Index: components/ssl_config/ssl_config_service_manager_pref.cc |
diff --git a/components/ssl_config/ssl_config_service_manager_pref.cc b/components/ssl_config/ssl_config_service_manager_pref.cc |
index 8d8cf5ce4b90897a42b0ea1975187a0a149532e6..af1cd0939297658a92c2a2266974f36fdc10e9ca 100644 |
--- a/components/ssl_config/ssl_config_service_manager_pref.cc |
+++ b/components/ssl_config/ssl_config_service_manager_pref.cc |
@@ -10,6 +10,7 @@ |
#include <vector> |
#include "base/bind.h" |
+#include "base/feature_list.h" |
#include "base/macros.h" |
#include "base/metrics/field_trial.h" |
#include "base/single_thread_task_runner.h" |
@@ -88,6 +89,10 @@ bool IsRC4EnabledByDefault() { |
return base::StartsWith(group_name, "Enabled", base::CompareCase::SENSITIVE); |
} |
+const base::Feature kSSLVersionFallbackTLSv11 { |
+ "SSLVersionFallbackTLSv1.1", base::FEATURE_DISABLED_BY_DEFAULT, |
+}; |
+ |
} // namespace |
//////////////////////////////////////////////////////////////////////////////// |
@@ -197,6 +202,15 @@ SSLConfigServiceManagerPref::SSLConfigServiceManagerPref( |
ssl_config::prefs::kRC4Enabled, |
new base::FundamentalValue(IsRC4EnabledByDefault())); |
+ // Restore the TLS 1.1 fallback leg if enabled via features. |
+ // TODO(davidben): Remove this when the fallback removal has succeeded. |
+ // https://crbug.com/536200. |
+ if (base::FeatureList::IsEnabled(kSSLVersionFallbackTLSv11)) { |
+ local_state->SetDefaultPrefValue( |
+ ssl_config::prefs::kSSLVersionFallbackMin, |
+ new base::StringValue(switches::kSSLVersionTLSv11)); |
+ } |
+ |
PrefChangeRegistrar::NamedChangeCallback local_state_callback = |
base::Bind(&SSLConfigServiceManagerPref::OnPreferenceChanged, |
base::Unretained(this), local_state); |
@@ -294,7 +308,9 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs( |
uint16_t supported_version_max = config->version_max; |
config->version_max = std::min(supported_version_max, version_max); |
} |
- if (version_fallback_min) { |
+ // Values below TLS 1.1 are invalid. |
+ if (version_fallback_min && |
+ version_fallback_min >= net::SSL_PROTOCOL_VERSION_TLS1_1) { |
config->version_fallback_min = version_fallback_min; |
} |
config->disabled_cipher_suites = disabled_cipher_suites_; |