Chromium Code Reviews

Unified Diff: net/socket/ssl_client_socket_nss.cc

Issue 947603002: Shard the SSL session cache by version fallback. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: be more clever Created 5 years, 10 months ago
Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 1cc156bffdbc88b64e066ec645f7ef0519a62948..18f100af60c4a8a4a30af347fc1ed37a2cf5654e 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -3356,13 +3356,29 @@ int SSLClientSocketNSS::InitializeSSLPeerName() {
// SSL tunnel through a proxy -- GetPeerName returns the proxy's address
// rather than the destination server's address in that case.
std::string peer_id = host_and_port_.ToString();
- // If the ssl_session_cache_shard_ is non-empty, we append it to the peer id.
- // This will cause session cache misses between sockets with different values
- // of ssl_session_cache_shard_ and this is used to partition the session cache
- // for incognito mode.
- if (!ssl_session_cache_shard_.empty()) {
- peer_id += "/" + ssl_session_cache_shard_;
+ // Append |ssl_session_cache_shard_| to the peer id. This is used to partition
+ // the session cache for incognito mode.
+ peer_id += "/" + ssl_session_cache_shard_;
+ peer_id += "/";
+ // Shard the session cache based on maximum protocol version. This causes
+ // fallback connections to use a separate session cache.
+ switch (ssl_config_.version_max) {
+ case SSL_PROTOCOL_VERSION_SSL3:
+ peer_id += "ssl3";
+ break;
+ case SSL_PROTOCOL_VERSION_TLS1:
+ peer_id += "tls1";
+ break;
+ case SSL_PROTOCOL_VERSION_TLS1_1:
+ peer_id += "tls1.1";
+ break;
+ case SSL_PROTOCOL_VERSION_TLS1_2:
+ peer_id += "tls1.2";
+ break;
+ default:
+ NOTREACHED();
}
+
SECStatus rv = SSL_SetSockPeerID(nss_fd_, const_cast<char*>(peer_id.c_str()));
if (rv != SECSuccess)
LogFailedNSSFunction(net_log_, "SSL_SetSockPeerID", peer_id.c_str());
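Review bot: The `default:` branch of the `switch (ssl_config_.version_max)` appends nothing to `peer_id`, so if `NOTREACHED()` does not stop execution (it is a debug-only check), any unhandled `version_max` value yields a peer id ending in a bare "/" and all such values share one session cache shard. That defeats the separation this change is meant to provide as soon as a new protocol version constant is added without updating this switch. Consider appending a distinct token in the default case, or deriving the suffix from the numeric value of `version_max` so that every value gets its own shard. The `default:` case also lacks a `break;`, unlike the other cases. Separately, the new comment says fallback connections use a separate session cache but not why; a sentence on the reason would help the next reader.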