1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_BASE_SSL_CONFIG_SERVICE_H_ 6 #define NET_BASE_SSL_CONFIG_SERVICE_H_ 7 #pragma once 8 9 #include <vector> 10 11 #include "base/basictypes.h" 12 #include "base/memory/ref_counted.h" 13 #include "base/observer_list.h" 14 #include "net/base/net_export.h" 15 #include "net/base/x509_certificate.h" 16 17 namespace net { 18 19 // A collection of SSL-related configuration settings. 20 struct NET_EXPORT SSLConfig { 21 // Default to revocation checking. 22 // Default to SSL 3.0 on and TLS 1.0 on. 23 SSLConfig(); 24 ~SSLConfig(); 25 26 // Returns true if |cert| is one of the certs in |allowed_bad_certs|. 27 bool IsAllowedBadCert(X509Certificate* cert) const; 28 29 bool rev_checking_enabled; // True if server certificate revocation 30 // checking is enabled. 31 // SSL 2.0 is not supported. 32 bool ssl3_enabled; // True if SSL 3.0 is enabled. 33 bool tls1_enabled; // True if TLS 1.0 is enabled. 34 bool dnssec_enabled; // True if we'll accept DNSSEC chains in certificates. 35 // True if we'll do async checks for certificate provenance using DNS. 36 bool dns_cert_provenance_checking_enabled; 37 38 // Cipher suites which should be explicitly prevented from being used in 39 // addition to those disabled by the net built-in policy -- by default, all 40 // cipher suites supported by the underlying SSL implementation will be 41 // enabled except for: 42 // - Null encryption cipher suites. 43 // - Weak cipher suites: < 80 bits of security strength. 44 // - FORTEZZA cipher suites (obsolete). 45 // - IDEA cipher suites (RFC 5469 explains why). 46 // - Anonymous cipher suites. 47 // The ciphers listed in |disabled_cipher_suites| will be removed in addition 48 // to the above statically defined disable list. 49 // 50 // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in 51 // big-endian form, they should be declared in host byte order, with the 52 // first uint8 occupying the most significant byte. 53 // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to 54 // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002. 55 // 56 // TODO(rsleevi): Not implemented when using Schannel. 57 std::vector<uint16> disabled_cipher_suites; 58 59 bool false_start_enabled; // True if we'll use TLS False Start. 60 61 // TODO(wtc): move the following members to a new SSLParams structure. They 62 // are not SSL configuration settings. 63 64 struct CertAndStatus { 65 CertAndStatus(); 66 ~CertAndStatus(); 67 68 scoped_refptr<X509Certificate> cert; 69 int cert_status; 70 }; 71 72 // Add any known-bad SSL certificate (with its cert status) to 73 // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when 74 // calling SSLClientSocket::Connect. This would normally be done in 75 // response to the user explicitly accepting the bad certificate. 76 std::vector<CertAndStatus> allowed_bad_certs; 77 78 // True if we should send client_cert to the server. 79 bool send_client_cert; 80 81 bool verify_ev_cert; // True if we should verify the certificate for EV. 82 83 bool ssl3_fallback; // True if we are falling back to SSL 3.0 (one still 84 // needs to clear tls1_enabled). 85 86 // The list of application level protocols supported. If set, this will 87 // enable Next Protocol Negotiation (if supported). This is a list of 8-bit 88 // length prefixed strings. The order of the protocols doesn't matter expect 89 // for one case: if the server supports Next Protocol Negotiation, but there 90 // is no overlap between the server's and client's protocol sets, then the 91 // first protocol in this list will be requested by the client. 92 std::string next_protos; 93 94 scoped_refptr<X509Certificate> client_cert; 95 }; 96 97 // The interface for retrieving the SSL configuration. This interface 98 // does not cover setting the SSL configuration, as on some systems, the 99 // SSLConfigService objects may not have direct access to the configuration, or 100 // live longer than the configuration preferences. 101 class NET_EXPORT SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> { 102 public: 103 // Observer is notified when SSL config settings have changed. 104 class NET_EXPORT Observer { 105 public: 106 // Notify observers if SSL settings have changed. We don't check all of the 107 // data in SSLConfig, just those that qualify as a user config change. 108 // The following settings are considered user changes: 109 // rev_checking_enabled 110 // ssl3_enabled 111 // tls1_enabled 112 virtual void OnSSLConfigChanged() = 0; 113 114 protected: ~Observer()115 virtual ~Observer() {} 116 }; 117 118 SSLConfigService(); 119 120 // Create an instance of SSLConfigService which retrieves the configuration 121 // from the system SSL configuration, or an instance of 122 // SSLConfigServiceDefaults if the current system does not have a system SSL 123 // configuration. Note: this does not handle SSLConfigService implementations 124 // that are not native to their platform, such as preference-backed ones. 125 static SSLConfigService* CreateSystemSSLConfigService(); 126 127 // May not be thread-safe, should only be called on the IO thread. 128 virtual void GetSSLConfig(SSLConfig* config) = 0; 129 130 // Returns true if the given hostname is known to be incompatible with TLS 131 // False Start. 132 static bool IsKnownFalseStartIncompatibleServer(const std::string& hostname); 133 134 // Enables the acceptance of self-signed certificates which contain an 135 // embedded DNSSEC chain proving their validity. 136 static void EnableDNSSEC(); 137 static bool dnssec_enabled(); 138 139 // Disables False Start in SSL connections. 140 static void DisableFalseStart(); 141 // True if we use False Start for SSL and TLS. 142 static bool false_start_enabled(); 143 144 // Enables DNS side checks for certificates. 145 static void EnableDNSCertProvenanceChecking(); 146 static bool dns_cert_provenance_checking_enabled(); 147 148 // Add an observer of this service. 149 void AddObserver(Observer* observer); 150 151 // Remove an observer of this service. 152 void RemoveObserver(Observer* observer); 153 154 protected: 155 friend class base::RefCountedThreadSafe<SSLConfigService>; 156 157 virtual ~SSLConfigService(); 158 159 // SetFlags sets the values of several flags based on global configuration. 160 static void SetSSLConfigFlags(SSLConfig* ssl_config); 161 162 // Process before/after config update. 163 void ProcessConfigUpdate(const SSLConfig& orig_config, 164 const SSLConfig& new_config); 165 166 private: 167 ObserverList<Observer> observer_list_; 168 }; 169 170 } // namespace net 171 172 #endif // NET_BASE_SSL_CONFIG_SERVICE_H_ 173