net: disable SSLv3.

BUG=419870,427671 R=davidben@chromium.org, felt@chromium.org, rsleevi@chromium.org Review URL: https://codereview.chromium.org/649413004 Change-Id: I9c600e76603e84b593d809a1c407d7758e08f110 Cr-Commit-Position: refs/heads/master@{#302315}
CyanogenMod · Jun 29, 2015 · dc36a2d · dc36a2d
1 parent 6502fd5
commit dc36a2d
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 3 deletions.
diff --git a/chrome/app/generated_resources.grd b/chrome/app/generated_resources.grd
@@ -8981,6 +8981,26 @@ Keep your key file in a safe place. You will need it to create new versions of y
         SSL protocol error.
       </message>
 
+      <message name="IDS_ERRORPAGES_HEADING_SSL_FALLBACK_BEYOND_MINIMUM_VERSION" desc="Heading in the error page for SSL fallback errors.">
+        SSL server probably obsolete.
+      </message>
+      <message name="IDS_ERRORPAGES_SUMMARY_SSL_FALLBACK_BEYOND_MINIMUM_VERSION" desc="Summary in the error page for SSL fallback errors.">
+        Unable to connect securely to the server. This website may have worked previously, but connecting to such sites has now been shown to cause security risks to all users and thus has been disabled for your safety.
+      </message>
+      <message name="IDS_ERRORPAGES_DETAILS_SSL_FALLBACK_BEYOND_MINIMUM_VERSION" desc="The error message displayed for SSL fallback errors.">
+        An SSLv3 fallback was able to handshake with the server, but we no longer accept SSLv3 fallbacks due to new attacks against the protocol. The server needs to be updated to support a minimum of TLS 1.0 and preferably TLS 1.2.
+      </message>
+
+      <message name="IDS_ERRORPAGES_HEADING_SSL_VERSION_OR_CIPHER_MISMATCH" desc="Heading in the error page for SSL cipher and version errors.">
+        This webpage is not available
+      </message>
+      <message name="IDS_ERRORPAGES_SUMMARY_SSL_VERSION_OR_CIPHER_MISMATCH" desc="Summary in the error page for SSL cipher and version errors.">
+        A secure connection cannot be established because this site uses an unsupported protocol.
+      </message>
+      <message name="IDS_ERRORPAGES_DETAILS_SSL_VERSION_OR_CIPHER_MISMATCH" desc="The error message displayed for SSL cipher and version errors.">
+        The client and server don't support a common SSL protocol version or cipher suite. This is usually caused when the server needs SSLv3 support, which has been removed.
+      </message>
+
       <message name="IDS_ERRORPAGES_HEADING_PINNING_FAILURE" desc="Title of the error page for a certificate which doesn't match the built-in pins for that name">
         Incorrect certificate for host.
       </message>

diff --git a/chrome/browser/net/ssl_config_service_manager_pref_unittest.cc b/chrome/browser/net/ssl_config_service_manager_pref_unittest.cc
@@ -127,7 +127,7 @@ TEST_F(SSLConfigServiceManagerPrefTest, BadDisabledCipherSuites) {
 }
 
 // Test that without command-line settings for minimum and maximum SSL versions,
-// SSL 3.0 ~ kDefaultSSLVersionMax are enabled.
+// TLS 1.0 ~ kDefaultSSLVersionMax are enabled.
 TEST_F(SSLConfigServiceManagerPrefTest, NoCommandLinePrefs) {
   scoped_refptr<TestingPrefStore> local_state_store(new TestingPrefStore());
 
@@ -148,7 +148,7 @@ TEST_F(SSLConfigServiceManagerPrefTest, NoCommandLinePrefs) {
   config_service->GetSSLConfig(&ssl_config);
   // The default value in the absence of command-line options is that
   // SSL 3.0 ~ kDefaultSSLVersionMax are enabled.
-  EXPECT_EQ(net::SSL_PROTOCOL_VERSION_SSL3, ssl_config.version_min);
+  EXPECT_EQ(net::SSL_PROTOCOL_VERSION_TLS1, ssl_config.version_min);
   EXPECT_EQ(net::kDefaultSSLVersionMax, ssl_config.version_max);
 
   // The settings should not be added to the local_state.

diff --git a/chrome/common/localized_error.cc b/chrome/common/localized_error.cc
@@ -301,6 +301,20 @@ const LocalizedErrorMap net_error_options[] = {
    IDS_ERRORPAGES_DETAILS_BLOCKED_ENROLLMENT_CHECK_PENDING,
    SUGGEST_CHECK_CONNECTION,
   },
+  {net::ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION,
+   IDS_ERRORPAGES_TITLE_LOAD_FAILED,
+   IDS_ERRORPAGES_HEADING_SSL_FALLBACK_BEYOND_MINIMUM_VERSION,
+   IDS_ERRORPAGES_SUMMARY_SSL_FALLBACK_BEYOND_MINIMUM_VERSION,
+   IDS_ERRORPAGES_DETAILS_SSL_FALLBACK_BEYOND_MINIMUM_VERSION,
+   SUGGEST_LEARNMORE,
+  },
+  {net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH,
+   IDS_ERRORPAGES_TITLE_LOAD_FAILED,
+   IDS_ERRORPAGES_HEADING_SSL_VERSION_OR_CIPHER_MISMATCH,
+   IDS_ERRORPAGES_SUMMARY_SSL_VERSION_OR_CIPHER_MISMATCH,
+   IDS_ERRORPAGES_DETAILS_SSL_VERSION_OR_CIPHER_MISMATCH,
+   SUGGEST_NONE,
+  },
 };
 
 // Special error page to be used in the case of navigating back to a page

diff --git a/net/ssl/ssl_config.cc b/net/ssl/ssl_config.cc
@@ -10,7 +10,7 @@
 
 namespace net {
 
-const uint16 kDefaultSSLVersionMin = SSL_PROTOCOL_VERSION_SSL3;
+const uint16 kDefaultSSLVersionMin = SSL_PROTOCOL_VERSION_TLS1;
 
 const uint16 kDefaultSSLVersionMax =
 #if defined(USE_OPENSSL)