AU: Restrict SSL ciphers to HIGH in official builds.
BUG=6407
TEST=unit tests, tested on device with the update server
Change-Id: I72de989003c9177f23b1afddde051d9b8d8efa68
Review URL: http://codereview.chromium.org/5085002
diff --git a/libcurl_http_fetcher.cc b/libcurl_http_fetcher.cc
index 8af9d45..d5358bd 100644
--- a/libcurl_http_fetcher.cc
+++ b/libcurl_http_fetcher.cc
@@ -101,20 +101,24 @@
CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_MAXREDIRS, kMaxRedirects),
CURLE_OK);
- // Makes sure that peer certificate verification is enabled and restricts the
- // set of trusted certificates.
- CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYPEER, 1), CURLE_OK);
- CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_CAPATH, kCACertificatesPath),
- CURLE_OK);
-
- // Restrict protocols to HTTPS in official builds.
+ // Security lock-down in official builds: makes sure that peer certificate
+ // verification is enabled, restricts the set of trusted certificates,
+ // restricts protocols to HTTPS, restricts ciphers to HIGH.
if (IsOfficialBuild()) {
+ CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYPEER, 1),
+ CURLE_OK);
+ CHECK_EQ(curl_easy_setopt(curl_handle_,
+ CURLOPT_CAPATH,
+ kCACertificatesPath),
+ CURLE_OK);
CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS),
CURLE_OK);
CHECK_EQ(curl_easy_setopt(curl_handle_,
CURLOPT_REDIR_PROTOCOLS,
CURLPROTO_HTTPS),
CURLE_OK);
+ CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_CIPHER_LIST, "HIGH"),
+ CURLE_OK);
}
CHECK_EQ(curl_multi_add_handle(curl_multi_handle_, curl_handle_), CURLM_OK);