Command-line param 'ssl-version-min' not carried through?


Command-line param 'ssl-version-min' not carried through?

Postby ivop » Thu Nov 06, 2014 11:19 am

Hi all,

Due to this advisory: https://zmap.io/sslv3/browsers.html#chrome-windows

I have followed the mechanism described here:

https://code.google.com/p/chromiumembed ... _Arguments

to implement OnBeforeCommandLineProcessing() in my CEF app and append the command-line switch that sets "ssl-version-min" to "tls1".

It seems the setting is not carried through, though? I visit the test page https://www.poodletest.com and "vulnerable" is printed both before and after the change.

I see the same behavior if I use the bare-bones cef_client project as well.

I am using CEF 1650.

Any ideas or suggestions why this might not be working?
Is this expected behavior due to this Chrome switch not being implemented?

Thank you,

- Ivo
ivop
Newbie
 
Posts: 3
Joined: Thu Nov 06, 2014 11:11 am

Re: Command-line param 'ssl-version-min' not carried through

Postby magreenblatt » Fri Nov 07, 2014 11:04 am

It is not implemented in CEF.
magreenblatt
Site Admin
 
Posts: 12409
Joined: Fri May 29, 2009 6:57 pm

Re: Command-line param 'ssl-version-min' not carried through

Postby ivop » Fri Nov 07, 2014 12:42 pm

Thanks for the reply confirming this.

Is there a suggested/proper mechanism for disabling the ssl v3 fallback per the advisory?

I would have expected this or a similar question to have been asked already, but I did not find one last I checked.
Is this because this isn't a concern in CEF-based projects?
ivop
Newbie
 
Posts: 3
Joined: Thu Nov 06, 2014 11:11 am

Re: Command-line param 'ssl-version-min' not carried through

Postby magreenblatt » Fri Nov 07, 2014 1:09 pm

ivop wrote:Is there a suggested/proper mechanism for disabling the ssl v3 fallback per the advisory?

The fallback capability will be removed in upcoming Chromium versions. CEF will pick up the change at that time.

ivop wrote:Is this because this isn't a concern in CEF-based projects?

You are the first person to ask about it, so I guess so :). In any case you are using a very old branch (1650) and if we added support for the flag it would only be in current branches (2171+).
magreenblatt
Site Admin
 
Posts: 12409
Joined: Fri May 29, 2009 6:57 pm

Re: Command-line param 'ssl-version-min' not carried through

Postby ivop » Fri Nov 07, 2014 4:03 pm

magreenblatt wrote:In any case you are using a very old branch (1650) and if we added support for the flag it would only be in current branches (2171+).

That would explain it. I just recently started on this specific project & thought it was a more recent version of CEF. Thanks for letting me know!
ivop
Newbie
 
Posts: 3
Joined: Thu Nov 06, 2014 11:11 am

Re: Command-line param 'ssl-version-min' not carried through

Postby olegkalosha » Tue Jun 05, 2018 8:18 pm

It appears that even in CEF branch 3282, which corresponds to Chromium 64, "ssl-version-min" and "ssl-version-max" are not carried through in CEF.

This becomes a real issue for us, as under PCI requirements disabling SSL is not enough; we need to be able to restrict the minimum version, ideally to 1.2.

What is the way of filing / prioritizing this issue?

Thanks
olegkalosha
Newbie
 
Posts: 1
Joined: Mon Jun 04, 2018 7:59 pm

Re: Command-line param 'ssl-version-min' not carried through

Postby magreenblatt » Tue Jun 05, 2018 9:00 pm

The implementation of this flag uses the same code path as https://bitbucket.org/chromiumembedded/ ... for-tls-13. PRs welcome.
magreenblatt
Site Admin
 
Posts: 12409
Joined: Fri May 29, 2009 6:57 pm
