Revert "Disable DTLS 1.0, TLS 1.0 and TLS 1.1 downgrade in WebRTC."

This reverts commit 7276b974b78ea4f409d8738b1b6f1515f7a8968e.

Reason for revert: Changing to a later Chrome release.

Original change's description:
> Disable DTLS 1.0, TLS 1.0 and TLS 1.1 downgrade in WebRTC.
>
> This change disables DTLS 1.0, TLS 1.0 and TLS 1.1 in WebRTC by default. This
> is part of a larger effort at Google to remove old TLS protocols:
> https://security.googleblog.com/2018/10/modernizing-transport-security.html
>
> For the M74 timeline I have added a disabled by default field trial
> WebRTC-LegacyTlsProtocols which can be enabled to support these cipher suites
> as consumers move away from these legacy cipher protocols but it will be off
> in Chrome.
>
> This is compliant with the webrtc-security-arch specification which states:
>
>    All Implementations MUST implement DTLS 1.2 with the
>    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite and the P-256
>    curve [FIPS186].  Earlier drafts of this specification required DTLS
>    1.0 with the cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, and
>    at the time of this writing some implementations do not support DTLS
>    1.2; endpoints which support only DTLS 1.2 might encounter
>    interoperability issues.  The DTLS-SRTP protection profile
>    SRTP_AES128_CM_HMAC_SHA1_80 MUST be supported for SRTP.
>    Implementations MUST favor cipher suites which support (Perfect
>    Forward Secrecy) PFS over non-PFS cipher suites and SHOULD favor AEAD
>    over non-AEAD cipher suites.
>
> Bug: webrtc:10261
> Change-Id: I847c567592911cc437f095376ad67585b4355fc0
> Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/125141
> Commit-Queue: Benjamin Wright <benwright@webrtc.org>
> Reviewed-by: David Benjamin <davidben@webrtc.org>
> Reviewed-by: Qingsi Wang <qingsi@webrtc.org>
> Cr-Commit-Position: refs/heads/master@{#27006}

TBR=steveanton@webrtc.org,davidben@webrtc.org,qingsi@webrtc.org,benwright@webrtc.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: webrtc:10261
Change-Id: I34727e65c069e1fb2ad71838828ad0a22b5fe811
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/130367
Commit-Queue: Benjamin Wright <benwright@webrtc.org>
Reviewed-by: Benjamin Wright <benwright@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#27403}

This commit is contained in:

Benjamin Wright

2019-04-01 18:25:23 +00:00

committed by

Commit Bot

parent ae4b62318d

commit af1f8655b2

5 changed files with 46 additions and 129 deletions

									
										3

rtc_base/openssl_stream_adapter.h
									
												View File
												
				@ -217,9 +217,6 @@ class OpenSSLStreamAdapter final : public SSLStreamAdapter {

				  // A 50-ms initial timeout ensures rapid setup on fast connections, but may

				  // be too aggressive for low bandwidth links.

				  int dtls_handshake_timeout_ms_ = 50;

				  // TODO(https://bugs.webrtc.org/10261): Completely remove this option in M75.

				  const bool support_legacy_tls_protocols_flag_;

				};

				/////////////////////////////////////////////////////////////////////////////

Revert "Disable DTLS 1.0, TLS 1.0 and TLS 1.1 downgrade in WebRTC."

3 rtc_base/openssl_stream_adapter.h Unescape Escape View File

3

rtc_base/openssl_stream_adapter.h

View File