| // Copyright 2018 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| module network.mojom; |
| |
| // TLS protocol versions that can be selected through SSLConfig.version_min |
| // and SSLConfig.version_max. SSL 2.0/3.0 and TLS 1.0/1.1 are not supported |
| // and therefore have no value here. Mojom numbers enum values in |
| // declaration order, so new versions should be appended, not inserted. |
| enum SSLVersion { |
| kTLS12, |
| kTLS13, |
| }; |
| |
| // Controls the named groups for key agreement configured in supported_groups |
| // and key_share. |
| enum SSLNamedGroupsPreset { |
| // The basic defaults for Chromium. |
| // |
| // Supported groups: |
| // X25519MLKEM768 (0x11EC), |
| // X25519 (0x001D), |
| // Secp256r1 (0x0017), |
| // Secp384r1 (0x0018). |
| // Key shares: |
| // X25519MLKEM768 (0x11EC), |
| // X25519 (0x001D). |
| // |
| // "Supported groups" is the set advertised in the TLS supported_groups |
| // extension (the groups the client will accept); "key shares" are the |
| // groups for which a key_share is sent proactively in the ClientHello. |
| // The lists above appear to be in preference order -- confirm against the |
| // net/ssl implementation before relying on that. |
| kDefault, |
| |
| // A non-default configuration for supported groups intended to satisfy the |
| // requirements of the Commercial National Security Algorithm Suite 2.0 (CNSA |
| // 2.0). |
| // |
| // Supported groups: |
| // MLKEM1024 (0x0202), |
| // X25519MLKEM768 (0x11EC), |
| // Secp384r1 (0x0018), |
| // Secp256r1 (0x0017), |
| // X25519 (0x001D). |
| // Key shares: |
| // X25519MLKEM768 (0x11EC), |
| // X25519 (0x001D). |
| // |
| // NOTE(review): how either preset interacts with |
| // SSLConfig.post_quantum_key_agreement_enabled (which ML-KEM groups are |
| // dropped when it is false) is not stated in this file; check net/ssl. |
| kCnsa2, |
| }; |
| |
| // This is a combination of net::SSLContextConfig and |
| // net::CertVerifier::Config's fields. See those two classes for descriptions. |
| struct SSLConfig { |
| // Enables online certificate revocation checking during verification. |
| // Mirrors net::CertVerifier::Config::enable_rev_checking; see that class |
| // for the exact semantics. |
| bool rev_checking_enabled = false; |
| // When true, certificates that chain to a locally installed trust anchor |
| // must have their revocation status checked; presumably this hard-fails |
| // when revocation information cannot be obtained -- confirm against |
| // net::CertVerifier::Config::require_rev_checking_local_anchors. |
| bool rev_checking_required_local_anchors = false; |
| |
| // When true, SHA-1-signed certificates are accepted if they chain to a |
| // locally installed trust anchor. Mirrors |
| // net::CertVerifier::Config::enable_sha1_local_anchors. Leaving this false |
| // is the safer setting. |
| bool sha1_local_anchors_enabled = false; |
| |
| // SSL 2.0/3.0 and TLS 1.0/1.1 are not supported. Note these lines must be |
| // kept in sync with net/ssl/ssl_config.cc. |
| // version_min is expected not to exceed version_max; whether the receiving |
| // side validates or clamps an inverted range is not visible here -- |
| // confirm in net/ssl before depending on it. |
| SSLVersion version_min = kTLS12; |
| SSLVersion version_max = kTLS13; |
| |
| // Though cipher suites are sent in TLS as "uint8_t CipherSuite[2]", in |
| // big-endian form, they should be declared in host byte order, with the |
| // first uint8_t occupying the most significant byte. |
| // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to |
| // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002. |
| // This is a denylist: it can only remove suites from the built-in list, |
| // never add ones the TLS stack does not already offer. |
| array<uint16> disabled_cipher_suites; |
| |
| // This configures a compliance policy that sets cipher preferences for |
| // TLS 1.3 to prefer AES-256-GCM over AES-128-GCM over ChaCha20-Poly1305. |
| bool tls13_cipher_prefer_aes_256 = false; |
| |
| // Patterns for matching hostnames to determine when to allow connection |
| // coalescing when client certificates are also in use. Patterns follow |
| // the rules for host matching from the URL Blocklist filter format: |
| // "example.com" matches "example.com" and all subdomains, while |
| // ".example.net" matches exactly "example.net". Hostnames must be |
| // canonicalized according to the rules used by GURL. |
| array<string> client_cert_pooling_policy; |
| |
| // Controls the named groups for key agreement configured in supported_groups |
| // and key_share. See comments on the enum values for details of what each |
| // preset configures. |
| SSLNamedGroupsPreset named_groups_preset = kDefault; |
| |
| // Controls whether post-quantum key agreement in TLS connections is allowed. |
| // NOTE(review): both SSLNamedGroupsPreset values list ML-KEM groups; how |
| // this flag modifies the chosen preset is decided in net/ssl, not here. |
| bool post_quantum_key_agreement_enabled = true; |
| |
| // If false, disables TLS Encrypted ClientHello (ECH). If true, the feature |
| // may be enabled or disabled, depending on feature flags. |
| bool ech_enabled = true; |
| |
| // TLS Trust Anchor IDs that are configured as trusted, each in binary |
| // representation (raw bytes, not a textual or hex encoding). |
| array<array<uint8>> trust_anchor_ids; |
| |
| // Merkle Tree Certificate TLS Trust Anchor IDs that are configured as |
| // trusted, each in binary representation (raw bytes, not a textual or hex |
| // encoding). |
| array<array<uint8>> mtc_trust_anchor_ids; |
| }; |
| |
| // Receives SSL configuration updates. |
| interface SSLConfigClient { |
| // Delivers a complete SSLConfig. The new config presumably replaces the |
| // previously delivered one as a whole rather than being merged field by |
| // field -- confirm against the implementing side. |
| OnSSLConfigUpdated(SSLConfig ssl_config); |
| }; |