Chromium Code Reviews
Unified Diff: net/http/http_network_transaction.cc

Issue 25547003: net: remove TLS fallback for Google properties. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Addressing wtc's comments. Created 7 years, 2 months ago
Index: net/http/http_network_transaction.cc
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index 9e24da8863e1c35eb6c5fa25effdf1ded10274b9..707751a79c3338a43b6e38dfc7c36fa08a8dcacf 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -1243,21 +1243,7 @@ int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
// version_max should match the maximum protocol version supported
// by the SSLClientSocket class.
version_max--;
-
- // Fallback to the lower SSL version.
- // While SSL 3.0 fallback should be eliminated because of security
- // reasons, there is a high risk of breaking the servers if this is
- // done in general.
- // For now SSL 3.0 fallback is disabled for Google servers first,
- // and will be expanded to other servers after enough experiences
- // have been gained showing that this experiment works well with
- // today's Internet.
- if (version_max > SSL_PROTOCOL_VERSION_SSL3 ||
- (server_ssl_config_.unrestricted_ssl3_fallback_enabled ||
- !TransportSecurityState::IsGooglePinnedProperty(
- request_->url.host(), true /* include SNI */))) {
- should_fallback = true;
- }
+ should_fallback = true;
}
break;
case ERR_SSL_BAD_RECORD_MAC_ALERT:
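Review bot: Making `should_fallback = true` unconditional here widens the behaviour change beyond what the old comment described: the removed condition only blocked pinned Google properties from the final step down to SSL 3.0 (`version_max > SSL_PROTOCOL_VERSION_SSL3` let TLS 1.2 -> 1.1 -> 1.0 proceed), whereas now every decrement marks a fallback and the suppression happens later for all versions. That matches the CL title, but please say so explicitly in the description, and note that `version_max--` has already executed by the time the later check can clear `should_fallback`, so `version_max` must only be consumed inside the `if (should_fallback)` block.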
@@ -1273,6 +1259,22 @@ int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
break;
}
+ // While fallback should be eliminated because of security reasons,
+ // there is a high risk of breaking the servers if this is done in
+ // general.
+ //
+ // For now fallback is disabled for Google servers first, and will be
+ // expanded to other servers after enough experiences have been gained
+ // showing that this experiment works well with today's Internet.
+ //
+ // The --enable-unrestricted-ssl3-fallback command-line flag exists to allow
+ // fallback to any version, all the way down to SSLv3.
+ if (!server_ssl_config_.unrestricted_ssl3_fallback_enabled &&
+ TransportSecurityState::IsGooglePinnedProperty(request_->url.host(),
+ true /* include SNI */)) {
+ should_fallback = false;
+ }
+
if (should_fallback) {
net_log_.AddEvent(
NetLog::TYPE_SSL_VERSION_FALLBACK,
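Review bot: The new comment says "fallback is disabled for Google servers", but the code keys on `TransportSecurityState::IsGooglePinnedProperty(request_->url.host(), true /* include SNI */)`, which covers only pinned Google properties; please word the comment to match, and change "enough experiences have been gained" to "enough experience has been gained". Since this check now runs after the whole switch, it also suppresses fallback for the `ERR_SSL_BAD_RECORD_MAC_ALERT` and later cases, not just the version-downgrade case; confirm that is intended and that nothing between the switch and this block has already acted on `should_fallback`.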