retrieving the PAC script, while 106 // the PAC script fetch is waiting for those dependent fetches, creating a 107 // deadlock. 108 bool disable_cert_verification_network_fetches = false; 109 110 // The list of application level protocols supported with ALPN (Application 111 // Layer Protocol Negotiation), in decreasing order of preference. Protocols 112 // will be advertised in this order during TLS handshake. 113 NextProtoVector alpn_protos; 114 115 // True if renegotiation should be allowed for the default application-level 116 // protocol when the peer does not negotiate ALPN. 117 bool renego_allowed_default = false; 118 119 // The list of application-level protocols to enable renegotiation for. 120 NextProtoVector renego_allowed_for_protos; 121 122 // ALPS TLS extension is enabled and corresponding data is sent to server 123 // for each NextProto in |application_settings|. Data might be empty. 124 ApplicationSettings application_settings; 125 126 // If the PartitionSSLSessionsByNetworkIsolationKey feature is enabled, the 127 // session cache is partitioned by this value. 128 NetworkAnonymizationKey network_anonymization_key; 129 130 // If non-empty, a serialized ECHConfigList to use to encrypt the ClientHello. 131 // If this field is non-empty, callers should handle |ERR_ECH_NOT_NEGOTIATED| 132 // errors from Connect() by calling GetECHRetryConfigs() to determine how to 133 // retry the connection. 134 std::vector<uint8_t> ech_config_list; 135 136 // An additional boolean to partition the session cache by. 137 // 138 // TODO(https://crbug.com/775438, https://crbug.com/951205): This should 139 // additionally disable client certificates, once client certificate handling 140 // is moved into SSLClientContext. With client certificates are disabled, the 141 // current session cache partitioning behavior will be needed to correctly 142 // implement it. For now, it acts as an incomplete version of 143 // PartitionSSLSessionsByNetworkIsolationKey. 144 PrivacyMode privacy_mode = PRIVACY_MODE_DISABLED; 145 146 // True if the post-handshake peeking of the transport should be skipped. This 147 // logic ensures tickets are resolved early, but can interfere with some unit 148 // tests. 149 bool disable_post_handshake_peek_for_testing = false; 150 }; 151 152 } // namespace net 153 154 #endif // NET_SSL_SSL_CONFIG_H_ 155