1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/ssl/ssl_config.h"
7 #include "net/cert/cert_verifier.h"
8 #include "net/socket/ssl_client_socket.h"
12 const uint16 kDefaultSSLVersionMin
= SSL_PROTOCOL_VERSION_TLS1
;
14 const uint16 kDefaultSSLVersionFallbackMin
= SSL_PROTOCOL_VERSION_TLS1_1
;
16 SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {}
18 SSLConfig::CertAndStatus::~CertAndStatus() {}
20 SSLConfig::SSLConfig()
21 : rev_checking_enabled(false),
22 rev_checking_required_local_anchors(false),
23 version_min(kDefaultSSLVersionMin
),
24 version_max(SSLClientSocket::GetMaxSupportedSSLVersion()),
25 version_fallback_min(kDefaultSSLVersionFallbackMin
),
26 enable_deprecated_cipher_suites(false),
27 channel_id_enabled(true),
28 false_start_enabled(true),
29 signed_cert_timestamps_enabled(true),
31 send_client_cert(false),
32 verify_ev_cert(false),
33 version_fallback(false),
34 cert_io_enabled(true),
35 renego_allowed_default(false) {}
37 SSLConfig::~SSLConfig() {}
39 bool SSLConfig::IsAllowedBadCert(X509Certificate
* cert
,
40 CertStatus
* cert_status
) const {
42 if (!X509Certificate::GetDEREncoded(cert
->os_cert_handle(), &der_cert
))
44 return IsAllowedBadCert(der_cert
, cert_status
);
47 bool SSLConfig::IsAllowedBadCert(const base::StringPiece
& der_cert
,
48 CertStatus
* cert_status
) const {
49 for (size_t i
= 0; i
< allowed_bad_certs
.size(); ++i
) {
50 if (der_cert
== allowed_bad_certs
[i
].der_cert
) {
52 *cert_status
= allowed_bad_certs
[i
].cert_status
;
59 int SSLConfig::GetCertVerifyFlags() const {
61 if (rev_checking_enabled
)
62 flags
|= CertVerifier::VERIFY_REV_CHECKING_ENABLED
;
64 flags
|= CertVerifier::VERIFY_EV_CERT
;
66 flags
|= CertVerifier::VERIFY_CERT_IO_ENABLED
;
67 if (rev_checking_required_local_anchors
)
68 flags
|= CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS
;