DescriptionPreserve transport errors for OpenSSL sockets.
This makes the OpenSSL BIO pair behave like nss_memio with respect to errors,
eliminating many discrepancies between the two backends in
ssl_client_socket_unittest.cc. (While adding one as it exposes a difference in
how OpenSSL and NSS behave internally.) This also makes our fallback behavior
on TCP reset match; in NSS we take care to only fall back to TLS 1, but our
OpenSSL code falls back all the way to SSL3.
The new behavior is as follows:
- As before, on transport read error, BIO_read will fail after consuming the
buffer. The read error is now preserved even when returned synchronously.
- On write error, future writes will fail as before. Unlike before, a write
error does not prevent further data from the OS to be buffered into the read
end of the BIO. Instead, on transport write failure, we continue to read
from the transport and fill our read buffer. Whenever the buffer is empty,
the write error is surfaced. This is so the consumer is still notified of
a write failure on its final Write() call.
- When interpreting an OpenSSL error, return the saved transport read or
write error when appropriate by determining if the OpenSSL operation
failed reading from the BIO (SSL_ERROR_WANT_READ) or writing to it
(writing to a closed BIO pair gives BIO_R_RESET_PIPE).
- On transport error, always pump the OpenSSL state machine first. This is
so that, if OpenSSL provides its own error, that is used instead of the
transport error.
- Always return the transport error on handshake failure. Move the fallback
logic for ERR_CONNECTION_CLOSED and ERR_CONNECTION_RESET out of
SSLClientSocketNSS and into HttpNetworkTransaction with the rest of the
fallback logic.
- If, after there is no more to fallback (either we're at SSLv3 or got an
inappropriate_fallback), ERR_CONNECTION_CLOSED or ERR_CONNECTION_RESET is
sent, the user will now see an error page for one of those codes rather
than ERR_SSL_PROTOCOL_ERROR.
Add a test to assert that transport errors are returned out of the handshake
and another to assert that TCP reset fallback behaves as expected.
BUG=372849, 341178
Patch Set 1 #Patch Set 2 : Sort out error handling a bit. #Patch Set 3 : ERR_LIB_USER #Patch Set 4 : New version of error-handling. #Patch Set 5 : Rietveld, please behave. #Patch Set 6 : USE_NSS -> USE_OPENSSL for Windows and Mac #
Total comments: 4
Patch Set 7 : Fix small typo (try jobs on previous patchset) #Patch Set 8 : ERR_CONNECTION_CLOSED joys. #Patch Set 9 : Fix clang build. Android failures still expected. #Patch Set 10 : Disable TCP reset tests on Android. #
Total comments: 1
Patch Set 11 : Don't use a BIO callback. #Patch Set 12 : Rebase. #
Total comments: 19
Patch Set 13 : Rephrase a lot of comments. #
Total comments: 2
Messages
Total messages: 10 (0 generated)
|