Issue 831240


Issue metadata

Status: Verified
Closed: Apr 2018
OS: Linux, Android, Windows, iOS, Chrome, Mac
Pri: 3
Type: Task




Make sha1_local_anchors_enabled false by default

Project Member Reported by rsleevi@chromium.org, Apr 10 2018

Issue description

Right now, SSLConfig defaults sha1_local_anchors_enabled to true, while the SSLConfigServiceManagerPref defaults it to false (and instead allows a preference override).

This was originally done because Android WebView did not set its own SSLConfigService explicitly, and the desire was to ensure that WebView would match the system defaults. In https://crrev.com/bd9ca31194ec20fdd4faa80518aa4c01a6ca4d89 , a WebView-specific implementation was added for overrides for the Symantec distrust. This can now be used to disable SHA-1 by default, and allow embedders supplying the SSLConfigService for the URLRequestContext to override it if they want to support overrides (implicitly or explicitly).
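The policy described in this issue, as an added illustration that is not Chromium code: a pure-Python model of how a verifier applies `sha1_local_anchors_enabled` to a chain, built on a minimal DER walker that reads the outer `signatureAlgorithm` OID of each certificate. The `chain_allowed` decision function, the `fake_cert` fixtures and their dummy TBS bodies are assumptions for the example; the OID byte strings are the standard encodings.

```python
# Minimal DER walker: pulls the outer signatureAlgorithm OID out of an X.509
# certificate and applies the sha1_local_anchors_enabled policy to a chain.
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def _tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, value, next_pos); definite lengths only."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def _decode_oid(value):
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID from Certificate.signatureAlgorithm (the outer field, not TBS)."""
    _, cert, _ = _tlv(cert_der)                     # Certificate ::= SEQUENCE
    _, _, pos = _tlv(cert)                          # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)                  # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, _ = _tlv(alg_id)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid)

def chain_allowed(chain_der, anchor_is_local, sha1_local_anchors_enabled=False):
    """chain_der = [leaf, ..., last intermediate]; the anchor's self-signature is
    never evaluated. SHA-1 anywhere in the chain fails unless the anchor is
    locally trusted AND the legacy override is on (now off by default)."""
    if not any(signature_algorithm(c) in SHA1_SIG_OIDS for c in chain_der):
        return True
    return anchor_is_local and sha1_local_anchors_enabled

# Constructed fixtures (not real certificates): correct outer layout, dummy TBS.
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
def _der(tag, content):                             # short-form lengths suffice here
    return bytes([tag, len(content)]) + content

def fake_cert(sig_oid_bytes):
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, sig_oid_bytes) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
```

With the default `sha1_local_anchors_enabled=False`, a SHA-1 signature anywhere below the anchor is rejected whether the anchor is public or locally installed; an embedder that supplies its own SSLConfigService is the only place the flag can be flipped back on.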
 
Project Member

Comment 1 by bugdroid1@chromium.org, Apr 11 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e4fe0fb45e055073dca560354951d53128504cfc

commit e4fe0fb45e055073dca560354951d53128504cfc
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Wed Apr 11 16:57:42 2018

Disable SHA-1 support for Local Anchors by default

net::SSLConfig exposes a policy for configuring whether
or not to accept SHA-1 certificates issued by
locally-trusted (as opposed to publicly trusted) trust
anchors. The default for this policy was to accept these
certificates, while anything creating an
SSLConfigServiceManager under //components/ssl_config
would have these disabled by default, unless overridden
by preferences.

Change the default to be secure-by-default, as embedders
can supply an SSLConfigService that best reflects their
desired behaviours (if they do not wish the defaults) as
part of the URLRequestContext(Builder,Getter).

BUG= 831240 

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: I0bcb3474458ca4e0f3e0a554054eec3046a103bb
Reviewed-on: https://chromium-review.googlesource.com/1005416
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Richard Coles <torne@chromium.org>
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#549910}
[modify] https://crrev.com/e4fe0fb45e055073dca560354951d53128504cfc/android_webview/browser/net/aw_url_request_context_getter.cc
[modify] https://crrev.com/e4fe0fb45e055073dca560354951d53128504cfc/android_webview/browser/net/aw_url_request_context_getter_unittest.cc
[modify] https://crrev.com/e4fe0fb45e055073dca560354951d53128504cfc/components/ssl_config/ssl_config_service_manager_pref_unittest.cc
[modify] https://crrev.com/e4fe0fb45e055073dca560354951d53128504cfc/net/ssl/ssl_config.cc
[modify] https://crrev.com/e4fe0fb45e055073dca560354951d53128504cfc/testing/buildbot/filters/mojo.fyi.network_browser_tests.filter

Labels: M-67
Status: Verified (was: Assigned)
