Project: chromium Issues People Development process History Sign in
New issue
Advanced search Search tips
Issue 619194 Remove DHE-based ciphers
Starred by 32 users Project Member Reported by davidben@chromium.org, Jun 10 2016 Back to list
Status: Verified
Owner:
davidben@chromium.org
Closed: Oct 12
Cc:
pucchakayala@chromium.org
songsuk@chromium.org
awhalley@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Launch-OWP
Launch-Accessibility: ----
Launch-Legal: ----
Launch-M-Approved: ----
Launch-M-Target: 53-Stable
Launch-Privacy: ----
Launch-Security: ----
Launch-Status: Review-Requested
Launch-Test: ----
Launch-UI: ----



Sign in to add a comment
 
(See http://www.chromium.org/blink#launch-process for an overview)

Change description:
Stop accepting DHE-based ciphers in Chrome.

Changes to API surface:

- TLS servers must support non-DHE ciphers.

Links:
Public standards discussion: None

Support in other browsers:
Internet Explorer: DHE is still supported (but not as many as we advertise)
Firefox: DHE is still supported (but not as many as we advertise)
Safari: DHE has been removed

*Make sure to fill in any labels with a -?, including all OSes this change
affects. Feel free to leave other labels at the defaults.
Comment 1 by awhalley@chromium.org, Jun 22 2016 
The removal intent thread (https://groups.google.com/a/chromium.org/d/msg/blink-dev/ShRaCsYx4lk/46rD81AsBwAJ) now has the three requisite LGTMs from API_OWNERS (dglazkov, chrishtr, rbyers).
Comment 2 by davidben@chromium.org, Jun 23 2016
Labels: Launch-M-Target-53-Stable Launch-Status-Review-Requested
I think these are the right new settings. (awhalley, could you confirm?)
Project Member Comment 3 by bugdroid1@chromium.org, Jun 24 2016 
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b4c25b632a7078d2c3346a37b51034bb853b24b3

commit b4c25b632a7078d2c3346a37b51034bb853b24b3
Author: davidben <davidben@chromium.org>
Date: Fri Jun 24 02:39:27 2016

Remove DHE.

Connections to sites which require DHE will, for the moment,
return ERR_SSL_OBSOLETE_CIPHER. As always, there is an admin policy
to temporarily re-enable and field trial to back out of it if
needed.

BUG= 619194 
TEST=https://dh1024.badssl.com fails with ERR_SSL_OBSOLETE_CIPHER.

Review-Url: https://codereview.chromium.org/2056343006
Cr-Commit-Position: refs/heads/master@{#401793}

[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/chrome/browser/policy/configuration_policy_handler_list_factory.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/components/error_page/common/localized_error.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/components/policy/resources/policy_templates.json
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/components/ssl_config/ssl_config_prefs.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/components/ssl_config/ssl_config_prefs.h
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/components/ssl_config/ssl_config_service_manager_pref.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/components/ssl_config/ssl_config_service_manager_pref_unittest.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/net/base/net_error_list.h
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/net/socket/ssl_client_socket_unittest.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/net/ssl/ssl_config.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/net/ssl/ssl_config.h
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/net/url_request/url_request_unittest.cc
[modify] https://crrev.com/b4c25b632a7078d2c3346a37b51034bb853b24b3/tools/metrics/histograms/histograms.xml
Comment 4 by songsuk@chromium.org, Jul 22 2016
Cc: pucchakayala@chromium.org songsuk@chromium.org
Issue 630730 has been merged into this issue.
Comment 5 by pisarev...@gmail.com, Sep 13 
User experiences the ERR_SSL_OBSOLETE_CIPHER problem following this link: www.centronews.com
Comment 6 by m.star...@cinkciarz.pl, Sep 13 
Test cases listed on https://badssl.com/ also contain https://dh2048.badssl.com/. It uses safe, 2048-bit dhparam, so it's marked as green (perfectly OK from technical point of view). And it fails now since Chrome 53 - dh1024 test case was fixed, but dh2048 test case was broken.

I understand why it happened (discussed within issue 640166), but maybe Chromium team should do something about dh2048 test case, as a maintainer of badssl.com. If it's green - it shouldn't fail, and if it fails - it shouldn't be green. Be consistent.
Comment 7 by davidben@chromium.org, Sep 13 
pisarevden: Thanks! I'll reach out to the affected site.
Comment 8 by davidben@chromium.org, Sep 19 
(Anything else that needs to be done here launch-process-wise? The change is already in stable.)
Comment 9 by awhalley@chromium.org, Oct 12
Status: Verified
Project Member Comment 10 by bugdroid1@chromium.org, Oct 28 
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d6b73e400dd0d62664f7fe178d506032b881b2ad

commit d6b73e400dd0d62664f7fe178d506032b881b2ad
Author: davidben <davidben@chromium.org>
Date: Fri Oct 28 20:55:22 2016

Remove DHECiphers feature flag.

This was an emergency off switch should the DHE removal not stick. That
went through fine, so remove the feature glue. The remaining glue is
still needed and will be deleted in a few cycles when the admin policy
expires.

BUG= 619194 

Review-Url: https://codereview.chromium.org/2458123003
Cr-Commit-Position: refs/heads/master@{#428485}

[modify] https://crrev.com/d6b73e400dd0d62664f7fe178d506032b881b2ad/components/ssl_config/ssl_config_service_manager_pref.cc
[modify] https://crrev.com/d6b73e400dd0d62664f7fe178d506032b881b2ad/components/ssl_config/ssl_config_service_manager_pref_unittest.cc
Project Member Comment 11 by bugdroid1@chromium.org, Jan 25 
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6b4943bfc61acc877f92b183b849922edbe85e8d

commit 6b4943bfc61acc877f92b183b849922edbe85e8d
Author: davidben <davidben@chromium.org>
Date: Wed Jan 25 17:33:57 2017

Remove remnants of DHE support.

The admin policy has now expired, so we can unwind all code relating to
it.

The deprecated cipher fallback will be removed in a follow-up, tracked
by https://crbug.com/684730.

BUG= 619194 

Review-Url: https://codereview.chromium.org/2653773003
Cr-Commit-Position: refs/heads/master@{#446049}

[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/chrome/browser/policy/configuration_policy_handler_list_factory.cc
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/components/policy/resources/policy_templates.json
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/components/ssl_config/ssl_config_prefs.cc
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/components/ssl_config/ssl_config_prefs.h
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/components/ssl_config/ssl_config_service_manager_pref.cc
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/net/socket/ssl_client_socket_unittest.cc
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/net/ssl/ssl_config.cc
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/net/ssl/ssl_config.h
[modify] https://crrev.com/6b4943bfc61acc877f92b183b849922edbe85e8d/net/url_request/url_request_unittest.cc
Comment 12 by arigunov...@gmail.com, Jan 26 
что что что?

2017-01-25 20:42 GMT+03:00 bugdro… via monorail <
monorail+v2.3275348242@chromium.org>:
Project Member Comment 13 by bugdroid1@chromium.org, Jan 26 
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8533a15e602b656ccac9d4779c7ca479c32ed954

commit 8533a15e602b656ccac9d4779c7ca479c32ed954
Author: kjellander <kjellander@chromium.org>
Date: Thu Jan 26 06:18:06 2017

Revert of Remove remnants of DHE support. (patchset #3 id:40001 of https://codereview.chromium.org/2653773003/ )

Reason for revert:
I suspect this breaks https://build.chromium.org/p/chromium.win/builders/Win7%20Tests%20%281%29/builds/62851 since the trybot that ran (and passed) was a Win x64 config (win_chromium_x64_rel_ng).
The x64 windows bot doesn't break post-commit.
This was the only CL in the blame list touching encryption IIUC.

Original issue's description:
> Remove remnants of DHE support.
>
> The admin policy has now expired, so we can unwind all code relating to
> it.
>
> The deprecated cipher fallback will be removed in a follow-up, tracked
> by https://crbug.com/684730.
>
> BUG= 619194 
>
> Review-Url: https://codereview.chromium.org/2653773003
> Cr-Commit-Position: refs/heads/master@{#446049}
> Committed: https://chromium.googlesource.com/chromium/src/+/6b4943bfc61acc877f92b183b849922edbe85e8d

TBR=svaldez@chromium.org,pastarmovj@chromium.org,davidben@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 619194 

Review-Url: https://codereview.chromium.org/2656953002
Cr-Commit-Position: refs/heads/master@{#446249}

[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/chrome/browser/policy/configuration_policy_handler_list_factory.cc
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/components/policy/resources/policy_templates.json
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/components/ssl_config/ssl_config_prefs.cc
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/components/ssl_config/ssl_config_prefs.h
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/components/ssl_config/ssl_config_service_manager_pref.cc
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/net/socket/ssl_client_socket_unittest.cc
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/net/ssl/ssl_config.cc
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/net/ssl/ssl_config.h
[modify] https://crrev.com/8533a15e602b656ccac9d4779c7ca479c32ed954/net/url_request/url_request_unittest.cc
Comment 14 by arigunov...@gmail.com, Jan 26 
зачем отправляете мне это?

2017-01-26 9:19 GMT+03:00 bugdro… via monorail <
monorail+v2.3275348242@chromium.org>:
Project Member Comment 15 by bugdroid1@chromium.org, Jan 26 
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1ae83a08f3b0b6831e5dbdaae12635010367b246

commit 1ae83a08f3b0b6831e5dbdaae12635010367b246
Author: kjellander <kjellander@chromium.org>
Date: Thu Jan 26 07:35:09 2017

Reland of move remnants of DHE support. (patchset #1 id:1 of https://codereview.chromium.org/2656953002/ )

Reason for revert:
Did not solve the failing test: https://build.chromium.org/p/chromium.win/builders/Win7%20Tests%20%281%29/builds/62881

Original issue's description:
> Revert of Remove remnants of DHE support. (patchset #3 id:40001 of https://codereview.chromium.org/2653773003/ )
>
> Reason for revert:
> I suspect this breaks https://build.chromium.org/p/chromium.win/builders/Win7%20Tests%20%281%29/builds/62851 since the trybot that ran (and passed) was a Win x64 config (win_chromium_x64_rel_ng).
> The x64 windows bot doesn't break post-commit.
> This was the only CL in the blame list touching encryption IIUC.
>
> Original issue's description:
> > Remove remnants of DHE support.
> >
> > The admin policy has now expired, so we can unwind all code relating to
> > it.
> >
> > The deprecated cipher fallback will be removed in a follow-up, tracked
> > by https://crbug.com/684730.
> >
> > BUG= 619194 
> >
> > Review-Url: https://codereview.chromium.org/2653773003
> > Cr-Commit-Position: refs/heads/master@{#446049}
> > Committed: https://chromium.googlesource.com/chromium/src/+/6b4943bfc61acc877f92b183b849922edbe85e8d
>
> TBR=svaldez@chromium.org,pastarmovj@chromium.org,davidben@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG= 619194 
>
> Review-Url: https://codereview.chromium.org/2656953002
> Cr-Commit-Position: refs/heads/master@{#446249}
> Committed: https://chromium.googlesource.com/chromium/src/+/8533a15e602b656ccac9d4779c7ca479c32ed954

TBR=svaldez@chromium.org,pastarmovj@chromium.org,davidben@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 619194 

Review-Url: https://codereview.chromium.org/2651303003
Cr-Commit-Position: refs/heads/master@{#446269}

[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/chrome/browser/policy/configuration_policy_handler_list_factory.cc
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/components/policy/resources/policy_templates.json
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/components/ssl_config/ssl_config_prefs.cc
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/components/ssl_config/ssl_config_prefs.h
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/components/ssl_config/ssl_config_service_manager_pref.cc
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/net/socket/ssl_client_socket_unittest.cc
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/net/ssl/ssl_config.cc
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/net/ssl/ssl_config.h
[modify] https://crrev.com/1ae83a08f3b0b6831e5dbdaae12635010367b246/net/url_request/url_request_unittest.cc
Sign in to add a comment