diff --git a/chrome/browser/policy/configuration_policy_handler_list_factory.cc b/chrome/browser/policy/configuration_policy_handler_list_factory.cc index 121975c1309f1..633dbea78840e 100644 --- a/chrome/browser/policy/configuration_policy_handler_list_factory.cc +++ b/chrome/browser/policy/configuration_policy_handler_list_factory.cc @@ -369,6 +369,9 @@ const PolicyToPreferenceMapEntry kSimplePolicyMap[] = { { key::kSSLVersionMin, prefs::kSSLVersionMin, base::Value::TYPE_STRING }, + { key::kSSLVersionFallbackMin, + prefs::kSSLVersionFallbackMin, + base::Value::TYPE_STRING }, #if !defined(OS_MACOSX) && !defined(OS_IOS) { key::kFullscreenAllowed, diff --git a/chrome/browser/policy/policy_browsertest.cc b/chrome/browser/policy/policy_browsertest.cc index 965f6100caa0c..b4332684629f6 100644 --- a/chrome/browser/policy/policy_browsertest.cc +++ b/chrome/browser/policy/policy_browsertest.cc @@ -2295,6 +2295,35 @@ IN_PROC_BROWSER_TEST_F(PolicyTest, SSLVersionMin) { EXPECT_TRUE(IsMinSSLVersionTLS12(browser()->profile())); } +static bool IsMinSSLFallbackVersionTLS12(Profile* profile) { + scoped_refptr config_service( + profile->GetSSLConfigService()); + net::SSLConfig config; + config_service->GetSSLConfig(&config); + return config.version_fallback_min == net::SSL_PROTOCOL_VERSION_TLS1_2; +} + +IN_PROC_BROWSER_TEST_F(PolicyTest, SSLVersionFallbackMin) { + PrefService* prefs = g_browser_process->local_state(); + + const std::string new_value("tls1.2"); + const std::string default_value( + prefs->GetString(prefs::kSSLVersionFallbackMin)); + + EXPECT_NE(default_value, new_value); + EXPECT_FALSE(IsMinSSLFallbackVersionTLS12(browser()->profile())); + + PolicyMap policies; + policies.Set(key::kSSLVersionFallbackMin, + POLICY_LEVEL_MANDATORY, + POLICY_SCOPE_USER, + new base::StringValue(new_value), + NULL); + UpdateProviderPolicy(policies); + + EXPECT_TRUE(IsMinSSLFallbackVersionTLS12(browser()->profile())); +} + #if !defined(OS_MACOSX) IN_PROC_BROWSER_TEST_F(PolicyTest, FullscreenAllowedBrowser) { PolicyMap policies; diff --git a/chrome/test/data/policy/policy_test_cases.json b/chrome/test/data/policy/policy_test_cases.json index 52453960e14e9..3ad037d421ffe 100644 --- a/chrome/test/data/policy/policy_test_cases.json +++ b/chrome/test/data/policy/policy_test_cases.json @@ -1710,6 +1710,12 @@ "pref_mappings": [] }, + "SSLVersionFallbackMin": { + "os": ["win", "linux", "mac", "chromeos"], + "test_policy": { "SSLVersionFallbackMin": "tls1.2" }, + "pref_mappings": [] + }, + "----- Chrome OS policies ------------------------------------------------": {}, "ChromeOsLockOnIdleSuspend": { diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json index 51bd259333ad5..86184b5471cc8 100644 --- a/components/policy/resources/policy_templates.json +++ b/components/policy/resources/policy_templates.json @@ -123,7 +123,7 @@ # persistent IDs for all fields (but not for groups!) are needed. These are # specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs, # because doing so would break the deployed wire format! -# For your editing convenience: highest ID currently used: 279 +# For your editing convenience: highest ID currently used: 280 # # Placeholders: # The following placeholder strings are automatically substituted: @@ -6842,6 +6842,63 @@ Otherwise it may be set to one of the following values: "sslv3", "tls1", "tls1.1" or "tls1.2". When set, $1Google Chrome will not use SSL/TLS versions less than the specified version. An unrecognized value will be ignored. + Note that, despite the number, "sslv3" is an earier version than "tls1".''', + }, + { + 'name': 'SSLVersionFallbackMin', + 'type': 'string-enum', + 'schema': { + 'type': 'string', + 'enum': [ + 'ssl3', + 'tls1', + 'tls1.1', + 'tls1.2', + ], + }, + 'items': [ + { + 'name': 'SSLv3', + 'value': 'ssl3', + 'caption': 'SSL 3.0', + }, + { + 'name': 'TLSv1', + 'value': 'tls1', + 'caption': 'TLS 1.0', + }, + { + 'name': 'TLSv1.1', + 'value': 'tls1.1', + 'caption': 'TLS 1.1', + }, + { + 'name': 'TLSv1.2', + 'value': 'tls1.2', + 'caption': 'TLS 1.2', + }, + ], + 'supported_on': [ + 'chrome.*:39-', + 'chrome_os:39-', + 'android:39-', + 'ios:39-', + ], + 'features': { + 'dynamic_refresh': True, + 'per_profile': False, + }, + 'example_value': 'tls1', + 'id': 280, + 'caption': '''Minimum SSL version to fallback to''', + 'desc': '''When an SSL/TLS handshake fails, $1Google Chrome will retry the connection with a lesser version of SSL/TLS in order to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly then this setting doesn't apply and SSLVersionMin controls. + + If this policy is not configured then $1Google Chrome will use a default minimum version, which was SSLv3 in Chrome 38 but is TLS 1.0 in Chrome 39. + + Otherwise it may be set to one of the following values: "sslv3", "tls1", "tls1.1" or "tls1.2". A setting of "tls1" protects against attacks on SSLv3 but is already the default. A more likely situation is that compatibility with a buggy server must be maintained and thus this needs to be set to "sslv3". That potentially opens up all connections to SSLv3 attacks since a network attacker can induce fallbacks. Thus this is a stopgap measure and the server should be rapidly fixed. + + A setting of "tls1.2" disables all fallback but this may have a significant compatibility impact. + Note that, despite the number, "sslv3" is an earier version than "tls1".''', }, ], diff --git a/tools/metrics/histograms/histograms.xml b/tools/metrics/histograms/histograms.xml index 5a05ca5288e34..28379dbe5ac9b 100644 --- a/tools/metrics/histograms/histograms.xml +++ b/tools/metrics/histograms/histograms.xml @@ -41799,6 +41799,7 @@ Therefore, the affected-histogram name has to have at least one dot in it. label="Import autofill form data from default browser on first run"/> +