net: remove TLS fallback for Google properties.

net/http/http_network_transaction.cc

Index: net/http/http_network_transaction.cc
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index a63a2aa43b974acbc11ec1ebe599e4f6ca294399..66b86c4cd9fe35eabcb41fccd5cfbfe9d3f0c952 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -1240,21 +1240,7 @@ int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
         // version_max should match the maximum protocol version supported
         // by the SSLClientSocket class.
         version_max--;
-
-        // Fallback to the lower SSL version.
-        // While SSL 3.0 fallback should be eliminated because of security
-        // reasons, there is a high risk of breaking the servers if this is
-        // done in general.
-        // For now SSL 3.0 fallback is disabled for Google servers first,
-        // and will be expanded to other servers after enough experiences
-        // have been gained showing that this experiment works well with
-        // today's Internet.
-        if (version_max > SSL_PROTOCOL_VERSION_SSL3 ||
-            (server_ssl_config_.unrestricted_ssl3_fallback_enabled ||
-             !TransportSecurityState::IsGooglePinnedProperty(
-                 request_->url.host(), true /* include SNI */))) {
-          should_fallback = true;
-        }
+        should_fallback = true;
       }
       break;
     case ERR_SSL_BAD_RECORD_MAC_ALERT:
@@ -1270,6 +1256,19 @@ int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
       break;
   }
 
+  // While fallback should be eliminated because of security reasons,
+  // there is a high risk of breaking the servers if this is done in
+  // general.
+  //
+  // For now fallback is disabled for Google servers first, and will be
+  // expanded to other servers after enough experiences have been gained
+  // showing that this experiment works well with today's Internet.
+  if (!server_ssl_config_.unrestricted_ssl3_fallback_enabled &&

[wtc, 2013/10/01 22:03:51]

Nit: this comment should be updated to note that
unrestricted_ssl3_fallback_enabled now affects fallback to any SSL/TLS version,
not just SSL3. Perhaps we should rename this config option?

[agl, 2013/10/02 16:33:17]

Done.

I lean against updating the config option name. It would anyone who is currently
using it on the command line for no great reason and might confuse diagnosis of
bugs in the case when we have both M31 and M32 in flight.

+      TransportSecurityState::IsGooglePinnedProperty(request_->url.host(),
+                                                     true /* include SNI */)) {
+    should_fallback = false;
+  }
+
   if (should_fallback) {
     net_log_.AddEvent(
         NetLog::TYPE_SSL_VERSION_FALLBACK,