Expose TLS settings in the Security panel overview, and call out individual obsolete settings.

net/socket/ssl_client_socket_nss.cc

Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index e3d0a36bde4cab2402d52c77c3da0638615b7bad..a1014680df449b8f7758e7aa89b23a0e3f421e6f 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1270,7 +1270,7 @@ SECStatus SSLClientSocketNSS::Core::CanFalseStartCallback(
       SSL_GetChannelInfo(socket, &channel_info, sizeof(channel_info));
   if (ok != SECSuccess || channel_info.length != sizeof(channel_info) ||
       channel_info.protocolVersion < SSL_LIBRARY_VERSION_TLS_1_2 ||
-      !IsSecureTLSCipherSuite(channel_info.cipherSuite)) {
+      IsObsoleteTLSCipherSuite(channel_info.cipherSuite)) {

[estark, 2016/04/18 11:46:44]

I thought this change would be unnecessary based on patch set 4's description,
but it doesn't look like patch set 4 actually reintroduces
IsObsoleteTLSCipherSuite, so now I'm confused.

[estark, 2016/04/18 11:47:35]

Also, presumably there's a corresponding change needed in
ssl_client_socket_openssl.cc?

[davidben, 2016/04/19 17:47:01]

BoringSSL does the False Start check internally. That NPN has a callback is due
to some silly NSS politics if I recall.

Aside: ssl_client_socket_nss.cc is doomed to be deleted real soon now once
https://codereview.chromium.org/1882433002/ lands.

[estark, 2016/04/19 21:31:47]

Oh, gotcha, ok. Confusion about patch set 4 description not matching the code
still stands though.

[lgarron, 2016/04/25 23:56:54]

Sorry, I made the patch description concise to the point of vagueness. :-(
"Reintroduce IsSecureTLSCipherSuite() as its negative" meant "Introduce
IsObsoleteTLSCipherSuite() to substitute for the purpose for which we used to
have IsSecureTLSCipherSuite()."

Anyhow, I'm glad we don't have to worry about it; the latest patch removes it.

     *can_false_start = PR_FALSE;
     return SECSuccess;
   }