Revert of Remove remnants of DHE support.

net/socket/ssl_client_socket_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_impl.h"
 
 #include <errno.h>
 #include <string.h>
 
 #include <algorithm>
@@ skipping 975 matching lines @@
   mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true);
   mode.ConfigureFlag(SSL_MODE_CBC_RECORD_SPLITTING, true);
 
   mode.ConfigureFlag(SSL_MODE_ENABLE_FALSE_START,
                      ssl_config_.false_start_enabled);
 
   SSL_set_mode(ssl_.get(), mode.set_mask);
   SSL_clear_mode(ssl_.get(), mode.clear_mask);
 
   // Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
-  // (note that SHA256 and SHA384 only select legacy CBC ciphers).
-  std::string command("ALL:!SHA256:!SHA384:!kDHE:!aPSK:!RC4");
+  // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable
+  // DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not
+  // supported. As DHE is being deprecated, don't add a cipher only to remove
+  // it immediately.
+  //
+  // TODO(davidben): Remove the DHE_RSA_WITH_AES_256_GCM_SHA384 exclusion when
+  // the DHEEnabled administrative policy expires.
+  std::string command(
+      "ALL:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK:!RC4");
 
   if (ssl_config_.require_ecdhe)
     command.append(":!kRSA:!kDHE");
 
+  if (!ssl_config_.deprecated_cipher_suites_enabled) {
+    // Only offer DHE on the second handshake. https://crbug.com/538690
+    command.append(":!kDHE");
+  }
+
   // Additionally disable HMAC-SHA1 ciphers in ECDSA. These are the remaining
   // CBC-mode ECDSA ciphers.
   if (!AreLegacyECDSACiphersEnabled())
     command.append("!ECDSA+SHA1");
 
   // Remove any disabled ciphers.
   for (uint16_t id : ssl_config_.disabled_cipher_suites) {
     const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id);
     if (cipher) {
       command.append(":!");
@@ skipping 130 matching lines @@
   // handshakes that session was used in before we finished our handshake. This
   // is only recorded if the session from the cache was actually used, and only
   // if the ALPN protocol is h2 (under the assumption that TLS 1.3 servers will
   // be speaking h2). See https://crbug.com/631988.
   if (ssl_session_cache_lookup_count_ && negotiated_protocol_ == kProtoHTTP2 &&
       SSL_session_reused(ssl_.get())) {
     UMA_HISTOGRAM_EXACT_LINEAR("Net.SSLSessionConcurrentLookupCount",
                                ssl_session_cache_lookup_count_, 20);
   }
 
+  // DHE is offered on the deprecated cipher fallback and then rejected
+  // afterwards. This is to aid in diagnosing connection failures because a
+  // server requires DHE ciphers.
+  //
+  // TODO(davidben): A few releases after DHE's removal, remove this logic.
+  if (!ssl_config_.dhe_enabled &&
+      SSL_CIPHER_is_DHE(SSL_get_current_cipher(ssl_.get()))) {
+    return ERR_SSL_OBSOLETE_CIPHER;
+  }
+
   // Check that if token binding was negotiated, then extended master secret
   // and renegotiation indication must also be negotiated.
   if (tb_was_negotiated_ &&
       !(SSL_get_extms_support(ssl_.get()) &&
         SSL_get_secure_renegotiation_support(ssl_.get()))) {
     return ERR_SSL_PROTOCOL_ERROR;
   }
 
   const uint8_t* alpn_proto = NULL;
   unsigned alpn_len = 0;
@@ skipping 878 matching lines @@
     if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED &&
         !certificate_requested_) {
       net_error = ERR_SSL_PROTOCOL_ERROR;
     }
   }
 
   return net_error;
 }
 
 }  // namespace net