Update SSL error handling code to account for Subject CN deprecation

components/ssl_errors/error_classification.h

Index: components/ssl_errors/error_classification.h
diff --git a/components/ssl_errors/error_classification.h b/components/ssl_errors/error_classification.h
index b8c472df6697f0607b8cd6b37185ed63fd3c3d9a..27f9636bc3b6aabc1356def4fa07a7570a16db4a 100644
--- a/components/ssl_errors/error_classification.h
+++ b/components/ssl_errors/error_classification.h
@@ -28,6 +28,34 @@ typedef std::vector<std::string> HostnameTokens;
 
 // Methods for identifying specific error causes. ------------------------------
 
+// Events for UMA. Do not reorder or change!

[Mark P, 2017/04/05 18:18:25]

nit: Please follow the comment and value setting recommendations here.
https://chromium.googlesource.com/chromium/src.git/+/HEAD/tools/metrics/histo...

[elawrence, 2017/04/05 23:05:16]

Done.

+enum SSLInterstitialCause {
+  CLOCK_PAST,
+  CLOCK_FUTURE,
+  WWW_SUBDOMAIN_MATCH,         // Deprecated

[Mark P, 2017/04/05 18:18:25]

nit: in M__
here and below

[elawrence, 2017/04/05 23:05:16]

Done.

+  SUBDOMAIN_MATCH,             // Deprecated
+  SUBDOMAIN_INVERSE_MATCH,     // Deprecated
+  SUBDOMAIN_OUTSIDE_WILDCARD,  // Deprecated
+  HOST_NAME_NOT_KNOWN_TLD,
+  LIKELY_MULTI_TENANT_HOSTING,  // Deprecated
+  LOCALHOST,
+  PRIVATE_URL,
+  AUTHORITY_ERROR_CAPTIVE_PORTAL,  // Deprecated in M47.
+  SELF_SIGNED,
+  EXPIRED_RECENTLY,
+  LIKELY_SAME_DOMAIN,  // Deprecated
+  // In Chrome 58, SubjectCN matching was deprecated, deprecating original

[Mark P, 2017/04/05 18:18:25]

optional nit: This comment seems out of place to me.  (Also, I don't know what
SubjectCN means, but maybe that's okay.)  Perhaps the comment better goes right
above the 2-suffixed variants?  Or perhaps you don't need it because the 2's
make things obvious?  Or perhaps you can saw in the deprecated lines above, ";
replace with #2 version"?
Just some thoughts.

[Mark P, 2017/04/05 18:18:25]

^58^59, right?

[elawrence, 2017/04/05 23:05:16]

I've just removed this.

[elawrence, 2017/04/05 23:05:16]

SubjectCN matching was deprecated in M58. This change is going to M59 now, and
might possibly merge to M58 (but given the late date, probably will be
rejected).

+  // metrics to be replaced with the 2-suffixed variants below.
+  NO_SUBJECT_ALT_NAME,
+  WWW_SUBDOMAIN_MATCH2,
+  SUBDOMAIN_MATCH2,
+  SUBDOMAIN_INVERSE_MATCH2,
+  SUBDOMAIN_OUTSIDE_WILDCARD2,
+  LIKELY_MULTI_TENANT_HOSTING2,
+  LIKELY_SAME_DOMAIN2,
+  UNUSED_INTERSTITIAL_CAUSE_ENTRY,

[Mark P, 2017/04/05 18:18:25]

Please use a name like SLL_INTERSTITIAL_CAUSE_MAX.  The current name is
confusing.

[elawrence, 2017/04/05 23:05:16]

Done.

+};
+
 // What is known about the accuracy of system clock.  Do not change or
 // reorder; these values are used in an UMA histogram.
 enum ClockState {
@@ -110,14 +138,9 @@ bool IsCertLikelyFromMultiTenantHosting(const GURL& request_url,
 bool IsCertLikelyFromSameDomain(const GURL& request_url,
                                 const net::X509Certificate& cert);
 
-// Returns true if the site's hostname differs from one of the DNS
-// names in the certificate (CN or SANs) only by the presence or
-// absence of the single-label prefix "www". E.g.: (The first domain
-// is hostname and the second domain is a DNS name in the certificate)
-//     www.example.com ~ example.com -> true
-//     example.com ~ www.example.com -> true
-//     www.food.example.com ~ example.com -> false
-//     mail.example.com ~ example.com -> false
+// Returns true if the site's hostname differs from one of the DNS names in
+// |dns_names| only by the presence or absence of the single-label prefix "www".
+// The matching name from the certificate is returned in |www_match_host_name|.
 bool GetWWWSubDomainMatch(const GURL& request_url,
                           const std::vector<std::string>& dns_names,
                           std::string* www_match_host_name);