// Copyright 2018 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Mojo IDL describing the TLS/certificate-verification settings pushed to
// consumers of the network.mojom module, and the one-way interface used to
// deliver them. Nothing in this file is enforced at runtime: the .mojom only
// defines the wire shape, so any invariant between fields (see the notes on
// the version fields below) has to be checked by whoever receives the struct.
module network.mojom;

// Protocol versions selectable through SSLConfig. SSL 2.0/3.0 are
// deliberately absent (see the comment on version_min). Enumerators are
// declared in ascending protocol order; presumably consumers rely on that
// ordering when comparing versions -- confirm in net/ssl/ssl_config.cc
// before reordering or inserting values.
enum SSLVersion {
  kTLS1,   // TLS 1.0
  kTLS11,  // TLS 1.1
  kTLS12,  // TLS 1.2
  kTLS13,  // TLS 1.3
};

// This is a combination of net::SSLContextConfig and
// net::CertVerifier::Config's fields. See those two classes for descriptions.
//
// Every boolean below defaults to its stricter setting (checks on, relaxations
// off); the defaults only apply when a field is left unset by the sender, so a
// receiver should not assume "false" means "not configured".
struct SSLConfig {
  // Revocation-checking controls. Their exact semantics (online vs. cached
  // checks, hard- vs. soft-fail) are defined by net::CertVerifier::Config,
  // not here -- NOTE(review): confirm there before changing a default.
  bool rev_checking_enabled = false;
  bool rev_checking_required_local_anchors = false;

  // Relaxations of certificate verification; both are off by default. The
  // names suggest they scope to certificates chaining to locally-installed
  // trust anchors and to the Symantec legacy-PKI distrust respectively --
  // NOTE(review): verify the exact scope in net::CertVerifier::Config.
  bool sha1_local_anchors_enabled = false;
  bool symantec_enforcement_disabled = false;

  // If true, enables TLS 1.3 downgrade hardening for connections using local
  // trust anchors. (Hardening for known roots is always enabled.)
  bool tls13_hardening_for_local_anchors_enabled = false;

  // SSL 2.0 and 3.0 are not supported. Note these lines must be kept in sync
  // with net/ssl/ssl_config.cc.
  //
  // NOTE(review): the default floor is TLS 1.0 while version_min_warn is
  // TLS 1.2, i.e. by default TLS 1.0/1.1 connections are still permitted and
  // only flagged (see the interstitial note below). Raising version_min is a
  // policy decision for the sender; it is not expressed here.
  //
  // The IDL cannot state the ordering invariant
  //   version_min <= version_min_warn <= version_max
  // so a receiver getting this struct over IPC should validate it rather
  // than trust the sender -- presumably done on the net/ssl side; confirm.
  SSLVersion version_min = kTLS1;
  // version_min_warn is the minimum protocol version that won't cause cert
  // errors (e.g., in Chrome we'll show a security interstitial for connections
  // using a version lower than version_min_warn).
  SSLVersion version_min_warn = kTLS12;
  SSLVersion version_max = kTLS13;

  // Though cipher suites are sent in TLS as "uint8_t CipherSuite[2]", in
  // big-endian form, they should be declared in host byte order, with the
  // first uint8_t occupying the most significant byte.
  // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
  // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
  //
  // This is a denylist only: there is no corresponding "enabled" list, so an
  // empty array presumably leaves the built-in defaults untouched -- confirm
  // against net::SSLContextConfig.
  array<uint16> disabled_cipher_suites;

  // Patterns for matching hostnames to determine when to allow connection
  // coalescing when client certificates are also in use. Patterns follow
  // the rules for host matching from the URL Blacklist filter format:
  // "example.com" matches "example.com" and all subdomains, while
  // ".example.net" matches exactly "example.net". Hostnames must be
  // canonicalized according to the rules used by GURL.
  //
  // Note the leading-dot convention is the opposite of the common cookie /
  // DNS-suffix reading: the bare name is the broad (subdomain-inclusive)
  // form and the dotted name is the exact match. Each entry is one pattern;
  // whether order matters is not specified here.
  array<string> client_cert_pooling_policy;
};

// Receives SSL configuration updates.
interface SSLConfigClient {
  // Delivers a complete SSLConfig (the whole struct, not a delta). The
  // message has no reply (no "=>" clause), so the sender cannot observe
  // whether or when the receiver applied it; presumably the receiver
  // replaces its current configuration wholesale -- confirm in the
  // implementation.
  OnSSLConfigUpdated(SSLConfig ssl_config);
};