1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_BASE_SSL_CONFIG_SERVICE_H_ 6 #define NET_BASE_SSL_CONFIG_SERVICE_H_ 7 #pragma once 8 9 #include <vector> 10 11 #include "base/basictypes.h" 12 #include "base/memory/ref_counted.h" 13 #include "base/observer_list.h" 14 #include "net/base/x509_certificate.h" 15 16 namespace net { 17 18 // A collection of SSL-related configuration settings. 19 struct SSLConfig { 20 // Default to revocation checking. 21 // Default to SSL 3.0 on and TLS 1.0 on. 22 SSLConfig(); 23 ~SSLConfig(); 24 25 // Returns true if |cert| is one of the certs in |allowed_bad_certs|. 26 bool IsAllowedBadCert(X509Certificate* cert) const; 27 28 bool rev_checking_enabled; // True if server certificate revocation 29 // checking is enabled. 30 // SSL 2.0 is not supported. 31 bool ssl3_enabled; // True if SSL 3.0 is enabled. 32 bool tls1_enabled; // True if TLS 1.0 is enabled. 33 bool dnssec_enabled; // True if we'll accept DNSSEC chains in certificates. 34 // True if we'll do async checks for certificate provenance using DNS. 35 bool dns_cert_provenance_checking_enabled; 36 37 // Cipher suites which should be explicitly prevented from being used in 38 // addition to those disabled by the net built-in policy -- by default, all 39 // cipher suites supported by the underlying SSL implementation will be 40 // enabled except for: 41 // - Null encryption cipher suites. 42 // - Weak cipher suites: < 80 bits of security strength. 43 // - FORTEZZA cipher suites (obsolete). 44 // - IDEA cipher suites (RFC 5469 explains why). 45 // - Anonymous cipher suites. 46 // The ciphers listed in |disabled_cipher_suites| will be removed in addition 47 // to the above statically defined disable list. 48 // 49 // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in 50 // big-endian form, they should be declared in host byte order, with the 51 // first uint8 occupying the most significant byte. 52 // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to 53 // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002. 54 // 55 // TODO(rsleevi): Not implemented when using Schannel. 56 std::vector<uint16> disabled_cipher_suites; 57 58 bool false_start_enabled; // True if we'll use TLS False Start. 59 60 // TODO(wtc): move the following members to a new SSLParams structure. They 61 // are not SSL configuration settings. 62 63 struct CertAndStatus { 64 CertAndStatus(); 65 ~CertAndStatus(); 66 67 scoped_refptr<X509Certificate> cert; 68 int cert_status; 69 }; 70 71 // Add any known-bad SSL certificate (with its cert status) to 72 // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when 73 // calling SSLClientSocket::Connect. This would normally be done in 74 // response to the user explicitly accepting the bad certificate. 75 std::vector<CertAndStatus> allowed_bad_certs; 76 77 // True if we should send client_cert to the server. 78 bool send_client_cert; 79 80 bool verify_ev_cert; // True if we should verify the certificate for EV. 81 82 bool ssl3_fallback; // True if we are falling back to SSL 3.0 (one still 83 // needs to clear tls1_enabled). 84 85 // The list of application level protocols supported. If set, this will 86 // enable Next Protocol Negotiation (if supported). This is a list of 8-bit 87 // length prefixed strings. The order of the protocols doesn't matter expect 88 // for one case: if the server supports Next Protocol Negotiation, but there 89 // is no overlap between the server's and client's protocol sets, then the 90 // first protocol in this list will be requested by the client. 91 std::string next_protos; 92 93 scoped_refptr<X509Certificate> client_cert; 94 }; 95 96 // The interface for retrieving the SSL configuration. This interface 97 // does not cover setting the SSL configuration, as on some systems, the 98 // SSLConfigService objects may not have direct access to the configuration, or 99 // live longer than the configuration preferences. 100 class SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> { 101 public: 102 // Observer is notified when SSL config settings have changed. 103 class Observer { 104 public: 105 // Notify observers if SSL settings have changed. We don't check all of the 106 // data in SSLConfig, just those that qualify as a user config change. 107 // The following settings are considered user changes: 108 // rev_checking_enabled 109 // ssl3_enabled 110 // tls1_enabled 111 virtual void OnSSLConfigChanged() = 0; 112 113 protected: ~Observer()114 virtual ~Observer() {} 115 }; 116 117 SSLConfigService(); 118 119 // Create an instance of SSLConfigService which retrieves the configuration 120 // from the system SSL configuration, or an instance of 121 // SSLConfigServiceDefaults if the current system does not have a system SSL 122 // configuration. Note: this does not handle SSLConfigService implementations 123 // that are not native to their platform, such as preference-backed ones. 124 static SSLConfigService* CreateSystemSSLConfigService(); 125 126 // May not be thread-safe, should only be called on the IO thread. 127 virtual void GetSSLConfig(SSLConfig* config) = 0; 128 129 // Returns true if the given hostname is known to be incompatible with TLS 130 // False Start. 131 static bool IsKnownFalseStartIncompatibleServer(const std::string& hostname); 132 133 // Enables the acceptance of self-signed certificates which contain an 134 // embedded DNSSEC chain proving their validity. 135 static void EnableDNSSEC(); 136 static bool dnssec_enabled(); 137 138 // Disables False Start in SSL connections. 139 static void DisableFalseStart(); 140 // True if we use False Start for SSL and TLS. 141 static bool false_start_enabled(); 142 143 // Enables DNS side checks for certificates. 144 static void EnableDNSCertProvenanceChecking(); 145 static bool dns_cert_provenance_checking_enabled(); 146 147 // Add an observer of this service. 148 void AddObserver(Observer* observer); 149 150 // Remove an observer of this service. 151 void RemoveObserver(Observer* observer); 152 153 protected: 154 friend class base::RefCountedThreadSafe<SSLConfigService>; 155 156 virtual ~SSLConfigService(); 157 158 // SetFlags sets the values of several flags based on global configuration. 159 static void SetSSLConfigFlags(SSLConfig* ssl_config); 160 161 // Process before/after config update. 162 void ProcessConfigUpdate(const SSLConfig& orig_config, 163 const SSLConfig& new_config); 164 165 private: 166 ObserverList<Observer> observer_list_; 167 }; 168 169 } // namespace net 170 171 #endif // NET_BASE_SSL_CONFIG_SERVICE_H_ 172