authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-10-10 21:54:43 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-10-10 21:54:43 +0000
commitb27d44756765a69a9c4cf034f9597d51b7081375 (patch)
tree619660f27ebeb454ad302112eb4aae3b45cf12cf
parentf3ef0edaccc5b99d29e0052574c887190b7d53ce (diff)
Merge 141941 - Allow ERR_CONNECTION_RESET during the SSL handshake to trigger a
TLS 1.1 -> TLS 1.0 fallback. Original review URL: https://chromiumcodereview.appspot.com/10493003 R=agl@chromium.org BUG=153573 TEST=none Review URL: https://codereview.chromium.org/11093035 git-svn-id: svn://svn.chromium.org/chrome/branches/1271/src@161203 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--net/socket/ssl_client_socket_nss.cc17
1 files changed, 17 insertions, 0 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index c2b886e..2f0e83d 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -2035,6 +2035,23 @@ int SSLClientSocketNSS::Core::DoHandshake() {
PRErrorCode prerr = PR_GetError();
net_error = HandleNSSError(prerr, true);
+ // Some network devices that inspect application-layer packets seem to
+ // inject TCP reset packets to break the connections when they see
+ // TLS 1.1 in ClientHello or ServerHello. See http://crbug.com/130293.
+ //
+ // Only allow ERR_CONNECTION_RESET to trigger a TLS 1.1 -> TLS 1.0
+ // fallback. We don't lose much in this fallback because the explicit
+ // IV for CBC mode in TLS 1.1 is approximated by record splitting in
+ // TLS 1.0.
+ //
+ // ERR_CONNECTION_RESET is a common network error, so we don't want it
+ // to trigger a version fallback in general, especially the TLS 1.0 ->
+ // SSL 3.0 fallback, which would drop TLS extensions.
+ if (prerr == PR_CONNECT_RESET_ERROR &&
+ ssl_config_.version_max == SSL_PROTOCOL_VERSION_TLS1_1) {
+ net_error = ERR_SSL_PROTOCOL_ERROR;
+ }
+
// If not done, stay in this state
if (net_error == ERR_IO_PENDING) {
GotoState(STATE_HANDSHAKE);