Add Enterprise policy option to control minimum SSL fallback level.

r299567 disabled SSLv3 fallback. This change adds an enterprise policy option to control this value so that enterprises can reenable the fallback if they need it. This option is in contrast to the one added in r299755. That one allows enterprises to be more aggressive in disabling SSLv3, while this one is intended for those who need to more slower that Chrome's default. BUG=418848,419870 Review URL: https://codereview.chromium.org/644913008 Cr-Commit-Position: refs/heads/master@{#300178}
crosswalk-project · Oct 17, 2014 · 33369a4 · 33369a4
1 parent a84d8e6
commit 33369a4
Show file tree

Hide file tree

Showing 5 changed files with 97 additions and 1 deletion.
diff --git a/chrome/browser/policy/configuration_policy_handler_list_factory.cc b/chrome/browser/policy/configuration_policy_handler_list_factory.cc
@@ -369,6 +369,9 @@ const PolicyToPreferenceMapEntry kSimplePolicyMap[] = {
   { key::kSSLVersionMin,
     prefs::kSSLVersionMin,
     base::Value::TYPE_STRING },
+  { key::kSSLVersionFallbackMin,
+    prefs::kSSLVersionFallbackMin,
+    base::Value::TYPE_STRING },
 
 #if !defined(OS_MACOSX) && !defined(OS_IOS)
   { key::kFullscreenAllowed,

diff --git a/chrome/browser/policy/policy_browsertest.cc b/chrome/browser/policy/policy_browsertest.cc
@@ -2295,6 +2295,35 @@ IN_PROC_BROWSER_TEST_F(PolicyTest, SSLVersionMin) {
   EXPECT_TRUE(IsMinSSLVersionTLS12(browser()->profile()));
 }
 
+static bool IsMinSSLFallbackVersionTLS12(Profile* profile) {
+  scoped_refptr<net::SSLConfigService> config_service(
+      profile->GetSSLConfigService());
+  net::SSLConfig config;
+  config_service->GetSSLConfig(&config);
+  return config.version_fallback_min == net::SSL_PROTOCOL_VERSION_TLS1_2;
+}
+
+IN_PROC_BROWSER_TEST_F(PolicyTest, SSLVersionFallbackMin) {
+  PrefService* prefs = g_browser_process->local_state();
+
+  const std::string new_value("tls1.2");
+  const std::string default_value(
+      prefs->GetString(prefs::kSSLVersionFallbackMin));
+
+  EXPECT_NE(default_value, new_value);
+  EXPECT_FALSE(IsMinSSLFallbackVersionTLS12(browser()->profile()));
+
+  PolicyMap policies;
+  policies.Set(key::kSSLVersionFallbackMin,
+               POLICY_LEVEL_MANDATORY,
+               POLICY_SCOPE_USER,
+               new base::StringValue(new_value),
+               NULL);
+  UpdateProviderPolicy(policies);
+
+  EXPECT_TRUE(IsMinSSLFallbackVersionTLS12(browser()->profile()));
+}
+
 #if !defined(OS_MACOSX)
 IN_PROC_BROWSER_TEST_F(PolicyTest, FullscreenAllowedBrowser) {
   PolicyMap policies;

diff --git a/chrome/test/data/policy/policy_test_cases.json b/chrome/test/data/policy/policy_test_cases.json
@@ -1710,6 +1710,12 @@
     "pref_mappings": []
   },
 
+  "SSLVersionFallbackMin": {
+    "os": ["win", "linux", "mac", "chromeos"],
+    "test_policy": { "SSLVersionFallbackMin": "tls1.2" },
+    "pref_mappings": []
+  },
+
   "----- Chrome OS policies ------------------------------------------------": {},
 
   "ChromeOsLockOnIdleSuspend": {

diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json
@@ -123,7 +123,7 @@
 #   persistent IDs for all fields (but not for groups!) are needed. These are
 #   specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
 #   because doing so would break the deployed wire format!
-#   For your editing convenience: highest ID currently used: 279
+#   For your editing convenience: highest ID currently used: 280
 #
 # Placeholders:
 #   The following placeholder strings are automatically substituted:
@@ -6842,6 +6842,63 @@
 
       Otherwise it may be set to one of the following values: "sslv3", "tls1", "tls1.1" or "tls1.2". When set, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not use SSL/TLS versions less than the specified version. An unrecognized value will be ignored.
 
+      Note that, despite the number, "sslv3" is an earier version than "tls1".''',
+    },
+    {
+      'name': 'SSLVersionFallbackMin',
+      'type': 'string-enum',
+      'schema': {
+        'type': 'string',
+        'enum': [
+          'ssl3',
+          'tls1',
+          'tls1.1',
+          'tls1.2',
+        ],
+      },
+      'items': [
+        {
+          'name': 'SSLv3',
+          'value': 'ssl3',
+          'caption': 'SSL 3.0',
+        },
+        {
+          'name': 'TLSv1',
+          'value': 'tls1',
+          'caption': 'TLS 1.0',
+        },
+        {
+          'name': 'TLSv1.1',
+          'value': 'tls1.1',
+          'caption': 'TLS 1.1',
+        },
+        {
+          'name': 'TLSv1.2',
+          'value': 'tls1.2',
+          'caption': 'TLS 1.2',
+        },
+      ],
+      'supported_on': [
+        'chrome.*:39-',
+        'chrome_os:39-',
+        'android:39-',
+        'ios:39-',
+      ],
+      'features': {
+        'dynamic_refresh': True,
+        'per_profile': False,
+      },
+      'example_value': 'tls1',
+      'id': 280,
+      'caption': '''Minimum SSL version to fallback to''',
+      'desc': '''When an SSL/TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will retry the connection with a lesser version of SSL/TLS in order to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly then this setting doesn't apply and SSLVersionMin controls.
+
+      If this policy is not configured then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use a default minimum version, which was SSLv3 in Chrome 38 but is TLS 1.0 in Chrome 39.
+
+      Otherwise it may be set to one of the following values: "sslv3", "tls1", "tls1.1" or "tls1.2". A setting of "tls1" protects against attacks on SSLv3 but is already the default. A more likely situation is that compatibility with a buggy server must be maintained and thus this needs to be set to "sslv3". That potentially opens up all connections to SSLv3 attacks since a network attacker can induce fallbacks. Thus this is a stopgap measure and the server should be rapidly fixed.
+
+      A setting of "tls1.2" disables all fallback but this may have a significant compatibility impact.
+
       Note that, despite the number, "sslv3" is an earier version than "tls1".''',
     },
   ],

diff --git a/tools/metrics/histograms/histograms.xml b/tools/metrics/histograms/histograms.xml
@@ -41799,6 +41799,7 @@ Therefore, the affected-histogram name has to have at least one dot in it.
       label="Import autofill form data from default browser on first run"/>
   <int value="278" label="Extension Settings"/>
   <int value="279" label="SSL minimum version"/>
+  <int value="280" label="SSL fallback minimum version"/>
 </enum>
 
 <enum name="EnterprisePolicyInvalidations" type="int">