Merge pull request #3147 from deepak1556/cipher_suite_disable_patch

browser: flag to disable specified cipher suites
2015-10-20 10:29:49 +08:00 · 2015-10-20 10:29:49 +08:00 · bb8bb3dbea
commit bb8bb3dbea
parent 0afefe13f6 9f8479e9d8
4 changed files with 35 additions and 0 deletions
--- a/atom/browser/atom_ssl_config_service.cc
+++ b/atom/browser/atom_ssl_config_service.cc
@ -5,11 +5,14 @@
 #include "atom/browser/atom_ssl_config_service.h"

 #include <string>
+#include <vector>

 #include "base/command_line.h"
+#include "base/strings/string_split.h"
 #include "atom/common/options_switches.h"
 #include "content/public/browser/browser_thread.h"
 #include "net/socket/ssl_client_socket.h"
+#include "net/ssl/ssl_cipher_suite_names.h"

 namespace atom {

@ -26,6 +29,23 @@ uint16 GetSSLProtocolVersion(const std::string& version_string) {
  return version;
 }

+std::vector<uint16> ParseCipherSuites(
+    const std::vector<std::string>& cipher_strings) {
+  std::vector<uint16> cipher_suites;
+  cipher_suites.reserve(cipher_strings.size());
+
+  for (auto& cipher_string : cipher_strings) {
+    uint16 cipher_suite = 0;
+    if (!net::ParseSSLCipherString(cipher_string, &cipher_suite)) {
+      LOG(ERROR) << "Ignoring unrecognised cipher suite : "
+                 << cipher_string;
+      continue;
+    }
+    cipher_suites.push_back(cipher_suite);
+  }
+  return cipher_suites;
+}
+
 }  // namespace

 AtomSSLConfigService::AtomSSLConfigService() {
@ -35,6 +55,13 @@ AtomSSLConfigService::AtomSSLConfigService() {
        cmd_line->GetSwitchValueASCII(switches::kSSLVersionFallbackMin);
    config_.version_fallback_min = GetSSLProtocolVersion(version_string);
  }
+
+  if (cmd_line->HasSwitch(switches::kCipherSuiteBlacklist)) {
+    auto cipher_strings = base::SplitString(
+        cmd_line->GetSwitchValueASCII(switches::kCipherSuiteBlacklist),
+        ",", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
+    config_.disabled_cipher_suites = ParseCipherSuites(cipher_strings);
+  }
 }

 AtomSSLConfigService::~AtomSSLConfigService() {
--- a/atom/common/options_switches.cc
+++ b/atom/common/options_switches.cc
@ -116,6 +116,9 @@ const char kRegisterStandardSchemes[] = "register-standard-schemes";
 // TLS fallback will accept.
 const char kSSLVersionFallbackMin[] = "ssl-version-fallback-min";

+// Comma-separated list of SSL cipher suites to disable.
+const char kCipherSuiteBlacklist[] = "cipher-suite-blacklist";
+
 // The browser process app model ID
 const char kAppUserModelId[] = "app-user-model-id";

--- a/atom/common/options_switches.h
+++ b/atom/common/options_switches.h
@ -59,6 +59,7 @@ extern const char kPageVisibility[];
 extern const char kDisableHttpCache[];
 extern const char kRegisterStandardSchemes[];
 extern const char kSSLVersionFallbackMin[];
+extern const char kCipherSuiteBlacklist[];

 extern const char kAppUserModelId[];

--- a/docs/api/chrome-command-line-switches.md
+++ b/docs/api/chrome-command-line-switches.md
@ -92,6 +92,10 @@ Enables net log events to be saved and writes them to `path`.
 Sets the minimum SSL/TLS version ("tls1", "tls1.1" or "tls1.2") that TLS
 fallback will accept.

+## --cipher-suite-blacklist=`cipher_suites`
+
+Specify comma-separated list of SSL cipher suites to disable.
+
 ## --enable-logging

 Prints Chromium's logging into console.