Add an escape hatch for the ECDSA CBC cipher removal.

net/socket/ssl_client_socket_impl.cc

Index: net/socket/ssl_client_socket_impl.cc
diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc
index a5d2afd7d8483a4996e04f9b68e3756f55af5d1a..27c2bba8c586d84e2425a030d474a341984c2489 100644
--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -11,6 +11,7 @@
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
+#include "base/feature_list.h"
 #include "base/lazy_instance.h"
 #include "base/macros.h"
 #include "base/memory/singleton.h"
@@ -216,6 +217,20 @@ int GetBufferSize(const char* field_trial) {
   return buffer_size;
 }
 
+#if defined(OS_NACL)
+bool AreLegacyECDSACiphersEnabled() {
+  return false;
+}
+#else
+// TODO(davidben): Remove this after the ECDSA CBC removal sticks.

[Ryan Sleevi, 2016/11/17 04:06:28]

File a crbug? :)

Also: In addition to not working on nacl, this won't work for Chromium. Is that
a concern? Or not?

[davidben, 2016/11/17 05:15:58]

Done.
I think that's fine. This is the sort of thing where recovering from the problem
on the server (deploy AEAD ciphers) is pretty straightforward and desirable
anyway. This is just in case the volume is higher than expected and we need to
roll back. Otherwise we'll end up with these kinds of removals not affecting
Chromium.

+const base::Feature kLegacyECDSACiphersFeature{
+    "SSLLegacyECDSACiphers", base::FEATURE_DISABLED_BY_DEFAULT};
+
+bool AreLegacyECDSACiphersEnabled() {
+  return base::FeatureList::IsEnabled(kLegacyECDSACiphersFeature);
+}
+#endif
+
 }  // namespace
 
 class SSLClientSocketImpl::SSLContext {
@@ -943,16 +958,14 @@ int SSLClientSocketImpl::Init() {
   }
 
   // Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
-  // (note that SHA256 and SHA384 only select legacy CBC ciphers). Additionally
-  // disable HMAC-SHA1 ciphers in ECDSA. Also disable
+  // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable
   // DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not
-  // supported. As DHE is being deprecated, don't add a cipher only to remove it
-  // immediately.
+  // supported. As DHE is being deprecated, don't add a cipher only to remove
+  // it immediately.
   //
   // TODO(davidben): Remove the DHE_RSA_WITH_AES_256_GCM_SHA384 exclusion when
   // the DHEEnabled administrative policy expires.
-  command.append(
-      "ALL:!SHA256:!SHA384:!ECDSA+SHA1:!DHE-RSA-AES256-GCM-SHA384:!aPSK:!RC4");
+  command.append("ALL:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK:!RC4");
 
   if (ssl_config_.require_ecdhe)
     command.append(":!kRSA:!kDHE");
@@ -962,6 +975,11 @@ int SSLClientSocketImpl::Init() {
     command.append(":!kDHE");
   }
 
+  // Additionally disable HMAC-SHA1 ciphers in ECDSA. These are the remaining
+  // CBC-mode ECDSA ciphers.
+  if (!AreLegacyECDSACiphersEnabled())
+    command.append("!ECDSA+SHA1");
+
   // Remove any disabled ciphers.
   for (uint16_t id : ssl_config_.disabled_cipher_suites) {
     const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id);