Do not roll back to SSL 3.0 for Google properties.

chrome/browser/net/transport_security_persister.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/net/transport_security_persister.h"
 
 #include "base/base64.h"
 #include "base/bind.h"
 #include "base/file_util.h"
 #include "base/files/file_path.h"
@@ skipping 60 matching lines @@
 const char kExpiry[] = "expiry";
 const char kDynamicSPKIHashesExpiry[] = "dynamic_spki_hashes_expiry";
 const char kStaticSPKIHashes[] = "static_spki_hashes";
 const char kPreloadedSPKIHashes[] = "preloaded_spki_hashes";
 const char kDynamicSPKIHashes[] = "dynamic_spki_hashes";
 const char kForceHTTPS[] = "force-https";
 const char kStrict[] = "strict";
 const char kDefault[] = "default";
 const char kPinningOnly[] = "pinning-only";
 const char kCreated[] = "created";
+const char kSSLVersionMin[] = "ssl_version_min";
+const char kSSLVersion30[] = "sslv3.0";

[agl, 2013/04/11 13:48:57]

We already have a convention for these strings I'm afraid: "ssl3", "tls1",
"tls1.1", "tls1.2".

+const char kTLSVersion10[] = "tlsv1.0";
+const char kTLSVersion11[] = "tlsv1.1";
+const char kTLSVersion12[] = "tlsv1.2";
 
 }  // namespace
 
 class TransportSecurityPersister::Loader {
  public:
   Loader(const base::WeakPtr<TransportSecurityPersister>& persister,
          const base::FilePath& path)
       : persister_(persister),
         path_(path),
         state_valid_(false) {
@@ skipping 76 matching lines @@
         state.domain_state();
 
     DictionaryValue* serialized = new DictionaryValue;
     serialized->SetBoolean(kIncludeSubdomains,
                            domain_state.include_subdomains);
     serialized->SetDouble(kCreated, domain_state.created.ToDoubleT());
     serialized->SetDouble(kExpiry, domain_state.upgrade_expiry.ToDoubleT());
     serialized->SetDouble(kDynamicSPKIHashesExpiry,
                           domain_state.dynamic_spki_hashes_expiry.ToDoubleT());
 
+    switch (domain_state.ssl_version_min) {
+      case net::SSL_CONNECTION_VERSION_SSL3:
+        serialized->SetString(kSSLVersionMin, "sslv3.0");
+        break;
+      case net::SSL_CONNECTION_VERSION_TLS1:
+        serialized->SetString(kSSLVersionMin, "tlsv1.0");
+        break;
+      case net::SSL_CONNECTION_VERSION_TLS1_1:
+        serialized->SetString(kSSLVersionMin, "tlsv1.1");
+        break;
+      case net::SSL_CONNECTION_VERSION_TLS1_2:
+        serialized->SetString(kSSLVersionMin, "tlsv1.2");
+        break;
+      default:
+        NOTREACHED() << "DomainState with unknown ssl_version_min";
+        delete serialized;
+        continue;
+    }
+
     switch (domain_state.upgrade_mode) {
       case TransportSecurityState::DomainState::MODE_FORCE_HTTPS:
         serialized->SetString(kMode, kForceHTTPS);
         break;
       case TransportSecurityState::DomainState::MODE_DEFAULT:
         serialized->SetString(kMode, kDefault);
         break;
       default:
         NOTREACHED() << "DomainState with unknown mode";
         delete serialized;
@@ skipping 75 matching lines @@
     const ListValue* pins_list = NULL;
     // preloaded_spki_hashes is a legacy synonym for static_spki_hashes.
     if (parsed->GetList(kStaticSPKIHashes, &pins_list))
       SPKIHashesFromListValue(*pins_list, &domain_state.static_spki_hashes);
     else if (parsed->GetList(kPreloadedSPKIHashes, &pins_list))
       SPKIHashesFromListValue(*pins_list, &domain_state.static_spki_hashes);
 
     if (parsed->GetList(kDynamicSPKIHashes, &pins_list))
       SPKIHashesFromListValue(*pins_list, &domain_state.dynamic_spki_hashes);
 
+    std::string ssl_version_min;
+    if (parsed->GetString(kSSLVersionMin, &ssl_version_min)) {
+      if (ssl_version_min == kSSLVersion30) {
+        domain_state.ssl_version_min = net::SSL_CONNECTION_VERSION_SSL3;
+      } else if (ssl_version_min == kTLSVersion10) {
+        domain_state.ssl_version_min = net::SSL_CONNECTION_VERSION_TLS1;
+      } else if (ssl_version_min == kTLSVersion11) {
+        domain_state.ssl_version_min = net::SSL_CONNECTION_VERSION_TLS1_1;
+      } else if (ssl_version_min == kTLSVersion12) {
+        domain_state.ssl_version_min = net::SSL_CONNECTION_VERSION_TLS1_2;
+      }
+    }
+
     if (mode_string == kForceHTTPS || mode_string == kStrict) {
       domain_state.upgrade_mode =
           TransportSecurityState::DomainState::MODE_FORCE_HTTPS;
     } else if (mode_string == kDefault || mode_string == kPinningOnly) {
       domain_state.upgrade_mode =
           TransportSecurityState::DomainState::MODE_DEFAULT;
     } else {
       LOG(WARNING) << "Unknown TransportSecurityState mode string "
                    << mode_string << " found for entry " << i.key()
                    << "; skipping entry";
@@ skipping 39 matching lines @@
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
 
   bool dirty = false;
   if (!LoadEntries(state, &dirty)) {
     LOG(ERROR) << "Failed to deserialize state: " << state;
     return;
   }
   if (dirty)
     StateIsDirty(transport_security_state_);
 }