Add tests for TLS fallback on connection reset and close.

net/url_request/url_request_unittest.cc

Index: net/url_request/url_request_unittest.cc
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index 42a083505ef04493c2dc1e976f108ca144a4f0d9..21dc9b18bfb7ab211ae21e0a42a6b403cad27f81 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -6592,6 +6592,48 @@ TEST_F(HTTPSRequestTest, TLSv1Fallback) {
   EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK);
 }
 
+// This test is disabled on Android because the remote test server doesn't cause
+// a TCP reset.
+#if !defined(OS_ANDROID)
+// Tests fallback to TLS 1.0 on connection reset.
+TEST_F(HTTPSRequestTest, TLSv1FallbackReset) {
+  // The OpenSSL library in use may not support TLS 1.1.
+#if !defined(USE_OPENSSL)

[wtc, 2014/06/24 21:33:29]

I think we should delete this check now. Please also remove the check from lines
6561-6562.

[davidben, 2014/06/25 21:19:56]

Good idea. We don't support building against old OpenSSLs anyway. Done.

+  EXPECT_GT(kDefaultSSLVersionMax, SSL_PROTOCOL_VERSION_TLS1);
+#endif
+  if (kDefaultSSLVersionMax <= SSL_PROTOCOL_VERSION_TLS1)
+    return;
+
+  SpawnedTestServer::SSLOptions ssl_options(
+      SpawnedTestServer::SSLOptions::CERT_OK);
+  ssl_options.tls_intolerant =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1;
+  ssl_options.tls_intolerance_type =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET;

[wtc, 2014/06/24 21:33:29]

Rather than duplicating the code of TLSv1Fallback, can you try to iterate over
an array of ssl_options.tls_intolerance_type values?

You can either add a for loop inside TLSv1Fallback manually, or use
INSTANTIATE_TEST_CASE_P.

Note: Same for the SSLv3Fallback test below.

[davidben, 2014/06/25 21:19:56]

I moved it to a fixture but didn't use INSTANTIATE_TEST_CASE_P since it seemed
messier with the reset case being so different.

+  SpawnedTestServer test_server(
+      SpawnedTestServer::TYPE_HTTPS,
+      ssl_options,
+      base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
+  ASSERT_TRUE(test_server.Start());
+
+  TestDelegate d;
+  TestURLRequestContext context(true);
+  context.Init();
+  d.set_allow_certificate_errors(true);
+  URLRequest r(
+      test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context);
+  r.Start();
+
+  base::RunLoop().Run();
+
+  EXPECT_EQ(1, d.response_started_count());
+  EXPECT_NE(0, d.bytes_received());
+  EXPECT_EQ(static_cast<int>(SSL_CONNECTION_VERSION_TLS1),
+            SSLConnectionStatusToVersion(r.ssl_info().connection_status));
+  EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK);
+}
+#endif  // !OS_ANDROID
+
 // Tests that we don't fallback with servers that implement TLS_FALLBACK_SCSV.
 #if defined(USE_OPENSSL)
 TEST_F(HTTPSRequestTest, DISABLED_FallbackSCSV) {
@@ -6808,11 +6850,14 @@ TEST_F(HTTPSRequestTest, HSTSPreservesPosts) {
   TestLoadTimingCacheHitNoNetwork(load_timing_info);
 }
 
+// Tests that the SSLv3 fallback triggers on alert.
 TEST_F(HTTPSRequestTest, SSLv3Fallback) {
   SpawnedTestServer::SSLOptions ssl_options(
       SpawnedTestServer::SSLOptions::CERT_OK);
   ssl_options.tls_intolerant =
       SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL;
+  ssl_options.tls_intolerance_type =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_ALERT;
   SpawnedTestServer test_server(
       SpawnedTestServer::TYPE_HTTPS,
       ssl_options,
@@ -6836,6 +6881,70 @@ TEST_F(HTTPSRequestTest, SSLv3Fallback) {
   EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK);
 }
 
+// Tests that the SSLv3 fallback triggers on closed connections.
+TEST_F(HTTPSRequestTest, SSLv3FallbackClosed) {
+  SpawnedTestServer::SSLOptions ssl_options(
+      SpawnedTestServer::SSLOptions::CERT_OK);
+  ssl_options.tls_intolerant =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL;
+  ssl_options.tls_intolerance_type =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE;
+  SpawnedTestServer test_server(
+      SpawnedTestServer::TYPE_HTTPS,
+      ssl_options,
+      base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
+  ASSERT_TRUE(test_server.Start());
+
+  TestDelegate d;
+  TestURLRequestContext context(true);
+  context.Init();
+  d.set_allow_certificate_errors(true);
+  URLRequest r(
+      test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context);
+  r.Start();
+
+  base::RunLoop().Run();
+
+  EXPECT_EQ(1, d.response_started_count());
+  EXPECT_NE(0, d.bytes_received());
+  EXPECT_EQ(static_cast<int>(SSL_CONNECTION_VERSION_SSL3),
+            SSLConnectionStatusToVersion(r.ssl_info().connection_status));
+  EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK);
+}
+
+// This test is disabled on Android because the remote test server doesn't cause
+// a TCP reset. It also does not pass on OpenSSL. https://crbug.com/372849
+#if !defined(OS_ANDROID) && !defined(USE_OPENSSL)
+// Tests that a reset connection does not fallback down to SSL3.
+TEST_F(HTTPSRequestTest, SSLv3NoFallbackReset) {
+  SpawnedTestServer::SSLOptions ssl_options(
+      SpawnedTestServer::SSLOptions::CERT_OK);
+  ssl_options.tls_intolerant =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL;
+  ssl_options.tls_intolerance_type =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET;
+  SpawnedTestServer test_server(
+      SpawnedTestServer::TYPE_HTTPS,
+      ssl_options,
+      base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
+  ASSERT_TRUE(test_server.Start());
+
+  TestDelegate d;
+  TestURLRequestContext context(true);
+  context.Init();
+  d.set_allow_certificate_errors(true);
+  URLRequest r(
+      test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context);
+  r.Start();
+
+  base::RunLoop().Run();
+
+  EXPECT_FALSE(r.status().is_success());
+  EXPECT_EQ(URLRequestStatus::FAILED, r.status().status());
+  EXPECT_EQ(ERR_CONNECTION_RESET, r.status().error());
+}
+#endif  // !OS_ANDROID && !USE_OPENSSL
+
 namespace {
 
 class SSLClientAuthTestDelegate : public TestDelegate {