net: also do TLS 1.1 -> 1.0 fallback on ERR_CONNECTION_ABORTED.

net/socket/ssl_client_socket_nss.cc

Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index b631b91c0a7b9aa4385e9916d5ed05d4f269bb92..3702666778603194242f7262f33552441f26266d 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1904,15 +1904,18 @@ int SSLClientSocketNSS::Core::DoHandshake() {
     // inject TCP reset packets to break the connections when they see
     // TLS 1.1 in ClientHello or ServerHello. See http://crbug.com/130293.
     //
-    // Only allow ERR_CONNECTION_RESET to trigger a TLS 1.1 -> TLS 1.0
-    // fallback. We don't lose much in this fallback because the explicit
-    // IV for CBC mode in TLS 1.1 is approximated by record splitting in
-    // TLS 1.0.
+    // Only allow ERR_CONNECTION_RESET/ABORTED to trigger a TLS 1.1 -> TLS 1.0
+    // fallback. We don't lose much in this fallback because the explicit IV
+    // for CBC mode in TLS 1.1 is approximated by record splitting in TLS 1.0.
     //
-    // ERR_CONNECTION_RESET is a common network error, so we don't want it
-    // to trigger a version fallback in general, especially the TLS 1.0 ->
+    // ERR_CONNECTION_RESET/ABORTED are common network errors, so we don't want
+    // them to trigger a version fallback in general, especially the TLS 1.0 ->
     // SSL 3.0 fallback, which would drop TLS extensions.
-    if (prerr == PR_CONNECT_RESET_ERROR &&
+    //
+    // ERR_CONNECTION_ABORTED was added because we sometimes get it instead of
+    // RESET on Windows. See crbug.com/178672.

[wtc, 2013/03/04 23:51:27]

I found one change to tcp_client_socket_win.cc in Chrome 25
that could explain the ERR_CONNECTION_RESET to
ERR_CONNECTION_ABORTED change. rsleevi changed how
SSLClientSocket reads from the TCPClientSocket, but his change
(r174136) is cross-platform and is in Chrome 26 only
(Chrome 25 branched at revision 173683). So I think
pmeenan's change to tcp_client_socket_win.cc (r165170)
is the most likely cause for the error code change on
Windows.

[wtc, 2013/03/05 18:27:10]

We can replace "sometimes" with something like "if non-blocking
reads instead of async/overlapped reads are used"

[agl, 2013/03/05 18:48:20]

Done.

+    if ((prerr == PR_CONNECT_RESET_ERROR ||
+         prerr == PR_CONNECT_ABORTED_ERROR) &&

[wtc, 2013/03/04 20:55:49]

Perhaps only allow PR_CONNECT_ABORTED_ERROR for OS_WIN?
It would require some ugly #ifdef. Not sure if that's worth
it.

[agl, 2013/03/04 21:01:13]

I would tend not to have different behaviours on different platforms unless it's
clearly warranted, and I'm not sure that it is here. Maybe we have a subtle
issue on all platforms that's only just showing through on some Windows boxes.

         ssl_config_.version_max == SSL_PROTOCOL_VERSION_TLS1_1) {
       net_error = ERR_SSL_PROTOCOL_ERROR;
     }