Starred by 67 users

Issue metadata

Status: Verified
Closed: Oct 2016
OS: All
Pri: 3
Type: Launch-OWP
Launch-M-Target: 53-Stable




Remove DHE-based ciphers

Project Member Reported by davidben@chromium.org, Jun 10 2016

Issue description

(See http://www.chromium.org/blink#launch-process for an overview)

Change description:
Stop accepting DHE-based ciphers in Chrome.

Changes to API surface:

- TLS servers must support non-DHE ciphers.

Links:
Public standards discussion: None

Support in other browsers:
Internet Explorer: DHE is still supported (but not as many as we advertise)
Firefox: DHE is still supported (but not as many as we advertise)
Safari: DHE has been removed

*Make sure to fill in any labels with a -?, including all OSes this change
affects. Feel free to leave other labels at the defaults.
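
An added example, not part of the original issue or of Chromium's code: a small audit that takes a server's configured cipher suite list and reports what remains once a client stops accepting DHE, as described above. The host names and suite lists are constructed, and the check assumes the client still offers every non-DHE suite in the list.

```python
# Constructed sample server suite lists (OpenSSL-style and IANA-style names).
SAMPLE_SERVERS = {
    "dhe-only.example": ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-SHA",
                         "EDH-RSA-DES-CBC3-SHA"],
    "mixed.example": ["DHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                      "AES128-SHA"],
    "iana.example": ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"],
}

def key_exchange(suite):
    """Classify a cipher suite name by its key exchange family."""
    s = suite.upper().replace("_", "-")
    if s.startswith("TLS-"):
        if "-WITH-" not in s:          # TLS 1.3 names carry no key exchange
            return "TLS1.3"
        kx = s[4:].split("-")[0]       # IANA form: TLS_<kx>_<auth>_WITH_<cipher>
    else:
        kx = s.split("-")[0]           # OpenSSL form: <kx>-<auth>-<cipher>-<mac>
    if kx in ("DHE", "EDH"):           # EDH is OpenSSL's older spelling of DHE
        return "DHE"
    if kx in ("ECDHE", "EECDH"):
        return "ECDHE"
    if kx in ("DH", "ADH", "ECDH", "AECDH", "PSK", "SRP"):
        return kx
    return "RSA"                       # simplification: OpenSSL gives RSA suites no prefix

def audit(suites):
    """Report which suites a client without DHE can still use on this server."""
    lost = [s for s in suites if key_exchange(s) == "DHE"]
    usable = [s for s in suites if key_exchange(s) != "DHE"]
    return {
        "lost": lost,
        "usable": usable,
        # No usable suite left: the handshake cannot complete without DHE.
        "reachable": bool(usable),
        # Plain RSA key exchange keeps the site reachable but is not forward secret.
        "forward_secret": any(key_exchange(s) in ("ECDHE", "TLS1.3") for s in usable),
    }

if __name__ == "__main__":
    for host, suites in SAMPLE_SERVERS.items():
        print(host, audit(suites))
```

A server that pairs DHE only with plain RSA suites stays reachable after the change but loses forward secrecy for these clients, which is the case to look for when reviewing configurations.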

 
The removal intent thread (https://groups.google.com/a/chromium.org/d/msg/blink-dev/ShRaCsYx4lk/46rD81AsBwAJ) now has the three requisite LGTMs from API_OWNERS (dglazkov, chrishtr, rbyers).
Labels: Launch-M-Target-53-Stable Launch-Status-Review-Requested
I think these are the right new settings. (awhalley, could you confirm?)
Project Member

Comment 3 by bugdroid1@chromium.org, Jun 24 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b4c25b632a7078d2c3346a37b51034bb853b24b3

commit b4c25b632a7078d2c3346a37b51034bb853b24b3
Author: davidben <davidben@chromium.org>
Date: Fri Jun 24 02:39:27 2016

Remove DHE.

Connections to sites which require DHE will, for the moment,
return ERR_SSL_OBSOLETE_CIPHER. As always, there is an admin policy
to temporarily re-enable and field trial to back out of it if
needed.

BUG= 619194 
TEST=https://dh1024.badssl.com fails with ERR_SSL_OBSOLETE_CIPHER.

Review-Url: https://codereview.chromium.org/2056343006
Cr-Commit-Position: refs/heads/master@{#401793}

[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/chrome/browser/policy/configuration_policy_handler_list_factory.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/components/error_page/common/localized_error.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/components/policy/resources/policy_templates.json
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/components/ssl_config/ssl_config_prefs.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/components/ssl_config/ssl_config_prefs.h
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/components/ssl_config/ssl_config_service_manager_pref.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/components/ssl_config/ssl_config_service_manager_pref_unittest.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/net/base/net_error_list.h
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/net/socket/ssl_client_socket_unittest.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/net/ssl/ssl_config.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/net/ssl/ssl_config.h
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/net/url_request/url_request_unittest.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/tools/metrics/histograms/histograms.xml

Cc: pucchakayala@chromium.org songsuk@chromium.org
 Issue 630730  has been merged into this issue.
User experiences the ERR_SSL_OBSOLETE_CIPHER problem following this link: www.centronews.com
The test cases listed on https://badssl.com/ also include https://dh2048.badssl.com/. It uses a safe, 2048-bit dhparam, so it's marked as green (perfectly OK from a technical point of view). And it has failed since Chrome 53: the dh1024 test case was fixed, but the dh2048 test case was broken.

I understand why it happened (discussed within  issue 640166 ), but maybe the Chromium team should do something about the dh2048 test case, as a maintainer of badssl.com. If it's green - it shouldn't fail, and if it fails - it shouldn't be green. Be consistent.
pisarevden: Thanks! I'll reach out to the affected site.
(Anything else that needs to be done here launch-process-wise? The change is already in stable.)
Status: Verified (was: Assigned)
Project Member

Comment 10 by bugdroid1@chromium.org, Oct 28 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d6b73e400dd0d62664f7fe178d506032b881b2ad

commit d6b73e400dd0d62664f7fe178d506032b881b2ad
Author: davidben <davidben@chromium.org>
Date: Fri Oct 28 20:55:22 2016

Remove DHECiphers feature flag.

This was an emergency off switch should the DHE removal not stick. That
went through fine, so remove the feature glue. The remaining glue is
still needed and will be deleted in a few cycles when the admin policy
expires.

BUG= 619194 

Review-Url: https://codereview.chromium.org/2458123003
Cr-Commit-Position: refs/heads/master@{#428485}

[modify] https://crrev.com/d6b73e400dd0d62664f7fe178d506032b881b2ad/components/ssl_config/ssl_config_service_manager_pref.cc
[modify] https://crrev.com/d6b73e400dd0d62664f7fe178d506032b881b2ad/components/ssl_config/ssl_config_service_manager_pref_unittest.cc

Project Member

Comment 11 by bugdroid1@chromium.org, Jan 25 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6b4943bfc61acc877f92b183b849922edbe85e8d

commit 6b4943bfc61acc877f92b183b849922edbe85e8d
Author: davidben <davidben@chromium.org>
Date: Wed Jan 25 17:33:57 2017

Remove remnants of DHE support.

The admin policy has now expired, so we can unwind all code relating to
it.

The deprecated cipher fallback will be removed in a follow-up, tracked
by  https://crbug.com/684730 .

BUG= 619194 

Review-Url: https://codereview.chromium.org/2653773003
Cr-Commit-Position: refs/heads/master@{#446049}

[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/chrome/browser/policy/configuration_policy_handler_list_factory.cc
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/components/policy/resources/policy_templates.json
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/components/ssl_config/ssl_config_prefs.cc
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/components/ssl_config/ssl_config_prefs.h
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/components/ssl_config/ssl_config_service_manager_pref.cc
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/net/socket/ssl_client_socket_unittest.cc
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/net/ssl/ssl_config.cc
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/net/ssl/ssl_config.h
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/net/url_request/url_request_unittest.cc

What, what, what?

2017-01-25 20:42 GMT+03:00 bugdro… via monorail <
monorail+v2.3275348242@chromium.org>:
Project Member

Comment 13 by bugdroid1@chromium.org, Jan 26 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8533a15e602b656ccac9d4779c7ca479c32ed954

commit 8533a15e602b656ccac9d4779c7ca479c32ed954
Author: kjellander <kjellander@chromium.org>
Date: Thu Jan 26 06:18:06 2017

Revert of Remove remnants of DHE support. (patchset #3 id:40001 of https://codereview.chromium.org/2653773003/ )

Reason for revert:
I suspect this breaks https://build.chromium.org/p/chromium.win/builders/Win7%20Tests%20%281%29/builds/62851 since the trybot that ran (and passed) was a Win x64 config (win_chromium_x64_rel_ng).
The x64 windows bot doesn't break post-commit.
This was the only CL in the blame list touching encryption IIUC.

Original issue's description:
> Remove remnants of DHE support.
>
> The admin policy has now expired, so we can unwind all code relating to
> it.
>
> The deprecated cipher fallback will be removed in a follow-up, tracked
> by  https://crbug.com/684730 .
>
> BUG= 619194 
>
> Review-Url: https://codereview.chromium.org/2653773003
> Cr-Commit-Position: refs/heads/master@{#446049}
> Committed: https://chromium.googlesource.com/chromium/src/+/6b4943bfc61acc877f92b183b849922edbe85e8d

TBR=svaldez@chromium.org,pastarmovj@chromium.org,davidben@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 619194 

Review-Url: https://codereview.chromium.org/2656953002
Cr-Commit-Position: refs/heads/master@{#446249}

[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/chrome/browser/policy/configuration_policy_handler_list_factory.cc
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/components/policy/resources/policy_templates.json
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/components/ssl_config/ssl_config_prefs.cc
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/components/ssl_config/ssl_config_prefs.h
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/components/ssl_config/ssl_config_service_manager_pref.cc
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/net/socket/ssl_client_socket_unittest.cc
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/net/ssl/ssl_config.cc
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/net/ssl/ssl_config.h
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/net/url_request/url_request_unittest.cc

Why are you sending me this?

2017-01-26 9:19 GMT+03:00 bugdro… via monorail <
monorail+v2.3275348242@chromium.org>:
Project Member

Comment 15 by bugdroid1@chromium.org, Jan 26 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1ae83a08f3b0b6831e5dbdaae12635010367b246

commit 1ae83a08f3b0b6831e5dbdaae12635010367b246
Author: kjellander <kjellander@chromium.org>
Date: Thu Jan 26 07:35:09 2017

Reland of move remnants of DHE support. (patchset #1 id:1 of https://codereview.chromium.org/2656953002/ )

Reason for revert:
Did not solve the failing test: https://build.chromium.org/p/chromium.win/builders/Win7%20Tests%20%281%29/builds/62881

Original issue's description:
> Revert of Remove remnants of DHE support. (patchset #3 id:40001 of https://codereview.chromium.org/2653773003/ )
>
> Reason for revert:
> I suspect this breaks https://build.chromium.org/p/chromium.win/builders/Win7%20Tests%20%281%29/builds/62851 since the trybot that ran (and passed) was a Win x64 config (win_chromium_x64_rel_ng).
> The x64 windows bot doesn't break post-commit.
> This was the only CL in the blame list touching encryption IIUC.
>
> Original issue's description:
> > Remove remnants of DHE support.
> >
> > The admin policy has now expired, so we can unwind all code relating to
> > it.
> >
> > The deprecated cipher fallback will be removed in a follow-up, tracked
> > by  https://crbug.com/684730 .
> >
> > BUG= 619194 
> >
> > Review-Url: https://codereview.chromium.org/2653773003
> > Cr-Commit-Position: refs/heads/master@{#446049}
> > Committed: https://chromium.googlesource.com/chromium/src/+/6b4943bfc61acc877f92b183b849922edbe85e8d
>
> TBR=svaldez@chromium.org,pastarmovj@chromium.org,davidben@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG= 619194 
>
> Review-Url: https://codereview.chromium.org/2656953002
> Cr-Commit-Position: refs/heads/master@{#446249}
> Committed: https://chromium.googlesource.com/chromium/src/+/8533a15e602b656ccac9d4779c7ca479c32ed954

TBR=svaldez@chromium.org,pastarmovj@chromium.org,davidben@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 619194 

Review-Url: https://codereview.chromium.org/2651303003
Cr-Commit-Position: refs/heads/master@{#446269}

[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/chrome/browser/policy/configuration_policy_handler_list_factory.cc
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/components/policy/resources/policy_templates.json
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/components/ssl_config/ssl_config_prefs.cc
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/components/ssl_config/ssl_config_prefs.h
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/components/ssl_config/ssl_config_service_manager_pref.cc
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/net/socket/ssl_client_socket_unittest.cc
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/net/ssl/ssl_config.cc
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/net/ssl/ssl_config.h
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/net/url_request/url_request_unittest.cc

Comment 16 by voa...@gmail.com, Jun 3 2017

The system is XP and Chrome was not updated, so whatever happened did not happen on the computer...

https://c.secudatago.com/?a=47834&c=144069&p=r&E=VABJK5dPD9s%3d&s1=28090_0&s3=https%3A%2F%2Fru.aliexpress.com%2Fstore%2Fproduct%2Ffree-shipping-door-operator-Small-electric-locks-drawer-cabinet-electronic-locks-electromechanical-locks-house-office-hardware%2F1261280_2037837445.html

This site can't provide a secure connection

c.secudatago.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
https://getfox.ru/
Same problem
