Blink roll 173193:173208
[chromium-blink-merge.git] / net / ssl / ssl_config.h
blob27312147f0f5beff209c1afc2044e2d12d1fbe74
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_SSL_SSL_CONFIG_H_
6 #define NET_SSL_SSL_CONFIG_H_
8 #include "base/basictypes.h"
9 #include "base/memory/ref_counted.h"
10 #include "net/base/net_export.h"
11 #include "net/cert/x509_certificate.h"
13 namespace net {
15 // Various TLS/SSL ProtocolVersion values encoded as uint16
16 // struct {
17 // uint8 major;
18 // uint8 minor;
19 // } ProtocolVersion;
20 // The most significant byte is |major|, and the least significant byte
21 // is |minor|.
22 enum {
23 SSL_PROTOCOL_VERSION_SSL3 = 0x0300,
24 SSL_PROTOCOL_VERSION_TLS1 = 0x0301,
25 SSL_PROTOCOL_VERSION_TLS1_1 = 0x0302,
26 SSL_PROTOCOL_VERSION_TLS1_2 = 0x0303,
29 // Default minimum protocol version.
30 NET_EXPORT extern const uint16 kDefaultSSLVersionMin;
32 // Default maximum protocol version.
33 NET_EXPORT extern const uint16 kDefaultSSLVersionMax;
35 // A collection of SSL-related configuration settings.
36 struct NET_EXPORT SSLConfig {
37 // Default to revocation checking.
38 // Default to SSL 3.0 ~ default_version_max() on.
39 SSLConfig();
40 ~SSLConfig();
42 // Returns true if |cert| is one of the certs in |allowed_bad_certs|.
43 // The expected cert status is written to |cert_status|. |*cert_status| can
44 // be NULL if user doesn't care about the cert status.
45 bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const;
47 // Same as above except works with DER encoded certificates instead
48 // of X509Certificate.
49 bool IsAllowedBadCert(const base::StringPiece& der_cert,
50 CertStatus* cert_status) const;
52 // rev_checking_enabled is true if online certificate revocation checking is
53 // enabled (i.e. OCSP and CRL fetching).
55 // Regardless of this flag, CRLSet checking is always enabled and locally
56 // cached revocation information will be considered.
57 bool rev_checking_enabled;
59 // rev_checking_required_local_anchors is true if revocation checking is
60 // required to succeed when certificates chain to local trust anchors (that
61 // is, non-public CAs). If revocation information cannot be obtained, such
62 // certificates will be treated as revoked ("hard-fail").
63 // Note: This is distinct from rev_checking_enabled. If true, it is
64 // equivalent to also setting rev_checking_enabled, but only when the
65 // certificate chain chains to a local (non-public) trust anchor.
66 bool rev_checking_required_local_anchors;
68 // The minimum and maximum protocol versions that are enabled.
69 // SSL 3.0 is 0x0300, TLS 1.0 is 0x0301, TLS 1.1 is 0x0302, and so on.
70 // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.)
71 // SSL 2.0 is not supported. If version_max < version_min, it means no
72 // protocol versions are enabled.
73 uint16 version_min;
74 uint16 version_max;
76 // Presorted list of cipher suites which should be explicitly prevented from
77 // being used in addition to those disabled by the net built-in policy.
79 // By default, all cipher suites supported by the underlying SSL
80 // implementation will be enabled except for:
81 // - Null encryption cipher suites.
82 // - Weak cipher suites: < 80 bits of security strength.
83 // - FORTEZZA cipher suites (obsolete).
84 // - IDEA cipher suites (RFC 5469 explains why).
85 // - Anonymous cipher suites.
86 // - ECDSA cipher suites on platforms that do not support ECDSA signed
87 // certificates, as servers may use the presence of such ciphersuites as a
88 // hint to send an ECDSA certificate.
89 // The ciphers listed in |disabled_cipher_suites| will be removed in addition
90 // to the above list.
92 // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in
93 // big-endian form, they should be declared in host byte order, with the
94 // first uint8 occupying the most significant byte.
95 // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
96 // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
97 std::vector<uint16> disabled_cipher_suites;
99 bool channel_id_enabled; // True if TLS channel ID extension is enabled.
100 bool false_start_enabled; // True if we'll use TLS False Start.
101 // True if the Certificate Transparency signed_certificate_timestamp
102 // TLS extension is enabled.
103 bool signed_cert_timestamps_enabled;
105 // require_forward_secrecy, if true, causes only (EC)DHE cipher suites to be
106 // enabled. NOTE: this only applies to server sockets currently, although
107 // that could be extended if needed.
108 bool require_forward_secrecy;
110 // TODO(wtc): move the following members to a new SSLParams structure. They
111 // are not SSL configuration settings.
113 struct NET_EXPORT CertAndStatus {
114 CertAndStatus();
115 ~CertAndStatus();
117 std::string der_cert;
118 CertStatus cert_status;
121 // Add any known-bad SSL certificate (with its cert status) to
122 // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when
123 // calling SSLClientSocket::Connect. This would normally be done in
124 // response to the user explicitly accepting the bad certificate.
125 std::vector<CertAndStatus> allowed_bad_certs;
127 // True if we should send client_cert to the server.
128 bool send_client_cert;
130 bool verify_ev_cert; // True if we should verify the certificate for EV.
132 bool version_fallback; // True if we are falling back to an older protocol
133 // version (one still needs to decrement
134 // version_max).
136 // If cert_io_enabled is false, then certificate verification will not
137 // result in additional HTTP requests. (For example: to fetch missing
138 // intermediates or to perform OCSP/CRL fetches.) It also implies that online
139 // revocation checking is disabled.
140 // NOTE: Only used by NSS.
141 bool cert_io_enabled;
143 // The list of application level protocols supported. If set, this will
144 // enable Next Protocol Negotiation (if supported). The order of the
145 // protocols doesn't matter expect for one case: if the server supports Next
146 // Protocol Negotiation, but there is no overlap between the server's and
147 // client's protocol sets, then the first protocol in this list will be
148 // requested by the client.
149 std::vector<std::string> next_protos;
151 scoped_refptr<X509Certificate> client_cert;
154 } // namespace net
156 #endif // NET_SSL_SSL_CONFIG_H_