Unwind fallback metrics and SSLFailureState.

net/http/http_network_transaction.cc

Index: net/http/http_network_transaction.cc
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index e719a839c5b91e37096a55620c019f4255a1430a..2e131347450c7b11bf2ce8ad1e6ae23a8d7dee8e 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -74,14 +74,12 @@ namespace {
 std::unique_ptr<base::Value> NetLogSSLVersionFallbackCallback(
     const GURL* url,
     int net_error,
-    SSLFailureState ssl_failure_state,
     uint16_t version_before,
     uint16_t version_after,
     NetLogCaptureMode /* capture_mode */) {
   std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
   dict->SetString("host_and_port", GetHostAndPort(*url));
   dict->SetInteger("net_error", net_error);
-  dict->SetInteger("ssl_failure_state", ssl_failure_state);
   dict->SetInteger("version_before", version_before);
   dict->SetInteger("version_after", version_after);
   return std::move(dict);
@@ -110,9 +108,7 @@ HttpNetworkTransaction::HttpNetworkTransaction(RequestPriority priority,
       request_(NULL),
       priority_(priority),
       headers_valid_(false),
-      server_ssl_failure_state_(SSL_FAILURE_NONE),
       fallback_error_code_(ERR_SSL_INAPPROPRIATE_FALLBACK),
-      fallback_failure_state_(SSL_FAILURE_NONE),
       request_headers_(),
       read_buf_len_(0),
       total_received_bytes_(0),
@@ -500,14 +496,12 @@ void HttpNetworkTransaction::OnWebSocketHandshakeStreamReady(
 }
 
 void HttpNetworkTransaction::OnStreamFailed(int result,
-                                            const SSLConfig& used_ssl_config,
-                                            SSLFailureState ssl_failure_state) {
+                                            const SSLConfig& used_ssl_config) {
   DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
   DCHECK_NE(OK, result);
   DCHECK(stream_request_.get());
   DCHECK(!stream_.get());
   server_ssl_config_ = used_ssl_config;
-  server_ssl_failure_state_ = ssl_failure_state;
 
   OnIOComplete(result);
 }
@@ -1487,10 +1481,8 @@ int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
     net_log_.AddEvent(
         NetLog::TYPE_SSL_VERSION_FALLBACK,
         base::Bind(&NetLogSSLVersionFallbackCallback, &request_->url, error,
-                   server_ssl_failure_state_, server_ssl_config_.version_max,
-                   version_max));
+                   server_ssl_config_.version_max, version_max));
     fallback_error_code_ = error;
-    fallback_failure_state_ = server_ssl_failure_state_;
     server_ssl_config_.version_max = version_max;
     server_ssl_config_.version_fallback = true;
     ResetConnectionAndRequestForResend();
@@ -1582,71 +1574,11 @@ void HttpNetworkTransaction::CacheNetErrorDetailsAndResetStream() {
 }
 
 void HttpNetworkTransaction::RecordSSLFallbackMetrics(int result) {
-  if (result != OK && result != ERR_SSL_INAPPROPRIATE_FALLBACK)
-    return;
-
-  const std::string& host = request_->url.host();
-  bool is_google = base::EndsWith(host, "google.com",
-                                  base::CompareCase::SENSITIVE) &&
-                   (host.size() == 10 || host[host.size() - 11] == '.');
-  if (is_google) {
-    // Some fraction of successful connections use the fallback, but only due to
-    // a spurious network failure. To estimate this fraction, compare handshakes
-    // to Google servers which succeed against those that fail with an
-    // inappropriate_fallback alert. Google servers are known to implement
-    // FALLBACK_SCSV, so a spurious network failure while connecting would
-    // trigger the fallback, successfully connect, but fail with this alert.
-    UMA_HISTOGRAM_BOOLEAN("Net.GoogleConnectionInappropriateFallback",
-                          result == ERR_SSL_INAPPROPRIATE_FALLBACK);
-  }
-
   if (result != OK)
     return;
 
-  // Note: these values are used in histograms, so new values must be appended.
-  enum FallbackVersion {
-    FALLBACK_NONE = 0,  // SSL version fallback did not occur.
-    // Obsolete: FALLBACK_SSL3 = 1,
-    FALLBACK_TLS1 = 2,    // Fell back to TLS 1.0.
-    FALLBACK_TLS1_1 = 3,  // Fell back to TLS 1.1.
-    FALLBACK_MAX,
-  };
-
-  FallbackVersion fallback = FALLBACK_NONE;
-  if (server_ssl_config_.version_fallback) {
-    switch (server_ssl_config_.version_max) {
-      case SSL_PROTOCOL_VERSION_TLS1:
-        fallback = FALLBACK_TLS1;
-        break;
-      case SSL_PROTOCOL_VERSION_TLS1_1:
-        fallback = FALLBACK_TLS1_1;
-        break;
-      default:
-        NOTREACHED();
-    }
-  }
-  UMA_HISTOGRAM_ENUMERATION("Net.ConnectionUsedSSLVersionFallback2", fallback,
-                            FALLBACK_MAX);
-
-  // Google servers are known to implement TLS 1.2 and FALLBACK_SCSV, so it
-  // should be impossible to successfully connect to them with the fallback.
-  // This helps estimate intolerant locally-configured SSL MITMs.
-  if (is_google) {
-    UMA_HISTOGRAM_ENUMERATION("Net.GoogleConnectionUsedSSLVersionFallback2",
-                              fallback, FALLBACK_MAX);
-  }
-
   UMA_HISTOGRAM_BOOLEAN("Net.ConnectionUsedSSLDeprecatedCipherFallback2",
                         server_ssl_config_.deprecated_cipher_suites_enabled);

[davidben, 2016/06/24 00:33:28]

Left this around for now. I didn't end up using it much, but with DHE in the
state that it is, this will actually be pretty helpful. It'll finally tell us
what the false positive rate on these fallbacks is.

-
-  if (server_ssl_config_.version_fallback) {
-    // Record the error code which triggered the fallback and the state the
-    // handshake was in.
-    UMA_HISTOGRAM_SPARSE_SLOWLY("Net.SSLFallbackErrorCode",
-                                -fallback_error_code_);
-    UMA_HISTOGRAM_ENUMERATION("Net.SSLFallbackFailureState",
-                              fallback_failure_state_, SSL_FAILURE_MAX);
-  }
 }
 
 HttpResponseHeaders* HttpNetworkTransaction::GetResponseHeaders() const {