Gather metrics classifying the cause of the TLS fallback.

net/http/http_network_transaction.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_network_transaction.h"
 
 #include <set>
 #include <vector>
 
 #include "base/bind.h"
@@ skipping 77 matching lines @@
   session->http_stream_factory()->ProcessAlternateProtocol(
       session->http_server_properties(),
       alternate_protocol_values,
       http_host_port_pair,
       *session);
 }
 
 base::Value* NetLogSSLVersionFallbackCallback(
     const GURL* url,
     int net_error,
+    SSLFailureState ssl_failure_state,
     uint16 version_before,
     uint16 version_after,
     NetLogCaptureMode /* capture_mode */) {
   base::DictionaryValue* dict = new base::DictionaryValue();
   dict->SetString("host_and_port", GetHostAndPort(*url));
   dict->SetInteger("net_error", net_error);
+  dict->SetInteger("ssl_failure_state", ssl_failure_state);
   dict->SetInteger("version_before", version_before);
   dict->SetInteger("version_after", version_after);
   return dict;
 }
 
 base::Value* NetLogSSLCipherFallbackCallback(
     const GURL* url,
     int net_error,
     NetLogCaptureMode /* capture_mode */) {
   base::DictionaryValue* dict = new base::DictionaryValue();
   dict->SetString("host_and_port", GetHostAndPort(*url));
   dict->SetInteger("net_error", net_error);
   return dict;
 }
 
 }  // namespace
 
 //-----------------------------------------------------------------------------
 
 HttpNetworkTransaction::HttpNetworkTransaction(RequestPriority priority,
                                                HttpNetworkSession* session)
     : pending_auth_target_(HttpAuth::AUTH_NONE),
       io_callback_(base::Bind(&HttpNetworkTransaction::OnIOComplete,
                               base::Unretained(this))),
       session_(session),
       request_(NULL),
       priority_(priority),
       headers_valid_(false),
+      server_ssl_failure_state_(kSSLFailureNone),
       fallback_error_code_(ERR_SSL_INAPPROPRIATE_FALLBACK),
+      fallback_failure_state_(kSSLFailureNone),
       request_headers_(),
       read_buf_len_(0),
       total_received_bytes_(0),
       next_state_(STATE_NONE),
       establishing_tunnel_(false),
       websocket_handshake_stream_base_create_helper_(NULL) {
   session->ssl_config_service()->GetSSLConfig(&server_ssl_config_);
   session->GetNextProtos(&server_ssl_config_.next_protos);
   proxy_ssl_config_ = server_ssl_config_;
 }
@@ skipping 352 matching lines @@
 }
 
 void HttpNetworkTransaction::OnWebSocketHandshakeStreamReady(
     const SSLConfig& used_ssl_config,
     const ProxyInfo& used_proxy_info,
     WebSocketHandshakeStreamBase* stream) {
   OnStreamReady(used_ssl_config, used_proxy_info, stream);
 }
 
 void HttpNetworkTransaction::OnStreamFailed(int result,
-                                            const SSLConfig& used_ssl_config) {
+                                            const SSLConfig& used_ssl_config,
+                                            SSLFailureState ssl_failure_state) {
   DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
   DCHECK_NE(OK, result);
   DCHECK(stream_request_.get());
   DCHECK(!stream_.get());
   server_ssl_config_ = used_ssl_config;
+  server_ssl_failure_state_ = ssl_failure_state;
 
   OnIOComplete(result);
 }
 
 void HttpNetworkTransaction::OnCertificateError(
     int result,
     const SSLConfig& used_ssl_config,
     const SSLInfo& ssl_info) {
   DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
   DCHECK_NE(OK, result);
@@ skipping 823 matching lines @@
       // could trigger ERR_SSL_INAPPROPRIATE_FALLBACK with the initial
       // connection. |fallback_error_code_| is initialised to
       // ERR_SSL_INAPPROPRIATE_FALLBACK to catch this case.
       error = fallback_error_code_;
       break;
   }
 
   if (should_fallback) {
     net_log_.AddEvent(
         NetLog::TYPE_SSL_VERSION_FALLBACK,
-        base::Bind(&NetLogSSLVersionFallbackCallback,
-                   &request_->url, error, server_ssl_config_.version_max,
+        base::Bind(&NetLogSSLVersionFallbackCallback, &request_->url, error,
+                   server_ssl_failure_state_, server_ssl_config_.version_max,
                    version_max));
     fallback_error_code_ = error;
+    fallback_failure_state_ = server_ssl_failure_state_;
     server_ssl_config_.version_max = version_max;
     server_ssl_config_.version_fallback = true;
     ResetConnectionAndRequestForResend();
     error = OK;
   }
 
   return error;
 }
 
 // This method determines whether it is safe to resend the request after an
@@ skipping 98 matching lines @@
   // This helps estimate intolerant locally-configured SSL MITMs.
   const std::string& host = request_->url.host();
   if (EndsWith(host, "google.com", true) &&
       (host.size() == 10 || host[host.size() - 11] == '.')) {
     UMA_HISTOGRAM_ENUMERATION("Net.GoogleConnectionUsedSSLVersionFallback2",
                               fallback, FALLBACK_MAX);
   }
 
   UMA_HISTOGRAM_BOOLEAN("Net.ConnectionUsedSSLDeprecatedCipherFallback2",
                         server_ssl_config_.enable_deprecated_cipher_suites);
+
+  if (server_ssl_config_.version_fallback) {
+    // Record the error code which triggered the fallback and the state the
+    // handshake was in.
+    UMA_HISTOGRAM_CUSTOM_ENUMERATION("Net.SSLFallbackErrorCode",
+                                     -fallback_error_code_,
+                                     net::GetAllErrorCodesForUma());

[Alexei Svitkine (slow), 2015/05/15 14:39:36]

It's more efficient to use UMA_HISTOGRAM_SPARSE_SLOWLY() in this case, instead
of allocating an array to hold all possible bucket values.

[davidben, 2015/05/15 18:00:23]

Done.

In that case should we switch all code that currently uses
net::GetAllErrorCodesForUma() or is that incompatible? There's a few places. I
can do it in a follow-up if SPARSE_SLOWLY is preferred.

https://code.google.com/p/chromium/codesearch#search/&q=GetAllErrorCodesForUm...

[Alexei Svitkine (slow), 2015/05/15 18:05:22]

Yes, preferably all the places should be switched.

+    UMA_HISTOGRAM_ENUMERATION("Net.SSLFallbackFailureState",
+                              fallback_failure_state_, kSSLFailureMax);
+  }
 }
 
 HttpResponseHeaders* HttpNetworkTransaction::GetResponseHeaders() const {
   return response_.headers.get();
 }
 
 bool HttpNetworkTransaction::ShouldResendRequest() const {
   bool connection_is_proven = stream_->IsConnectionReused();
   bool has_received_headers = GetResponseHeaders() != NULL;
 
@@ skipping 136 matching lines @@
   DCHECK(stream_request_);
 
   // Since the transaction can restart with auth credentials, it may create a
   // stream more than once. Accumulate all of the connection attempts across
   // those streams by appending them to the vector:
   for (const auto& attempt : stream_request_->connection_attempts())
     connection_attempts_.push_back(attempt);
 }
 
 }  // namespace net