Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 19607008: net: allow fallback down to TLS 1.0 in the event of a bad-record-MAC alert. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 7 years, 5 months ago
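--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ -1854,20 +1854,29 @@
     // fallback will be more painful for TLS 1.2 when we have GCM support.
     //
     // ERR_CONNECTION_RESET is a common network error, so we don't want it
     // to trigger a version fallback in general, especially the TLS 1.0 ->
     // SSL 3.0 fallback, which would drop TLS extensions.
     if (prerr == PR_CONNECT_RESET_ERROR &&
         ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1_1) {
       net_error = ERR_SSL_PROTOCOL_ERROR;
     }
 
+    // Some broken SSL devices negotiate TLS 1.0 when sent a TLS 1.1 or 1.2
+    // ClientHello, but then return a bad-record-MAC alert. See
+    // crbug.com/260358. In order to make the fallback as minimal as possible,
+    // this fallback is only triggered for >= TLS 1.1.
+    if (net_error == ERR_SSL_BAD_RECORD_MAC_ALERT &&
+        ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1_1) {
+      net_error = ERR_SSL_PROTOCOL_ERROR;
+    }
+
     // If not done, stay in this state
     if (net_error == ERR_IO_PENDING) {
       GotoState(STATE_HANDSHAKE);
     } else {
       PostOrRunCallback(
           FROM_HERE,
           base::Bind(&AddLogEventWithCallback, weak_net_log_,
                      NetLog::TYPE_SSL_HANDSHAKE_ERROR,
                      CreateNetLogSSLErrorCallback(net_error, prerr)));
     }
@@ -3521,10 +3530,10 @@
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
   return server_bound_cert_service_;
 }
 
 }  // namespace net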
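Review bot: The new block at new lines 1868–1871 remaps ERR_SSL_BAD_RECORD_MAC_ALERT to ERR_SSL_PROTOCOL_ERROR so that the caller's version fallback fires, but a fatal alert is a signal an on-path party can produce, so this widens the set of externally reachable fallback triggers beyond the PR_CONNECT_RESET_ERROR case the preceding comment already discusses; the comment should state that trade-off explicitly, e.g. `// NOTE: a bad_record_mac alert is attacker-reachable; the version_max guard keeps this fallback from ever reaching SSL 3.0.` — the second half holds only if the fallback caller lowers ssl_config_.version_max before retrying, which is not visible in this hunk. On style, the added guard duplicates the `ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1_1` test of the block just above it; folding the two triggers into one `if` with `(prerr == PR_CONNECT_RESET_ERROR || net_error == ERR_SSL_BAD_RECORD_MAC_ALERT)` would keep every fallback-triggering condition in one place for future audits. Note that after the remap the NetLog entry at new line 1881 records the rewritten net_error, so diagnosing which trigger fired relies on the `prerr` argument alone. The enclosing function starts and ends outside this hunk.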