commit | 7276b974b78ea4f409d8738b1b6f1515f7a8968e | |
---|---|---|
author | Benjamin Wright <benwright@webrtc.org> | Wed Mar 06 19:51:34 2019 |
committer | Commit Bot <commit-bot@chromium.org> | Wed Mar 06 20:44:41 2019 |
tree | ca18775463ab3850bf2982cecb9e998fa3d25f33 | |
parent | 4423c36448f58fef925204871de940b4e8771ef6 | |

Disable DTLS 1.0, TLS 1.0 and TLS 1.1 downgrade in WebRTC.

This change disables DTLS 1.0, TLS 1.0 and TLS 1.1 in WebRTC by default. This is part of a larger effort at Google to remove old TLS protocols:
https://security.googleblog.com/2018/10/modernizing-transport-security.html

For the M74 timeline I have added a disabled by default field trial WebRTC-LegacyTlsProtocols which can be enabled to support these cipher suites as consumers move away from these legacy cipher protocols but it will be off in Chrome.

This is compliant with the webrtc-security-arch specification which states:

All Implementations MUST implement DTLS 1.2 with the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite and the P-256 curve [FIPS186]. Earlier drafts of this specification required DTLS 1.0 with the cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, and at the time of this writing some implementations do not support DTLS 1.2; endpoints which support only DTLS 1.2 might encounter interoperability issues. The DTLS-SRTP protection profile SRTP_AES128_CM_HMAC_SHA1_80 MUST be supported for SRTP. Implementations MUST favor cipher suites which support (Perfect Forward Secrecy) PFS over non-PFS cipher suites and SHOULD favor AEAD over non-AEAD cipher suites.

Bug: webrtc:10261
Change-Id: I847c567592911cc437f095376ad67585b4355fc0
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/125141
Commit-Queue: Benjamin Wright <benwright@webrtc.org>
Reviewed-by: David Benjamin <davidben@webrtc.org>
Reviewed-by: Qingsi Wang <qingsi@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#27006}

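
The version policy described in the commit message above, as an added example that is not part of the commit or of WebRTC's own code: it reads `server_version` from a captured ServerHello record and rejects DTLS 1.0, TLS 1.0 and TLS 1.1 unless a flag standing in for the WebRTC-LegacyTlsProtocols field trial is set. The function names, the `legacy_trial` flag and the sample records are assumptions constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Wire values of the protocol versions named in the commit message.
constexpr int kTls10 = 0x0301, kTls11 = 0x0302, kTls12 = 0x0303;
constexpr int kDtls10 = 0xFEFF, kDtls12 = 0xFEFD;
enum class Verdict { kAccept, kRejectVersion, kNotServerHello };

// DTLS adds epoch + sequence number (8 bytes) to the record header and
// message_seq + fragment fields (8 bytes) to the handshake header.
static size_t RecordHeader(bool dtls) { return dtls ? 13 : 5; }
static size_t HandshakeHeader(bool dtls) { return dtls ? 12 : 4; }

// Returns server_version from a ServerHello record, or -1 if it is not one.
int ServerHelloVersion(const std::vector<uint8_t>& rec) {
  if (rec.size() < 3 || rec[0] != 22) return -1;  // 22 = handshake record
  const bool dtls = rec[1] == 0xFE;
  const size_t hs = RecordHeader(dtls), body = hs + HandshakeHeader(dtls);
  if (rec.size() < body + 2 || rec[hs] != 2) return -1;  // 2 = ServerHello
  return (rec[body] << 8) | rec[body + 1];
}

// legacy_trial stands in for the WebRTC-LegacyTlsProtocols field trial
// (hypothetical flag; off by default, as in the commit message).
Verdict CheckNegotiatedVersion(const std::vector<uint8_t>& rec, bool legacy_trial = false) {
  const int v = ServerHelloVersion(rec);
  if (v < 0) return Verdict::kNotServerHello;
  // TLS 1.3 also carries 0x0303 in this field, so it passes the check.
  if (v == kTls12 || v == kDtls12) return Verdict::kAccept;
  const bool legacy = v == kTls10 || v == kTls11 || v == kDtls10;
  return legacy && legacy_trial ? Verdict::kAccept : Verdict::kRejectVersion;
}

// Constructed sample input: ServerHello headers, version and zeroed random;
// length fields stay zero because the check does not read them.
std::vector<uint8_t> SampleServerHello(int version) {
  const bool dtls = (version >> 8) == 0xFE;
  const size_t hs = RecordHeader(dtls), body = hs + HandshakeHeader(dtls);
  std::vector<uint8_t> rec(body + 34, 0);
  rec[0] = 22; rec[1] = rec[body] = static_cast<uint8_t>(version >> 8);
  rec[hs] = 2; rec[2] = rec[body + 1] = static_cast<uint8_t>(version & 0xFF);
  return rec;
}

int main() {
  for (int v : {kDtls12, kDtls10, kTls12, kTls11, kTls10})
    std::printf("0x%04X -> %d\n", v, static_cast<int>(CheckNegotiatedVersion(SampleServerHello(v))));
}
```

Any version outside the five listed (for example SSL 3.0, `0x0300`) is rejected even when the legacy flag is on.
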
WebRTC is a free, open software project that provides browsers and mobile applications with Real-Time Communications (RTC) capabilities via simple APIs. The WebRTC components have been optimized to best serve this purpose.
Our mission: To enable rich, high-quality RTC applications to be developed for the browser, mobile platforms, and IoT devices, and allow them all to communicate via a common set of protocols.
The WebRTC initiative is a project supported by Google, Mozilla and Opera, amongst others.
See http://www.webrtc.org/native-code/development for instructions on how to get started developing with the native code.
Authoritative list of directories that contain the native API header files.