Do not roll back to SSL 3.0 for Google properties.

chrome/browser/net/ssl_config_service_manager_pref.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include "chrome/browser/net/ssl_config_service_manager.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
 #include "base/basictypes.h"
@@ skipping 46 matching lines @@
       continue;
     }
     cipher_suites.push_back(cipher_suite);
   }
   std::sort(cipher_suites.begin(), cipher_suites.end());
   return cipher_suites;
 }
 
 // Returns the string representation of an SSL protocol version. Returns an
 // empty string on error.
-std::string SSLProtocolVersionToString(uint16 version) {
+std::string SSLConfig::SSLProtocolVersionToString(uint16 version) {

[Ryan Sleevi, 2013/04/17 18:01:27]

I believe you should revert these changes - it's no longer a member of
SSLConfig::.

[thaidn_google, 2013/04/17 20:14:40]

Oh right. Good catch! This should be caught if I was able to compile unit_tests
(it failed for some unrelated reasons).

On 2013/04/17 18:01:27, Ryan Sleevi wrote:

   switch (version) {
     case net::SSL_PROTOCOL_VERSION_SSL3:
       return "ssl3";
     case net::SSL_PROTOCOL_VERSION_TLS1:
       return "tls1";
     case net::SSL_PROTOCOL_VERSION_TLS1_1:
       return "tls1.1";
     case net::SSL_PROTOCOL_VERSION_TLS1_2:
       return "tls1.2";
     default:
       NOTREACHED();
       return std::string();
   }
 }
 
 // Returns the SSL protocol version (as a uint16) represented by a string.
 // Returns 0 if the string is invalid.
-uint16 SSLProtocolVersionFromString(const std::string& version_str) {
+uint16 SSLConfig::SSLProtocolVersionFromString(const std::string& version_str) {
   uint16 version = 0;  // Invalid.
   if (version_str == "ssl3") {
     version = net::SSL_PROTOCOL_VERSION_SSL3;
   } else if (version_str == "tls1") {
     version = net::SSL_PROTOCOL_VERSION_TLS1;
   } else if (version_str == "tls1.1") {
     version = net::SSL_PROTOCOL_VERSION_TLS1_1;
   } else if (version_str == "tls1.2") {
     version = net::SSL_PROTOCOL_VERSION_TLS1_2;
   }
@@ skipping 77 matching lines @@
 
   PrefChangeRegistrar local_state_change_registrar_;
   PrefChangeRegistrar user_prefs_change_registrar_;
 
   // The local_state prefs (should only be accessed from UI thread)
   BooleanPrefMember rev_checking_enabled_;
   StringPrefMember ssl_version_min_;
   StringPrefMember ssl_version_max_;
   BooleanPrefMember channel_id_enabled_;
   BooleanPrefMember ssl_record_splitting_disabled_;
+  BooleanPrefMember ssl_version_min_preloaded_disabled_;
 
   // The cached list of disabled SSL cipher suites.
   std::vector<uint16> disabled_cipher_suites_;
 
   // The user_prefs prefs (should only be accessed from UI thread).
   // |have_user_prefs_| will be false if no user_prefs are associated with this
   // instance.
   bool have_user_prefs_;
   BooleanPrefMember block_third_party_cookies_;
 
@@ skipping 19 matching lines @@
   rev_checking_enabled_.Init(
       prefs::kCertRevocationCheckingEnabled, local_state, local_state_callback);
   ssl_version_min_.Init(
       prefs::kSSLVersionMin, local_state, local_state_callback);
   ssl_version_max_.Init(
       prefs::kSSLVersionMax, local_state, local_state_callback);
   channel_id_enabled_.Init(
       prefs::kEnableOriginBoundCerts, local_state, local_state_callback);
   ssl_record_splitting_disabled_.Init(
       prefs::kDisableSSLRecordSplitting, local_state, local_state_callback);
+  ssl_version_min_preloaded_disabled_.Init(
+      prefs::kDisableSSLVersionMinPreloaded, local_state, local_state_callback);
 
   local_state_change_registrar_.Init(local_state);
   local_state_change_registrar_.Add(
       prefs::kCipherSuiteBlacklist, local_state_callback);
 
   OnDisabledCipherSuitesChange(local_state);
 
   if (user_prefs) {
     PrefChangeRegistrar::NamedChangeCallback user_prefs_callback = base::Bind(
         &SSLConfigServiceManagerPref::OnPreferenceChanged,
@@ skipping 21 matching lines @@
   std::string version_min_str =
       SSLProtocolVersionToString(default_config.version_min);
   std::string version_max_str =
       SSLProtocolVersionToString(default_config.version_max);
   registry->RegisterStringPref(prefs::kSSLVersionMin, version_min_str);
   registry->RegisterStringPref(prefs::kSSLVersionMax, version_max_str);
   registry->RegisterBooleanPref(prefs::kEnableOriginBoundCerts,
                                 default_config.channel_id_enabled);
   registry->RegisterBooleanPref(prefs::kDisableSSLRecordSplitting,
                                 !default_config.false_start_enabled);
+  registry->RegisterBooleanPref(
+      prefs::kDisableSSLVersionMinPreloaded,
+      default_config.ssl_version_min_preloaded_disabled);
   registry->RegisterListPref(prefs::kCipherSuiteBlacklist);
 }
 
 net::SSLConfigService* SSLConfigServiceManagerPref::Get() {
   return ssl_config_service_;
 }
 
 void SSLConfigServiceManagerPref::OnPreferenceChanged(
     PrefService* prefs,
     const std::string& pref_name_in) {
@@ skipping 18 matching lines @@
           new_config));
 }
 
 void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
     net::SSLConfig* config) {
   config->rev_checking_enabled = rev_checking_enabled_.GetValue();
   std::string version_min_str = ssl_version_min_.GetValue();
   std::string version_max_str = ssl_version_max_.GetValue();
   config->version_min = net::SSLConfigService::default_version_min();
   config->version_max = net::SSLConfigService::default_version_max();
-  uint16 version_min = SSLProtocolVersionFromString(version_min_str);
-  uint16 version_max = SSLProtocolVersionFromString(version_max_str);
+  uint16 version_min = SSLProtocolVersionFromString(
+      version_min_str);
+  uint16 version_max = SSLProtocolVersionFromString(
+      version_max_str);

[wtc, 2013/04/17 19:49:50]

Why reformat these two lines?

[thaidn_google, 2013/04/17 22:16:07]

Done.

   if (version_min) {
     // TODO(wtc): get the minimum SSL protocol version supported by the
     // SSLClientSocket class. Right now it happens to be the same as the
     // default minimum SSL protocol version because we enable all supported
     // versions by default.
     uint16 supported_version_min = config->version_min;
     config->version_min = std::max(supported_version_min, version_min);
   }
   if (version_max) {
     // TODO(wtc): get the maximum SSL protocol version supported by the
     // SSLClientSocket class.
     uint16 supported_version_max = config->version_max;
     config->version_max = std::min(supported_version_max, version_max);
   }
   config->disabled_cipher_suites = disabled_cipher_suites_;
   config->channel_id_enabled = channel_id_enabled_.GetValue();
   if (have_user_prefs_ &&
       (cookies_disabled_ || block_third_party_cookies_.GetValue()))
     config->channel_id_enabled = false;
   // disabling False Start also happens to disable record splitting.
   config->false_start_enabled = !ssl_record_splitting_disabled_.GetValue();
+  config->ssl_version_min_preloaded_disabled =
+      ssl_version_min_preloaded_disabled_.GetValue();
   SSLConfigServicePref::SetSSLConfigFlags(config);
 }
 
 void SSLConfigServiceManagerPref::OnDisabledCipherSuitesChange(
     PrefService* local_state) {
   const ListValue* value = local_state->GetList(prefs::kCipherSuiteBlacklist);
   disabled_cipher_suites_ = ParseCipherSuites(ListValueToStringVector(value));
 }
 
 void SSLConfigServiceManagerPref::OnDefaultContentSettingsChange(
@@ skipping 15 matching lines @@
 // static
 SSLConfigServiceManager* SSLConfigServiceManager::CreateDefaultManager(
     PrefService* local_state, PrefService* user_prefs) {
   return new SSLConfigServiceManagerPref(local_state, user_prefs);
 }
 
 // static
 void SSLConfigServiceManager::RegisterPrefs(PrefRegistrySimple* registry) {
   SSLConfigServiceManagerPref::RegisterPrefs(registry);
 }