Add disabled certificate check support to IceServer PeerConnection API.

Add disabled certificate check support to IceServer PeerConnection API.

Refactor "OPT_SSLTCP" renaming it to "OPT_TLS_FAKE", making it clear
that it's not actually some kind of SSL over TCP. Also making it clear
that it's mutually exclusive with OPT_TLS. Maintaining deprecated
backwards compatible support for "OPT_SSLTCP".

Add "OPT_TLS_INSECURE" that implements the new certificate-check
disabled TLS mode, which is also mutually exclusive with the other
TLS options.

PortAllocator: Add a new TLS policy enum TlsCertPolicy which defines
the new insecure mode and added it as a RelayCredentials member.

TurnPort: Add new TLS policy member with appropriate getter and setter
to avoid constructor bloat. Initialize it from the RelayCredentials
after the TurnPort is created.

Expose the new feature in the PeerConnection API via
IceServer.tls_certificate_policy as well as via the Android JNI
PeerConnection API.

For security reasons we ensure that:

	1) The policy is always explicitly initialized to secure.
        2) API users have to explicitly integrate with the feature to
           use it, and will otherwise get no change in behavior.
	3) The feature is not immediately exposed in non-native
	   contexts. For example, disabling of certificate validation
           is not implemented via URI parsing since this would
           immediately allow it to be used from a web page.

This is a second attempt of https://codereview.webrtc.org/2557803002/
which was rolled back in https://codereview.webrtc.org/2590153002/

BUG=webrtc:6840
Review-Url: https://codereview.webrtc.org/2594623002
Cr-Commit-Position: refs/heads/master@{#15967}
Committed: https://chromium.googlesource.com/external/webrtc/+/0483362377fb38556009f2101816fa565885eef9

[hnsl1, 2016-12-20 11:29:07]

Description was changed from

==========
Add disabled certificate check support to IceServer PeerConnection API.

BUG=webrtc:6840
==========

to

==========
Add disabled certificate check support to IceServer PeerConnection API.

Refactor "OPT_SSLTCP" renaming it to "OPT_TLS_FAKE", making it clear
that it's not actually some kind of SSL over TCP. Also making it clear
that it's mutually exclusive with OPT_TLS. Maintaining deprecated
backwards compatible support for "OPT_SSLTCP".

Add "OPT_TLS_INSECURE" that implements the new certificate-check
disabled TLS mode, which is also mutually exclusive with the other
TLS options.

PortAllocator: Add a new TLS policy enum TlsCertPolicy which defines
the new insecure mode and added it as a RelayCredentials member.

TurnPort: Add new TLS policy member with appropriate getter and setter
to avoid constructor bloat. Initialize it from the RelayCredentials
after the TurnPort is created.

Expose the new feature in the PeerConnection API via
IceServer.tls_certificate_policy as well as via the Android JNI
PeerConnection API.

For security reasons we ensure that:

	1) The policy is always explicitly initialized to secure.
        2) API users have to explicitly integrate with the feature to
           use it, and will otherwise get no change in behavior.
	3) The feature is not immediately exposed in non-native
	   contexts. For example, disabling of certificate validation
           is not implemented via URI parsing since this would
           immediately allow it to be used from a web page.

This is a second attempt of https://codereview.webrtc.org/2557803002/
which was rolled back in https://codereview.webrtc.org/2590153002/

BUG=webrtc:6840
==========

[hnsl1, 2016-12-20 11:29:07]

hnsl@webrtc.org changed reviewers:
+ deadbeef@webrtc.org, magjed@webrtc.org, pthatcher@webrtc.org

[hnsl1, 2016-12-20 11:30:38]

Please review this second attempt at https://codereview.webrtc.org/2557803002/
which maintains OPT_SSLTCP backwards compatible. For your convenience, patch set
1 should correspond exactly to what was previously LGTMd.

[magjed_webrtc, 2016-12-20 12:26:55]

lgtm, but next time, use the "Revert patchset" button on the revert CL to
reland, because it will format the CL description more nicely and it's easier to
track.

Also, run some chromium try bots before landing this time.

[hnsl1, 2016-12-20 13:23:21]

On 2016/12/20 12:26:55, magjed_webrtc wrote:
> lgtm, but next time, use the "Revert patchset" button on the revert CL to
> reland, because it will format the CL description more nicely and it's easier
to
> track.
> 
> Also, run some chromium try bots before landing this time.

TIL the default set of try bots is not the same as all try bots. Why not make it
so?

[magjed_webrtc, 2016-12-20 13:49:57]

On 2016/12/20 13:23:21, hnsl1 wrote:
> On 2016/12/20 12:26:55, magjed_webrtc wrote:
> > lgtm, but next time, use the "Revert patchset" button on the revert CL to
> > reland, because it will format the CL description more nicely and it's
easier
> to
> > track.
> > 
> > Also, run some chromium try bots before landing this time.
> 
> TIL the default set of try bots is not the same as all try bots. Why not make
it
> so?

It's being worked on. The functionality to run the chromium FYI bots from here
was added just recently. Previously we had to run the chromium integration tests
locally on our machines.

[Taylor Brandstetter, 2016-12-20 18:10:34]

On 2016/12/20 12:26:55, magjed_webrtc wrote:
> lgtm, but next time, use the "Revert patchset" button on the revert CL to
> reland, because it will format the CL description more nicely and it's easier
to
> track.
> 
> Also, run some chromium try bots before landing this time.

I prefer reopening the original (reverted) CL, and changing the description to
"Relanding: <original description>". That way you have the history from the
original CL, and you don't end up with "revert of: revert of: ...". To each his
own, though.

Also, lgtm.

[hnsl1, 2016-12-21 08:41:27]

The CQ bit was checked by hnsl@webrtc.org to run a CQ dry run

[commit-bot: I haz the power, 2016-12-21 08:41:38]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.webrtc.org/...

[commit-bot: I haz the power, 2016-12-21 09:30:02]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-12-21 09:30:03]

Dry run: This issue passed the CQ dry run.

[hnsl1, 2017-01-09 14:19:06]

The CQ bit was checked by hnsl@webrtc.org to run a CQ dry run

[commit-bot: I haz the power, 2017-01-09 14:19:13]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.webrtc.org/...

[commit-bot: I haz the power, 2017-01-09 15:31:58]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-01-09 15:31:59]

Dry run: This issue passed the CQ dry run.

[hnsl1, 2017-01-09 16:33:37]

The CQ bit was checked by hnsl@webrtc.org

[commit-bot: I haz the power, 2017-01-09 16:33:43]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.webrtc.org/...

[commit-bot: I haz the power, 2017-01-09 16:35:46]

CQ is committing da patch.

Bot data: {"patchset_id": 20001, "attempt_start_ts": 1483979617964620,
"parent_rev": "4843dd13aa3426d9a3caee768fc015d8731c5d18", "commit_rev":
"0483362377fb38556009f2101816fa565885eef9"}

[commit-bot: I haz the power, 2017-01-09 16:35:49]

Description was changed from

==========
Add disabled certificate check support to IceServer PeerConnection API.

Refactor "OPT_SSLTCP" renaming it to "OPT_TLS_FAKE", making it clear
that it's not actually some kind of SSL over TCP. Also making it clear
that it's mutually exclusive with OPT_TLS. Maintaining deprecated
backwards compatible support for "OPT_SSLTCP".

Add "OPT_TLS_INSECURE" that implements the new certificate-check
disabled TLS mode, which is also mutually exclusive with the other
TLS options.

PortAllocator: Add a new TLS policy enum TlsCertPolicy which defines
the new insecure mode and added it as a RelayCredentials member.

TurnPort: Add new TLS policy member with appropriate getter and setter
to avoid constructor bloat. Initialize it from the RelayCredentials
after the TurnPort is created.

Expose the new feature in the PeerConnection API via
IceServer.tls_certificate_policy as well as via the Android JNI
PeerConnection API.

For security reasons we ensure that:

	1) The policy is always explicitly initialized to secure.
        2) API users have to explicitly integrate with the feature to
           use it, and will otherwise get no change in behavior.
	3) The feature is not immediately exposed in non-native
	   contexts. For example, disabling of certificate validation
           is not implemented via URI parsing since this would
           immediately allow it to be used from a web page.

This is a second attempt of https://codereview.webrtc.org/2557803002/
which was rolled back in https://codereview.webrtc.org/2590153002/

BUG=webrtc:6840
==========

to

==========
Add disabled certificate check support to IceServer PeerConnection API.

Refactor "OPT_SSLTCP" renaming it to "OPT_TLS_FAKE", making it clear
that it's not actually some kind of SSL over TCP. Also making it clear
that it's mutually exclusive with OPT_TLS. Maintaining deprecated
backwards compatible support for "OPT_SSLTCP".

Add "OPT_TLS_INSECURE" that implements the new certificate-check
disabled TLS mode, which is also mutually exclusive with the other
TLS options.

PortAllocator: Add a new TLS policy enum TlsCertPolicy which defines
the new insecure mode and added it as a RelayCredentials member.

TurnPort: Add new TLS policy member with appropriate getter and setter
to avoid constructor bloat. Initialize it from the RelayCredentials
after the TurnPort is created.

Expose the new feature in the PeerConnection API via
IceServer.tls_certificate_policy as well as via the Android JNI
PeerConnection API.

For security reasons we ensure that:

	1) The policy is always explicitly initialized to secure.
        2) API users have to explicitly integrate with the feature to
           use it, and will otherwise get no change in behavior.
	3) The feature is not immediately exposed in non-native
	   contexts. For example, disabling of certificate validation
           is not implemented via URI parsing since this would
           immediately allow it to be used from a web page.

This is a second attempt of https://codereview.webrtc.org/2557803002/
which was rolled back in https://codereview.webrtc.org/2590153002/

BUG=webrtc:6840

Review-Url: https://codereview.webrtc.org/2594623002
Cr-Commit-Position: refs/heads/master@{#15967}
Committed:
https://chromium.googlesource.com/external/webrtc/+/0483362377fb38556009f2101...
==========

[commit-bot: I haz the power, 2017-01-09 16:35:50]

Committed patchset #2 (id:20001) as
https://chromium.googlesource.com/external/webrtc/+/0483362377fb38556009f2101...