diff --git a/rtc_base/openssl_stream_adapter.cc b/rtc_base/openssl_stream_adapter.cc
index 353cbbe681..9642674d45 100644
--- a/rtc_base/openssl_stream_adapter.cc
+++ b/rtc_base/openssl_stream_adapter.cc
@@ -278,21 +278,6 @@ static long stream_ctrl(BIO* b, int cmd, long num, void* ptr) {
 // OpenSSLStreamAdapter
 /////////////////////////////////////////////////////////////////////////////
-static std::atomic g_use_legacy_tls_protocols_override(false);
-static std::atomic g_allow_legacy_tls_protocols(false);
-
-void SetAllowLegacyTLSProtocols(const absl::optional& allow) {
- g_use_legacy_tls_protocols_override.store(allow.has_value());
- if (allow.has_value())
- g_allow_legacy_tls_protocols.store(allow.value());
-}
-
-bool ShouldAllowLegacyTLSProtocols() {
- return g_use_legacy_tls_protocols_override.load()
- ? g_allow_legacy_tls_protocols.load()
- : webrtc::field_trial::IsEnabled("WebRTC-LegacyTlsProtocols");
-}
-
 OpenSSLStreamAdapter::OpenSSLStreamAdapter(
 std::unique_ptr stream,
 absl::AnyInvocable handshake_error)
@@ -306,10 +291,7 @@ OpenSSLStreamAdapter::OpenSSLStreamAdapter(
 ssl_(nullptr),
 ssl_ctx_(nullptr),
 ssl_mode_(SSL_MODE_TLS),
- ssl_max_version_(SSL_PROTOCOL_TLS_12),
- // Default is to support legacy TLS protocols.
- // This will be changed to default non-support in M82 or M83.
- support_legacy_tls_protocols_flag_(ShouldAllowLegacyTLSProtocols()) {
+ ssl_max_version_(SSL_PROTOCOL_TLS_12) {
 stream_->SignalEvent.connect(this, &OpenSSLStreamAdapter::OnEvent);
 }
@@ -1031,33 +1013,10 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
 return nullptr;
 }
- if (support_legacy_tls_protocols_flag_) {
- // TODO(https://bugs.webrtc.org/10261): Completely remove this branch in
- // M84.
- SSL_CTX_set_min_proto_version(
- ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION);
- switch (ssl_max_version_) {
- case SSL_PROTOCOL_TLS_10:
- SSL_CTX_set_max_proto_version(
- ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION);
- break;
- case SSL_PROTOCOL_TLS_11:
- SSL_CTX_set_max_proto_version(
- ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_1_VERSION);
- break;
- case SSL_PROTOCOL_TLS_12:
- default:
- SSL_CTX_set_max_proto_version(
- ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
- break;
- }
- } else {
- // TODO(https://bugs.webrtc.org/10261): Make this the default in M84.
- SSL_CTX_set_min_proto_version(
- ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
- SSL_CTX_set_max_proto_version(
- ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
- }
+ SSL_CTX_set_min_proto_version(
+ ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
+ SSL_CTX_set_max_proto_version(
+ ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
 #ifdef OPENSSL_IS_BORINGSSL
 // SSL_CTX_set_current_time_cb is only supported in BoringSSL.
diff --git a/rtc_base/openssl_stream_adapter.h b/rtc_base/openssl_stream_adapter.h
index 42fdb08aae..34cadeb06c 100644
--- a/rtc_base/openssl_stream_adapter.h
+++ b/rtc_base/openssl_stream_adapter.h
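Review bot: The two unconditional calls added in SetupSSLContext discard the results of `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version`, both of which return 0 on failure, so a failed call would leave the context on the library's default version range instead of the intended (D)TLS 1.2 floor. With the legacy branch gone this is the only place the floor is enforced, so it should fail closed: compute `const int version = ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION;` once and bail out on `if (!SSL_CTX_set_min_proto_version(ctx, version) || !SSL_CTX_set_max_proto_version(ctx, version))`, releasing `ctx` the same way the earlier `return nullptr` path does. `ssl_max_version_` is still initialised in the constructor but is no longer read in this hunk, so a caller that asks for a lower maximum appears to get 1.2 silently; a comment saying so, or a log line where it is set, would help. The tests deleted further down were the ones that requested DTLS 1.0, so one small test asserting that such a request still negotiates DTLS 1.2 would pin the floor against regressions. The function body starts and ends outside the hunk.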
@@ -66,12 +66,6 @@ class SSLCertChain;
 ///////////////////////////////////////////////////////////////////////////////
-// If `allow` has a value, its value determines if legacy TLS protocols are
-// allowed, overriding the default configuration.
-// If `allow` has no value, any previous override is removed and the default
-// configuration is restored.
-RTC_EXPORT void SetAllowLegacyTLSProtocols(const absl::optional& allow);
-
 class OpenSSLStreamAdapter final : public SSLStreamAdapter,
 public sigslot::has_slots<> {
 public:
@@ -252,9 +246,6 @@ class OpenSSLStreamAdapter final : public SSLStreamAdapter,
 // A 50-ms initial timeout ensures rapid setup on fast connections, but may
 // be too aggressive for low bandwidth links.
 int dtls_handshake_timeout_ms_ = 50;
-
- // TODO(https://bugs.webrtc.org/10261): Completely remove this option in M84.
- const bool support_legacy_tls_protocols_flag_;
 };
 /////////////////////////////////////////////////////////////////////////////
diff --git a/rtc_base/ssl_stream_adapter_unittest.cc b/rtc_base/ssl_stream_adapter_unittest.cc
index 3c2ee8fb86..def4c47c0d 100644
--- a/rtc_base/ssl_stream_adapter_unittest.cc
+++ b/rtc_base/ssl_stream_adapter_unittest.cc
@@ -1613,11 +1613,14 @@ INSTANTIATE_TEST_SUITE_P(
 rtc::KeyParams::RSA(1152, 65537),
 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256))));
-// Tests for enabling / disabling legacy TLS protocols in DTLS.
-class SSLStreamAdapterTestDTLSLegacyProtocols
+// Tests for enabling the (D)TLS extension permutation which randomizes the
+// order of extensions in the client hello.
+// These tests are a no-op under OpenSSL.
+#ifdef OPENSSL_IS_BORINGSSL
+class SSLStreamAdapterTestDTLSExtensionPermutation
 : public SSLStreamAdapterTestDTLSBase {
 public:
- SSLStreamAdapterTestDTLSLegacyProtocols()
+ SSLStreamAdapterTestDTLSExtensionPermutation()
 : SSLStreamAdapterTestDTLSBase(rtc::KeyParams::ECDSA(rtc::EC_NIST_P256),
 rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)) {
 }
@@ -1656,179 +1659,6 @@ class SSLStreamAdapterTestDTLSLegacyProtocols
 }
 };
-// Test getting the used DTLS ciphers.
-// DTLS 1.2 enabled for neither client nor server -> DTLS 1.0 will be used.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols, TestGetSslCipherSuite) {
- ConfigureClient("WebRTC-LegacyTlsProtocols/Enabled/");
- ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
- TestHandshake();
-
- int client_cipher;
- ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
- int server_cipher;
- ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
-
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
-
- ASSERT_EQ(client_cipher, server_cipher);
-}
-
-// Test getting the used DTLS 1.2 ciphers.
-// DTLS 1.2 enabled for client and server -> DTLS 1.2 will be used.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslCipherSuiteDtls12Both) {
- ConfigureClient("");
- ConfigureServer("");
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
- TestHandshake();
-
- int client_cipher;
- ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
- int server_cipher;
- ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
-
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(true));
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(false));
-
- ASSERT_EQ(client_cipher, server_cipher);
-}
-
-// DTLS 1.2 enabled for client only -> DTLS 1.0 will be used.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslCipherSuiteDtls12Client) {
- ConfigureClient("WebRTC-LegacyTlsProtocols/Enabled/");
- ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12);
- TestHandshake();
-
- int client_cipher;
- ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
- int server_cipher;
- ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
-
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
-
- ASSERT_EQ(client_cipher, server_cipher);
-}
-
-// DTLS 1.2 enabled for server only -> DTLS 1.0 will be used.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslCipherSuiteDtls12Server) {
- ConfigureClient("WebRTC-LegacyTlsProtocols/Enabled/");
- ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_10);
- TestHandshake();
-
- int client_cipher;
- ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
- int server_cipher;
- ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
-
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
-
- ASSERT_EQ(client_cipher, server_cipher);
-}
-
-// Client has legacy TLS versions disabled, server has DTLS 1.0 only.
-// This is meant to cause a failure.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslVersionLegacyDisabledServer10) {
- ConfigureClient("");
- ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12);
- // Handshake should fail.
- TestHandshake(false);
-}
-
-// Both client and server have legacy TLS versions disabled and support
-// DTLS 1.2. This should work.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslVersionLegacyDisabledServer12) {
- ConfigureClient("");
- ConfigureServer("");
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
- TestHandshake();
-}
-
-// Both client and server have legacy TLS versions enabled and support DTLS 1.0.
-// This should work.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslVersionLegacyEnabledClient10Server10) {
- ConfigureClient("WebRTC-LegacyTlsProtocols/Enabled/");
- ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
- TestHandshake();
-}
-
-// Legacy protocols are disabled in the client, max TLS version is 1.0
-// This should be a configuration error, and handshake should fail.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslVersionLegacyDisabledClient10Server10) {
- ConfigureClient("");
- ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
- TestHandshake(false);
-}
-
-// Both client and server have legacy TLS versions enabled and support DTLS 1.0.
-// This should work.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslVersionLegacyOverrideEnabledClient10Server10) {
- rtc::SetAllowLegacyTLSProtocols(true);
- ConfigureClient("");
- ConfigureServer("");
- // Remove override.
- rtc::SetAllowLegacyTLSProtocols(absl::nullopt);
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
- TestHandshake();
-}
-
-// Client has legacy TLS disabled and server has legacy TLS enabled via
-// override. Handshake for DTLS 1.0 should fail.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslVersionLegacyOverrideDisabledClient10EnabledServer10) {
- rtc::SetAllowLegacyTLSProtocols(false);
- ConfigureClient("");
- rtc::SetAllowLegacyTLSProtocols(true);
- ConfigureServer("");
- // Remove override.
- rtc::SetAllowLegacyTLSProtocols(absl::nullopt);
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
- TestHandshake(false);
-}
-
-// Client has legacy TLS enabled and server has legacy TLS disabled via
-// override. Handshake for DTLS 1.0 should fail.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslVersionLegacyOverrideEnabledClient10DisabledServer10) {
- rtc::SetAllowLegacyTLSProtocols(true);
- ConfigureClient("");
- rtc::SetAllowLegacyTLSProtocols(false);
- ConfigureServer("");
- // Remove override.
- rtc::SetAllowLegacyTLSProtocols(absl::nullopt);
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
- TestHandshake(false);
-}
-
-// These tests are a no-op under OpenSSL.
-#ifdef OPENSSL_IS_BORINGSSL
-// TODO(https://bugs.webrtc.org/10261): when removing
-// SSLStreamAdapterTestDTLSLegacyProtocols that this class
-// inherits from move the code to this class.
-class SSLStreamAdapterTestDTLSExtensionPermutation
- : public SSLStreamAdapterTestDTLSLegacyProtocols {
- public:
- SSLStreamAdapterTestDTLSExtensionPermutation()
- : SSLStreamAdapterTestDTLSLegacyProtocols() {}
-};
-
-// Tests for enabling the (D)TLS extension permutation which randomizes the
-// order of extensions in the client hello.
 TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
 ClientDefaultServerDefault) {
 ConfigureClient("");