ssl_config_service.h revision 0f1bc08d4cfcc34181b0b5cbf065c40f687bf740 
1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef NET_SSL_SSL_CONFIG_SERVICE_H_
6#define NET_SSL_SSL_CONFIG_SERVICE_H_
7
8#include <vector>
9
10#include "base/basictypes.h"
11#include "base/memory/ref_counted.h"
12#include "base/observer_list.h"
13#include "base/strings/string_piece.h"
14#include "net/base/net_export.h"
15#include "net/cert/cert_status_flags.h"
16#include "net/cert/crl_set.h"
17#include "net/cert/x509_certificate.h"
18
19namespace net {
20
21// Various TLS/SSL ProtocolVersion values encoded as uint16
22//      struct {
23//          uint8 major;
24//          uint8 minor;
25//      } ProtocolVersion;
26// The most significant byte is |major|, and the least significant byte
27// is |minor|.
28enum {
29  SSL_PROTOCOL_VERSION_SSL3 = 0x0300,
30  SSL_PROTOCOL_VERSION_TLS1 = 0x0301,
31  SSL_PROTOCOL_VERSION_TLS1_1 = 0x0302,
32  SSL_PROTOCOL_VERSION_TLS1_2 = 0x0303,
33};
34
35// A collection of SSL-related configuration settings.
36struct NET_EXPORT SSLConfig {
37  // Default to revocation checking.
38  // Default to SSL 3.0 ~ default_version_max() on.
39  SSLConfig();
40  ~SSLConfig();
41
42  // Returns true if |cert| is one of the certs in |allowed_bad_certs|.
43  // The expected cert status is written to |cert_status|. |*cert_status| can
44  // be NULL if user doesn't care about the cert status.
45  bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const;
46
47  // Same as above except works with DER encoded certificates instead
48  // of X509Certificate.
49  bool IsAllowedBadCert(const base::StringPiece& der_cert,
50                        CertStatus* cert_status) const;
51
52  // rev_checking_enabled is true if online certificate revocation checking is
53  // enabled (i.e. OCSP and CRL fetching).
54  //
55  // Regardless of this flag, CRLSet checking is always enabled and locally
56  // cached revocation information will be considered.
57  bool rev_checking_enabled;
58
59  // rev_checking_required_local_anchors is true if revocation checking is
60  // required to succeed when certificates chain to local trust anchors (that
61  // is, non-public CAs). If revocation information cannot be obtained, such
62  // certificates will be treated as revoked ("hard-fail").
63  // Note: This is distinct from rev_checking_enabled. If true, it is
64  // equivalent to also setting rev_checking_enabled, but only when the
65  // certificate chain chains to a local (non-public) trust anchor.
66  bool rev_checking_required_local_anchors;
67
68  // The minimum and maximum protocol versions that are enabled.
69  // SSL 3.0 is 0x0300, TLS 1.0 is 0x0301, TLS 1.1 is 0x0302, and so on.
70  // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.)
71  // SSL 2.0 is not supported. If version_max < version_min, it means no
72  // protocol versions are enabled.
73  uint16 version_min;
74  uint16 version_max;
75
76  // Presorted list of cipher suites which should be explicitly prevented from
77  // being used in addition to those disabled by the net built-in policy.
78  //
79  // By default, all cipher suites supported by the underlying SSL
80  // implementation will be enabled except for:
81  // - Null encryption cipher suites.
82  // - Weak cipher suites: < 80 bits of security strength.
83  // - FORTEZZA cipher suites (obsolete).
84  // - IDEA cipher suites (RFC 5469 explains why).
85  // - Anonymous cipher suites.
86  // - ECDSA cipher suites on platforms that do not support ECDSA signed
87  //   certificates, as servers may use the presence of such ciphersuites as a
88  //   hint to send an ECDSA certificate.
89  // The ciphers listed in |disabled_cipher_suites| will be removed in addition
90  // to the above list.
91  //
92  // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in
93  // big-endian form, they should be declared in host byte order, with the
94  // first uint8 occupying the most significant byte.
95  // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
96  // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
97  std::vector<uint16> disabled_cipher_suites;
98
99  bool cached_info_enabled;  // True if TLS cached info extension is enabled.
100  bool channel_id_enabled;   // True if TLS channel ID extension is enabled.
101  bool false_start_enabled;  // True if we'll use TLS False Start.
102
103  // require_forward_secrecy, if true, causes only (EC)DHE cipher suites to be
104  // enabled. NOTE: this only applies to server sockets currently, although
105  // that could be extended if needed.
106  bool require_forward_secrecy;
107
108  // If |unrestricted_ssl3_fallback_enabled| is true, SSL 3.0 fallback will be
109  // enabled for all sites.
110  // If |unrestricted_ssl3_fallback_enabled| is false, SSL 3.0 fallback will be
111  // disabled for a site pinned to the Google pin list (indicating that it is a
112  // Google site).
113  bool unrestricted_ssl3_fallback_enabled;
114
115  // TODO(wtc): move the following members to a new SSLParams structure.  They
116  // are not SSL configuration settings.
117
118  struct NET_EXPORT CertAndStatus {
119    CertAndStatus();
120    ~CertAndStatus();
121
122    std::string der_cert;
123    CertStatus cert_status;
124  };
125
126  // Add any known-bad SSL certificate (with its cert status) to
127  // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when
128  // calling SSLClientSocket::Connect.  This would normally be done in
129  // response to the user explicitly accepting the bad certificate.
130  std::vector<CertAndStatus> allowed_bad_certs;
131
132  // True if we should send client_cert to the server.
133  bool send_client_cert;
134
135  bool verify_ev_cert;  // True if we should verify the certificate for EV.
136
137  bool version_fallback;  // True if we are falling back to an older protocol
138                          // version (one still needs to decrement
139                          // version_max).
140
141  // If cert_io_enabled is false, then certificate verification will not
142  // result in additional HTTP requests. (For example: to fetch missing
143  // intermediates or to perform OCSP/CRL fetches.) It also implies that online
144  // revocation checking is disabled.
145  // NOTE: Only used by NSS.
146  bool cert_io_enabled;
147
148  // The list of application level protocols supported. If set, this will
149  // enable Next Protocol Negotiation (if supported). The order of the
150  // protocols doesn't matter expect for one case: if the server supports Next
151  // Protocol Negotiation, but there is no overlap between the server's and
152  // client's protocol sets, then the first protocol in this list will be
153  // requested by the client.
154  std::vector<std::string> next_protos;
155
156  scoped_refptr<X509Certificate> client_cert;
157};
158
159// The interface for retrieving the SSL configuration.  This interface
160// does not cover setting the SSL configuration, as on some systems, the
161// SSLConfigService objects may not have direct access to the configuration, or
162// live longer than the configuration preferences.
163class NET_EXPORT SSLConfigService
164    : public base::RefCountedThreadSafe<SSLConfigService> {
165 public:
166  // Observer is notified when SSL config settings have changed.
167  class NET_EXPORT Observer {
168   public:
169    // Notify observers if SSL settings have changed.  We don't check all of the
170    // data in SSLConfig, just those that qualify as a user config change.
171    // The following settings are considered user changes:
172    //     rev_checking_enabled
173    //     version_min
174    //     version_max
175    //     disabled_cipher_suites
176    //     channel_id_enabled
177    //     false_start_enabled
178    //     require_forward_secrecy
179    virtual void OnSSLConfigChanged() = 0;
180
181   protected:
182    virtual ~Observer() {}
183  };
184
185  SSLConfigService();
186
187  // May not be thread-safe, should only be called on the IO thread.
188  virtual void GetSSLConfig(SSLConfig* config) = 0;
189
190  // Sets and gets the current, global CRL set.
191  static void SetCRLSet(scoped_refptr<CRLSet> crl_set);
192  static scoped_refptr<CRLSet> GetCRLSet();
193
194  // Enables the TLS cached info extension, which allows the server to send
195  // just a digest of its certificate chain.
196  static void EnableCachedInfo();
197  static bool cached_info_enabled();
198
199  // Gets the default minimum protocol version.
200  static uint16 default_version_min();
201
202  // Gets the default maximum protocol version.
203  static uint16 default_version_max();
204
205  // Is SNI available in this configuration?
206  static bool IsSNIAvailable(SSLConfigService* service);
207
208  // Add an observer of this service.
209  void AddObserver(Observer* observer);
210
211  // Remove an observer of this service.
212  void RemoveObserver(Observer* observer);
213
214  // Calls the OnSSLConfigChanged method of registered observers. Should only be
215  // called on the IO thread.
216  void NotifySSLConfigChange();
217
218 protected:
219  friend class base::RefCountedThreadSafe<SSLConfigService>;
220
221  virtual ~SSLConfigService();
222
223  // SetFlags sets the values of several flags based on global configuration.
224  static void SetSSLConfigFlags(SSLConfig* ssl_config);
225
226  // Process before/after config update.
227  void ProcessConfigUpdate(const SSLConfig& orig_config,
228                           const SSLConfig& new_config);
229
230 private:
231  ObserverList<Observer> observer_list_;
232};
233
234}  // namespace net
235
236#endif  // NET_SSL_SSL_CONFIG_SERVICE_H_
237