Remove DTLS 1.0 legacy code
which has been enabled by default since M84. It was still available
under an enterprise policy, which was removed in M121:
https://chromiumdash.appspot.com/commit/39d28bb7657b482f1fdcab81ca88371d8914809b
BUG=webrtc:10261,chromium:1132854
Change-Id: Icd534342b60799b7862bc3e7edda6825de7ae976
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/317360
Reviewed-by: Harald Alvestrand <hta@webrtc.org>
Reviewed-by: Guido Urdaneta <guidou@webrtc.org>
Commit-Queue: Philipp Hancke <phancke@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#41145}
diff --git a/rtc_base/openssl_stream_adapter.cc b/rtc_base/openssl_stream_adapter.cc
index 353cbbe..9642674 100644
--- a/rtc_base/openssl_stream_adapter.cc
+++ b/rtc_base/openssl_stream_adapter.cc
@@ -278,21 +278,6 @@
// OpenSSLStreamAdapter
/////////////////////////////////////////////////////////////////////////////
-static std::atomic<bool> g_use_legacy_tls_protocols_override(false);
-static std::atomic<bool> g_allow_legacy_tls_protocols(false);
-
-void SetAllowLegacyTLSProtocols(const absl::optional<bool>& allow) {
- g_use_legacy_tls_protocols_override.store(allow.has_value());
- if (allow.has_value())
- g_allow_legacy_tls_protocols.store(allow.value());
-}
-
-bool ShouldAllowLegacyTLSProtocols() {
- return g_use_legacy_tls_protocols_override.load()
- ? g_allow_legacy_tls_protocols.load()
- : webrtc::field_trial::IsEnabled("WebRTC-LegacyTlsProtocols");
-}
-
OpenSSLStreamAdapter::OpenSSLStreamAdapter(
std::unique_ptr<StreamInterface> stream,
absl::AnyInvocable<void(SSLHandshakeError)> handshake_error)
@@ -306,10 +291,7 @@
ssl_(nullptr),
ssl_ctx_(nullptr),
ssl_mode_(SSL_MODE_TLS),
- ssl_max_version_(SSL_PROTOCOL_TLS_12),
- // Default is to support legacy TLS protocols.
- // This will be changed to default non-support in M82 or M83.
- support_legacy_tls_protocols_flag_(ShouldAllowLegacyTLSProtocols()) {
+ ssl_max_version_(SSL_PROTOCOL_TLS_12) {
stream_->SignalEvent.connect(this, &OpenSSLStreamAdapter::OnEvent);
}
@@ -1031,33 +1013,10 @@
return nullptr;
}
- if (support_legacy_tls_protocols_flag_) {
- // TODO(https://bugs.webrtc.org/10261): Completely remove this branch in
- // M84.
- SSL_CTX_set_min_proto_version(
- ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION);
- switch (ssl_max_version_) {
- case SSL_PROTOCOL_TLS_10:
- SSL_CTX_set_max_proto_version(
- ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION);
- break;
- case SSL_PROTOCOL_TLS_11:
- SSL_CTX_set_max_proto_version(
- ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_1_VERSION);
- break;
- case SSL_PROTOCOL_TLS_12:
- default:
- SSL_CTX_set_max_proto_version(
- ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
- break;
- }
- } else {
- // TODO(https://bugs.webrtc.org/10261): Make this the default in M84.
- SSL_CTX_set_min_proto_version(
- ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
- SSL_CTX_set_max_proto_version(
- ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
- }
+ SSL_CTX_set_min_proto_version(
+ ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
+ SSL_CTX_set_max_proto_version(
+ ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
#ifdef OPENSSL_IS_BORINGSSL
// SSL_CTX_set_current_time_cb is only supported in BoringSSL.
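Review bot: The two `+` calls drop the return values of SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version, which return 0 on failure, so a context that could not be pinned to (D)TLS 1.2 would continue with the library's default version range instead of failing closed; checking both results and bailing out through the function's existing `return nullptr;` failure path would close that gap. The new code also no longer consults `ssl_max_version_`, which the constructor in the earlier hunk still initializes and which the removed switch honored; if a setter for it still exists, either retire the member the way support_legacy_tls_protocols_flag_ was, or record the fact with `// (D)TLS 1.2 is both floor and ceiling; ssl_max_version_ no longer lowers it.` As a matter of style the version expression is evaluated twice; `const int proto_version = ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION;` followed by `SSL_CTX_set_min_proto_version(ctx, proto_version);` and `SSL_CTX_set_max_proto_version(ctx, proto_version);` reads cleaner. The enclosing function starts and ends outside this hunk.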
diff --git a/rtc_base/openssl_stream_adapter.h b/rtc_base/openssl_stream_adapter.h
index 42fdb08..34cadeb 100644
--- a/rtc_base/openssl_stream_adapter.h
+++ b/rtc_base/openssl_stream_adapter.h
@@ -66,12 +66,6 @@
///////////////////////////////////////////////////////////////////////////////
-// If `allow` has a value, its value determines if legacy TLS protocols are
-// allowed, overriding the default configuration.
-// If `allow` has no value, any previous override is removed and the default
-// configuration is restored.
-RTC_EXPORT void SetAllowLegacyTLSProtocols(const absl::optional<bool>& allow);
-
class OpenSSLStreamAdapter final : public SSLStreamAdapter,
public sigslot::has_slots<> {
public:
@@ -252,9 +246,6 @@
// A 50-ms initial timeout ensures rapid setup on fast connections, but may
// be too aggressive for low bandwidth links.
int dtls_handshake_timeout_ms_ = 50;
-
- // TODO(https://bugs.webrtc.org/10261): Completely remove this option in M84.
- const bool support_legacy_tls_protocols_flag_;
};
/////////////////////////////////////////////////////////////////////////////
diff --git a/rtc_base/ssl_stream_adapter_unittest.cc b/rtc_base/ssl_stream_adapter_unittest.cc
index 3c2ee8f..def4c47 100644
--- a/rtc_base/ssl_stream_adapter_unittest.cc
+++ b/rtc_base/ssl_stream_adapter_unittest.cc
@@ -1613,11 +1613,14 @@
rtc::KeyParams::RSA(1152, 65537),
rtc::KeyParams::ECDSA(rtc::EC_NIST_P256))));
-// Tests for enabling / disabling legacy TLS protocols in DTLS.
-class SSLStreamAdapterTestDTLSLegacyProtocols
+// Tests for enabling the (D)TLS extension permutation which randomizes the
+// order of extensions in the client hello.
+// These tests are a no-op under OpenSSL.
+#ifdef OPENSSL_IS_BORINGSSL
+class SSLStreamAdapterTestDTLSExtensionPermutation
: public SSLStreamAdapterTestDTLSBase {
public:
- SSLStreamAdapterTestDTLSLegacyProtocols()
+ SSLStreamAdapterTestDTLSExtensionPermutation()
: SSLStreamAdapterTestDTLSBase(rtc::KeyParams::ECDSA(rtc::EC_NIST_P256),
rtc::KeyParams::ECDSA(rtc::EC_NIST_P256)) {
}
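Review bot: The comment on the `+` lines still says the tests are a no-op under OpenSSL, but with `#ifdef OPENSSL_IS_BORINGSSL` now placed before the fixture class, neither the fixture nor its TEST_F bodies are compiled at all outside BoringSSL; `// Only compiled under BoringSSL, which exposes the extension permutation setting; under OpenSSL these tests do not exist.` states what actually happens. The matching `#endif` and the rest of the fixture body lie outside this hunk, so I could not confirm where the conditional block is closed.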
@@ -1656,179 +1659,6 @@
}
};
-// Test getting the used DTLS ciphers.
-// DTLS 1.2 enabled for neither client nor server -> DTLS 1.0 will be used.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols, TestGetSslCipherSuite) {
- ConfigureClient("WebRTC-LegacyTlsProtocols/Enabled/");
- ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
- TestHandshake();
-
- int client_cipher;
- ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
- int server_cipher;
- ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
-
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
-
- ASSERT_EQ(client_cipher, server_cipher);
-}
-
-// Test getting the used DTLS 1.2 ciphers.
-// DTLS 1.2 enabled for client and server -> DTLS 1.2 will be used.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslCipherSuiteDtls12Both) {
- ConfigureClient("");
- ConfigureServer("");
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
- TestHandshake();
-
- int client_cipher;
- ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
- int server_cipher;
- ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
-
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(true));
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_12, GetSslVersion(false));
-
- ASSERT_EQ(client_cipher, server_cipher);
-}
-
-// DTLS 1.2 enabled for client only -> DTLS 1.0 will be used.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslCipherSuiteDtls12Client) {
- ConfigureClient("WebRTC-LegacyTlsProtocols/Enabled/");
- ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12);
- TestHandshake();
-
- int client_cipher;
- ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
- int server_cipher;
- ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
-
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
-
- ASSERT_EQ(client_cipher, server_cipher);
-}
-
-// DTLS 1.2 enabled for server only -> DTLS 1.0 will be used.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslCipherSuiteDtls12Server) {
- ConfigureClient("WebRTC-LegacyTlsProtocols/Enabled/");
- ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_10);
- TestHandshake();
-
- int client_cipher;
- ASSERT_TRUE(GetSslCipherSuite(true, &client_cipher));
- int server_cipher;
- ASSERT_TRUE(GetSslCipherSuite(false, &server_cipher));
-
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(true));
- ASSERT_EQ(rtc::SSL_PROTOCOL_DTLS_10, GetSslVersion(false));
-
- ASSERT_EQ(client_cipher, server_cipher);
-}
-
-// Client has legacy TLS versions disabled, server has DTLS 1.0 only.
-// This is meant to cause a failure.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslVersionLegacyDisabledServer10) {
- ConfigureClient("");
- ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12);
- // Handshake should fail.
- TestHandshake(false);
-}
-
-// Both client and server have legacy TLS versions disabled and support
-// DTLS 1.2. This should work.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslVersionLegacyDisabledServer12) {
- ConfigureClient("");
- ConfigureServer("");
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
- TestHandshake();
-}
-
-// Both client and server have legacy TLS versions enabled and support DTLS 1.0.
-// This should work.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslVersionLegacyEnabledClient10Server10) {
- ConfigureClient("WebRTC-LegacyTlsProtocols/Enabled/");
- ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
- TestHandshake();
-}
-
-// Legacy protocols are disabled in the client, max TLS version is 1.0
-// This should be a configuration error, and handshake should fail.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslVersionLegacyDisabledClient10Server10) {
- ConfigureClient("");
- ConfigureServer("WebRTC-LegacyTlsProtocols/Enabled/");
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
- TestHandshake(false);
-}
-
-// Both client and server have legacy TLS versions enabled and support DTLS 1.0.
-// This should work.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslVersionLegacyOverrideEnabledClient10Server10) {
- rtc::SetAllowLegacyTLSProtocols(true);
- ConfigureClient("");
- ConfigureServer("");
- // Remove override.
- rtc::SetAllowLegacyTLSProtocols(absl::nullopt);
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
- TestHandshake();
-}
-
-// Client has legacy TLS disabled and server has legacy TLS enabled via
-// override. Handshake for DTLS 1.0 should fail.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslVersionLegacyOverrideDisabledClient10EnabledServer10) {
- rtc::SetAllowLegacyTLSProtocols(false);
- ConfigureClient("");
- rtc::SetAllowLegacyTLSProtocols(true);
- ConfigureServer("");
- // Remove override.
- rtc::SetAllowLegacyTLSProtocols(absl::nullopt);
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
- TestHandshake(false);
-}
-
-// Client has legacy TLS enabled and server has legacy TLS disabled via
-// override. Handshake for DTLS 1.0 should fail.
-TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
- TestGetSslVersionLegacyOverrideEnabledClient10DisabledServer10) {
- rtc::SetAllowLegacyTLSProtocols(true);
- ConfigureClient("");
- rtc::SetAllowLegacyTLSProtocols(false);
- ConfigureServer("");
- // Remove override.
- rtc::SetAllowLegacyTLSProtocols(absl::nullopt);
- SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
- TestHandshake(false);
-}
-
-// These tests are a no-op under OpenSSL.
-#ifdef OPENSSL_IS_BORINGSSL
-// TODO(https://bugs.webrtc.org/10261): when removing
-// SSLStreamAdapterTestDTLSLegacyProtocols that this class
-// inherits from move the code to this class.
-class SSLStreamAdapterTestDTLSExtensionPermutation
- : public SSLStreamAdapterTestDTLSLegacyProtocols {
- public:
- SSLStreamAdapterTestDTLSExtensionPermutation()
- : SSLStreamAdapterTestDTLSLegacyProtocols() {}
-};
-
-// Tests for enabling the (D)TLS extension permutation which randomizes the
-// order of extensions in the client hello.
TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
ClientDefaultServerDefault) {
ConfigureClient("");