Do not roll back to SSL 3.0 for Google properties.

net/ssl/ssl_config_service.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_SSL_SSL_CONFIG_SERVICE_H_
 #define NET_SSL_SSL_CONFIG_SERVICE_H_
 
 #include <vector>
 
 #include "base/basictypes.h"
@@ skipping 31 matching lines @@
   // Returns true if |cert| is one of the certs in |allowed_bad_certs|.
   // The expected cert status is written to |cert_status|. |*cert_status| can
   // be NULL if user doesn't care about the cert status.
   bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const;
 
   // Same as above except works with DER encoded certificates instead
   // of X509Certificate.
   bool IsAllowedBadCert(const base::StringPiece& der_cert,
                         CertStatus* cert_status) const;
 
+  // Returns the string representation of an SSL protocol version. Returns an
+  // empty string on error.
+  static std::string SSLProtocolVersionToString(uint16 version);
+
+  // Returns the SSL protocol version (as a uint16) represented by a string.
+  // Returns 0 if the string is invalid.
+  static uint16 SSLProtocolVersionFromString(const std::string& version_str);

[Ryan Sleevi, 2013/04/16 19:55:26]

This seems like a really awkward place to put this, given that we already have
net::SSLVersionToString in
http://src.chromium.org/viewvc/chrome/trunk/src/net/ssl/ssl_cipher_suite_name...

Seems like these should live there?

[thaidn_google, 2013/04/17 00:46:17]

It turns out that I don't need them here anymore. I just move them back to their
original place.

On 2013/04/16 19:55:26, Ryan Sleevi wrote:

+
   // rev_checking_enabled is true if online certificate revocation checking is
   // enabled (i.e. OCSP and CRL fetching).
   //
   // Regardless of this flag, CRLSet checking is always enabled and locally
   // cached revocation information will be considered.
   bool rev_checking_enabled;
 
   // The minimum and maximum protocol versions that are enabled.
   // SSL 3.0 is 0x0300, TLS 1.0 is 0x0301, TLS 1.1 is 0x0302, and so on.
   // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.)
@@ skipping 22 matching lines @@
   // big-endian form, they should be declared in host byte order, with the
   // first uint8 occupying the most significant byte.
   // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
   // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
   std::vector<uint16> disabled_cipher_suites;
 
   bool cached_info_enabled;  // True if TLS cached info extension is enabled.
   bool channel_id_enabled;  // True if TLS channel ID extension is enabled.
   bool false_start_enabled;  // True if we'll use TLS False Start.
 
+  // True if the enforcement of minimum SSL version for preloaded HSTS
+  // entries is disabled.
+  bool ssl_version_min_preloaded_disabled;
+
   // TODO(wtc): move the following members to a new SSLParams structure.  They
   // are not SSL configuration settings.
 
   struct NET_EXPORT CertAndStatus {
     CertAndStatus();
     ~CertAndStatus();
 
     std::string der_cert;
     CertStatus cert_status;
   };
@@ skipping 101 matching lines @@
   void ProcessConfigUpdate(const SSLConfig& orig_config,
                            const SSLConfig& new_config);
 
  private:
   ObserverList<Observer> observer_list_;
 };
 
 }  // namespace net
 
 #endif  // NET_SSL_SSL_CONFIG_SERVICE_H_