Index: net/url_request/url_request_unittest.cc |
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc |
index 42a083505ef04493c2dc1e976f108ca144a4f0d9..30c475e8854734a0f2b2d4750b016fa8e4dab7ca 100644 |
--- a/net/url_request/url_request_unittest.cc |
+++ b/net/url_request/url_request_unittest.cc |
@@ -6592,6 +6592,48 @@ TEST_F(HTTPSRequestTest, TLSv1Fallback) { |
EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK); |
} |
+// This test is disabled on Android because the remote test server doesn't cause |
+// a TCP reset. |
+#if !defined(OS_ANDROID) |
+// Tests fallback to TLS 1.1 on connection reset. |
+TEST_F(HTTPSRequestTest, TLSv1FallbackReset) { |
+ // The OpenSSL library in use may not support TLS 1.1. |
+#if !defined(USE_OPENSSL) |
+ EXPECT_GT(kDefaultSSLVersionMax, SSL_PROTOCOL_VERSION_TLS1); |
+#endif |
+ if (kDefaultSSLVersionMax <= SSL_PROTOCOL_VERSION_TLS1) |
+ return; |
+ |
+ SpawnedTestServer::SSLOptions ssl_options( |
+ SpawnedTestServer::SSLOptions::CERT_OK); |
+ ssl_options.tls_intolerant = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
+ ssl_options.tls_intolerance_type = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET; |
+ SpawnedTestServer test_server( |
+ SpawnedTestServer::TYPE_HTTPS, |
+ ssl_options, |
+ base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
+ ASSERT_TRUE(test_server.Start()); |
+ |
+ TestDelegate d; |
+ TestURLRequestContext context(true); |
+ context.Init(); |
+ d.set_allow_certificate_errors(true); |
+ URLRequest r( |
+ test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context); |
+ r.Start(); |
+ |
+ base::RunLoop().Run(); |
+ |
+ EXPECT_EQ(1, d.response_started_count()); |
+ EXPECT_NE(0, d.bytes_received()); |
+ EXPECT_EQ(static_cast<int>(SSL_CONNECTION_VERSION_TLS1), |
+ SSLConnectionStatusToVersion(r.ssl_info().connection_status)); |
+ EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK); |
+} |
+#endif // !OS_ANDROID |
+ |
// Tests that we don't fallback with servers that implement TLS_FALLBACK_SCSV. |
#if defined(USE_OPENSSL) |
TEST_F(HTTPSRequestTest, DISABLED_FallbackSCSV) { |
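Review bot: The comment above TLSv1FallbackReset, `// Tests fallback to TLS 1.1 on connection reset.`, does not match what the test asserts. The server is set to TLS_INTOLERANT_TLS1_1 and the final check expects SSL_CONNECTION_VERSION_TLS1, so the fallback being exercised ends at TLS 1.0. Something like `// Tests fallback to TLS 1.0 when a TLS 1.1-intolerant server resets the connection.` would be accurate. Because a TCP reset is not authenticated by the handshake, the comment could also say that the version assertion is what pins how far this downgrade may go. Separately, when `kDefaultSSLVersionMax <= SSL_PROTOCOL_VERSION_TLS1` on a USE_OPENSSL build, the bare `return;` makes the test pass without exercising anything; a log line before it would make the skip visible in test output.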
@@ -6808,11 +6850,14 @@ TEST_F(HTTPSRequestTest, HSTSPreservesPosts) { |
TestLoadTimingCacheHitNoNetwork(load_timing_info); |
} |
+// Tests that the SSLv3 fallback triggers on alert. |
TEST_F(HTTPSRequestTest, SSLv3Fallback) { |
SpawnedTestServer::SSLOptions ssl_options( |
SpawnedTestServer::SSLOptions::CERT_OK); |
ssl_options.tls_intolerant = |
SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
+ ssl_options.tls_intolerance_type = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_ALERT; |
SpawnedTestServer test_server( |
SpawnedTestServer::TYPE_HTTPS, |
ssl_options, |
@@ -6836,6 +6881,70 @@ TEST_F(HTTPSRequestTest, SSLv3Fallback) { |
EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK); |
} |
+// Tests that the SSLv3 fallback triggers on closed connections. |
+TEST_F(HTTPSRequestTest, SSLv3FallbackClosed) { |
+ SpawnedTestServer::SSLOptions ssl_options( |
+ SpawnedTestServer::SSLOptions::CERT_OK); |
+ ssl_options.tls_intolerant = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
+ ssl_options.tls_intolerance_type = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
+ SpawnedTestServer test_server( |
+ SpawnedTestServer::TYPE_HTTPS, |
+ ssl_options, |
+ base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
+ ASSERT_TRUE(test_server.Start()); |
+ |
+ TestDelegate d; |
+ TestURLRequestContext context(true); |
+ context.Init(); |
+ d.set_allow_certificate_errors(true); |
+ URLRequest r( |
+ test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context); |
+ r.Start(); |
+ |
+ base::RunLoop().Run(); |
+ |
+ EXPECT_EQ(1, d.response_started_count()); |
+ EXPECT_NE(0, d.bytes_received()); |
+ EXPECT_EQ(static_cast<int>(SSL_CONNECTION_VERSION_SSL3), |
+ SSLConnectionStatusToVersion(r.ssl_info().connection_status)); |
+ EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK); |
+} |
+ |
+// This test is disabled on Android because the remote test server doesn't cause |
+// a TCP reset. |
+#if !defined(OS_ANDROID) |
+// Tests that a reset connection does not fallback down to SSL3. |
+TEST_F(HTTPSRequestTest, SSLv3NoFallbackReset) { |
+ SpawnedTestServer::SSLOptions ssl_options( |
+ SpawnedTestServer::SSLOptions::CERT_OK); |
+ ssl_options.tls_intolerant = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
+ ssl_options.tls_intolerance_type = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET; |
+ SpawnedTestServer test_server( |
+ SpawnedTestServer::TYPE_HTTPS, |
+ ssl_options, |
+ base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
+ ASSERT_TRUE(test_server.Start()); |
+ |
+ TestDelegate d; |
+ TestURLRequestContext context(true); |
+ context.Init(); |
+ d.set_allow_certificate_errors(true); |
+ URLRequest r( |
+ test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context); |
+ r.Start(); |
+ |
+ base::RunLoop().Run(); |
+ |
+ EXPECT_FALSE(r.status().is_success()); |
+ EXPECT_EQ(URLRequestStatus::FAILED, r.status().status()); |
+ EXPECT_EQ(ERR_CONNECTION_RESET, r.status().error()); |
+} |
+#endif // !OS_ANDROID |
+ |
namespace { |
class SSLClientAuthTestDelegate : public TestDelegate { |
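Review bot: SSLv3FallbackClosed and SSLv3NoFallbackReset pin opposite outcomes for two unauthenticated transport-level failures, and neither comment says the asymmetry is deliberate. A closed connection must fall back to SSL 3.0, while a reset must fail with ERR_CONNECTION_RESET. Read together with TLSv1FallbackReset earlier in this patch, the intended policy appears to be that a reset may trigger fallback between TLS versions but never down to SSL 3.0. Stating that above SSLv3NoFallbackReset would stop a later change from "aligning" one test with the other, for example `// A reset may trigger fallback between TLS versions (see TLSv1FallbackReset) but must never reach SSL 3.0; only an alert or a clean close does.` The reason for treating close and reset differently is not visible in this diff, so the comment should also carry that rationale or point to the bug that does.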