Disable DTLS 1.0, TLS 1.0 and TLS 1.1 downgrade in WebRTC.
This change disables DTLS 1.0, TLS 1.0 and TLS 1.1 in WebRTC by default. This is part of a larger effort at Google to remove old TLS protocols: https://security.googleblog.com/2018/10/modernizing-transport-security.html

For the M74 timeline I have added a disabled-by-default field trial WebRTC-LegacyTlsProtocols which can be enabled to support these cipher suites as consumers move away from these legacy cipher protocols, but it will be off in Chrome.

This is compliant with the webrtc-security-arch specification, which states:

All Implementations MUST implement DTLS 1.2 with the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite and the P-256 curve [FIPS186]. Earlier drafts of this specification required DTLS 1.0 with the cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, and at the time of this writing some implementations do not support DTLS 1.2; endpoints which support only DTLS 1.2 might encounter interoperability issues. The DTLS-SRTP protection profile SRTP_AES128_CM_HMAC_SHA1_80 MUST be supported for SRTP. Implementations MUST favor cipher suites which support (Perfect Forward Secrecy) PFS over non-PFS cipher suites and SHOULD favor AEAD over non-AEAD cipher suites.

Bug: webrtc:10261
Change-Id: I847c567592911cc437f095376ad67585b4355fc0
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/125141
Commit-Queue: Benjamin Wright <benwright@webrtc.org>
Reviewed-by: David Benjamin <davidben@webrtc.org>
Reviewed-by: Qingsi Wang <qingsi@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#27006}
committed by Commit Bot
parent 4423c36448
commit 7276b974b7
@ -90,6 +90,11 @@ bool IsGcmCryptoSuiteName(const std::string& crypto_suite);
enum SSLRole { SSL_CLIENT, SSL_SERVER };
enum SSLMode { SSL_MODE_TLS, SSL_MODE_DTLS };
// Note: By default TLS_10, TLS_11, and DTLS_10 will all be upgraded to DTLS1_2
// unless the trial flag WebRTC-LegacyTlsProtocols/Enabled/ is passed in. These
// protocol versions will be completely removed in M75
// TODO(https://bugs.webrtc.org/10261).
enum SSLProtocolVersion {
SSL_PROTOCOL_TLS_10,
SSL_PROTOCOL_TLS_11,
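Review bot: the comment added above enum SSLProtocolVersion says the legacy versions "will all be upgraded to DTLS1_2", but the enum is shared with SSL_MODE_TLS, where the floor would be TLS 1.2, so "(D)TLS 1.2" is the accurate wording. The comment also names the trial as "WebRTC-LegacyTlsProtocols/Enabled/" while the commit message calls it WebRTC-LegacyTlsProtocols; state the exact trial string the code checks so readers can enable it correctly. The TODO line is orphaned from the sentence it belongs to; fold it into the removal note, e.g. "// TODO(https://bugs.webrtc.org/10261): Remove these protocol versions in M75." It would also help to say here that SSL_PROTOCOL_TLS_10 and SSL_PROTOCOL_TLS_11 are kept only for the field trial, since the enum values survive while the default behaviour no longer honours them.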