Do not roll back to SSL 3.0 for Google properties.

net/http/transport_security_state.h

Index: net/http/transport_security_state.h
diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h
index a4e3f33b7641c9f414ab9362755fc99bdf8d18c9..5d8d35f9787e830e791688085c75f3c7a95209b0 100644
--- a/net/http/transport_security_state.h
+++ b/net/http/transport_security_state.h
@@ -17,6 +17,7 @@
 #include "net/base/net_export.h"
 #include "net/cert/x509_cert_types.h"
 #include "net/cert/x509_certificate.h"
+#include "net/ssl/ssl_connection_status_flags.h"
 
 namespace net {
 
@@ -135,6 +136,18 @@ class NET_EXPORT TransportSecurityState
     // certificate chain.
     HashValueVector bad_static_spki_hashes;
 
+    // The minimum SSL version that servers serving this domain expect. This
+    // version can be specified as part of HSTS preloading, or it will be
+    // extracted from succesfull handshakes. The default value is SSLv3.
+    // Chrome must not roll back to an older version, even if the connection
+    // handhsake failed. That is, if the server indicates support of TLS 1.1,
+    // but the connection fails, then we do not attempt to connect to the
+    // server using TLS 1.0, but allow the connection to fail.
+
+    // The default value is SSL_CONNECTION_VERSION_3.
+    // TODO(thaidn): define a HSTS extension for this.
+    SSL_CONNECTION_VERSION ssl_version_min;
+
     // The following members are not valid when stored in |enabled_hosts_|:
 
     // The domain which matched during a search for this DomainState entry.
@@ -271,6 +284,7 @@ class NET_EXPORT TransportSecurityState
 
  private:
   friend class TransportSecurityStateTest;
+  friend class SSLClientSocketNSS;

[thaidn_google, 2013/04/11 01:31:52]

This is ugly. Should I make |EnableHost| public?

 
   typedef std::map<std::string, DomainState> DomainStateMap;