Chromium Code Reviews Chromium Code Reviews
Issue 14125003:
Do not roll back to SSL 3.0 for Google properties. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/http_network_transaction.h" | 5 #include "net/http/http_network_transaction.h" |
| 6 | 6 |
| 7 #include <set> | 7 #include <set> |
| 8 #include <vector> | 8 #include <vector> |
| 9 | 9 |
| 10 #include "base/bind.h" | 10 #include "base/bind.h" |
| (...skipping 29 matching lines...) Expand all Loading... | |
| 40 #include "net/http/http_proxy_client_socket_pool.h" | 40 #include "net/http/http_proxy_client_socket_pool.h" |
| 41 #include "net/http/http_request_headers.h" | 41 #include "net/http/http_request_headers.h" |
| 42 #include "net/http/http_request_info.h" | 42 #include "net/http/http_request_info.h" |
| 43 #include "net/http/http_response_headers.h" | 43 #include "net/http/http_response_headers.h" |
| 44 #include "net/http/http_response_info.h" | 44 #include "net/http/http_response_info.h" |
| 45 #include "net/http/http_server_properties.h" | 45 #include "net/http/http_server_properties.h" |
| 46 #include "net/http/http_status_code.h" | 46 #include "net/http/http_status_code.h" |
| 47 #include "net/http/http_stream_base.h" | 47 #include "net/http/http_stream_base.h" |
| 48 #include "net/http/http_stream_factory.h" | 48 #include "net/http/http_stream_factory.h" |
| 49 #include "net/http/http_util.h" | 49 #include "net/http/http_util.h" |
| 50 #include "net/http/transport_security_state.h" | |
| 50 #include "net/http/url_security_manager.h" | 51 #include "net/http/url_security_manager.h" |
| 51 #include "net/socket/client_socket_factory.h" | 52 #include "net/socket/client_socket_factory.h" |
| 52 #include "net/socket/socks_client_socket_pool.h" | 53 #include "net/socket/socks_client_socket_pool.h" |
| 53 #include "net/socket/ssl_client_socket.h" | 54 #include "net/socket/ssl_client_socket.h" |
| 54 #include "net/socket/ssl_client_socket_pool.h" | 55 #include "net/socket/ssl_client_socket_pool.h" |
| 55 #include "net/socket/transport_client_socket_pool.h" | 56 #include "net/socket/transport_client_socket_pool.h" |
| 56 #include "net/spdy/spdy_http_stream.h" | 57 #include "net/spdy/spdy_http_stream.h" |
| 57 #include "net/spdy/spdy_session.h" | 58 #include "net/spdy/spdy_session.h" |
| 58 #include "net/spdy/spdy_session_pool.h" | 59 #include "net/spdy/spdy_session_pool.h" |
| 59 #include "net/ssl/ssl_cert_request_info.h" | 60 #include "net/ssl/ssl_cert_request_info.h" |
| (...skipping 1013 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1073 total_duration, base::TimeDelta::FromMilliseconds(1), | 1074 total_duration, base::TimeDelta::FromMilliseconds(1), |
| 1074 base::TimeDelta::FromMinutes(10), 100); | 1075 base::TimeDelta::FromMinutes(10), 100); |
| 1075 | 1076 |
| 1076 if (!reused_socket) { | 1077 if (!reused_socket) { |
| 1077 UMA_HISTOGRAM_CUSTOM_TIMES( | 1078 UMA_HISTOGRAM_CUSTOM_TIMES( |
| 1078 base::FieldTrial::MakeName("Net.Transaction_Connected_New_b", | 1079 base::FieldTrial::MakeName("Net.Transaction_Connected_New_b", |
| 1079 "SpdyImpact"), | 1080 "SpdyImpact"), |
| 1080 total_duration, base::TimeDelta::FromMilliseconds(1), | 1081 total_duration, base::TimeDelta::FromMilliseconds(1), |
| 1081 base::TimeDelta::FromMinutes(10), 100); | 1082 base::TimeDelta::FromMinutes(10), 100); |
| 1082 } | 1083 } |
| 1083 } | 1084 } |
|
thaidn_google
2013/04/19 01:42:55
Not me.
| |
| 1084 | 1085 |
| 1085 // Currently, non-HIGHEST priority requests are frame or sub-frame resource | 1086 // Currently, non-HIGHEST priority requests are frame or sub-frame resource |
| 1086 // types. This will change when we also prioritize certain subresources like | 1087 // types. This will change when we also prioritize certain subresources like |
| 1087 // css, js, etc. | 1088 // css, js, etc. |
| 1088 if (priority_ != HIGHEST) { | 1089 if (priority_ != HIGHEST) { |
| 1089 UMA_HISTOGRAM_CUSTOM_TIMES( | 1090 UMA_HISTOGRAM_CUSTOM_TIMES( |
| 1090 "Net.Priority_High_Latency_b", | 1091 "Net.Priority_High_Latency_b", |
| 1091 total_duration, | 1092 total_duration, |
| 1092 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), | 1093 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), |
| 1093 100); | 1094 100); |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1126 duration, | 1127 duration, |
| 1127 base::TimeDelta::FromMilliseconds(1), | 1128 base::TimeDelta::FromMilliseconds(1), |
| 1128 base::TimeDelta::FromMinutes(10), | 1129 base::TimeDelta::FromMinutes(10), |
| 1129 100); | 1130 100); |
| 1130 UMA_HISTOGRAM_CUSTOM_TIMES( | 1131 UMA_HISTOGRAM_CUSTOM_TIMES( |
| 1131 base::FieldTrial::MakeName("Net.Transaction_Latency_Total", | 1132 base::FieldTrial::MakeName("Net.Transaction_Latency_Total", |
| 1132 "WarmSocketImpact"), | 1133 "WarmSocketImpact"), |
| 1133 total_duration, | 1134 total_duration, |
| 1134 base::TimeDelta::FromMilliseconds(1), | 1135 base::TimeDelta::FromMilliseconds(1), |
| 1135 base::TimeDelta::FromMinutes(10), 100); | 1136 base::TimeDelta::FromMinutes(10), 100); |
| 1136 } | 1137 } |
|
thaidn_google
2013/04/19 01:42:55
Not me.
| |
| 1137 | 1138 |
| 1138 if (!stream_->IsConnectionReused()) { | 1139 if (!stream_->IsConnectionReused()) { |
| 1139 UMA_HISTOGRAM_CUSTOM_TIMES( | 1140 UMA_HISTOGRAM_CUSTOM_TIMES( |
| 1140 "Net.Transaction_Latency_Total_New_Connection", | 1141 "Net.Transaction_Latency_Total_New_Connection", |
| 1141 total_duration, base::TimeDelta::FromMilliseconds(1), | 1142 total_duration, base::TimeDelta::FromMilliseconds(1), |
| 1142 base::TimeDelta::FromMinutes(10), 100); | 1143 base::TimeDelta::FromMinutes(10), 100); |
| 1143 } | 1144 } |
| 1144 } | 1145 } |
| 1145 | 1146 |
| 1146 int HttpNetworkTransaction::HandleCertificateRequest(int error) { | 1147 int HttpNetworkTransaction::HandleCertificateRequest(int error) { |
| (...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1209 // by the endpoint host, request_->url, rather than considering if they were | 1210 // by the endpoint host, request_->url, rather than considering if they were |
| 1210 // generated by the SSL proxy. http://crbug.com/69329 | 1211 // generated by the SSL proxy. http://crbug.com/69329 |
| 1211 int HttpNetworkTransaction::HandleSSLHandshakeError(int error) { | 1212 int HttpNetworkTransaction::HandleSSLHandshakeError(int error) { |
| 1212 DCHECK(request_); | 1213 DCHECK(request_); |
| 1213 if (server_ssl_config_.send_client_cert && | 1214 if (server_ssl_config_.send_client_cert && |
| 1214 (error == ERR_SSL_PROTOCOL_ERROR || IsClientCertificateError(error))) { | 1215 (error == ERR_SSL_PROTOCOL_ERROR || IsClientCertificateError(error))) { |
| 1215 session_->ssl_client_auth_cache()->Remove( | 1216 session_->ssl_client_auth_cache()->Remove( |
| 1216 GetHostAndPort(request_->url)); | 1217 GetHostAndPort(request_->url)); |
| 1217 } | 1218 } |
| 1218 | 1219 |
| 1220 uint16 version_max = server_ssl_config_.version_max; | |
| 1221 | |
| 1219 switch (error) { | 1222 switch (error) { |
| 1220 case ERR_SSL_PROTOCOL_ERROR: | 1223 case ERR_SSL_PROTOCOL_ERROR: |
| 1221 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH: | 1224 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH: |
| 1222 if (server_ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 && | 1225 if (version_max >= SSL_PROTOCOL_VERSION_TLS1 && |
| 1223 server_ssl_config_.version_max > server_ssl_config_.version_min) { | 1226 version_max > server_ssl_config_.version_min) { |
| 1224 // This could be a TLS-intolerant server or a server that chose a | 1227 // This could be a TLS-intolerant server or a server that chose a |
| 1225 // cipher suite defined only for higher protocol versions (such as | 1228 // cipher suite defined only for higher protocol versions (such as |
| 1226 // an SSL 3.0 server that chose a TLS-only cipher suite). Fall | 1229 // an SSL 3.0 server that chose a TLS-only cipher suite). Fall |
| 1227 // back to the next lower version and retry. | 1230 // back to the next lower version and retry. |
| 1228 // NOTE: if the SSLClientSocket class doesn't support TLS 1.1, | 1231 // NOTE: if the SSLClientSocket class doesn't support TLS 1.1, |
| 1229 // specifying TLS 1.1 in version_max will result in a TLS 1.0 | 1232 // specifying TLS 1.1 in version_max will result in a TLS 1.0 |
| 1230 // handshake, so falling back from TLS 1.1 to TLS 1.0 will simply | 1233 // handshake, so falling back from TLS 1.1 to TLS 1.0 will simply |
| 1231 // repeat the TLS 1.0 handshake. To avoid this problem, the default | 1234 // repeat the TLS 1.0 handshake. To avoid this problem, the default |
| 1232 // version_max should match the maximum protocol version supported | 1235 // version_max should match the maximum protocol version supported |
| 1233 // by the SSLClientSocket class. | 1236 // by the SSLClientSocket class. |
| 1234 uint16 version_before = server_ssl_config_.version_max; | 1237 version_max--; |
| 1235 server_ssl_config_.version_max--; | 1238 |
| 1236 net_log_.AddEvent( | 1239 // Fallback to the lower SSL version. |
| 1237 NetLog::TYPE_SSL_VERSION_FALLBACK, | 1240 // While SSL 3.0 fallback should be eliminated because of security |
| 1238 base::Bind(&NetLogSSLVersionFallbackCallback, | 1241 // reasons, there is a high risk of breaking the servers if this is |
| 1239 &request_->url, error, version_before, | 1242 // done in general. |
| 1240 server_ssl_config_.version_max)); | 1243 // For now SSL 3.0 fallback is disabled for Google servers first, |
| 1241 server_ssl_config_.version_fallback = true; | 1244 // and will be expanded to other servers after enough experiences |
| 1242 ResetConnectionAndRequestForResend(); | 1245 // have been gained showing that this experiment works well with |
| 1243 error = OK; | 1246 // today's Internet. |
| 1244 } | 1247 if (version_max > SSL_PROTOCOL_VERSION_SSL3 || |
| 1245 break; | 1248 (version_max == SSL_PROTOCOL_VERSION_SSL3 && |
|
wtc
2013/04/18 18:15:34
Delete "(version_max == SSL_PROTOCOL_VERSION_SSL3
thaidn_google
2013/04/19 01:20:43
Nice catch.
Thanks!
On 2013/04/18 18:15:34, wtc w
| |
| 1246 case ERR_SSL_DECOMPRESSION_FAILURE_ALERT: | 1249 (server_ssl_config_.ssl3_fallback_enabled || |
| 1247 case ERR_SSL_BAD_RECORD_MAC_ALERT: | 1250 !TransportSecurityState::IsGooglePinnedProperty( |
| 1248 if (server_ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 && | 1251 request_->url.host(), true /* include SNI */)))) { |
| 1249 server_ssl_config_.version_min == SSL_PROTOCOL_VERSION_SSL3) { | 1252 net_log_.AddEvent( |
| 1250 // This could be a server with buggy DEFLATE support. Turn off TLS, | 1253 NetLog::TYPE_SSL_VERSION_FALLBACK, |
| 1251 // DEFLATE support and retry. | 1254 base::Bind(&NetLogSSLVersionFallbackCallback, |
| 1252 // TODO(wtc): turn off DEFLATE support only. Do not tie it to TLS. | 1255 &request_->url, error, server_ssl_config_.version_max, |
| 1253 uint16 version_before = server_ssl_config_.version_max; | 1256 version_max)); |
| 1254 server_ssl_config_.version_max = SSL_PROTOCOL_VERSION_SSL3; | 1257 server_ssl_config_.version_max = version_max; |
| 1255 net_log_.AddEvent( | 1258 server_ssl_config_.version_fallback = true; |
| 1256 NetLog::TYPE_SSL_VERSION_FALLBACK, | 1259 ResetConnectionAndRequestForResend(); |
| 1257 base::Bind(&NetLogSSLVersionFallbackCallback, | 1260 error = OK; |
| 1258 &request_->url, error, version_before, | 1261 } |
| 1259 server_ssl_config_.version_max)); | |
| 1260 server_ssl_config_.version_fallback = true; | |
| 1261 ResetConnectionAndRequestForResend(); | |
| 1262 error = OK; | |
| 1263 } | 1262 } |
| 1264 break; | 1263 break; |
| 1265 } | 1264 } |
| 1265 | |
| 1266 return error; | 1266 return error; |
| 1267 } | 1267 } |
| 1268 | 1268 |
| 1269 // This method determines whether it is safe to resend the request after an | 1269 // This method determines whether it is safe to resend the request after an |
| 1270 // IO error. It can only be called in response to request header or body | 1270 // IO error. It can only be called in response to request header or body |
| 1271 // write errors or response header read errors. It should not be used in | 1271 // write errors or response header read errors. It should not be used in |
| 1272 // other cases, such as a Connect error. | 1272 // other cases, such as a Connect error. |
| 1273 int HttpNetworkTransaction::HandleIOError(int error) { | 1273 int HttpNetworkTransaction::HandleIOError(int error) { |
| 1274 // SSL errors may happen at any time during the stream and indicate issues | 1274 // SSL errors may happen at any time during the stream and indicate issues |
| 1275 // with the underlying connection. Because the peer may request | 1275 // with the underlying connection. Because the peer may request |
| (...skipping 185 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1461 description = base::StringPrintf("Unknown state 0x%08X (%u)", state, | 1461 description = base::StringPrintf("Unknown state 0x%08X (%u)", state, |
| 1462 state); | 1462 state); |
| 1463 break; | 1463 break; |
| 1464 } | 1464 } |
| 1465 return description; | 1465 return description; |
| 1466 } | 1466 } |
| 1467 | 1467 |
| 1468 #undef STATE_CASE | 1468 #undef STATE_CASE |
| 1469 | 1469 |
| 1470 } // namespace net | 1470 } // namespace net |
| OLD | NEW |
