From 9f8479e9d8e56c82871c663f0114bc8044d44a9f Mon Sep 17 00:00:00 2001
From: Robo
Date: Tue, 20 Oct 2015 02:26:01 +0530
Subject: [PATCH] browser: flag to diable specified cipher suites

---
 atom/browser/atom_ssl_config_service.cc | 27 ++++++++++++++++++++++++
 atom/common/options_switches.cc | 3 +++
 atom/common/options_switches.h | 1 +
 docs/api/chrome-command-line-switches.md | 4 ++++
 4 files changed, 35 insertions(+)

diff --git a/atom/browser/atom_ssl_config_service.cc b/atom/browser/atom_ssl_config_service.cc
index f19dbacf7d..0a47067b0a 100644
--- a/atom/browser/atom_ssl_config_service.cc
+++ b/atom/browser/atom_ssl_config_service.cc
@@ -5,11 +5,14 @@
 #include "atom/browser/atom_ssl_config_service.h"
 #include
+#include
 #include "base/command_line.h"
+#include "base/strings/string_split.h"
 #include "atom/common/options_switches.h"
 #include "content/public/browser/browser_thread.h"
 #include "net/socket/ssl_client_socket.h"
+#include "net/ssl/ssl_cipher_suite_names.h"
 namespace atom {
@@ -26,6 +29,23 @@ uint16 GetSSLProtocolVersion(const std::string& version_string) {
   return version;
 }
+std::vector ParseCipherSuites(
+    const std::vector& cipher_strings) {
+  std::vector cipher_suites;
+  cipher_suites.reserve(cipher_strings.size());
+
+  for (auto& cipher_string : cipher_strings) {
+    uint16 cipher_suite = 0;
+    if (!net::ParseSSLCipherString(cipher_string, &cipher_suite)) {
+      LOG(ERROR) << "Ignoring unrecognised cipher suite : "
+                 << cipher_string;
+      continue;
+    }
+    cipher_suites.push_back(cipher_suite);
+  }
+  return cipher_suites;
+}
+
 }  // namespace
 AtomSSLConfigService::AtomSSLConfigService() {
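Review bot: ParseCipherSuites fails open: an entry that net::ParseSSLCipherString rejects is logged at ERROR and skipped, so a misspelled suite in the blacklist stays enabled while the operator believes it is disabled, and a list in which every entry is bad yields an empty vector with no further signal. The function carries no comment stating this; add one above the definition, e.g. `// Converts cipher-suite strings (format per net::ParseSSLCipherString) to` / `// ids. Unrecognised entries are logged and skipped, so a typo leaves that` / `// suite enabled; callers should not treat the result as authoritative.`. The same behaviour is inherited by the constructor hunk in atom_ssl_config_service.cc (`config_.disabled_cipher_suites = ParseCipherSuites(cipher_strings);`), which would also benefit from logging the accepted count so a defender can confirm from the log what was actually disabled. Minor style point: the loop variable is never mutated, so `for (const auto& cipher_string : cipher_strings)` states the intent.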
@@ -35,6 +55,13 @@ AtomSSLConfigService::AtomSSLConfigService() {
         cmd_line->GetSwitchValueASCII(switches::kSSLVersionFallbackMin);
     config_.version_fallback_min = GetSSLProtocolVersion(version_string);
   }
+
+  if (cmd_line->HasSwitch(switches::kCipherSuiteBlacklist)) {
+    auto cipher_strings = base::SplitString(
+        cmd_line->GetSwitchValueASCII(switches::kCipherSuiteBlacklist),
+        ",", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
+    config_.disabled_cipher_suites = ParseCipherSuites(cipher_strings);
+  }
 }
 AtomSSLConfigService::~AtomSSLConfigService() {
diff --git a/atom/common/options_switches.cc b/atom/common/options_switches.cc
index 46687becf8..84d63c29a0 100644
--- a/atom/common/options_switches.cc
+++ b/atom/common/options_switches.cc
@@ -117,6 +117,9 @@ const char kRegisterStandardSchemes[] = "register-standard-schemes";
 // TLS fallback will accept.
 const char kSSLVersionFallbackMin[] = "ssl-version-fallback-min";
+// Comma-separated list of SSL cipher suites to disable.
+const char kCipherSuiteBlacklist[] = "cipher-suite-blacklist";
+
 // The browser process app model ID
 const char kAppUserModelId[] = "app-user-model-id";
diff --git a/atom/common/options_switches.h b/atom/common/options_switches.h
index 16046d19c8..73312d028d 100644
--- a/atom/common/options_switches.h
+++ b/atom/common/options_switches.h
@@ -60,6 +60,7 @@ extern const char kPageVisibility[];
 extern const char kDisableHttpCache[];
 extern const char kRegisterStandardSchemes[];
 extern const char kSSLVersionFallbackMin[];
+extern const char kCipherSuiteBlacklist[];
 extern const char kAppUserModelId[];
diff --git a/docs/api/chrome-command-line-switches.md b/docs/api/chrome-command-line-switches.md
index c2a39126f6..abf8726b68 100644
--- a/docs/api/chrome-command-line-switches.md
+++ b/docs/api/chrome-command-line-switches.md
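Review bot: The new comment on kCipherSuiteBlacklist in options_switches.cc does not say what form each entry must take, and the switch is the only place an operator learns the format, so a wrongly formatted list is silently ineffective (the parser skips entries it does not recognise). State the accepted format and the skip behaviour where the switch is defined, e.g. `// Comma-separated list of SSL cipher suites to disable, each in the form` / `// accepted by net::ParseSSLCipherString. Unrecognised entries are ignored.`. The same wording belongs in the docs/api/chrome-command-line-switches.md entry, which currently only repeats the one-line description.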
@@ -92,6 +92,10 @@ Enables net log events to be saved and writes them to `path`.
 Sets the minimum SSL/TLS version ("tls1", "tls1.1" or "tls1.2") that TLS fallback will accept.
+## --cipher-suite-blacklist=`cipher_suites`
+
+Specify comma-separated list of SSL cipher suites to disable.
+
 ## --enable-logging
 Prints Chromium's logging into console.