Commit 4d0b082a authored by davidben Committed by Commit bot

Unwind the fallback admin policy knobs.

Part 1 of removing the TLS version fallback code. Later commits will unwind
other pieces.

The admin policy has expired, so there is no need to keep the code around.

BUG=621780

Review-Url: https://codereview.chromium.org/2098723002
Cr-Commit-Position: refs/heads/master@{#402310}
parent c3a4cc42
......@@ -389,9 +389,6 @@ const PolicyToPreferenceMapEntry kSimplePolicyMap[] = {
{ key::kForceEphemeralProfiles,
prefs::kForceEphemeralProfiles,
base::Value::TYPE_BOOLEAN },
{ key::kSSLVersionFallbackMin,
ssl_config::prefs::kSSLVersionFallbackMin,
base::Value::TYPE_STRING },
{ key::kDHEEnabled,
ssl_config::prefs::kDHEEnabled,
base::Value::TYPE_BOOLEAN },
......
......@@ -114,7 +114,6 @@
#include "components/search_engines/template_url.h"
#include "components/search_engines/template_url_service.h"
#include "components/security_interstitials/core/controller_client.h"
#include "components/ssl_config/ssl_config_prefs.h"
#include "components/strings/grit/components_strings.h"
#include "components/translate/core/browser/language_state.h"
#include "components/translate/core/browser/translate_infobar_delegate.h"
......@@ -170,8 +169,6 @@
#include "net/base/net_errors.h"
#include "net/base/url_util.h"
#include "net/http/http_stream_factory.h"
#include "net/ssl/ssl_config.h"
#include "net/ssl/ssl_config_service.h"
#include "net/test/embedded_test_server/embedded_test_server.h"
#include "net/test/url_request/url_request_failed_job.h"
#include "net/test/url_request/url_request_mock_http_job.h"
......@@ -2626,53 +2623,6 @@ IN_PROC_BROWSER_TEST_F(PolicyTest, MAYBE_FileURLBlacklist) {
CheckURLIsBlocked(browser(), file_path2.c_str());
}
namespace {
void GetSSLVersionFallbackMinOnIOThread(
const scoped_refptr<net::SSLConfigService>& config_service,
uint16_t* version_fallback_min) {
net::SSLConfig config;
config_service->GetSSLConfig(&config);
*version_fallback_min = config.version_fallback_min;
}
uint16_t GetSSLVersionFallbackMin(Profile* profile) {
scoped_refptr<net::SSLConfigService> config_service(
profile->GetSSLConfigService());
uint16_t version_fallback_min;
base::RunLoop loop;
BrowserThread::PostTaskAndReply(
BrowserThread::IO, FROM_HERE,
base::Bind(&GetSSLVersionFallbackMinOnIOThread, config_service,
base::Unretained(&version_fallback_min)),
loop.QuitClosure());
loop.Run();
return version_fallback_min;
}
} // namespace
IN_PROC_BROWSER_TEST_F(PolicyTest, SSLVersionFallbackMin) {
PrefService* prefs = g_browser_process->local_state();
const std::string new_value("tls1.1");
const std::string default_value(
prefs->GetString(ssl_config::prefs::kSSLVersionFallbackMin));
EXPECT_NE(default_value, new_value);
EXPECT_EQ(net::SSL_PROTOCOL_VERSION_TLS1_2,
GetSSLVersionFallbackMin(browser()->profile()));
PolicyMap policies;
policies.Set(key::kSSLVersionFallbackMin, POLICY_LEVEL_MANDATORY,
POLICY_SCOPE_USER, POLICY_SOURCE_CLOUD,
base::WrapUnique(new base::StringValue(new_value)), nullptr);
UpdateProviderPolicy(policies);
EXPECT_EQ(net::SSL_PROTOCOL_VERSION_TLS1_1,
GetSSLVersionFallbackMin(browser()->profile()));
}
#if !defined(OS_MACOSX)
IN_PROC_BROWSER_TEST_F(PolicyTest, FullscreenAllowedBrowser) {
PolicyMap policies;
......
......@@ -42,8 +42,6 @@ const CommandLinePrefStore::StringSwitchToPreferenceMapEntry
{ switches::kAuthServerWhitelist, prefs::kAuthServerWhitelist },
{ switches::kSSLVersionMin, ssl_config::prefs::kSSLVersionMin },
{ switches::kSSLVersionMax, ssl_config::prefs::kSSLVersionMax },
{ switches::kSSLVersionFallbackMin,
ssl_config::prefs::kSSLVersionFallbackMin },
#if defined(OS_ANDROID)
{ switches::kAuthAndroidNegotiateAccountType,
prefs::kAuthAndroidNegotiateAccountType },
......
......@@ -1862,9 +1862,6 @@
},
"SSLVersionFallbackMin": {
"os": ["win", "linux", "mac", "chromeos"],
"test_policy": { "SSLVersionFallbackMin": "tls1.2" },
"pref_mappings": []
},
"RC4Enabled": {
......
......@@ -7909,6 +7909,7 @@
'dynamic_refresh': True,
'per_profile': False,
},
'deprecated': True,
'example_value': 'tls1.1',
'id': 280,
'caption': '''Minimum TLS version to fallback to''',
......
......@@ -13,7 +13,6 @@ const char kCertRevocationCheckingRequiredLocalAnchors[] =
"ssl.rev_checking.required_for_local_anchors";
const char kSSLVersionMin[] = "ssl.version_min";
const char kSSLVersionMax[] = "ssl.version_max";
const char kSSLVersionFallbackMin[] = "ssl.version_fallback_min";
const char kCipherSuiteBlacklist[] = "ssl.cipher_suites.blacklist";
const char kDHEEnabled[] = "ssl.dhe_enabled";
......
......@@ -12,7 +12,6 @@ extern const char kCertRevocationCheckingEnabled[];
extern const char kCertRevocationCheckingRequiredLocalAnchors[];
extern const char kSSLVersionMin[];
extern const char kSSLVersionMax[];
extern const char kSSLVersionFallbackMin[];
extern const char kCipherSuiteBlacklist[];
extern const char kDHEEnabled[];
......
......@@ -172,7 +172,6 @@ class SSLConfigServiceManagerPref : public ssl_config::SSLConfigServiceManager {
BooleanPrefMember rev_checking_required_local_anchors_;
StringPrefMember ssl_version_min_;
StringPrefMember ssl_version_max_;
StringPrefMember ssl_version_fallback_min_;
BooleanPrefMember dhe_enabled_;
// The cached list of disabled SSL cipher suites.
......@@ -213,8 +212,6 @@ SSLConfigServiceManagerPref::SSLConfigServiceManagerPref(
local_state_callback);
ssl_version_max_.Init(ssl_config::prefs::kSSLVersionMax, local_state,
local_state_callback);
ssl_version_fallback_min_.Init(ssl_config::prefs::kSSLVersionFallbackMin,
local_state, local_state_callback);
dhe_enabled_.Init(ssl_config::prefs::kDHEEnabled, local_state,
local_state_callback);
......@@ -242,8 +239,6 @@ void SSLConfigServiceManagerPref::RegisterPrefs(PrefRegistrySimple* registry) {
std::string());
registry->RegisterStringPref(ssl_config::prefs::kSSLVersionMax,
std::string());
registry->RegisterStringPref(ssl_config::prefs::kSSLVersionFallbackMin,
std::string());
registry->RegisterListPref(ssl_config::prefs::kCipherSuiteBlacklist);
registry->RegisterBooleanPref(ssl_config::prefs::kDHEEnabled,
default_config.dhe_enabled);
......@@ -282,14 +277,10 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
rev_checking_required_local_anchors_.GetValue();
std::string version_min_str = ssl_version_min_.GetValue();
std::string version_max_str = ssl_version_max_.GetValue();
std::string version_fallback_min_str = ssl_version_fallback_min_.GetValue();
config->version_min = net::kDefaultSSLVersionMin;
config->version_max = net::kDefaultSSLVersionMax;
config->version_fallback_min = net::kDefaultSSLVersionFallbackMin;
uint16_t version_min = SSLProtocolVersionFromString(version_min_str);
uint16_t version_max = SSLProtocolVersionFromString(version_max_str);
uint16_t version_fallback_min =
SSLProtocolVersionFromString(version_fallback_min_str);
if (version_min) {
config->version_min = version_min;
}
......@@ -297,11 +288,6 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
uint16_t supported_version_max = config->version_max;
config->version_max = std::min(supported_version_max, version_max);
}
// Values below TLS 1.1 are invalid.
if (version_fallback_min &&
version_fallback_min >= net::SSL_PROTOCOL_VERSION_TLS1_1) {
config->version_fallback_min = version_fallback_min;
}
config->disabled_cipher_suites = disabled_cipher_suites_;
config->dhe_enabled = dhe_enabled_.GetValue();
}
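Review bot: Removing `config->version_fallback_min = net::kDefaultSSLVersionFallbackMin;` from GetSSLConfigFromPrefs means this path no longer writes the field at all, while the description says the rest of the fallback code is unwound only in later commits, so net::SSLConfig consumers presumably still read version_fallback_min at this revision. Whether they now see the intended default depends on net::SSLConfig's constructor, which is outside this diff; if it does not initialize the member, every config produced here carries an unset value on a field that governs how far a connection may be downgraded. Worth confirming against the SSLConfig constructor, or keeping the one-line default assignment until the field itself is deleted. GetSSLConfigFromPrefs begins above the first hunk shown for this file.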
......
......@@ -178,28 +178,6 @@ TEST_F(SSLConfigServiceManagerPrefTest, NoSSL3) {
EXPECT_LE(net::SSL_PROTOCOL_VERSION_TLS1, ssl_config.version_min);
}
// Tests that fallback beyond TLS 1.0 cannot be re-enabled.
TEST_F(SSLConfigServiceManagerPrefTest, NoTLS1Fallback) {
scoped_refptr<TestingPrefStore> local_state_store(new TestingPrefStore());
TestingPrefServiceSimple local_state;
local_state.SetUserPref(ssl_config::prefs::kSSLVersionFallbackMin,
new base::StringValue("tls1"));
SSLConfigServiceManager::RegisterPrefs(local_state.registry());
std::unique_ptr<SSLConfigServiceManager> config_manager(
SSLConfigServiceManager::CreateDefaultManager(
&local_state, base::ThreadTaskRunnerHandle::Get()));
ASSERT_TRUE(config_manager.get());
scoped_refptr<SSLConfigService> config_service(config_manager->Get());
ASSERT_TRUE(config_service.get());
SSLConfig ssl_config;
config_service->GetSSLConfig(&ssl_config);
// The command-line option must not have been honored.
EXPECT_EQ(net::SSL_PROTOCOL_VERSION_TLS1_2, ssl_config.version_fallback_min);
}
// Tests that DHE may be re-enabled via features.
TEST_F(SSLConfigServiceManagerPrefTest, DHEFeature) {
// Toggle the feature.
......
......@@ -12,12 +12,8 @@ const char kSSLVersionMax[] = "ssl-version-max";
// Specifies the minimum SSL/TLS version ("tls1", "tls1.1", or "tls1.2").
const char kSSLVersionMin[] = "ssl-version-min";
// Specifies the minimum SSL/TLS version ("tls1.1" or "tls1.2") that
// TLS fallback will accept.
const char kSSLVersionFallbackMin[] = "ssl-version-fallback-min";
// These values aren't switches, but rather the values that kSSLVersionMax,
// kSSLVersionMin and kSSLVersionFallbackMin can have.
// These values aren't switches, but rather the values that kSSLVersionMax and
// kSSLVersionMin can have.
const char kSSLVersionTLSv1[] = "tls1";
const char kSSLVersionTLSv11[] = "tls1.1";
const char kSSLVersionTLSv12[] = "tls1.2";
......
......@@ -9,7 +9,6 @@ namespace switches {
extern const char kSSLVersionMax[];
extern const char kSSLVersionMin[];
extern const char kSSLVersionFallbackMin[];
extern const char kSSLVersionTLSv1[];
extern const char kSSLVersionTLSv11[];
extern const char kSSLVersionTLSv12[];
......