)]}' { "commit": "7276b974b78ea4f409d8738b1b6f1515f7a8968e", "tree": "ca18775463ab3850bf2982cecb9e998fa3d25f33", "parents": [ "4423c36448f58fef925204871de940b4e8771ef6" ], "author": { "name": "Benjamin Wright", "email": "benwright@webrtc.org", "time": "Wed Mar 06 19:51:34 2019" }, "committer": { "name": "Commit Bot", "email": "commit-bot@chromium.org", "time": "Wed Mar 06 20:44:41 2019" }, "message": "Disable DTLS 1.0, TLS 1.0 and TLS 1.1 downgrade in WebRTC.\n\nThis change disables DTLS 1.0, TLS 1.0 and TLS 1.1 in WebRTC by default. This\nis part of a larger effort at Google to remove old TLS protocols:\nhttps://security.googleblog.com/2018/10/modernizing-transport-security.html\n\nFor the M74 timeline I have added a disabled by default field trial\nWebRTC-LegacyTlsProtocols which can be enabled to support these cipher suites\nas consumers move away from these legacy cipher protocols but it will be off\nin Chrome.\n\nThis is compliant with the webrtc-security-arch specification which states:\n\n All Implementations MUST implement DTLS 1.2 with the\n TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite and the P-256\n curve [FIPS186]. Earlier drafts of this specification required DTLS\n 1.0 with the cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, and\n at the time of this writing some implementations do not support DTLS\n 1.2; endpoints which support only DTLS 1.2 might encounter\n interoperability issues. The DTLS-SRTP protection profile\n SRTP_AES128_CM_HMAC_SHA1_80 MUST be supported for SRTP.\n Implementations MUST favor cipher suites which support (Perfect\n Forward Secrecy) PFS over non-PFS cipher suites and SHOULD favor AEAD\n over non-AEAD cipher suites.\n\nBug: webrtc:10261\nChange-Id: I847c567592911cc437f095376ad67585b4355fc0\nReviewed-on: https://webrtc-review.googlesource.com/c/src/+/125141\nCommit-Queue: Benjamin Wright \u003cbenwright@webrtc.org\u003e\nReviewed-by: David Benjamin \u003cdavidben@webrtc.org\u003e\nReviewed-by: Qingsi Wang \u003cqingsi@webrtc.org\u003e\nCr-Commit-Position: refs/heads/master@{#27006}", "tree_diff": [ { "type": "modify", "old_id": "831e43772989c9d12f4176acab1817a476318da0", "old_mode": 33188, "old_path": "rtc_base/BUILD.gn", "new_id": "951865dde1fd0db564a3d389be193d9c3862fe53", "new_mode": 33188, "new_path": "rtc_base/BUILD.gn" }, { "type": "modify", "old_id": "e80efd1ffd4ee9ca579a56c788e3d509fd761ea4", "old_mode": 33188, "old_path": "rtc_base/openssl_stream_adapter.cc", "new_id": "5131b30ef92d73e90f42b7c89c23ae25f25df71e", "new_mode": 33188, "new_path": "rtc_base/openssl_stream_adapter.cc" }, { "type": "modify", "old_id": "40d17795aa0b0fae9a085f68d73469c97443f10a", "old_mode": 33188, "old_path": "rtc_base/openssl_stream_adapter.h", "new_id": "bca2fde1e7611532795a7b723589701a0862b18c", "new_mode": 33188, "new_path": "rtc_base/openssl_stream_adapter.h" }, { "type": "modify", "old_id": "04d0fc5dd48345b0cbbf4cbc54e9ba4287071d8a", "old_mode": 33188, "old_path": "rtc_base/ssl_stream_adapter.h", "new_id": "99345ac7a97ef8313c598c7813da3886927ef284", "new_mode": 33188, "new_path": "rtc_base/ssl_stream_adapter.h" }, { "type": "modify", "old_id": "700cb1f009c2de9d14e33f3158cf014418f2e9e2", "old_mode": 33188, "old_path": "rtc_base/ssl_stream_adapter_unittest.cc", "new_id": "abf98804629b57a6422daed936c473178025cc5e", "new_mode": 33188, "new_path": "rtc_base/ssl_stream_adapter_unittest.cc" } ] }