1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/http_network_transaction.h" | 5 #include "net/http/http_network_transaction.h" |
6 | 6 |
7 #include <set> | 7 #include <set> |
8 #include <vector> | 8 #include <vector> |
9 | 9 |
10 #include "base/bind.h" | 10 #include "base/bind.h" |
1290 // by the endpoint host, request_->url, rather than considering if they were | 1290 // by the endpoint host, request_->url, rather than considering if they were |
1291 // generated by the SSL proxy. http://crbug.com/69329 | 1291 // generated by the SSL proxy. http://crbug.com/69329 |
1292 int HttpNetworkTransaction::HandleSSLHandshakeError(int error) { | 1292 int HttpNetworkTransaction::HandleSSLHandshakeError(int error) { |
1293 DCHECK(request_); | 1293 DCHECK(request_); |
1294 HandleClientAuthError(error); | 1294 HandleClientAuthError(error); |
1295 | 1295 |
1296 bool should_fallback = false; | 1296 bool should_fallback = false; |
1297 uint16 version_max = server_ssl_config_.version_max; | 1297 uint16 version_max = server_ssl_config_.version_max; |
1298 | 1298 |
1299 switch (error) { | 1299 switch (error) { |
1300 case ERR_CONNECTION_CLOSED: | |
1300 case ERR_SSL_PROTOCOL_ERROR: | 1301 case ERR_SSL_PROTOCOL_ERROR: |
1301 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH: | 1302 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH: |
1302 if (version_max >= SSL_PROTOCOL_VERSION_TLS1 && | 1303 if (version_max >= SSL_PROTOCOL_VERSION_TLS1 && |
1303 version_max > server_ssl_config_.version_min) { | 1304 version_max > server_ssl_config_.version_min) { |
1304 // This could be a TLS-intolerant server or a server that chose a | 1305 // This could be a TLS-intolerant server or a server that chose a |
1305 // cipher suite defined only for higher protocol versions (such as | 1306 // cipher suite defined only for higher protocol versions (such as |
1306 // an SSL 3.0 server that chose a TLS-only cipher suite). Fall | 1307 // an SSL 3.0 server that chose a TLS-only cipher suite). Fall |
1307 // back to the next lower version and retry. | 1308 // back to the next lower version and retry. |
1308 // NOTE: if the SSLClientSocket class doesn't support TLS 1.1, | 1309 // NOTE: if the SSLClientSocket class doesn't support TLS 1.1, |
1309 // specifying TLS 1.1 in version_max will result in a TLS 1.0 | 1310 // specifying TLS 1.1 in version_max will result in a TLS 1.0 |
1324 if (version_max >= SSL_PROTOCOL_VERSION_TLS1_1 && | 1325 if (version_max >= SSL_PROTOCOL_VERSION_TLS1_1 && |
1325 version_max > server_ssl_config_.version_min) { | 1326 version_max > server_ssl_config_.version_min) { |
1326 // Some broken SSL devices negotiate TLS 1.0 when sent a TLS 1.1 or | 1327 // Some broken SSL devices negotiate TLS 1.0 when sent a TLS 1.1 or |
1327 // 1.2 ClientHello, but then return a bad_record_mac alert. See | 1328 // 1.2 ClientHello, but then return a bad_record_mac alert. See |
1328 // crbug.com/260358. In order to make the fallback as minimal as | 1329 // crbug.com/260358. In order to make the fallback as minimal as |
1329 // possible, this fallback is only triggered for >= TLS 1.1. | 1330 // possible, this fallback is only triggered for >= TLS 1.1. |
1330 version_max--; | 1331 version_max--; |
1331 should_fallback = true; | 1332 should_fallback = true; |
1332 } | 1333 } |
1333 break; | 1334 break; |
1335 case ERR_CONNECTION_RESET: | |
1336 if (version_max >= SSL_PROTOCOL_VERSION_TLS1_1 && | |
1337 version_max > server_ssl_config_.version_min) { | |
1338 // Some network devices that inspect application-layer packets seem to | |
1339 // inject TCP reset packets to break the connections when they see TLS | |
1340 // 1.1 in ClientHello or ServerHello. See http://crbug.com/130293. | |
1341 // | |
1342 // Only allow ERR_CONNECTION_RESET to trigger a fallback from TLS 1.1 or | |
1343 // 1.2. We don't lose much in this fallback because the explicit IV for | |
1344 // CBC mode in TLS 1.1 is approximated by record splitting in TLS | |
1345 // 1.0. The fallback will be more painful for TLS 1.2 when we have GCM | |
1346 // support. | |
1347 // | |
1348 // ERR_CONNECTION_RESET is a common network error, so we don't want it | |
1349 // to trigger a version fallback in general, especially the TLS 1.0 -> | |
1350 // SSL 3.0 fallback, which would drop TLS extensions. | |
1351 version_max--; | |
1352 should_fallback = true; | |
Ryan Sleevi
2014/06/18 01:39:52
For future reference, changes like this should rea
davidben
2014/06/18 22:27:22
Yeah, I'll split this one out.
1353 } | |
1354 break; | |
1334 case ERR_SSL_INAPPROPRIATE_FALLBACK: | 1355 case ERR_SSL_INAPPROPRIATE_FALLBACK: |
1335 // The server told us that we should not have fallen back. A buggy server | 1356 // The server told us that we should not have fallen back. A buggy server |
1336 // could trigger ERR_SSL_INAPPROPRIATE_FALLBACK with the initial | 1357 // could trigger ERR_SSL_INAPPROPRIATE_FALLBACK with the initial |
1337 // connection. |fallback_error_code_| is initialised to | 1358 // connection. |fallback_error_code_| is initialised to |
1338 // ERR_SSL_INAPPROPRIATE_FALLBACK to catch this case. | 1359 // ERR_SSL_INAPPROPRIATE_FALLBACK to catch this case. |
1339 error = fallback_error_code_; | 1360 error = fallback_error_code_; |
1340 break; | 1361 break; |
1341 } | 1362 } |
1342 | 1363 |
1343 if (should_fallback) { | 1364 if (should_fallback) { |
1551 description = base::StringPrintf("Unknown state 0x%08X (%u)", state, | 1572 description = base::StringPrintf("Unknown state 0x%08X (%u)", state, |
1552 state); | 1573 state); |
1553 break; | 1574 break; |
1554 } | 1575 } |
1555 return description; | 1576 return description; |
1556 } | 1577 } |
1557 | 1578 |
1558 #undef STATE_CASE | 1579 #undef STATE_CASE |
1559 | 1580 |
1560 } // namespace net | 1581 } // namespace net |
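Review bot: The added `case ERR_CONNECTION_CLOSED:` (new line 1300) joins the ERR_SSL_PROTOCOL_ERROR group, whose guard is only `version_max >= SSL_PROTOCOL_VERSION_TLS1`, so a closed connection can now drive the retry all the way down to SSL 3.0, whereas the new ERR_CONNECTION_RESET case is deliberately floored at TLS 1.1 because, as its own comment says, a common network error should not trigger the TLS 1.0 -> SSL 3.0 fallback that drops TLS extensions. A connection close is as easy for an on-path attacker or a middlebox to induce as a reset, so the same reasoning appears to apply; unless there is a known population of servers that close on TLS 1.0 ClientHellos (nothing here shows one), I would move the label next to the reset case, `case ERR_CONNECTION_CLOSED:` / `case ERR_CONNECTION_RESET:`, so it shares the TLS 1.1 floor and gets the same explanatory comment. The ERR_SSL_INAPPROPRIATE_FALLBACK handling suggests a fallback SCSV is sent, but that only defeats a forced downgrade against servers that implement it, which by construction excludes the legacy servers this fallback exists for. HandleSSLHandshakeError continues past the visible lines (the `if (should_fallback)` body is cut off), so the retry bookkeeping after a fallback is not visible here.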