Disable the TLS version fallback.

components/ssl_config/ssl_config_service_manager_pref.cc

Index: components/ssl_config/ssl_config_service_manager_pref.cc
diff --git a/components/ssl_config/ssl_config_service_manager_pref.cc b/components/ssl_config/ssl_config_service_manager_pref.cc
index 8d8cf5ce4b90897a42b0ea1975187a0a149532e6..b0837137e56a4a171e180d82ce527ae4e70d9738 100644
--- a/components/ssl_config/ssl_config_service_manager_pref.cc
+++ b/components/ssl_config/ssl_config_service_manager_pref.cc
@@ -197,6 +197,12 @@ SSLConfigServiceManagerPref::SSLConfigServiceManagerPref(
       ssl_config::prefs::kRC4Enabled,
       new base::FundamentalValue(IsRC4EnabledByDefault()));
 
+  // TODO(davidben): Remove this when the fallback removal has succeeded.
+  local_state->SetDefaultPrefValue(
+      ssl_config::prefs::kSSLVersionFallbackMin,
+      new base::StringValue(
+          base::FieldTrialList::FindFullName("SSLVersionFallbackMin")));

[Ryan Sleevi, 2016/02/09 02:16:12]

I think you want to indirect this through a function; AIUI, on the first call
(e.g. before Finch seeds are fetched), this simply returns "Default" - is that
what you expect?

[davidben, 2016/02/09 02:58:36]

I believe these get called at a point where fetch state is seeded. (Otherwise
the RC4 one wouldn't work.) I don't know if it's possible to tell the pref
system to indirect through a function since it needs to know when the value
changed. Other code does something similar:

https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/io_...

[davidben, 2016/02/09 02:59:08]

(I believe it's the empty string, not "Default".)

[Ryan Sleevi, 2016/02/09 03:28:43]

I don't believe the RC4 one would necessarily work correctly. That was certainly
my (negative) experience with handling things like certificate expiration
policies or EV whitelists. I'm not terribly keen to couple with the Finch state.

Just looking through code search, this seems *wrong* to me. Perhaps check with
one of the metrics/prefs owners?

[davidben, 2016/02/09 05:11:56]

It works. It's pretty easy to test this with --force-fieldtrials. I tested the
various cases extensively before uploading, just as with RC4. That was why I did
RC4 this way rather than in RegisterPrefs which would be more natural. Doing it
in RegisterPrefs is the one that doesn't work.

This code runs in CreateDefaultManager which is called right next to all the
QUIC field trial bits in the link earlier.
Yup. They reviewed the RC4 code and I'll add them to this CL as well when
getting the rest of the OWNERS in.

+
   PrefChangeRegistrar::NamedChangeCallback local_state_callback =
       base::Bind(&SSLConfigServiceManagerPref::OnPreferenceChanged,
                  base::Unretained(this), local_state);
@@ -294,7 +300,9 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
     uint16_t supported_version_max = config->version_max;
     config->version_max = std::min(supported_version_max, version_max);
   }
-  if (version_fallback_min) {
+  // Values below TLS 1.1 are invalid.
+  if (version_fallback_min &&
+      version_fallback_min >= net::SSL_PROTOCOL_VERSION_TLS1_1) {
     config->version_fallback_min = version_fallback_min;
   }
   config->disabled_cipher_suites = disabled_cipher_suites_;