1 // Copyright 2014 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_SSL_SSL_CONFIG_H_ 6 #define NET_SSL_SSL_CONFIG_H_ 7 8 #include "base/basictypes.h" 9 #include "base/memory/ref_counted.h" 10 #include "net/base/net_export.h" 11 #include "net/cert/x509_certificate.h" 12 13 namespace net { 14 15 // Various TLS/SSL ProtocolVersion values encoded as uint16 16 // struct { 17 // uint8 major; 18 // uint8 minor; 19 // } ProtocolVersion; 20 // The most significant byte is |major|, and the least significant byte 21 // is |minor|. 22 enum { 23 SSL_PROTOCOL_VERSION_SSL3 = 0x0300, 24 SSL_PROTOCOL_VERSION_TLS1 = 0x0301, 25 SSL_PROTOCOL_VERSION_TLS1_1 = 0x0302, 26 SSL_PROTOCOL_VERSION_TLS1_2 = 0x0303, 27 }; 28 29 // Default minimum protocol version. 30 NET_EXPORT extern const uint16 kDefaultSSLVersionMin; 31 32 // Default maximum protocol version. 33 NET_EXPORT extern const uint16 kDefaultSSLVersionMax; 34 35 // Default minimum protocol version that it's acceptable to fallback to. 36 NET_EXPORT extern const uint16 kDefaultSSLVersionFallbackMin; 37 38 // A collection of SSL-related configuration settings. 39 struct NET_EXPORT SSLConfig { 40 // Default to revocation checking. 41 // Default to SSL 3.0 ~ default_version_max() on. 42 SSLConfig(); 43 ~SSLConfig(); 44 45 // Returns true if |cert| is one of the certs in |allowed_bad_certs|. 46 // The expected cert status is written to |cert_status|. |*cert_status| can 47 // be NULL if user doesn't care about the cert status. 48 bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const; 49 50 // Same as above except works with DER encoded certificates instead 51 // of X509Certificate. 52 bool IsAllowedBadCert(const base::StringPiece& der_cert, 53 CertStatus* cert_status) const; 54 55 // rev_checking_enabled is true if online certificate revocation checking is 56 // enabled (i.e. OCSP and CRL fetching). 57 // 58 // Regardless of this flag, CRLSet checking is always enabled and locally 59 // cached revocation information will be considered. 60 bool rev_checking_enabled; 61 62 // rev_checking_required_local_anchors is true if revocation checking is 63 // required to succeed when certificates chain to local trust anchors (that 64 // is, non-public CAs). If revocation information cannot be obtained, such 65 // certificates will be treated as revoked ("hard-fail"). 66 // Note: This is distinct from rev_checking_enabled. If true, it is 67 // equivalent to also setting rev_checking_enabled, but only when the 68 // certificate chain chains to a local (non-public) trust anchor. 69 bool rev_checking_required_local_anchors; 70 71 // The minimum and maximum protocol versions that are enabled. 72 // SSL 3.0 is 0x0300, TLS 1.0 is 0x0301, TLS 1.1 is 0x0302, and so on. 73 // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.) 74 // SSL 2.0 is not supported. If version_max < version_min, it means no 75 // protocol versions are enabled. 76 uint16 version_min; 77 uint16 version_max; 78 79 // version_fallback_min contains the minimum version that is acceptable to 80 // fallback to. Versions before this may be tried to see whether they would 81 // have succeeded and thus to give a better message to the user, but the 82 // resulting connection won't be used in these cases. 83 uint16 version_fallback_min; 84 85 // Presorted list of cipher suites which should be explicitly prevented from 86 // being used in addition to those disabled by the net built-in policy. 87 // 88 // By default, all cipher suites supported by the underlying SSL 89 // implementation will be enabled except for: 90 // - Null encryption cipher suites. 91 // - Weak cipher suites: < 80 bits of security strength. 92 // - FORTEZZA cipher suites (obsolete). 93 // - IDEA cipher suites (RFC 5469 explains why). 94 // - Anonymous cipher suites. 95 // - ECDSA cipher suites on platforms that do not support ECDSA signed 96 // certificates, as servers may use the presence of such ciphersuites as a 97 // hint to send an ECDSA certificate. 98 // The ciphers listed in |disabled_cipher_suites| will be removed in addition 99 // to the above list. 100 // 101 // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in 102 // big-endian form, they should be declared in host byte order, with the 103 // first uint8 occupying the most significant byte. 104 // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to 105 // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002. 106 std::vector<uint16> disabled_cipher_suites; 107 108 bool channel_id_enabled; // True if TLS channel ID extension is enabled. 109 bool false_start_enabled; // True if we'll use TLS False Start. 110 // True if the Certificate Transparency signed_certificate_timestamp 111 // TLS extension is enabled. 112 bool signed_cert_timestamps_enabled; 113 114 // require_forward_secrecy, if true, causes only (EC)DHE cipher suites to be 115 // enabled. NOTE: this only applies to server sockets currently, although 116 // that could be extended if needed. 117 bool require_forward_secrecy; 118 119 // TODO(wtc): move the following members to a new SSLParams structure. They 120 // are not SSL configuration settings. 121 122 struct NET_EXPORT CertAndStatus { 123 CertAndStatus(); 124 ~CertAndStatus(); 125 126 std::string der_cert; 127 CertStatus cert_status; 128 }; 129 130 // Add any known-bad SSL certificate (with its cert status) to 131 // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when 132 // calling SSLClientSocket::Connect. This would normally be done in 133 // response to the user explicitly accepting the bad certificate. 134 std::vector<CertAndStatus> allowed_bad_certs; 135 136 // True if we should send client_cert to the server. 137 bool send_client_cert; 138 139 bool verify_ev_cert; // True if we should verify the certificate for EV. 140 141 bool version_fallback; // True if we are falling back to an older protocol 142 // version (one still needs to decrement 143 // version_max). 144 145 // If cert_io_enabled is false, then certificate verification will not 146 // result in additional HTTP requests. (For example: to fetch missing 147 // intermediates or to perform OCSP/CRL fetches.) It also implies that online 148 // revocation checking is disabled. 149 // NOTE: Only used by NSS. 150 bool cert_io_enabled; 151 152 // The list of application level protocols supported. If set, this will 153 // enable Next Protocol Negotiation (if supported). The order of the 154 // protocols doesn't matter expect for one case: if the server supports Next 155 // Protocol Negotiation, but there is no overlap between the server's and 156 // client's protocol sets, then the first protocol in this list will be 157 // requested by the client. 158 std::vector<std::string> next_protos; 159 160 scoped_refptr<X509Certificate> client_cert; 161 }; 162 163 } // namespace net 164 165 #endif // NET_SSL_SSL_CONFIG_H_ 166