
Unified Diff: chrome/browser/net/transport_security_persister.cc

Issue 14125003: Do not roll back to SSL 3.0 for Google properties. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 7 years, 8 months ago
Index: chrome/browser/net/transport_security_persister.cc
diff --git a/chrome/browser/net/transport_security_persister.cc b/chrome/browser/net/transport_security_persister.cc
index 140eb391242a845a3782d2666f747270a93aad28..8b70e8c73f7babf4899abb7f3818a6bd910125ab 100644
--- a/chrome/browser/net/transport_security_persister.cc
+++ b/chrome/browser/net/transport_security_persister.cc
@@ -78,6 +78,11 @@ const char kStrict[] = "strict";
const char kDefault[] = "default";
const char kPinningOnly[] = "pinning-only";
const char kCreated[] = "created";
+const char kSSLVersionMin[] = "ssl_version_min";
+const char kSSLVersion30[] = "sslv3.0";
agl 2013/04/11 13:48:57 We already have a convention for these strings I'm
+const char kTLSVersion10[] = "tlsv1.0";
+const char kTLSVersion11[] = "tlsv1.1";
+const char kTLSVersion12[] = "tlsv1.2";
} // namespace
@@ -174,6 +179,25 @@ bool TransportSecurityPersister::SerializeData(std::string* output) {
serialized->SetDouble(kDynamicSPKIHashesExpiry,
domain_state.dynamic_spki_hashes_expiry.ToDoubleT());
+ switch (domain_state.ssl_version_min) {
+ case net::SSL_CONNECTION_VERSION_SSL3:
+ serialized->SetString(kSSLVersionMin, "sslv3.0");
+ break;
+ case net::SSL_CONNECTION_VERSION_TLS1:
+ serialized->SetString(kSSLVersionMin, "tlsv1.0");
+ break;
+ case net::SSL_CONNECTION_VERSION_TLS1_1:
+ serialized->SetString(kSSLVersionMin, "tlsv1.1");
+ break;
+ case net::SSL_CONNECTION_VERSION_TLS1_2:
+ serialized->SetString(kSSLVersionMin, "tlsv1.2");
+ break;
+ default:
+ NOTREACHED() << "DomainState with unknown ssl_version_min";
+ delete serialized;
+ continue;
+ }
+
switch (domain_state.upgrade_mode) {
case TransportSecurityState::DomainState::MODE_FORCE_HTTPS:
serialized->SetString(kMode, kForceHTTPS);
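Review bot: The four `case` arms of the new `ssl_version_min` switch write the literals "sslv3.0" through "tlsv1.2" instead of the `kSSLVersion30` / `kTLSVersion10` / `kTLSVersion11` / `kTLSVersion12` constants that this patch adds and that Deserialize compares against. If one side is edited later, the stored minimum stops round-tripping with no error, so write `serialized->SetString(kSSLVersionMin, kSSLVersion30);` and likewise for the other three. The `default:` arm also discards the whole entry with `delete serialized; continue;`. If NOTREACHED() is compiled out in release builds, that host's other persisted state (for example the SPKI-hash expiry set just above) is silently not written, so a comment such as `// Unknown minimum version: drop the entry rather than persist a weaker policy.` should state that this is intended. The enclosing loop in SerializeData starts and ends outside the hunk.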
@@ -269,6 +293,19 @@ bool TransportSecurityPersister::Deserialize(const std::string& serialized,
if (parsed->GetList(kDynamicSPKIHashes, &pins_list))
SPKIHashesFromListValue(*pins_list, &domain_state.dynamic_spki_hashes);
+ std::string ssl_version_min;
+ if (parsed->GetString(kSSLVersionMin, &ssl_version_min)) {
+ if (ssl_version_min == kSSLVersion30) {
+ domain_state.ssl_version_min = net::SSL_CONNECTION_VERSION_SSL3;
+ } else if (ssl_version_min == kTLSVersion10) {
+ domain_state.ssl_version_min = net::SSL_CONNECTION_VERSION_TLS1;
+ } else if (ssl_version_min == kTLSVersion11) {
+ domain_state.ssl_version_min = net::SSL_CONNECTION_VERSION_TLS1_1;
+ } else if (ssl_version_min == kTLSVersion12) {
+ domain_state.ssl_version_min = net::SSL_CONNECTION_VERSION_TLS1_2;
+ }
+ }
+
if (mode_string == kForceHTTPS || mode_string == kStrict) {
domain_state.upgrade_mode =
TransportSecurityState::DomainState::MODE_FORCE_HTTPS;
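Review bot: An unrecognised `ssl_version_min` string falls through the `else if` chain with no final `else`, so a corrupted, hand-edited or newer-format value leaves `domain_state.ssl_version_min` at whatever it was initialised to, and the persisted minimum is silently lost. Because the field exists to prevent fallback to a weaker protocol version, the unknown case should be visible and handled deliberately: close the chain with `else { LOG(ERROR) << "Unknown ssl_version_min: " << ssl_version_min; }` and decide explicitly whether to skip the entry or keep the default. The initial value of `ssl_version_min` is not visible in this hunk, so it is worth confirming that it is the intended floor when the key is absent, as it will be for state files written before this change. Deserialize's body continues outside the hunk.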
