Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(3)

Issue 2557803002: Add disabled certificate check support to IceServer PeerConnection API. (Closed)

Created:
4 years ago by hnsl1
Modified:
3 years, 11 months ago
CC:
webrtc-reviews_webrtc.org, the sun, tterriberry_mozilla.com
Target Ref:
refs/heads/master
Project:
webrtc
Visibility:
Public.

Description

Add disabled certificate check support to IceServer PeerConnection API. Refactor "OPT_SSLTCP" renaming it to "OPT_TLS_FAKE", making it clear that it's not actually some kind of SSL over TCP. Also making it clear that it's mutually exclusive with OPT_TLS. Add "OPT_TLS_INSECURE" that implements the new certificate-check disabled TLS mode, which is also mutually exclusive with the other TLS options. PortAllocator: Add a new TLS policy enum TlsCertPolicy which defines the new insecure mode and added it as a RelayCredentials member. TurnPort: Add new TLS policy member with appropriate getter and setter to avoid constructor bloat. Initialize it from the RelayCredentials after the TurnPort is created. Expose the new feature in the PeerConnection API via IceServer.tls_certificate_policy as well as via the Android JNI PeerConnection API. For security reasons we ensure that: 1) The policy is always explicitly initialized to secure. 2) API users have to explicitly integrate with the feature to use it, and will otherwise get no change in behavior. 3) The feature is not immediately exposed in non-native contexts. For example, disabling of certificate validation is not implemented via URI parsing since this would immediately allow it to be used from a web page. BUG=webrtc:6840 Review-Url: https://codereview.webrtc.org/2557803002 Cr-Commit-Position: refs/heads/master@{#15670} Committed: https://chromium.googlesource.com/external/webrtc/+/b0f04fdb9eb8b28424b7f80e38f4936e5c501b7b

Patch Set 1 #

Patch Set 2 : Add disabled certificate check support to IceServer PeerConnection API. #

Total comments: 38

Patch Set 3 : Address review comments. #

Patch Set 4 : New insecure check support patch set with no PROTO refactoring. #

Patch Set 5 : Fix unused tlsOpts with no assert with new atMostOneTLSOptionIsSet() fn. #

Patch Set 6 : Fix unused tlsOpts with no assert, second try with ATTRIBUTE_UNUSED. #

Total comments: 5

Patch Set 7 : JNI API: rename TlsCertificatePolicy -> TlsCertPolicy. #

Patch Set 8 : Get rid of tlsOpts unused warning once and for all by actually using it. #

Unified diffs Side-by-side diffs Delta from patch set Stats (+136 lines, -18 lines) Patch
M webrtc/api/peerconnection.cc View 1 2 3 1 chunk +8 lines, -2 lines 0 comments Download
M webrtc/api/peerconnection_unittest.cc View 1 2 3 3 chunks +23 lines, -0 lines 0 comments Download
M webrtc/api/peerconnectioninterface.h View 1 2 3 1 chunk +14 lines, -1 line 0 comments Download
M webrtc/p2p/base/basicpacketsocketfactory.cc View 1 2 3 4 5 6 7 3 chunks +16 lines, -8 lines 0 comments Download
M webrtc/p2p/base/packetsocketfactory.h View 1 2 3 1 chunk +5 lines, -2 lines 0 comments Download
M webrtc/p2p/base/portallocator.h View 1 2 3 2 chunks +12 lines, -0 lines 0 comments Download
M webrtc/p2p/base/relayport.cc View 1 2 3 1 chunk +3 lines, -2 lines 0 comments Download
M webrtc/p2p/base/tcpport.cc View 1 2 3 1 chunk +1 line, -1 line 0 comments Download
M webrtc/p2p/base/turnport.h View 1 2 3 2 chunks +7 lines, -0 lines 0 comments Download
M webrtc/p2p/base/turnport.cc View 1 2 3 1 chunk +7 lines, -1 line 0 comments Download
M webrtc/p2p/client/basicportallocator.cc View 1 2 3 1 chunk +1 line, -0 lines 0 comments Download
M webrtc/sdk/android/api/org/webrtc/PeerConnection.java View 1 2 3 4 5 6 3 chunks +13 lines, -1 line 0 comments Download
M webrtc/sdk/android/src/jni/classreferenceholder.cc View 1 2 3 4 5 6 1 chunk +1 line, -0 lines 0 comments Download
M webrtc/sdk/android/src/jni/peerconnection_jni.cc View 1 2 3 4 5 6 2 chunks +25 lines, -0 lines 0 comments Download

Messages

Total messages: 58 (29 generated)
hnsl1
Hi, please review this. Note that try bots are failing because they can't patch webrtc/api/android/ ...
4 years ago (2016-12-06 18:33:34 UTC) #7
hnsl1
Adding deadbeef as reviewer due to timeout.
4 years ago (2016-12-07 13:16:42 UTC) #13
pthatcher1
https://codereview.webrtc.org/2557803002/diff/20001/webrtc/api/peerconnection.cc File webrtc/api/peerconnection.cc (right): https://codereview.webrtc.org/2557803002/diff/20001/webrtc/api/peerconnection.cc#newcode316 webrtc/api/peerconnection.cc:316: turn_transport_type, flags)); Attaching flags onto relay servers feels like ...
4 years ago (2016-12-07 21:29:36 UTC) #14
Taylor Brandstetter
Looks good. You have my l-g-t-m after you add comments, add the old RelayServerConfig constructor ...
4 years ago (2016-12-08 01:36:41 UTC) #15
pthatcher1
https://codereview.webrtc.org/2557803002/diff/20001/webrtc/api/peerconnection.cc File webrtc/api/peerconnection.cc (right): https://codereview.webrtc.org/2557803002/diff/20001/webrtc/api/peerconnection.cc#newcode316 webrtc/api/peerconnection.cc:316: turn_transport_type, flags)); Perhaps I misunderstood the use case we're ...
4 years ago (2016-12-08 02:36:13 UTC) #16
Taylor Brandstetter
https://codereview.webrtc.org/2557803002/diff/20001/webrtc/api/peerconnection.cc File webrtc/api/peerconnection.cc (right): https://codereview.webrtc.org/2557803002/diff/20001/webrtc/api/peerconnection.cc#newcode316 webrtc/api/peerconnection.cc:316: turn_transport_type, flags)); On 2016/12/08 02:36:13, pthatcher1 wrote: > Perhaps ...
4 years ago (2016-12-08 18:51:39 UTC) #17
hnsl1
Please review split PROTO_TLS refactor CL here: https://codereview.webrtc.org/2568833002/ This CL will be updated with a ...
4 years ago (2016-12-12 16:08:13 UTC) #18
pthatcher1
https://codereview.webrtc.org/2557803002/diff/20001/webrtc/api/peerconnection.cc File webrtc/api/peerconnection.cc (right): https://codereview.webrtc.org/2557803002/diff/20001/webrtc/api/peerconnection.cc#newcode316 webrtc/api/peerconnection.cc:316: turn_transport_type, flags)); On 2016/12/12 16:08:13, hnsl1 wrote: > On ...
4 years ago (2016-12-12 23:12:29 UTC) #19
hnsl1
On 2016/12/12 23:12:29, pthatcher1 wrote: > > OK, I think I understand the use case. ...
4 years ago (2016-12-13 11:01:01 UTC) #20
hnsl1
Hi, please review my latest patch set which does not include PROTO refactoring and which ...
4 years ago (2016-12-14 14:19:04 UTC) #21
pthatcher1
lgtm
4 years ago (2016-12-14 20:57:24 UTC) #23
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.webrtc.org/2557803002/60001
4 years ago (2016-12-15 11:35:41 UTC) #25
commit-bot: I haz the power
Try jobs failed on following builders: ios_rel on master.tryserver.webrtc (JOB_FAILED, http://build.chromium.org/p/tryserver.webrtc/builders/ios_rel/builds/19750)
4 years ago (2016-12-15 11:38:11 UTC) #27
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.webrtc.org/2557803002/100001
4 years ago (2016-12-15 15:22:21 UTC) #34
commit-bot: I haz the power
Try jobs failed on following builders: presubmit on master.tryserver.webrtc (JOB_FAILED, http://build.chromium.org/p/tryserver.webrtc/builders/presubmit/builds/11479)
4 years ago (2016-12-15 15:26:11 UTC) #36
hnsl1
Magnus, please review changes to webrtc/sdk/android/*.
4 years ago (2016-12-15 15:59:21 UTC) #38
magjed_webrtc
lgtm % comments https://codereview.webrtc.org/2557803002/diff/100001/webrtc/sdk/android/src/jni/classreferenceholder.cc File webrtc/sdk/android/src/jni/classreferenceholder.cc (right): https://codereview.webrtc.org/2557803002/diff/100001/webrtc/sdk/android/src/jni/classreferenceholder.cc#newcode85 webrtc/sdk/android/src/jni/classreferenceholder.cc:85: LoadClass(jni, "org/webrtc/PeerConnection$TlsCertificatePolicy"); There is no need ...
4 years ago (2016-12-16 11:57:54 UTC) #39
hnsl1
magjed: PTAL https://codereview.webrtc.org/2557803002/diff/100001/webrtc/sdk/android/src/jni/classreferenceholder.cc File webrtc/sdk/android/src/jni/classreferenceholder.cc (right): https://codereview.webrtc.org/2557803002/diff/100001/webrtc/sdk/android/src/jni/classreferenceholder.cc#newcode85 webrtc/sdk/android/src/jni/classreferenceholder.cc:85: LoadClass(jni, "org/webrtc/PeerConnection$TlsCertificatePolicy"); On 2016/12/16 11:57:54, magjed_webrtc wrote: ...
4 years ago (2016-12-16 14:18:40 UTC) #40
Taylor Brandstetter
lgtm
4 years ago (2016-12-16 18:33:31 UTC) #41
magjed_webrtc
https://codereview.webrtc.org/2557803002/diff/100001/webrtc/sdk/android/src/jni/classreferenceholder.cc File webrtc/sdk/android/src/jni/classreferenceholder.cc (right): https://codereview.webrtc.org/2557803002/diff/100001/webrtc/sdk/android/src/jni/classreferenceholder.cc#newcode85 webrtc/sdk/android/src/jni/classreferenceholder.cc:85: LoadClass(jni, "org/webrtc/PeerConnection$TlsCertificatePolicy"); On 2016/12/16 14:18:39, hnsl1 wrote: > On ...
4 years ago (2016-12-19 08:54:05 UTC) #42
hnsl1
On 2016/12/19 08:54:05, magjed_webrtc wrote: > You are still using the globally cached FindClass function ...
4 years ago (2016-12-19 08:59:36 UTC) #43
magjed_webrtc
On 2016/12/19 08:59:36, hnsl1 wrote: > On 2016/12/19 08:54:05, magjed_webrtc wrote: > > > You ...
4 years ago (2016-12-19 10:59:20 UTC) #44
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.webrtc.org/2557803002/120001
4 years ago (2016-12-19 11:00:37 UTC) #47
commit-bot: I haz the power
Try jobs failed on following builders: win_baremetal on master.tryserver.webrtc (JOB_FAILED, http://build.chromium.org/p/tryserver.webrtc/builders/win_baremetal/builds/17104)
4 years ago (2016-12-19 11:06:12 UTC) #49
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.webrtc.org/2557803002/140001
4 years ago (2016-12-19 11:50:58 UTC) #52
commit-bot: I haz the power
Committed patchset #8 (id:140001) as https://chromium.googlesource.com/external/webrtc/+/b0f04fdb9eb8b28424b7f80e38f4936e5c501b7b
4 years ago (2016-12-19 12:10:35 UTC) #55
hnsl1
The SSLTCP rename broke chromium, fix on it's way: https://codereview.chromium.org/2585343002 I wonder what those p2p ...
4 years ago (2016-12-19 19:06:53 UTC) #56
magjed_webrtc
A revert of this CL (patchset #8 id:140001) has been created in https://codereview.webrtc.org/2590153002/ by magjed@webrtc.org. ...
4 years ago (2016-12-20 10:21:55 UTC) #57
juberti2
3 years, 11 months ago (2017-01-05 05:56:04 UTC) #58
Message was sent while issue was closed.
On 2016/12/20 10:21:55, magjed_webrtc_OOO_Jan_5 wrote:
> A revert of this CL (patchset #8 id:140001) has been created in
> https://codereview.webrtc.org/2590153002/ by mailto:magjed@webrtc.org.
> 
> The reason for reverting is: This CL broke all Chromium WebRTC FYI bots. A
> roll+fix was attempted here: https://codereview.chromium.org/2590783003/, but
> failed to land. I'm reverting this CL now to make the tree green again. Make
the
> API change gradual when you reland so that we can update Chromium between..

FWIW, OPT_TLS_INSECURE also seems like a confusing name.
OPT_TLS_NO_CERT_VALIDATION (or OPT_TLS_OPPORTUNISTIC, as in "opportunistic
encryption") would be more clear.

Powered by Google App Engine
This is Rietveld 408576698