1 // Copyright (c) 2006-2009 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_BASE_SSL_CONFIG_SERVICE_H_ 6 #define NET_BASE_SSL_CONFIG_SERVICE_H_ 7 8 #include <vector> 9 10 #include "base/ref_counted.h" 11 #include "net/base/x509_certificate.h" 12 13 namespace net { 14 15 // A collection of SSL-related configuration settings. 16 struct SSLConfig { 17 // Default to revocation checking. 18 // Default to SSL 2.0 off, SSL 3.0 on, and TLS 1.0 on. SSLConfigSSLConfig19 SSLConfig() 20 : rev_checking_enabled(true), ssl2_enabled(false), ssl3_enabled(true), 21 tls1_enabled(true), send_client_cert(false), verify_ev_cert(false), 22 next_protos("\007http1.1") { 23 } 24 25 bool rev_checking_enabled; // True if server certificate revocation 26 // checking is enabled. 27 bool ssl2_enabled; // True if SSL 2.0 is enabled. 28 bool ssl3_enabled; // True if SSL 3.0 is enabled. 29 bool tls1_enabled; // True if TLS 1.0 is enabled. 30 31 // TODO(wtc): move the following members to a new SSLParams structure. They 32 // are not SSL configuration settings. 33 34 struct CertAndStatus { 35 scoped_refptr<X509Certificate> cert; 36 int cert_status; 37 }; 38 39 // Returns true if |cert| is one of the certs in |allowed_bad_certs|. 40 // TODO(wtc): Move this to a .cc file. ssl_config_service.cc is Windows 41 // only right now, so I can't move it there. IsAllowedBadCertSSLConfig42 bool IsAllowedBadCert(X509Certificate* cert) const { 43 for (size_t i = 0; i < allowed_bad_certs.size(); ++i) { 44 if (cert == allowed_bad_certs[i].cert) 45 return true; 46 } 47 return false; 48 } 49 50 // Add any known-bad SSL certificate (with its cert status) to 51 // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when 52 // calling SSLClientSocket::Connect. This would normally be done in 53 // response to the user explicitly accepting the bad certificate. 54 std::vector<CertAndStatus> allowed_bad_certs; 55 56 // True if we should send client_cert to the server. 57 bool send_client_cert; 58 59 bool verify_ev_cert; // True if we should verify the certificate for EV. 60 61 // The list of application level protocols supported. If set, this will 62 // enable Next Protocol Negotiation (if supported). This is a list of 8-bit 63 // length prefixed strings. The order of the protocols doesn't matter expect 64 // for one case: if the server supports Next Protocol Negotiation, but there 65 // is no overlap between the server's and client's protocol sets, then the 66 // first protocol in this list will be requested by the client. 67 std::string next_protos; 68 69 scoped_refptr<X509Certificate> client_cert; 70 }; 71 72 // The interface for retrieving the SSL configuration. This interface 73 // does not cover setting the SSL configuration, as on some systems, the 74 // SSLConfigService objects may not have direct access to the configuration, or 75 // live longer than the configuration preferences. 76 class SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> { 77 public: 78 // Create an instance of SSLConfigService which retrieves the configuration 79 // from the system SSL configuration, or an instance of 80 // SSLConfigServiceDefaults if the current system does not have a system SSL 81 // configuration. Note: this does not handle SSLConfigService implementations 82 // that are not native to their platform, such as preference-backed ones. 83 static SSLConfigService* CreateSystemSSLConfigService(); 84 85 // May not be thread-safe, should only be called on the IO thread. 86 virtual void GetSSLConfig(SSLConfig* config) = 0; 87 88 protected: 89 friend class base::RefCountedThreadSafe<SSLConfigService>; 90 ~SSLConfigService()91 virtual ~SSLConfigService() {} 92 }; 93 94 } // namespace net 95 96 #endif // NET_BASE_SSL_CONFIG_SERVICE_H_ 97