Disable the TLS version fallback.

components/ssl_config/ssl_config_service_manager_pref_unittest.cc

Index: components/ssl_config/ssl_config_service_manager_pref_unittest.cc
diff --git a/components/ssl_config/ssl_config_service_manager_pref_unittest.cc b/components/ssl_config/ssl_config_service_manager_pref_unittest.cc
index 72b881809acad96d1736a1234a7ad7956981eaab..62ef9016abdcae827b2eafd2b229b55204cf7514 100644
--- a/components/ssl_config/ssl_config_service_manager_pref_unittest.cc
+++ b/components/ssl_config/ssl_config_service_manager_pref_unittest.cc
@@ -173,3 +173,25 @@ TEST_F(SSLConfigServiceManagerPrefTest, NoSSL3) {
   // The command-line option must not have been honored.
   EXPECT_LE(net::SSL_PROTOCOL_VERSION_TLS1, ssl_config.version_min);
 }
+
+// Tests that fallback beyond TLS 1.0 cannot be re-enabled.

[Ryan Sleevi, 2016/02/09 07:22:29]

And if they force a field trial via --force-fieldtrial?

+TEST_F(SSLConfigServiceManagerPrefTest, NoTLS1Fallback) {
+  scoped_refptr<TestingPrefStore> local_state_store(new TestingPrefStore());
+
+  TestingPrefServiceSimple local_state;
+  local_state.SetUserPref(ssl_config::prefs::kSSLVersionFallbackMin,
+                          new base::StringValue("tls1"));
+  SSLConfigServiceManager::RegisterPrefs(local_state.registry());
+
+  scoped_ptr<SSLConfigServiceManager> config_manager(
+      SSLConfigServiceManager::CreateDefaultManager(
+          &local_state, base::ThreadTaskRunnerHandle::Get()));
+  ASSERT_TRUE(config_manager.get());
+  scoped_refptr<SSLConfigService> config_service(config_manager->Get());
+  ASSERT_TRUE(config_service.get());
+
+  SSLConfig ssl_config;
+  config_service->GetSSLConfig(&ssl_config);
+  // The command-line option must not have been honored.
+  EXPECT_EQ(net::SSL_PROTOCOL_VERSION_TLS1_2, ssl_config.version_fallback_min);
+}