Disable False Start and clear the SSL client auth cache for HTTPS proxies on failure

net/http/http_stream_request.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_stream_request.h"
 
 #include "base/stl_util-inl.h"
 #include "base/string_number_conversions.h"
 #include "base/string_util.h"
 #include "base/stringprintf.h"
@@ skipping 891 matching lines @@
     const HostPortPair& host_and_port,
     bool want_spdy_over_npn) {
 
   if (factory_->IsTLSIntolerantServer(request_info().url)) {
     LOG(WARNING) << "Falling back to SSLv3 because host is TLS intolerant: "
         << GetHostAndPort(request_info().url);
     ssl_config()->ssl3_fallback = true;
     ssl_config()->tls1_enabled = false;
   }
 
+  if (proxy_info()->is_https() && ssl_config()->send_client_cert) {
+    // When connecting through an HTTPS proxy, disable TLS False Start so
+    // that client authentication errors can be distinguished between those
+    // originating from the proxy server (ERR_PROXY_CONNECTION_FAILED) and
+    // those originating from the endpoint (ERR_SSL_PROTOCOL_ERROR /
+    // ERR_BAD_SSL_CLIENT_AUTH_CERT).
+    // TODO(rch): This assumes that the HTTPS proxy will only request a
+    // client certificate during the initial handshake.
+    // http://crbug.com/FIXME

[wtc, 2011/01/11 23:31:36]

Please replace "FIXME" with the bug number.

Is ssl_config() the SSL config for the destination server
or the HTTPS proxy?  I believe it is the SSL config for
the destination server.  If so, we should open a bug for
adding an SSL config for HTTPS proxy, or convince ourselves
that the destination server and HTTPS proxy can share SSL
config.

+    ssl_config()->false_start_enabled = false;
+  }
+
   UMA_HISTOGRAM_ENUMERATION("Net.ConnectionUsedSSLv3Fallback",
                             static_cast<int>(ssl_config()->ssl3_fallback), 2);
 
   int load_flags = request_info().load_flags;
   if (HttpStreamFactory::ignore_certificate_errors())
     load_flags |= LOAD_IGNORE_ALL_CERT_ERRORS;
   if (request_info().load_flags & LOAD_VERIFY_EV_CERT)
     ssl_config()->verify_ev_cert = true;
 
   if (proxy_info()->proxy_server().scheme() == ProxyServer::SCHEME_HTTP ||
@@ skipping 68 matching lines @@
       // ERR_ADDRESS_UNREACHABLE.
       return ERR_ADDRESS_UNREACHABLE;
     default:
       return error;
   }
 
   if (request_info().load_flags & LOAD_BYPASS_PROXY) {
     return error;
   }
 
+  if (proxy_info()->is_https() && ssl_config_->send_client_cert) {

[wtc, 2011/01/11 23:31:36]

Why don't you test for ERR_PROXY_CONNECTION_FAILED here?

Perhaps we should add a new error code
ERR_PROXY_SSL_CLIENT_AUTH_CERT_NEEDED for this case?

Or perhaps we should move the manipulation of
ssl_client_auth_cache to the SSLClientSocket class, rather
than spreading across HttpNetworkTransaction and
HttpStreamRequest?  That seems like the best long-term
solution.

+    session_->ssl_client_auth_cache()->Remove(
+        proxy_info()->proxy_server().host_port_pair().ToString());
+  }
+
   int rv = session_->proxy_service()->ReconsiderProxyAfterError(
       request_info().url, proxy_info(), &io_callback_, &pac_request_,
       net_log_);
   if (rv == OK || rv == ERR_IO_PENDING) {
     // If the error was during connection setup, there is no socket to
     // disconnect.
     if (connection_->socket())
       connection_->socket()->Disconnect();
     connection_->Reset();
     next_state_ = STATE_RESOLVE_PROXY_COMPLETE;
@@ skipping 66 matching lines @@
                                  base::TimeDelta::FromMinutes(6),
                                  100);
       break;
     default:
       NOTREACHED();
       break;
   }
 }
 
 }  // namespace net