// Copyright 2015 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef NET_SSL_SSL_SERVER_CONFIG_H_ #define NET_SSL_SSL_SERVER_CONFIG_H_ #include #include #include "net/base/net_export.h" #include "net/ssl/ssl_config.h" namespace net { class ClientCertVerifier; // A collection of server-side SSL-related configuration settings. struct NET_EXPORT SSLServerConfig { enum ClientCertType { NO_CLIENT_CERT, OPTIONAL_CLIENT_CERT, REQUIRE_CLIENT_CERT, }; // Defaults SSLServerConfig(); SSLServerConfig(const SSLServerConfig& other); ~SSLServerConfig(); // The minimum and maximum protocol versions that are enabled. // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined in ssl_config.h) // SSL 2.0 and SSL 3.0 are not supported. If version_max < version_min, it // means no protocol versions are enabled. uint16_t version_min; uint16_t version_max; // Whether early data is enabled on this connection. The caller is obligated // to reject early data that is non-safe to be replayed. bool early_data_enabled; // Presorted list of cipher suites which should be explicitly prevented from // being used in addition to those disabled by the net built-in policy. // // By default, all cipher suites supported by the underlying SSL // implementation will be enabled except for: // - Null encryption cipher suites. // - Weak cipher suites: < 80 bits of security strength. // - FORTEZZA cipher suites (obsolete). // - IDEA cipher suites (RFC 5469 explains why). // - Anonymous cipher suites. // - ECDSA cipher suites on platforms that do not support ECDSA signed // certificates, as servers may use the presence of such ciphersuites as a // hint to send an ECDSA certificate. // The ciphers listed in |disabled_cipher_suites| will be removed in addition // to the above list. // // Though cipher suites are sent in TLS as "uint8_t CipherSuite[2]", in // big-endian form, they should be declared in host byte order, with the // first uint8_t occupying the most significant byte. // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002. std::vector disabled_cipher_suites; // If true, causes only ECDHE cipher suites to be enabled. bool require_ecdhe; // Sets the requirement for client certificates during handshake. ClientCertType client_cert_type; // List of DER-encoded X.509 DistinguishedName of certificate authorities // to be included in the CertificateRequest handshake message, // if client certificates are required. std::vector cert_authorities_; // Provides the ClientCertVerifier that is to be used to verify // client certificates during the handshake. // The |client_cert_verifier| continues to be owned by the caller, // and must outlive any sockets spawned from this SSLServerContext. // This field is meaningful only if client certificates are requested. // If a verifier is not provided then all certificates are accepted. ClientCertVerifier* client_cert_verifier; }; } // namespace net #endif // NET_SSL_SSL_SERVER_CONFIG_H_