Issue 630147

Starred by 23 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug


Chromium-side TLS 1.3 work

Project Member Reported by davidben@chromium.org, Jul 21 2016

Issue description

Tracking bug for changes we need to do in Chromium for TLS 1.3.
 
Blockedon: 630149
Cc: svaldez@chromium.org nhar...@chromium.org
Blockedon: 630150
Blockedon: 630151
Blockedon: 618035
Blockedon: 630165
Blockedon: 631988
Blockedon: 639495
Blockedon: 641225
Blockedon: 658863
Labels: M-56
Blockedon: boringssl:73

Comment 13 by bugdroid1@chromium.org, Nov 9 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/99ce6308c09c342dbf6cdabda0bdbc1452ee036d

commit 99ce6308c09c342dbf6cdabda0bdbc1452ee036d
Author: davidben <davidben@chromium.org>
Date: Wed Nov 09 17:30:28 2016

Don't maintain a second level of timeouts.

This second level of timeouts is not maintained correctly in the case of
TLS 1.2 ticket renewals. BoringSSL does not extend ticket lifetimes on
ticket renewals because the master secret is unchanged, but BoringSSL's
default is two hours, while SSLClientSessionCache uses one hour. This
meant that TLS 1.2 ticket renewals currently extend the one hour
lifetime up to a two hour non-renewable lifetime.

This makes no sense. Instead, have SSLClientSessionCache query
SSL_SESSION timeout fields. Then configure the SSL_CTX to match the old
timeout to preserve the existing behavior. (Though I suspect one vs two
hours isn't a big difference and we could just leave it at BoringSSL
defaults.)

Do this both to fix our TLS 1.2 ticket renewal policy and prepare for
TLS 1.3 which will involve a more complex timeout policy. (Resumptions
do an ECDH and renewals incorporate that key material, so longer and
renewable lifetimes make sense, but we will still need a non-renewable
timeout for when we require a fresh signature.)

BUG=630147

Review-Url: https://codereview.chromium.org/2480813002
Cr-Commit-Position: refs/heads/master@{#430961}

[modify] https://crrev.com/99ce6308c09c342dbf6cdabda0bdbc1452ee036d/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/99ce6308c09c342dbf6cdabda0bdbc1452ee036d/net/ssl/ssl_client_session_cache.cc
[modify] https://crrev.com/99ce6308c09c342dbf6cdabda0bdbc1452ee036d/net/ssl/ssl_client_session_cache.h
[modify] https://crrev.com/99ce6308c09c342dbf6cdabda0bdbc1452ee036d/net/ssl/ssl_client_session_cache_unittest.cc
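
The timeout interaction described in the commit message above, as a simplified model added here (not Chromium or BoringSSL code). `Session`, `TwoLevelCache`, `SingleLevelCache` and `FirstFullHandshake` are hypothetical names, and the 30-minute renewal interval is a constructed input.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical model of a TLS 1.2 session: full-handshake time and the
// lifetime the TLS library allows for resumption, both in seconds.
struct Session { int64_t established; int64_t timeout; };

// Ticket renewal: same master secret, so time and timeout are unchanged.
Session RenewTicket(const Session& s) { return s; }

// Before: the cache stamps its own insertion time and enforces its own
// one-hour limit on top of the library's lifetime.
struct TwoLevelCache {
  static constexpr int64_t kCacheTimeout = 3600;
  Session session{};
  int64_t inserted = 0;
  void Insert(const Session& s, int64_t now) { session = s; inserted = now; }
  bool Usable(int64_t now) const {
    return now < inserted + kCacheTimeout &&
           now < session.established + session.timeout;
  }
};

// After: the cache consults only the session's own timeout fields.
struct SingleLevelCache {
  Session session{};
  void Insert(const Session& s, int64_t /*now*/) { session = s; }
  bool Usable(int64_t now) const {
    return now < session.established + session.timeout;
  }
};

// Full handshake at t=0, then a resumption with ticket renewal every
// `interval` seconds. Returns when the session first stops being usable.
template <typename Cache>
int64_t FirstFullHandshake(int64_t library_timeout, int64_t interval) {
  Cache cache;
  cache.Insert(Session{0, library_timeout}, 0);
  for (int64_t now = interval;; now += interval) {
    if (!cache.Usable(now)) return now;
    cache.Insert(RenewTicket(cache.session), now);
  }
}

int main() {  // constructed input: renewals every 30 minutes
  long long before = FirstFullHandshake<TwoLevelCache>(7200, 1800);
  long long after = FirstFullHandshake<SingleLevelCache>(3600, 1800);
  std::printf("two-level: %llds, single-level: %llds\n", before, after);
}
```

With renewals every 30 minutes, the two-level model keeps the session resumable until the library's two-hour limit rather than the cache's one hour. The single-level model, with the library timeout set to one hour, stops at one hour.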

Blockedon: 676353
Blockedon: 347402
Blockedon: 677254
Blockedon: 677326
Blockedon: 792204

Comment 19 by b...@chromium.org, Jan 30 2018

Issue 807276 has been merged into this issue.
Blockedon: 828965

Comment 21 by bugdroid1@chromium.org, Aug 21

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f27cb7faf5b40e0c8b6f805bba47414da7ec4171

commit f27cb7faf5b40e0c8b6f805bba47414da7ec4171
Author: Steven Valdez <svaldez@chromium.org>
Date: Tue Aug 21 18:34:33 2018

Add TLS 1.3 Final variant flags.

Bug: 630147
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: I3a7c751403c53a4222ed006cad5a08741a2b1e0b
Reviewed-on: https://chromium-review.googlesource.com/1172504
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Gabriel Charette <gab@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Helen Li <xunjieli@chromium.org>
Reviewed-by: David Benjamin <davidben@chromium.org>
Commit-Queue: Steven Valdez <svaldez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#584856}
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/browser/about_flags.cc
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/browser/flag_descriptions.cc
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/browser/flag_descriptions.h
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/browser/prefs/chrome_command_line_pref_store_ssl_manager_unittest.cc
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/browser/ssl/ssl_config_service_manager_pref.cc
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/browser/ssl/ssl_config_service_manager_pref_unittest.cc
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/common/chrome_switches.cc
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/common/chrome_switches.h
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/common/pref_names.cc
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/net/ssl/ssl_config.h
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/services/network/public/mojom/ssl_config.mojom
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/services/network/ssl_config_type_converter.cc

Comment 22 by bugdroid1@chromium.org, Sep 8

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/eb3d26ae1efe4b239bbe197f7e029566c2535d97

commit eb3d26ae1efe4b239bbe197f7e029566c2535d97
Author: Steven Valdez <svaldez@chromium.org>
Date: Sat Sep 08 22:48:33 2018

Remove TLS 1.3 draft28.

Bug: 630147
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: Iea23b013ad1a2119e964ab5f60d8c9866f23e2c1
Reviewed-on: https://chromium-review.googlesource.com/1213929
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Chris Palmer <palmer@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: David Benjamin <davidben@chromium.org>
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#589788}
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/chrome/browser/about_flags.cc
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/chrome/browser/flag_descriptions.cc
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/chrome/browser/flag_descriptions.h
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/chrome/browser/ssl/ssl_config_service_manager_pref.cc
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/chrome/browser/ssl/ssl_config_service_manager_pref_unittest.cc
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/chrome/common/chrome_switches.cc
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/chrome/common/chrome_switches.h
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/chrome/common/pref_names.cc
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/net/ssl/ssl_config.h
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/services/network/public/mojom/ssl_config.mojom
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/services/network/ssl_config_type_converter.cc