Disable False Start and clear the SSL client auth cache for HTTPS proxies on failure

net/http/http_stream_request.cc

Index: net/http/http_stream_request.cc
diff --git a/net/http/http_stream_request.cc b/net/http/http_stream_request.cc
index e42bb3342f9c4d02ccbd78d18ab75ac3c76ba367..7c92f1fd959bc40afc7590661e9ea3b15a42db7d 100644
--- a/net/http/http_stream_request.cc
+++ b/net/http/http_stream_request.cc
@@ -887,6 +887,18 @@ scoped_refptr<SSLSocketParams> HttpStreamRequest::GenerateSSLParams(
     ssl_config()->tls1_enabled = false;
   }
 
+  if (proxy_info()->is_https() && ssl_config()->send_client_cert) {
+    // When connecting through an HTTPS proxy, disable TLS False Start so
+    // that client authentication errors can be distinguished between those
+    // originating from the proxy server (ERR_PROXY_CONNECTION_FAILED) and
+    // those originating from the endpoint (ERR_SSL_PROTOCOL_ERROR /
+    // ERR_BAD_SSL_CLIENT_AUTH_CERT).
+    // TODO(rch): This assumes that the HTTPS proxy will only request a
+    // client certificate during the initial handshake.
+    // http://crbug.com/FIXME
+    ssl_config()->false_start_enabled = false;
+  }
+
   UMA_HISTOGRAM_ENUMERATION("Net.ConnectionUsedSSLv3Fallback",
                             static_cast<int>(ssl_config()->ssl3_fallback), 2);
 
@@ -975,6 +987,11 @@ int HttpStreamRequest::ReconsiderProxyAfterError(int error) {
     return error;
   }
 
+  if (proxy_info()->is_https() && ssl_config_->send_client_cert) {
+    session_->ssl_client_auth_cache()->Remove(
+        proxy_info()->proxy_server().host_port_pair().ToString());
+  }
+
   int rv = session_->proxy_service()->ReconsiderProxyAfterError(
       request_info().url, proxy_info(), &io_callback_, &pac_request_,
       net_log_);