Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(561)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/http/http_network_transaction.cc

Issue 14125003: Do not roll back to SSL 3.0 for Google properties. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Cleanup. Created 7 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/http/http_network_transaction.h ('k') | net/http/http_network_transaction_spdy2_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/http/http_network_transaction.cc
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index 9496c0720284fc7315daabc59947ee365884af6d..f3e95d5a134158fce06444894b62bd03d41a2018 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -47,6 +47,7 @@
#include "net/http/http_stream_base.h"
#include "net/http/http_stream_factory.h"
#include "net/http/http_util.h"
+#include "net/http/transport_security_state.h"
#include "net/http/url_security_manager.h"
#include "net/socket/client_socket_factory.h"
#include "net/socket/socks_client_socket_pool.h"
@@ -1183,11 +1184,13 @@ int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
GetHostAndPort(request_->url));
}
+ uint16 version_max = server_ssl_config_.version_max;
+
switch (error) {
case ERR_SSL_PROTOCOL_ERROR:
case ERR_SSL_VERSION_OR_CIPHER_MISMATCH:
- if (server_ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 &&
- server_ssl_config_.version_max > server_ssl_config_.version_min) {
+ if (version_max >= SSL_PROTOCOL_VERSION_TLS1 &&
+ version_max > server_ssl_config_.version_min) {
// This could be a TLS-intolerant server or a server that chose a
// cipher suite defined only for higher protocol versions (such as
// an SSL 3.0 server that chose a TLS-only cipher suite). Fall
@@ -1198,38 +1201,34 @@ int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
// repeat the TLS 1.0 handshake. To avoid this problem, the default
// version_max should match the maximum protocol version supported
// by the SSLClientSocket class.
- uint16 version_before = server_ssl_config_.version_max;
- server_ssl_config_.version_max--;
- net_log_.AddEvent(
- NetLog::TYPE_SSL_VERSION_FALLBACK,
- base::Bind(&NetLogSSLVersionFallbackCallback,
- &request_->url, error, version_before,
- server_ssl_config_.version_max));
- server_ssl_config_.version_fallback = true;
- ResetConnectionAndRequestForResend();
- error = OK;
- }
- break;
- case ERR_SSL_DECOMPRESSION_FAILURE_ALERT:
- case ERR_SSL_BAD_RECORD_MAC_ALERT:
- if (server_ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 &&
- server_ssl_config_.version_min == SSL_PROTOCOL_VERSION_SSL3) {
- // This could be a server with buggy DEFLATE support. Turn off TLS,
- // DEFLATE support and retry.
- // TODO(wtc): turn off DEFLATE support only. Do not tie it to TLS.
- uint16 version_before = server_ssl_config_.version_max;
- server_ssl_config_.version_max = SSL_PROTOCOL_VERSION_SSL3;
- net_log_.AddEvent(
- NetLog::TYPE_SSL_VERSION_FALLBACK,
- base::Bind(&NetLogSSLVersionFallbackCallback,
- &request_->url, error, version_before,
- server_ssl_config_.version_max));
- server_ssl_config_.version_fallback = true;
- ResetConnectionAndRequestForResend();
- error = OK;
+ version_max--;
+
+ // Fallback to the lower SSL version.
+ // While SSL 3.0 fallback should be eliminated because of security
+ // reasons, there is a high risk of breaking the servers if this is
+ // done in general.
+ // For now SSL 3.0 fallback is disabled for Google servers first,
+ // and will be expanded to other servers after enough experiences
+ // have been gained showing that this experiment works well with
+ // today's Internet.
+ if (version_max > SSL_PROTOCOL_VERSION_SSL3 ||
+ (server_ssl_config_.unrestricted_ssl3_fallback_enabled ||
+ !TransportSecurityState::IsGooglePinnedProperty(
+ request_->url.host(), true /* include SNI */))) {
+ net_log_.AddEvent(
+ NetLog::TYPE_SSL_VERSION_FALLBACK,
+ base::Bind(&NetLogSSLVersionFallbackCallback,
+ &request_->url, error, server_ssl_config_.version_max,
+ version_max));
+ server_ssl_config_.version_max = version_max;
+ server_ssl_config_.version_fallback = true;
+ ResetConnectionAndRequestForResend();
+ error = OK;
+ }
}
break;
}
+
return error;
}
« no previous file with comments | « net/http/http_network_transaction.h ('k') | net/http/http_network_transaction_spdy2_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698