Add minimum TLS version control to about:flags and Finch gate it.

chrome/browser/net/ssl_config_service_manager_pref.cc

Index: chrome/browser/net/ssl_config_service_manager_pref.cc
diff --git a/chrome/browser/net/ssl_config_service_manager_pref.cc b/chrome/browser/net/ssl_config_service_manager_pref.cc
index 083b95498dea8463f6d3bfc13c033e3af4fad21c..0edb9c354a2f632fc9c6bca52cb590606dcf7554 100644
--- a/chrome/browser/net/ssl_config_service_manager_pref.cc
+++ b/chrome/browser/net/ssl_config_service_manager_pref.cc
@@ -9,11 +9,13 @@
 
 #include "base/basictypes.h"
 #include "base/bind.h"
+#include "base/metrics/field_trial.h"
 #include "base/prefs/pref_change_registrar.h"
 #include "base/prefs/pref_member.h"
 #include "base/prefs/pref_registry_simple.h"
 #include "base/prefs/pref_service.h"
 #include "chrome/browser/chrome_notification_types.h"
+#include "chrome/common/chrome_switches.h"
 #include "chrome/common/pref_names.h"
 #include "components/content_settings/core/browser/content_settings_utils.h"
 #include "components/content_settings/core/common/content_settings.h"
@@ -62,35 +64,17 @@ std::vector<uint16> ParseCipherSuites(
   return cipher_suites;
 }
 
-// Returns the string representation of an SSL protocol version. Returns an
-// empty string on error.
-std::string SSLProtocolVersionToString(uint16 version) {
-  switch (version) {
-    case net::SSL_PROTOCOL_VERSION_SSL3:
-      return "ssl3";
-    case net::SSL_PROTOCOL_VERSION_TLS1:
-      return "tls1";
-    case net::SSL_PROTOCOL_VERSION_TLS1_1:
-      return "tls1.1";
-    case net::SSL_PROTOCOL_VERSION_TLS1_2:
-      return "tls1.2";
-    default:
-      NOTREACHED();
-      return std::string();
-  }
-}
-
 // Returns the SSL protocol version (as a uint16) represented by a string.
 // Returns 0 if the string is invalid.
 uint16 SSLProtocolVersionFromString(const std::string& version_str) {
   uint16 version = 0;  // Invalid.
-  if (version_str == "ssl3") {
+  if (version_str == switches::kSSLVersionSSLv3) {
     version = net::SSL_PROTOCOL_VERSION_SSL3;
-  } else if (version_str == "tls1") {
+  } else if (version_str == switches::kSSLVersionTLSv1) {
     version = net::SSL_PROTOCOL_VERSION_TLS1;
-  } else if (version_str == "tls1.1") {
+  } else if (version_str == switches::kSSLVersionTLSv11) {
     version = net::SSL_PROTOCOL_VERSION_TLS1_1;
-  } else if (version_str == "tls1.2") {
+  } else if (version_str == switches::kSSLVersionTLSv12) {
     version = net::SSL_PROTOCOL_VERSION_TLS1_2;
   }
   return version;
@@ -229,16 +213,9 @@ void SSLConfigServiceManagerPref::RegisterPrefs(PrefRegistrySimple* registry) {
   registry->RegisterBooleanPref(
       prefs::kCertRevocationCheckingRequiredLocalAnchors,
       default_config.rev_checking_required_local_anchors);
-  std::string version_min_str =
-      SSLProtocolVersionToString(default_config.version_min);
-  std::string version_max_str =
-      SSLProtocolVersionToString(default_config.version_max);
-  std::string version_fallback_min_str =
-      SSLProtocolVersionToString(default_config.version_fallback_min);
-  registry->RegisterStringPref(prefs::kSSLVersionMin, version_min_str);
-  registry->RegisterStringPref(prefs::kSSLVersionMax, version_max_str);
-  registry->RegisterStringPref(prefs::kSSLVersionFallbackMin,
-                               version_fallback_min_str);
+  registry->RegisterStringPref(prefs::kSSLVersionMin, "");
+  registry->RegisterStringPref(prefs::kSSLVersionMax, "");
+  registry->RegisterStringPref(prefs::kSSLVersionFallbackMin, "");
   registry->RegisterBooleanPref(prefs::kDisableSSLRecordSplitting,
                                 !default_config.false_start_enabled);
   registry->RegisterListPref(prefs::kCipherSuiteBlacklist);
@@ -297,6 +274,12 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
     // versions by default.
     uint16 supported_version_min = config->version_min;
     config->version_min = std::max(supported_version_min, version_min);
+  } else {
+    const std::string group =
+        base::FieldTrialList::FindFullName("SSLv3");

[Ryan Hamilton, 2014/11/03 23:02:52]

Nit: it looks like this will all fit on one line?

[agl, 2014/11/04 19:00:32]

Done.

+    if (group == "Enabled") {
+      config->version_min = net::SSL_PROTOCOL_VERSION_SSL3;
+    }
   }
   if (version_max) {
     // TODO(wtc): get the maximum SSL protocol version supported by the