Disable the TLS version fallback.

components/ssl_config/ssl_config_service_manager_pref.cc

Index: components/ssl_config/ssl_config_service_manager_pref.cc
diff --git a/components/ssl_config/ssl_config_service_manager_pref.cc b/components/ssl_config/ssl_config_service_manager_pref.cc
index 8d8cf5ce4b90897a42b0ea1975187a0a149532e6..b0837137e56a4a171e180d82ce527ae4e70d9738 100644
--- a/components/ssl_config/ssl_config_service_manager_pref.cc
+++ b/components/ssl_config/ssl_config_service_manager_pref.cc
@@ -197,6 +197,12 @@ SSLConfigServiceManagerPref::SSLConfigServiceManagerPref(
       ssl_config::prefs::kRC4Enabled,
       new base::FundamentalValue(IsRC4EnabledByDefault()));
 
+  // TODO(davidben): Remove this when the fallback removal has succeeded.

[Alexei Svitkine (slow), 2016/02/11 16:24:06]

Nit: Can you make the comment reference a crbug?

[davidben, 2016/02/11 21:53:14]

Done.

+  local_state->SetDefaultPrefValue(
+      ssl_config::prefs::kSSLVersionFallbackMin,
+      new base::StringValue(
+          base::FieldTrialList::FindFullName("SSLVersionFallbackMin")));

[davidben, 2016/02/10 22:14:29]

+asvitkine, could you confirm that this works for configuring field trials? It
gets called after ChromeBrowserMainParts::SetupMetricsAndFieldTrials and works
with --force-fieldtrials. Are there other considerations here?

The intent is to have an emergency off switch in case this deprecation doesn't
work out.

[Alexei Svitkine (slow), 2016/02/11 16:24:06]

Yes this should work. However, I think it would be better to use variations
params here (go/variations-params) - as this relies on the name of the field
trial group, which often times proves to be insufficiently flexible (i.e. can't
have two groups with the same name).

But if it's just an emergency kill switch that you expect to either be not set
or turned on at 100% if there's an issue, then maybe this is fine. Up to you, I
guess.

[davidben, 2016/02/11 21:53:14]

Hrm. Are you suggesting I instead do something like.

std::map<std::string, std::string> params;
if (variations::GetVariationParams("SSLVersionFallbackMin", &params)) {
  local_state->SetDefaultPrefValue(
      ssl_config::prefs::kSSLVersionFallbackMin,
         new base::StringValue(params["version"]));
}

I'm not sure what I'd do with that extra flexibility. It's only ever going to
control this one toggle. It really may as well be a boolean, actually. This just
seemed easier. Should I be using base::FeatureList instead?

And, yeah, it's really just an emergency kill switch. This is mostly just
insurance and so some particularly risk-averse people stop grumping at me. I
think it's overkill (numbers are 10x below usual removal cutoff), but I'd
previously told them I'd do it, so I probably should. :-)

[Alexei Svitkine (slow), 2016/02/11 22:02:40]

If it's just a boolean, I would indeed suggest using base::FeatureList - and
hardcode the actual values of the prefs in the client. FeatureList was designed
to support these kinds of kill switches and does support extra flexibility by
default.

+
   PrefChangeRegistrar::NamedChangeCallback local_state_callback =
       base::Bind(&SSLConfigServiceManagerPref::OnPreferenceChanged,
                  base::Unretained(this), local_state);
@@ -294,7 +300,9 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
     uint16_t supported_version_max = config->version_max;
     config->version_max = std::min(supported_version_max, version_max);
   }
-  if (version_fallback_min) {
+  // Values below TLS 1.1 are invalid.
+  if (version_fallback_min &&
+      version_fallback_min >= net::SSL_PROTOCOL_VERSION_TLS1_1) {
     config->version_fallback_min = version_fallback_min;
   }
   config->disabled_cipher_suites = disabled_cipher_suites_;