Move RC4 behind a fallback.

net/http/http_network_transaction.cc

Index: net/http/http_network_transaction.cc
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index 151776832719702e212e131589036d2cc5316323..4af4cd649b70b22161fceaf83a7f6ba6993b2e51 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -106,6 +106,15 @@ base::Value* NetLogSSLVersionFallbackCallback(
   return dict;
 }
 
+base::Value* NetLogSSLCipherFallbackCallback(const GURL* url,
+                                             int net_error,
+                                             NetLog::LogLevel /* log_level */) {
+  base::DictionaryValue* dict = new base::DictionaryValue();
+  dict->SetString("host_and_port", GetHostAndPort(*url));
+  dict->SetInteger("net_error", net_error);
+  return dict;
+}
+
 }  // namespace
 
 //-----------------------------------------------------------------------------
@@ -1240,6 +1249,21 @@ int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
   DCHECK(request_);
   HandleClientAuthError(error);
 
+  // Accept deprecated cipher suites, but only on a fallback. This makes UMA
+  // reflect servers require a deprecated cipher rather than merely prefer
+  // it. This, however, has no security benefit until the ciphers are actually
+  // removed.
+  if (!server_ssl_config_.enable_deprecated_cipher_suites &&
+      (error == ERR_SSL_VERSION_OR_CIPHER_MISMATCH ||
+       error == ERR_CONNECTION_CLOSED || error == ERR_CONNECTION_RESET)) {
+    net_log_.AddEvent(
+        NetLog::TYPE_SSL_CIPHER_FALLBACK,
+        base::Bind(&NetLogSSLCipherFallbackCallback, &request_->url, error));
+    server_ssl_config_.enable_deprecated_cipher_suites = true;
+    ResetConnectionAndRequestForResend();
+    return OK;
+  }
+
   bool should_fallback = false;
   uint16 version_max = server_ssl_config_.version_max;