Starred by 23 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug



Issue 630147: Chromium-side TLS 1.3 work

Reported by davidben@chromium.org, Jul 21 2016 Project Member

Issue description

Tracking bug for changes we need to do in Chromium for TLS 1.3.
 

Comment 1 by davidben@chromium.org, Jul 21 2016

Blockedon: 630149

Comment 2 by davidben@chromium.org, Jul 21 2016

Cc: svaldez@chromium.org nhar...@chromium.org

Comment 3 by davidben@chromium.org, Jul 21 2016

Blockedon: 630150

Comment 4 by davidben@chromium.org, Jul 21 2016

Blockedon: 630151

Comment 5 by davidben@chromium.org, Jul 21 2016

Blockedon: 618035

Comment 6 by davidben@chromium.org, Jul 21 2016

Blockedon: 630165

Comment 7 by davidben@chromium.org, Jul 27 2016

Blockedon: 631988

Comment 8 by davidben@chromium.org, Aug 19 2016

Blockedon: 639495

Comment 9 by davidben@chromium.org, Aug 26 2016

Blockedon: 641225

Comment 10 by awhalley@chromium.org, Oct 24 2016

Blockedon: 658863

Comment 11 by awhalley@chromium.org, Oct 24 2016

Labels: M-56

Comment 12 by davidben@chromium.org, Oct 24 2016

Blockedon: boringssl:73

Comment 13 by bugdroid1@chromium.org, Nov 9 2016

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/99ce6308c09c342dbf6cdabda0bdbc1452ee036d

commit 99ce6308c09c342dbf6cdabda0bdbc1452ee036d
Author: davidben <davidben@chromium.org>
Date: Wed Nov 09 17:30:28 2016

Don't maintain a second level of timeouts.

This second level of timeouts is not maintained correctly in the case of
TLS 1.2 ticket renewals. BoringSSL does not extend ticket lifetimes on
ticket renewals because the master secret is unchanged, but BoringSSL's
default is two hours, while SSLClientSessionCache uses one hour. This
meant that TLS 1.2 ticket renewals currently extend the one hour
lifetime up to a two hour non-renewable lifetime.

This makes no sense. Instead, have SSLClientSessionCache query
SSL_SESSION timeout fields. Then configure the SSL_CTX to match the old
timeout to preserve the existing behavior. (Though I suspect one vs two
hours isn't a big difference and we could just leave it at BoringSSL
defaults.)

Do this both to fix our TLS 1.2 ticket renewal policy and prepare for
TLS 1.3 which will involve a more complex timeout policy. (Resumptions
do an ECDH and renewals incorporate that key material, so longer and
renewable lifetimes make sense, but we will still need a non-renewable
timeout for when we require a fresh signature.)

BUG=630147

Review-Url: https://codereview.chromium.org/2480813002
Cr-Commit-Position: refs/heads/master@{#430961}

[modify] https://crrev.com/99ce6308c09c342dbf6cdabda0bdbc1452ee036d/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/99ce6308c09c342dbf6cdabda0bdbc1452ee036d/net/ssl/ssl_client_session_cache.cc
[modify] https://crrev.com/99ce6308c09c342dbf6cdabda0bdbc1452ee036d/net/ssl/ssl_client_session_cache.h
[modify] https://crrev.com/99ce6308c09c342dbf6cdabda0bdbc1452ee036d/net/ssl/ssl_client_session_cache_unittest.cc
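
The timeout interaction described in the commit message of Comment 13, as an added example that is not part of the original issue and not Chromium or BoringSSL code. It is a simplified C++ model: `Session`, `TwoLevelCache`, `SingleLevelCache` and `EffectiveLifetime` are hypothetical names, and only the one-hour and two-hour values come from the commit message.

```cpp
#include <cstdint>
#include <iostream>
#include <vector>

// Simplified model; all names are hypothetical, not Chromium or BoringSSL code.
constexpr int64_t kHour = 3600;  // seconds

struct Session {
  int64_t established;  // when the master secret was negotiated
  int64_t timeout;      // lifetime set by the TLS library
};

// Old policy: the cache stamps each insertion and enforces its own one-hour
// limit on top of the session's lifetime.
struct TwoLevelCache {
  Session session{0, 0};
  int64_t inserted = 0;
  void Insert(const Session& s, int64_t now) { session = s; inserted = now; }
  bool Usable(int64_t now) const {
    return now < inserted + kHour && now < session.established + session.timeout;
  }
};

// New policy: the cache consults only the session's own timeout fields.
struct SingleLevelCache {
  Session session{0, 0};
  void Insert(const Session& s, int64_t /*now*/) { session = s; }
  bool Usable(int64_t now) const { return now < session.established + session.timeout; }
};

// Full handshake at t=0, then a TLS 1.2 ticket renewal at each time in
// `renewals` (ascending). A renewal re-inserts the session with `established`
// unchanged. Returns the first second at which resumption is refused.
template <typename Cache>
int64_t EffectiveLifetime(int64_t library_timeout, const std::vector<int64_t>& renewals) {
  const Session s{0, library_timeout};
  Cache cache;
  cache.Insert(s, 0);
  std::size_t next = 0;
  for (int64_t t = 0;; ++t) {
    if (!cache.Usable(t)) return t;
    if (next < renewals.size() && renewals[next] == t) { cache.Insert(s, t); ++next; }
  }
}

int main() {
  std::cout << EffectiveLifetime<TwoLevelCache>(2 * kHour, {3000, 6000}) << "\n"
            << EffectiveLifetime<SingleLevelCache>(kHour, {3000, 6000}) << "\n";
}
```

With the two-level policy, renewals stretch the one-hour lifetime until the session's own two-hour limit cuts it off; with a single level configured to one hour, renewals do not change the expiry.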

Comment 14 by davidben@chromium.org, Dec 21 2016

Blockedon: 676353

Comment 15 by davidben@chromium.org, Dec 21 2016

Blockedon: 347402

Comment 16 by davidben@chromium.org, Dec 28 2016

Blockedon: 677254

Comment 17 by davidben@chromium.org, Dec 28 2016

Blockedon: 677326

Comment 18 by davidben@chromium.org, Dec 5 2017

Blockedon: 792204

Comment 19 by b...@chromium.org, Jan 30 2018

Issue 807276 has been merged into this issue.

Comment 20 by davidben@chromium.org, Apr 4 2018

Blockedon: 828965

Comment 21 by bugdroid1@chromium.org, Aug 21

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f27cb7faf5b40e0c8b6f805bba47414da7ec4171

commit f27cb7faf5b40e0c8b6f805bba47414da7ec4171
Author: Steven Valdez <svaldez@chromium.org>
Date: Tue Aug 21 18:34:33 2018

Add TLS 1.3 Final variant flags.

Bug: 630147
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: I3a7c751403c53a4222ed006cad5a08741a2b1e0b
Reviewed-on: https://chromium-review.googlesource.com/1172504
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Gabriel Charette <gab@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Helen Li <xunjieli@chromium.org>
Reviewed-by: David Benjamin <davidben@chromium.org>
Commit-Queue: Steven Valdez <svaldez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#584856}
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/browser/about_flags.cc
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/browser/flag_descriptions.cc
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/browser/flag_descriptions.h
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/browser/prefs/chrome_command_line_pref_store_ssl_manager_unittest.cc
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/browser/ssl/ssl_config_service_manager_pref.cc
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/browser/ssl/ssl_config_service_manager_pref_unittest.cc
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/common/chrome_switches.cc
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/common/chrome_switches.h
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/chrome/common/pref_names.cc
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/net/ssl/ssl_config.h
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/services/network/public/mojom/ssl_config.mojom
[modify] https://crrev.com/f27cb7faf5b40e0c8b6f805bba47414da7ec4171/services/network/ssl_config_type_converter.cc

Comment 22 by bugdroid1@chromium.org, Sep 8

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/eb3d26ae1efe4b239bbe197f7e029566c2535d97

commit eb3d26ae1efe4b239bbe197f7e029566c2535d97
Author: Steven Valdez <svaldez@chromium.org>
Date: Sat Sep 08 22:48:33 2018

Remove TLS 1.3 draft28.

Bug: 630147
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: Iea23b013ad1a2119e964ab5f60d8c9866f23e2c1
Reviewed-on: https://chromium-review.googlesource.com/1213929
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Chris Palmer <palmer@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: David Benjamin <davidben@chromium.org>
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#589788}
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/chrome/browser/about_flags.cc
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/chrome/browser/flag_descriptions.cc
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/chrome/browser/flag_descriptions.h
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/chrome/browser/ssl/ssl_config_service_manager_pref.cc
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/chrome/browser/ssl/ssl_config_service_manager_pref_unittest.cc
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/chrome/common/chrome_switches.cc
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/chrome/common/chrome_switches.h
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/chrome/common/pref_names.cc
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/net/ssl/ssl_config.h
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/services/network/public/mojom/ssl_config.mojom
[modify] https://crrev.com/eb3d26ae1efe4b239bbe197f7e029566c2535d97/services/network/ssl_config_type_converter.cc

Comment 23 by svaldez@chromium.org, Nov 12

Blockedon: 904470

Comment 24 by davidben@chromium.org, Nov 19

Blockedon: 906668

Comment 25 by bugdroid1@chromium.org, Nov 19

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0ef94d0c12e1fff886b4434d14d827ad7cad2454

commit 0ef94d0c12e1fff886b4434d14d827ad7cad2454
Author: Steven Valdez <svaldez@chromium.org>
Date: Mon Nov 19 23:28:13 2018

Enable TLS 1.3 by default.

Bug: 630147
Change-Id: I20541f77c7e9e8d5a0085452d2a883e24563083c
Reviewed-on: https://chromium-review.googlesource.com/c/1330069
Commit-Queue: Steven Valdez <svaldez@chromium.org>
Reviewed-by: Adam Langley <agl@chromium.org>
Reviewed-by: Ilya Sherman <isherman@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Ken Rockot <rockot@google.com>
Reviewed-by: David Benjamin <davidben@chromium.org>
Cr-Commit-Position: refs/heads/master@{#609504}
[modify] https://crrev.com/0ef94d0c12e1fff886b4434d14d827ad7cad2454/chrome/browser/extensions/api/socket/tls_socket_unittest.cc
[modify] https://crrev.com/0ef94d0c12e1fff886b4434d14d827ad7cad2454/chrome/browser/ssl/security_state_tab_helper_browsertest.cc
[modify] https://crrev.com/0ef94d0c12e1fff886b4434d14d827ad7cad2454/extensions/browser/api/socket/tcp_socket.cc
[modify] https://crrev.com/0ef94d0c12e1fff886b4434d14d827ad7cad2454/net/http/http_network_transaction_unittest.cc
[modify] https://crrev.com/0ef94d0c12e1fff886b4434d14d827ad7cad2454/net/socket/socket_test_util.cc
[modify] https://crrev.com/0ef94d0c12e1fff886b4434d14d827ad7cad2454/net/socket/ssl_client_socket_pool_unittest.cc
[modify] https://crrev.com/0ef94d0c12e1fff886b4434d14d827ad7cad2454/net/socket/ssl_server_socket_unittest.cc
[modify] https://crrev.com/0ef94d0c12e1fff886b4434d14d827ad7cad2454/net/ssl/ssl_config.cc
[modify] https://crrev.com/0ef94d0c12e1fff886b4434d14d827ad7cad2454/net/url_request/url_request_unittest.cc
[modify] https://crrev.com/0ef94d0c12e1fff886b4434d14d827ad7cad2454/services/network/public/mojom/ssl_config.mojom
[modify] https://crrev.com/0ef94d0c12e1fff886b4434d14d827ad7cad2454/services/network/public/mojom/tls_socket.mojom
[modify] https://crrev.com/0ef94d0c12e1fff886b4434d14d827ad7cad2454/services/network/ssl_config_type_converter.cc
[modify] https://crrev.com/0ef94d0c12e1fff886b4434d14d827ad7cad2454/services/network/url_loader_unittest.cc
[modify] https://crrev.com/0ef94d0c12e1fff886b4434d14d827ad7cad2454/testing/variations/fieldtrial_testing_config.json
