Chromium Code Reviews Chromium Code Reviews
Issue 6120002:
Disable False Start and clear the SSL client auth cache for HTTPS proxies on failure (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/http_stream_request.h" | 5 #include "net/http/http_stream_request.h" |
| 6 | 6 |
| 7 #include "base/stl_util-inl.h" | 7 #include "base/stl_util-inl.h" |
| 8 #include "base/string_number_conversions.h" | 8 #include "base/string_number_conversions.h" |
| 9 #include "base/string_util.h" | 9 #include "base/string_util.h" |
| 10 #include "base/stringprintf.h" | 10 #include "base/stringprintf.h" |
| (...skipping 869 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 880 const HostPortPair& host_and_port, | 880 const HostPortPair& host_and_port, |
| 881 bool want_spdy_over_npn) { | 881 bool want_spdy_over_npn) { |
| 882 | 882 |
| 883 if (factory_->IsTLSIntolerantServer(request_info().url)) { | 883 if (factory_->IsTLSIntolerantServer(request_info().url)) { |
| 884 LOG(WARNING) << "Falling back to SSLv3 because host is TLS intolerant: " | 884 LOG(WARNING) << "Falling back to SSLv3 because host is TLS intolerant: " |
| 885 << GetHostAndPort(request_info().url); | 885 << GetHostAndPort(request_info().url); |
| 886 ssl_config()->ssl3_fallback = true; | 886 ssl_config()->ssl3_fallback = true; |
| 887 ssl_config()->tls1_enabled = false; | 887 ssl_config()->tls1_enabled = false; |
| 888 } | 888 } |
| 889 | 889 |
| 890 if (proxy_info()->proxy_server().scheme() == ProxyServer::SCHEME_HTTPS && | |
|
Ryan Hamilton
2011/01/07 17:25:50
proxy_info()->is_https()
Ryan Sleevi
2011/01/09 08:47:33
Already changed in patchset #2, as I noticed immed
| |
| 891 ssl_config()->send_client_cert) { | |
| 892 // When connecting through an HTTPS proxy, disable TLS False Start so | |
| 893 // that client authentication errors can be distinguished between those | |
| 894 // originating from the proxy server (ERR_PROXY_CONNECTION_FAILED) and | |
| 895 // those originating from the endpoint (ERR_SSL_PROTOCOL_ERROR / | |
| 896 // ERR_BAD_SSL_CLIENT_AUTH_CERT). | |
| 897 // TODO(rch): This assumes that the HTTPS proxy will only request a | |
| 898 // client certificate during the initial handshake. | |
| 899 // http://crbug.com/FIXME | |
| 900 ssl_config()->false_start_enabled = false; | |
| 901 } | |
| 902 | |
| 890 UMA_HISTOGRAM_ENUMERATION("Net.ConnectionUsedSSLv3Fallback", | 903 UMA_HISTOGRAM_ENUMERATION("Net.ConnectionUsedSSLv3Fallback", |
| 891 static_cast<int>(ssl_config()->ssl3_fallback), 2); | 904 static_cast<int>(ssl_config()->ssl3_fallback), 2); |
| 892 | 905 |
| 893 int load_flags = request_info().load_flags; | 906 int load_flags = request_info().load_flags; |
| 894 if (HttpStreamFactory::ignore_certificate_errors()) | 907 if (HttpStreamFactory::ignore_certificate_errors()) |
| 895 load_flags |= LOAD_IGNORE_ALL_CERT_ERRORS; | 908 load_flags |= LOAD_IGNORE_ALL_CERT_ERRORS; |
| 896 if (request_info().load_flags & LOAD_VERIFY_EV_CERT) | 909 if (request_info().load_flags & LOAD_VERIFY_EV_CERT) |
| 897 ssl_config()->verify_ev_cert = true; | 910 ssl_config()->verify_ev_cert = true; |
| 898 | 911 |
| 899 if (proxy_info()->proxy_server().scheme() == ProxyServer::SCHEME_HTTP || | 912 if (proxy_info()->proxy_server().scheme() == ProxyServer::SCHEME_HTTP || |
| (...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 968 // ERR_ADDRESS_UNREACHABLE. | 981 // ERR_ADDRESS_UNREACHABLE. |
| 969 return ERR_ADDRESS_UNREACHABLE; | 982 return ERR_ADDRESS_UNREACHABLE; |
| 970 default: | 983 default: |
| 971 return error; | 984 return error; |
| 972 } | 985 } |
| 973 | 986 |
| 974 if (request_info().load_flags & LOAD_BYPASS_PROXY) { | 987 if (request_info().load_flags & LOAD_BYPASS_PROXY) { |
| 975 return error; | 988 return error; |
| 976 } | 989 } |
| 977 | 990 |
| 991 if (proxy_info()->is_https() && ssl_config_->send_client_cert) { | |
| 992 session_->ssl_client_auth_cache()->Remove( | |
| 993 proxy_info()->proxy_server().host_port_pair().ToString()); | |
| 994 } | |
| 995 | |
| 978 int rv = session_->proxy_service()->ReconsiderProxyAfterError( | 996 int rv = session_->proxy_service()->ReconsiderProxyAfterError( |
| 979 request_info().url, proxy_info(), &io_callback_, &pac_request_, | 997 request_info().url, proxy_info(), &io_callback_, &pac_request_, |
| 980 net_log_); | 998 net_log_); |
| 981 if (rv == OK || rv == ERR_IO_PENDING) { | 999 if (rv == OK || rv == ERR_IO_PENDING) { |
| 982 // If the error was during connection setup, there is no socket to | 1000 // If the error was during connection setup, there is no socket to |
| 983 // disconnect. | 1001 // disconnect. |
| 984 if (connection_->socket()) | 1002 if (connection_->socket()) |
| 985 connection_->socket()->Disconnect(); | 1003 connection_->socket()->Disconnect(); |
| 986 connection_->Reset(); | 1004 connection_->Reset(); |
| 987 next_state_ = STATE_RESOLVE_PROXY_COMPLETE; | 1005 next_state_ = STATE_RESOLVE_PROXY_COMPLETE; |
| (...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1054 base::TimeDelta::FromMinutes(6), | 1072 base::TimeDelta::FromMinutes(6), |
| 1055 100); | 1073 100); |
| 1056 break; | 1074 break; |
| 1057 default: | 1075 default: |
| 1058 NOTREACHED(); | 1076 NOTREACHED(); |
| 1059 break; | 1077 break; |
| 1060 } | 1078 } |
| 1061 } | 1079 } |
| 1062 | 1080 |
| 1063 } // namespace net | 1081 } // namespace net |
| OLD | NEW |
