Skip to content

feat: allow setting SSL config #25461

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jkleinsc merged 5 commits into from
Sep 23, 2020
Merged

feat: allow setting SSL config #25461

jkleinsc merged 5 commits into from
Sep 23, 2020

Conversation

@nornagon
Copy link
Contributor

@nornagon nornagon commented Sep 14, 2020

Description of Change

This allows apps to configure min and max supported SSL versions. Chromium currently uses a minimum of TLS1.2 by default, whereas Electron defaults to TLS1.0 by default. This gives apps the ability to control supported TLS versions according to their needs.

Checklist

Release Notes

Notes: Added session.setSSLConfig() to allow configuring SSL.

@nornagon nornagon requested a review from deepak1556 September 14, 2020 23:16
@electron-cation electron-cation bot added the new-pr 🌱 PR opened recently label Sep 14, 2020
@nornagon nornagon added api-review/requested 🗳 semver/minor backwards-compatible functionality labels Sep 14, 2020
deepak1556
deepak1556 approved these changes Sep 15, 2020
View reviewed changes
Copy link
Member

@deepak1556 deepak1556 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implementation looks good.

One thing to make sure is that system network context code path is fine without this change, before network s13n the system network context was dependency for network fetching code of OCSP/CRL/AIA data but now the code path has been modified to use per-profile network context https://bugs.chromium.org/p/chromium/issues/detail?id=829029, so it should not be an issue. The only other use cases of system network context I was able to find was the one used for device_service (for fetching geolocation data) and creating tcp connection for viz devtools, both of which are fine without this change. Might want to ensure any other code paths I might have missed.

@nornagon
Copy link
Contributor Author

nornagon commented Sep 15, 2020

@deepak1556 hm, I'm not sure what I should be searching for. Can you give me some pointers?

Do you think we should add a session.setDefaultSSLConfig() method as well/instead?

@deepak1556
Copy link
Member

deepak1556 commented Sep 15, 2020
edited
Loading

I'm not sure what I should be searching for. Can you give me some pointers?

Checking for the usages of these apis https://github.com/electron/electron/blob/master/shell/browser/net/system_network_context_manager.h#L72-L82 should do.

Do you think we should add a session.setDefaultSSLConfig() method as well/instead?

If there is no usage other than the ones I mentioned then its not required to add this, geolocation service is a google maps endpoint which the app doesn't have to control.

@electron-cation electron-cation bot removed the new-pr 🌱 PR opened recently label Sep 15, 2020
@nornagon
Copy link
Contributor Author

nornagon commented Sep 16, 2020

I looked and I could only find those two as well.

As a precaution, what do you think about setting up the system network context to support the same TLS versions that Chrome does (without adding a new API to edit them)? i.e. min_version = TLS1.2.

@deepak1556
Copy link
Member

deepak1556 commented Sep 17, 2020

yeah that would be a good thing to do

@jkleinsc
Copy link
Member

jkleinsc commented Sep 22, 2020

The API WG approved this at the Sept 21, 2020 meeting.

jkleinsc
jkleinsc requested changes Sep 22, 2020
View reviewed changes
Copy link
Member

@jkleinsc jkleinsc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a small nit - can we note in the documentation what the defaults are if you do not set this config?

@nornagon
Copy link
Contributor Author

nornagon commented Sep 22, 2020

@jkleinsc NB. these defaults are set by a mojom file inside chromium and we don't have tests that will notify us if they change. So this documentation may go out of date.

@jkleinsc
Copy link
Member

jkleinsc commented Sep 23, 2020

Merging as WOA failure is flake unrelated to this change.

@jkleinsc jkleinsc merged commit 27ea3fc into master Sep 23, 2020
@release-clerk
Copy link

release-clerk bot commented Sep 23, 2020

Release Notes Persisted

Added session.setSSLConfig() to allow configuring SSL.

@jkleinsc jkleinsc deleted the ssl-config branch September 23, 2020 20:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jkleinsc jkleinsc jkleinsc approved these changes

@deepak1556 deepak1556 deepak1556 approved these changes

@MarshallOfSound MarshallOfSound MarshallOfSound approved these changes

Assignees

No one assigned

Labels

api-review/approved ✅ semver/minor backwards-compatible functionality

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@nornagon @deepak1556 @jkleinsc @MarshallOfSound