net/ssl/ssl_config.h

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef NET_SSL_SSL_CONFIG_H_
   6 #define NET_SSL_SSL_CONFIG_H_
   7
   8 #include "base/basictypes.h"
   9 #include "base/memory/ref_counted.h"
  10 #include "net/base/net_export.h"
  11 #include "net/cert/x509_certificate.h"
  12 #include "net/socket/next_proto.h"
  13
  14 namespace net {
  15
  16 // Various TLS/SSL ProtocolVersion values encoded as uint16
  17 //      struct {
  18 //          uint8 major;
  19 //          uint8 minor;
  20 //      } ProtocolVersion;
  21 // The most significant byte is |major|, and the least significant byte
  22 // is |minor|.
  23 enum {
  24   SSL_PROTOCOL_VERSION_SSL3 = 0x0300,
  25   SSL_PROTOCOL_VERSION_TLS1 = 0x0301,
  26   SSL_PROTOCOL_VERSION_TLS1_1 = 0x0302,
  27   SSL_PROTOCOL_VERSION_TLS1_2 = 0x0303,
  28 };
  29
  30 // Default minimum protocol version.
  31 NET_EXPORT extern const uint16 kDefaultSSLVersionMin;
  32
  33 // For maximum supported protocol version, use
  34 // SSLClientSocket::GetMaxSupportedSSLVersion().
  35
  36 // Default minimum protocol version that it's acceptable to fallback to.
  37 NET_EXPORT extern const uint16 kDefaultSSLVersionFallbackMin;
  38
  39 // A collection of SSL-related configuration settings.
  40 struct NET_EXPORT SSLConfig {
  41   // Default to revocation checking.
  42   // Default to SSL 3.0 ~ default_version_max() on.
  43   SSLConfig();
  44   ~SSLConfig();
  45
  46   // Returns true if |cert| is one of the certs in |allowed_bad_certs|.
  47   // The expected cert status is written to |cert_status|. |*cert_status| can
  48   // be NULL if user doesn't care about the cert status.
  49   bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const;
  50
  51   // Same as above except works with DER encoded certificates instead
  52   // of X509Certificate.
  53   bool IsAllowedBadCert(const base::StringPiece& der_cert,
  54                         CertStatus* cert_status) const;
  55
  56   // rev_checking_enabled is true if online certificate revocation checking is
  57   // enabled (i.e. OCSP and CRL fetching).
  58   //
  59   // Regardless of this flag, CRLSet checking is always enabled and locally
  60   // cached revocation information will be considered.
  61   bool rev_checking_enabled;
  62
  63   // rev_checking_required_local_anchors is true if revocation checking is
  64   // required to succeed when certificates chain to local trust anchors (that
  65   // is, non-public CAs). If revocation information cannot be obtained, such
  66   // certificates will be treated as revoked ("hard-fail").
  67   // Note: This is distinct from rev_checking_enabled. If true, it is
  68   // equivalent to also setting rev_checking_enabled, but only when the
  69   // certificate chain chains to a local (non-public) trust anchor.
  70   bool rev_checking_required_local_anchors;
  71
  72   // The minimum and maximum protocol versions that are enabled.
  73   // SSL 3.0 is 0x0300, TLS 1.0 is 0x0301, TLS 1.1 is 0x0302, and so on.
  74   // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.)
  75   // SSL 2.0 is not supported. If version_max < version_min, it means no
  76   // protocol versions are enabled.
  77   uint16 version_min;
  78   uint16 version_max;
  79
  80   // version_fallback_min contains the minimum version that is acceptable to
  81   // fallback to. Versions before this may be tried to see whether they would
  82   // have succeeded and thus to give a better message to the user, but the
  83   // resulting connection won't be used in these cases.
  84   uint16 version_fallback_min;
  85
  86   // Presorted list of cipher suites which should be explicitly prevented from
  87   // being used in addition to those disabled by the net built-in policy.
  88   //
  89   // By default, all cipher suites supported by the underlying SSL
  90   // implementation will be enabled except for:
  91   // - Null encryption cipher suites.
  92   // - Weak cipher suites: < 80 bits of security strength.
  93   // - FORTEZZA cipher suites (obsolete).
  94   // - IDEA cipher suites (RFC 5469 explains why).
  95   // - Anonymous cipher suites.
  96   // - ECDSA cipher suites on platforms that do not support ECDSA signed
  97   //   certificates, as servers may use the presence of such ciphersuites as a
  98   //   hint to send an ECDSA certificate.
  99   // The ciphers listed in |disabled_cipher_suites| will be removed in addition
 100   // to the above list.
 101   //
 102   // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in
 103   // big-endian form, they should be declared in host byte order, with the
 104   // first uint8 occupying the most significant byte.
 105   // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
 106   // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
 107   std::vector<uint16> disabled_cipher_suites;
 108
 109   bool channel_id_enabled;   // True if TLS channel ID extension is enabled.
 110   bool false_start_enabled;  // True if we'll use TLS False Start.
 111   // True if the Certificate Transparency signed_certificate_timestamp
 112   // TLS extension is enabled.
 113   bool signed_cert_timestamps_enabled;
 114
 115   // require_forward_secrecy, if true, causes only (EC)DHE cipher suites to be
 116   // enabled. NOTE: this only applies to server sockets currently, although
 117   // that could be extended if needed.
 118   bool require_forward_secrecy;
 119
 120   // TODO(wtc): move the following members to a new SSLParams structure.  They
 121   // are not SSL configuration settings.
 122
 123   struct NET_EXPORT CertAndStatus {
 124     CertAndStatus();
 125     ~CertAndStatus();
 126
 127     std::string der_cert;
 128     CertStatus cert_status;
 129   };
 130
 131   // Add any known-bad SSL certificate (with its cert status) to
 132   // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when
 133   // calling SSLClientSocket::Connect.  This would normally be done in
 134   // response to the user explicitly accepting the bad certificate.
 135   std::vector<CertAndStatus> allowed_bad_certs;
 136
 137   // True if we should send client_cert to the server.
 138   bool send_client_cert;
 139
 140   bool verify_ev_cert;  // True if we should verify the certificate for EV.
 141
 142   bool version_fallback;  // True if we are falling back to an older protocol
 143                           // version (one still needs to decrement
 144                           // version_max).
 145
 146   // If cert_io_enabled is false, then certificate verification will not
 147   // result in additional HTTP requests. (For example: to fetch missing
 148   // intermediates or to perform OCSP/CRL fetches.) It also implies that online
 149   // revocation checking is disabled.
 150   // NOTE: Only used by NSS.
 151   bool cert_io_enabled;
 152
 153   // The list of application level protocols supported. If set, this will
 154   // enable Next Protocol Negotiation (if supported). The order of the
 155   // protocols doesn't matter expect for one case: if the server supports Next
 156   // Protocol Negotiation, but there is no overlap between the server's and
 157   // client's protocol sets, then the first protocol in this list will be
 158   // requested by the client.
 159   NextProtoVector next_protos;
 160
 161   scoped_refptr<X509Certificate> client_cert;
 162 };
 163
 164 }  // namespace net
 165
 166 #endif  // NET_SSL_SSL_CONFIG_H_