Unwind fallback metrics and SSLFailureState.

net/http/http_network_transaction.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_network_transaction.h"
 
 #include <memory>
 #include <set>
 #include <utility>
 #include <vector>
@@ skipping 56 matching lines @@
 #include "url/gurl.h"
 #include "url/url_canon.h"
 
 namespace net {
 
 namespace {
 
 std::unique_ptr<base::Value> NetLogSSLVersionFallbackCallback(
     const GURL* url,
     int net_error,
-    SSLFailureState ssl_failure_state,
     uint16_t version_before,
     uint16_t version_after,
     NetLogCaptureMode /* capture_mode */) {
   std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
   dict->SetString("host_and_port", GetHostAndPort(*url));
   dict->SetInteger("net_error", net_error);
-  dict->SetInteger("ssl_failure_state", ssl_failure_state);
   dict->SetInteger("version_before", version_before);
   dict->SetInteger("version_after", version_after);
   return std::move(dict);
 }
 
 std::unique_ptr<base::Value> NetLogSSLCipherFallbackCallback(
     const GURL* url,
     int net_error,
     NetLogCaptureMode /* capture_mode */) {
   std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
   dict->SetString("host_and_port", GetHostAndPort(*url));
   dict->SetInteger("net_error", net_error);
   return std::move(dict);
 }
 
 }  // namespace
 
 //-----------------------------------------------------------------------------
 
 HttpNetworkTransaction::HttpNetworkTransaction(RequestPriority priority,
                                                HttpNetworkSession* session)
     : pending_auth_target_(HttpAuth::AUTH_NONE),
       io_callback_(base::Bind(&HttpNetworkTransaction::OnIOComplete,
                               base::Unretained(this))),
       session_(session),
       request_(NULL),
       priority_(priority),
       headers_valid_(false),
-      server_ssl_failure_state_(SSL_FAILURE_NONE),
       fallback_error_code_(ERR_SSL_INAPPROPRIATE_FALLBACK),
-      fallback_failure_state_(SSL_FAILURE_NONE),
       request_headers_(),
       read_buf_len_(0),
       total_received_bytes_(0),
       total_sent_bytes_(0),
       next_state_(STATE_NONE),
       establishing_tunnel_(false),
       websocket_handshake_stream_base_create_helper_(NULL),
       net_error_details_() {
 }
 
@@ skipping 367 matching lines @@
 }
 
 void HttpNetworkTransaction::OnWebSocketHandshakeStreamReady(
     const SSLConfig& used_ssl_config,
     const ProxyInfo& used_proxy_info,
     WebSocketHandshakeStreamBase* stream) {
   OnStreamReady(used_ssl_config, used_proxy_info, stream);
 }
 
 void HttpNetworkTransaction::OnStreamFailed(int result,
-                                            const SSLConfig& used_ssl_config,
-                                            SSLFailureState ssl_failure_state) {
+                                            const SSLConfig& used_ssl_config) {
   DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
   DCHECK_NE(OK, result);
   DCHECK(stream_request_.get());
   DCHECK(!stream_.get());
   server_ssl_config_ = used_ssl_config;
-  server_ssl_failure_state_ = ssl_failure_state;
 
   OnIOComplete(result);
 }
 
 void HttpNetworkTransaction::OnCertificateError(
     int result,
     const SSLConfig& used_ssl_config,
     const SSLInfo& ssl_info) {
   DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
   DCHECK_NE(OK, result);
@@ skipping 959 matching lines @@
       // connection. |fallback_error_code_| is initialised to
       // ERR_SSL_INAPPROPRIATE_FALLBACK to catch this case.
       error = fallback_error_code_;
       break;
   }
 
   if (should_fallback) {
     net_log_.AddEvent(
         NetLog::TYPE_SSL_VERSION_FALLBACK,
         base::Bind(&NetLogSSLVersionFallbackCallback, &request_->url, error,
-                   server_ssl_failure_state_, server_ssl_config_.version_max,
-                   version_max));
+                   server_ssl_config_.version_max, version_max));
     fallback_error_code_ = error;
-    fallback_failure_state_ = server_ssl_failure_state_;
     server_ssl_config_.version_max = version_max;
     server_ssl_config_.version_fallback = true;
     ResetConnectionAndRequestForResend();
     error = OK;
   }
 
   return error;
 }
 
 // This method determines whether it is safe to resend the request after an
@@ skipping 71 matching lines @@
   referred_token_binding_key_.reset();
 }
 
 void HttpNetworkTransaction::CacheNetErrorDetailsAndResetStream() {
   if (stream_)
     stream_->PopulateNetErrorDetails(&net_error_details_);
   stream_.reset();
 }
 
 void HttpNetworkTransaction::RecordSSLFallbackMetrics(int result) {
-  if (result != OK && result != ERR_SSL_INAPPROPRIATE_FALLBACK)
-    return;
-
-  const std::string& host = request_->url.host();
-  bool is_google = base::EndsWith(host, "google.com",
-                                  base::CompareCase::SENSITIVE) &&
-                   (host.size() == 10 || host[host.size() - 11] == '.');
-  if (is_google) {
-    // Some fraction of successful connections use the fallback, but only due to
-    // a spurious network failure. To estimate this fraction, compare handshakes
-    // to Google servers which succeed against those that fail with an
-    // inappropriate_fallback alert. Google servers are known to implement
-    // FALLBACK_SCSV, so a spurious network failure while connecting would
-    // trigger the fallback, successfully connect, but fail with this alert.
-    UMA_HISTOGRAM_BOOLEAN("Net.GoogleConnectionInappropriateFallback",
-                          result == ERR_SSL_INAPPROPRIATE_FALLBACK);
-  }
-
   if (result != OK)
     return;
 
-  // Note: these values are used in histograms, so new values must be appended.
-  enum FallbackVersion {
-    FALLBACK_NONE = 0,  // SSL version fallback did not occur.
-    // Obsolete: FALLBACK_SSL3 = 1,
-    FALLBACK_TLS1 = 2,    // Fell back to TLS 1.0.
-    FALLBACK_TLS1_1 = 3,  // Fell back to TLS 1.1.
-    FALLBACK_MAX,
-  };
-
-  FallbackVersion fallback = FALLBACK_NONE;
-  if (server_ssl_config_.version_fallback) {
-    switch (server_ssl_config_.version_max) {
-      case SSL_PROTOCOL_VERSION_TLS1:
-        fallback = FALLBACK_TLS1;
-        break;
-      case SSL_PROTOCOL_VERSION_TLS1_1:
-        fallback = FALLBACK_TLS1_1;
-        break;
-      default:
-        NOTREACHED();
-    }
-  }
-  UMA_HISTOGRAM_ENUMERATION("Net.ConnectionUsedSSLVersionFallback2", fallback,
-                            FALLBACK_MAX);
-
-  // Google servers are known to implement TLS 1.2 and FALLBACK_SCSV, so it
-  // should be impossible to successfully connect to them with the fallback.
-  // This helps estimate intolerant locally-configured SSL MITMs.
-  if (is_google) {
-    UMA_HISTOGRAM_ENUMERATION("Net.GoogleConnectionUsedSSLVersionFallback2",
-                              fallback, FALLBACK_MAX);
-  }
-
   UMA_HISTOGRAM_BOOLEAN("Net.ConnectionUsedSSLDeprecatedCipherFallback2",
                         server_ssl_config_.deprecated_cipher_suites_enabled);

[davidben, 2016/06/24 00:33:28]

Left this around for now. I didn't end up using it much, but with DHE in the
state that it is, this will actually be pretty helpful. It'll finally tell us
what the false positive rate on these fallbacks is.

-
-  if (server_ssl_config_.version_fallback) {
-    // Record the error code which triggered the fallback and the state the
-    // handshake was in.
-    UMA_HISTOGRAM_SPARSE_SLOWLY("Net.SSLFallbackErrorCode",
-                                -fallback_error_code_);
-    UMA_HISTOGRAM_ENUMERATION("Net.SSLFallbackFailureState",
-                              fallback_failure_state_, SSL_FAILURE_MAX);
-  }
 }
 
 HttpResponseHeaders* HttpNetworkTransaction::GetResponseHeaders() const {
   return response_.headers.get();
 }
 
 bool HttpNetworkTransaction::ShouldResendRequest() const {
   bool connection_is_proven = stream_->IsConnectionReused();
   bool has_received_headers = GetResponseHeaders() != NULL;
 
@@ skipping 137 matching lines @@
   DCHECK(stream_request_);
 
   // Since the transaction can restart with auth credentials, it may create a
   // stream more than once. Accumulate all of the connection attempts across
   // those streams by appending them to the vector:
   for (const auto& attempt : stream_request_->connection_attempts())
     connection_attempts_.push_back(attempt);
 }
 
 }  // namespace net