Chromium Code Reviews
Unified Diff: components/policy/resources/policy_templates.json

Issue 1682623002: Disable the TLS version fallback. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: base::FeatureList Created 4 years, 10 months ago
Index: components/policy/resources/policy_templates.json
diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json
index a628c92e51fca1210f40ab12fc49d0f9d0a2b8c1..54e8f77128990e4579ecf2cb6de58e1862e2f928 100644
--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -7836,18 +7836,12 @@
'schema': {
'type': 'string',
'enum': [
- 'tls1',
'tls1.1',
'tls1.2',
],
},
'items': [
{
- 'name': 'TLSv1',
- 'value': 'tls1',
- 'caption': 'TLS 1.0',
- },
- {
'name': 'TLSv1.1',
'value': 'tls1.1',
'caption': 'TLS 1.1',
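Review bot: Dropping 'tls1' from the enum and the items list leaves no visible handling for deployments that already push "tls1" through this policy; once the schema rejects it, an existing "tls1" value presumably fails validation rather than being treated as "tls1.1", and that behaviour should be stated in the policy description (or the value mapped explicitly) so administrators are not surprised. Note also that 'tls1.2' stays in both the enum and the items list here; the discussion further down proposes dropping it, and if that is done the enum, the items and the description text must change in the same patch set to stay consistent.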
@@ -7859,10 +7853,10 @@
},
],
'supported_on': [
- 'chrome.*:45-47',
- 'chrome_os:45-47',
- 'android:45-47',
- 'ios:45-47',
+ 'chrome.*:50-52',
+ 'chrome_os:50-52',
+ 'android:50-52',
+ 'ios:50-52',
],
'features': {
'dynamic_refresh': True,
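Review bot: The supported_on ranges jump from 45-47 to 50-52, which silently excludes versions 48 and 49 even though the old description's promise to remove the fallback "after version 47" evidently did not happen; confirm that 48-49 should really be left out of the supported range, or widen the lower bound to match when the policy actually shipped. The closed upper bound of 52 also duplicates the "after version 52" date in the description, so the two are now coupled and must be bumped together if the removal schedule slips.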
@@ -7871,16 +7865,14 @@
'example_value': 'tls1.1',
'id': 280,
'caption': '''Minimum TLS version to fallback to''',
- 'tags': [],
- 'desc': '''Warning: The TLS 1.0 version fallback will be removed from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> after version 47 (around January 2016) and the "tls1" option will stop working then.
-
- When a TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will retry the connection with a lesser version of TLS in order to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly (i.e. without breaking the connection) then this setting doesn't apply. Regardless, the resulting connection must still comply with SSLVersionMin.
+ 'tags': ['system-security'],
+ 'desc': '''Warning: The TLS version fallback will be removed from <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> after version 52 (around September 2016) and this policy will stop working then.
- If this policy is not configured then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> uses a default minimum version which is TLS 1.0 in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 44 and TLS 1.1 in later versions. Note this does not disable support for TLS 1.0, only whether <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will work around buggy servers which cannot negotiate versions correctly.
+ When a TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> would previously retry the connection with a lesser version of TLS in order to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly (i.e. without breaking the connection) then this setting doesn't apply. Regardless, the resulting connection must still comply with SSLVersionMin.
- Otherwise it may be set to one of the following values: "tls1", "tls1.1" or "tls1.2". If compatibility with a buggy server must be maintained, this may be set to "tls1". This is a stopgap measure and the server should be rapidly fixed.
+ If this policy is not configured then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> no longer performs this fallback. Note this does not disable support for older TLS versions, only whether <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will work around buggy servers which cannot negotiate versions correctly.
Thiemo Nagel 2016/02/15 14:30:23 I'd suggest: 'If this policy is not configured' --
davidben 2016/02/16 17:01:08 Done.
- A setting of "tls1.2" disables all fallback but this may have a significant compatibility impact.''',
+ Otherwise it may be set to one of the following values: "tls1.1" or "tls1.2". If compatibility with a buggy server must be maintained, this may be set to "tls1.1". This is a stopgap measure and the server should be rapidly fixed.''',
Thiemo Nagel 2016/02/15 14:30:23 In my opinion it would be cleaner to drop 'tls1.2'
davidben 2016/02/16 17:01:08 Done. That's much better, thanks!
},
{
'name': 'RC4Enabled',
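Review bot: The new 'desc' text says Chrome "would previously retry the connection with a lesser version of TLS", but the policy is still live on 50-52 and turning it on still enables exactly that retry, so the past tense misdescribes the configured behaviour; say instead that the fallback is disabled by default and that this policy re-enables it up to the given version. The added line 'Otherwise it may be set to one of the following values: "tls1.1" or "tls1.2"' also still documents "tls1.2", yet the removed line 'A setting of "tls1.2" disables all fallback' and the new "no longer performs this fallback" default together mean "tls1.2" is now equivalent to leaving the policy unset; the thread below agrees it should go, so either drop it from the description and from the enum/items above together, or keep the sentence explaining that "tls1.2" is a no-op. Finally, the 'tags' change from [] to ['system-security'] is reasonable for a policy that lowers protocol version, but it is not mentioned in the thread; a one-line note on why it is added would help the next reader.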
