Index: net/url_request/url_request_unittest.cc |
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc |
index 7c08b7f8988a3ec8662ba14d03048eacb09143a7..24fe7872b6d11fc5da2e358121ef13bf9f80c6b0 100644 |
--- a/net/url_request/url_request_unittest.cc |
+++ b/net/url_request/url_request_unittest.cc |
@@ -8710,21 +8710,33 @@ TEST_F(HTTPSFallbackTest, TLSv1NoFallback) { |
SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
+ ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); |
+} |
+ |
+// Tests the TLS 1.1 fallback doesn't happen but 1.2-intolerance is detected. |
+TEST_F(HTTPSFallbackTest, TLSv1_1NoFallback) { |
+ SpawnedTestServer::SSLOptions ssl_options( |
+ SpawnedTestServer::SSLOptions::CERT_OK); |
+ ssl_options.tls_intolerant = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; |
+ |
+ ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
ExpectFailure(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION); |
} |
-// Tests the TLS 1.1 fallback. |
+// Tests the TLS 1.1 fallback when explicitly enabled. |
TEST_F(HTTPSFallbackTest, TLSv1_1Fallback) { |
SpawnedTestServer::SSLOptions ssl_options( |
SpawnedTestServer::SSLOptions::CERT_OK); |
ssl_options.tls_intolerant = |
SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; |
+ set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); |
} |
-// Tests that the TLS 1.1 fallback triggers on closed connections. |
+// Tests that the TLS 1.1 fallback, if enabled, triggers on closed connections. |
TEST_F(HTTPSFallbackTest, TLSv1_1FallbackClosed) { |
SpawnedTestServer::SSLOptions ssl_options( |
SpawnedTestServer::SSLOptions::CERT_OK); |
@@ -8733,6 +8745,7 @@ TEST_F(HTTPSFallbackTest, TLSv1_1FallbackClosed) { |
ssl_options.tls_intolerance_type = |
SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
+ set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); |
} |
@@ -8740,7 +8753,7 @@ TEST_F(HTTPSFallbackTest, TLSv1_1FallbackClosed) { |
// This test is disabled on Android because the remote test server doesn't cause |
// a TCP reset. |
#if !defined(OS_ANDROID) |
-// Tests fallback to TLS 1.1 on connection reset. |
+// Tests fallback to TLS 1.1, if enabled, on connection reset. |
TEST_F(HTTPSFallbackTest, TLSv1_1FallbackReset) { |
SpawnedTestServer::SSLOptions ssl_options( |
SpawnedTestServer::SSLOptions::CERT_OK); |
@@ -8749,13 +8762,15 @@ TEST_F(HTTPSFallbackTest, TLSv1_1FallbackReset) { |
ssl_options.tls_intolerance_type = |
SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET; |
+ set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); |
} |
#endif // !OS_ANDROID |
-// Tests that we don't fallback on handshake failure with servers that implement |
-// TLS_FALLBACK_SCSV. Also ensure that the original error code is reported. |
+// Tests that we don't fallback, even if enabled, on handshake failure with |
+// servers that implement TLS_FALLBACK_SCSV. Also ensure that the original error |
+// code is reported. |
TEST_F(HTTPSFallbackTest, FallbackSCSV) { |
SpawnedTestServer::SSLOptions ssl_options( |
SpawnedTestServer::SSLOptions::CERT_OK); |
@@ -8767,6 +8782,7 @@ TEST_F(HTTPSFallbackTest, FallbackSCSV) { |
// connections are rejected. |
ssl_options.fallback_scsv_enabled = true; |
+ set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
// ERR_SSL_VERSION_OR_CIPHER_MISMATCH is how the server simulates version |
@@ -8776,8 +8792,9 @@ TEST_F(HTTPSFallbackTest, FallbackSCSV) { |
ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); |
} |
-// Tests that we don't fallback on connection closed with servers that implement |
-// TLS_FALLBACK_SCSV. Also ensure that the original error code is reported. |
+// Tests that we don't fallback, even if enabled, on connection closed with |
+// servers that implement TLS_FALLBACK_SCSV. Also ensure that the original error |
+// code is reported. |
TEST_F(HTTPSFallbackTest, FallbackSCSVClosed) { |
SpawnedTestServer::SSLOptions ssl_options( |
SpawnedTestServer::SSLOptions::CERT_OK); |
@@ -8791,6 +8808,7 @@ TEST_F(HTTPSFallbackTest, FallbackSCSVClosed) { |
// connections are rejected. |
ssl_options.fallback_scsv_enabled = true; |
+ set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
// The original error should be replayed on rejected fallback. |
@@ -8802,7 +8820,7 @@ TEST_F(HTTPSRequestTest, FallbackProbeNoCache) { |
SpawnedTestServer::SSLOptions ssl_options( |
SpawnedTestServer::SSLOptions::CERT_OK); |
ssl_options.tls_intolerant = |
- SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; |
ssl_options.tls_intolerance_type = |
SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
ssl_options.record_resume = true; |
@@ -8815,14 +8833,13 @@ TEST_F(HTTPSRequestTest, FallbackProbeNoCache) { |
SSLClientSocket::ClearSessionCache(); |
- // Make a connection that does a probe fallback to TLSv1 but fails because |
- // TLSv1 fallback is disabled. We don't wish a session for this connection to |
- // be inserted locally. |
+ // Make a connection that does a probe fallback to TLSv1.1 but fails because |
+ // fallback is disabled. We don't wish a session for this connection to be |
+ // inserted locally. |
{ |
TestDelegate delegate; |
FallbackTestURLRequestContext context(true); |
- context.set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_2); |
context.Init(); |
scoped_ptr<URLRequest> request(context.CreateRequest( |
test_server.GetURL("/"), DEFAULT_PRIORITY, &delegate)); |
@@ -8837,11 +8854,11 @@ TEST_F(HTTPSRequestTest, FallbackProbeNoCache) { |
request->status().error()); |
} |
- // Now allow TLSv1 fallback connections and request the session cache log. |
+ // Now allow TLSv1.1 fallback connections and request the session cache log. |
{ |
TestDelegate delegate; |
FallbackTestURLRequestContext context(true); |
- context.set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1); |
+ context.set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); |
context.Init(); |
scoped_ptr<URLRequest> request(context.CreateRequest( |
@@ -8853,7 +8870,7 @@ TEST_F(HTTPSRequestTest, FallbackProbeNoCache) { |
EXPECT_EQ(1, delegate.response_started_count()); |
EXPECT_NE(0, delegate.bytes_received()); |
EXPECT_EQ( |
- SSL_CONNECTION_VERSION_TLS1, |
+ SSL_CONNECTION_VERSION_TLS1_1, |
SSLConnectionStatusToVersion(request->ssl_info().connection_status)); |
EXPECT_TRUE(request->ssl_info().connection_status & |
SSL_CONNECTION_VERSION_FALLBACK); |