Gather metrics classifying the cause of the TLS fallback.

net/ssl/ssl_failure_state.h

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_SSL_SSL_FAILURE_STATE_H_
+#define NET_SSL_SSL_FAILURE_STATE_H_
+
+namespace net {
+
+// Describes the most likely cause for the TLS handshake failure. This is an
+// approximation used to classify the causes of TLS version fallback. These
+// values are used in histograms, so new values must be appended.
+enum SSLFailureState {
+  // The connection was successful.
+  SSL_FAILURE_NONE = 0,
+
+  // The connection failed for unknown reasons.
+  SSL_FAILURE_UNKNOWN = 1,
+
+  // The connection failed after sending ClientHello and before receiving
+  // ServerHello.
+  SSL_FAILURE_CLIENT_HELLO = 2,
+
+  // The connection failed after negotiating TLS_RSA_WITH_AES_128_GCM_SHA256 or
+  // TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and completing the client's second
+  // leg. Some Microsoft IIS servers fail at this point. See
+  // https://crbug.com/433406.
+  SSL_FAILURE_BUGGY_GCM = 3,
+
+  // The connection failed after CertificateVerify was sent. Some servers are
+  // known to incorrectly implement TLS 1.2 client auth.
+  SSL_FAILURE_CLIENT_AUTH = 4,
+
+  // The connection failed because the server attempted to resume a session at
+  // the wrong version. Some versions of OpenSSL may do this in rare
+  // circumstances. See https://crbug.com/441456
+  SSL_FAILURE_SESSION_MISMATCH = 5,
+
+  // The connection failed after sending the NextProto message. Some F5 servers
+  // fail to parse such messages in TLS 1.1 and TLS 1.2, but not 1.0. See
+  // https://crbug.com/466977.
+  SSL_FAILURE_NEXT_PROTO = 6,
+
+  SSL_FAILURE_MAX,
+};
+
+}  // namespace net
+
+#endif  // NET_SSL_SSL_FAILURE_STATE_H_