Do not roll back to SSL 3.0 for Google properties.

net/ssl/ssl_config_service.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_SSL_SSL_CONFIG_SERVICE_H_
 #define NET_SSL_SSL_CONFIG_SERVICE_H_
 
 #include <vector>
 
 #include "base/basictypes.h"
@@ skipping 31 matching lines @@
   // Returns true if |cert| is one of the certs in |allowed_bad_certs|.
   // The expected cert status is written to |cert_status|. |*cert_status| can
   // be NULL if user doesn't care about the cert status.
   bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const;
 
   // Same as above except works with DER encoded certificates instead
   // of X509Certificate.
   bool IsAllowedBadCert(const base::StringPiece& der_cert,
                         CertStatus* cert_status) const;
 
+  // Returns the string representation of an SSL protocol version. Returns an
+  // empty string on error.
+  static std::string SSLProtocolVersionToString(uint16 version);
+
+  // Returns the SSL protocol version (as a uint16) represented by a string.
+  // Returns 0 if the string is invalid.
+  static uint16 SSLProtocolVersionFromString(const std::string& version_str);
+
   // rev_checking_enabled is true if online certificate revocation checking is
   // enabled (i.e. OCSP and CRL fetching).
   //
   // Regardless of this flag, CRLSet checking is always enabled and locally
   // cached revocation information will be considered.
   bool rev_checking_enabled;
 
   // The minimum and maximum protocol versions that are enabled.
   // SSL 3.0 is 0x0300, TLS 1.0 is 0x0301, TLS 1.1 is 0x0302, and so on.
   // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.)
@@ skipping 22 matching lines @@
   // big-endian form, they should be declared in host byte order, with the
   // first uint8 occupying the most significant byte.
   // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
   // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
   std::vector<uint16> disabled_cipher_suites;
 
   bool cached_info_enabled;  // True if TLS cached info extension is enabled.
   bool channel_id_enabled;  // True if TLS channel ID extension is enabled.
   bool false_start_enabled;  // True if we'll use TLS False Start.
 
+  // True if we want to disable enforcement of minimum SSL version for
+  // preloaded HSTS entries.

[Ryan Sleevi, 2013/04/15 18:03:28]

Comment nit: Chromium comments discourage the use of pronouns - see
https://groups.google.com/a/chromium.org/d/topic/chromium-dev/NH-S6KCkr2M/dis...


"True if the enforcement of the minimum SSL/TLS version for preloaded HSTS
entries is disabled."

+  bool ssl_version_min_preloaded_disabled;
+
   // TODO(wtc): move the following members to a new SSLParams structure.  They
   // are not SSL configuration settings.
 
   struct NET_EXPORT CertAndStatus {
     CertAndStatus();
     ~CertAndStatus();
 
     std::string der_cert;
     CertStatus cert_status;
   };
@@ skipping 101 matching lines @@
   void ProcessConfigUpdate(const SSLConfig& orig_config,
                            const SSLConfig& new_config);
 
  private:
   ObserverList<Observer> observer_list_;
 };
 
 }  // namespace net
 
 #endif  // NET_SSL_SSL_CONFIG_SERVICE_H_