authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-11-05 14:07:46 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-11-05 14:07:46 +0000
commit79ba2d8a26fe6c9b343c57fef57896a90baa3878 (patch)
tree82cc3559b62a01744c72e82a483d30374478dd9e
parentc8a56e47ddfa3f17a64f15a88490fe5ffb12fc1e (diff)
net: Silently disable False Start when NetNanny is detected.
In r62209 we added code to detect ESET and NetNanny and to give users instructions for disabling their HTTPS scanning. This was because these products intercept Chrome's HTTPS connections and break because of False Start. NetNanny has been responsive to the issue and is rolling out a fix. In the meantime, we silently disable False Start when NetNanny is detected to give them time to update their users etc. BUG=59798 TEST=Navigate to https://www.paypal.com on Windows with NetNanny installed. http://codereview.chromium.org/4449003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@65199 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/app/generated_resources.grd3
-rw-r--r--chrome/renderer/localized_error.cc12
-rw-r--r--net/base/net_error_list.h5
-rw-r--r--net/socket/ssl_client_socket_nss.cc30
-rw-r--r--net/socket/ssl_client_socket_nss.h4
5 files changed, 17 insertions, 37 deletions
diff --git a/chrome/app/generated_resources.grd b/chrome/app/generated_resources.grd
index f9c53f4..4614a69 100644
--- a/chrome/app/generated_resources.grd
+++ b/chrome/app/generated_resources.grd
@@ -5687,9 +5687,6 @@ Keep your key file in a safe place. You will need it to create new versions of y
<message name="IDS_ERRORPAGES_HEADING_ESET_ANTI_VIRUS_SSL_INTERCEPTION" desc="Heading of the error page when we detect that ESET anti-virus is running and intercepting our HTTPS connections. 'ESET' is a product name and may be best left untranslated.">
Cannot make secure connection because of ESET anti-virus
</message>
- <message name="IDS_ERRORPAGES_HEADING_NETNANNY_SSL_INTERCEPTION" desc="Heading of the error page when we detect that NetNanny is running and intercepting our HTTPS connections. 'NetNanny' is a product name and may be best left untranslated.">
- Cannot make secure connection because of NetNanny
- </message>
<message name="IDS_ERRORPAGES_SUMMARY_NOT_AVAILABLE" desc="Summary in the error page when we can't connect to a site.">
The webpage at <ph name="URL">&lt;strong jscontent="failedUrl"&gt;&lt;/strong&gt;</ph> might be temporarily down or it may have moved permanently to a new web address.
</message>
diff --git a/chrome/renderer/localized_error.cc b/chrome/renderer/localized_error.cc
index f507ddd..d1a01f8 100644
--- a/chrome/renderer/localized_error.cc
+++ b/chrome/renderer/localized_error.cc
@@ -31,8 +31,6 @@ static const char kWeakDHKeyLearnMoreUrl[] =
"http://sites.google.com/a/chromium.org/dev/err_ssl_weak_server_ephemeral_dh_key";
static const char kESETLearnMoreUrl[] =
"http://sites.google.com/a/chromium.org/dev/err_eset_anti_virus_ssl_interception";
-static const char kNetNannyLearnMoreUrl[] =
- "http://sites.google.com/a/chromium.org/dev/err_netnanny_ssl_interception";
enum NAV_SUGGESTIONS {
SUGGEST_NONE = 0,
@@ -149,13 +147,6 @@ const LocalizedErrorMap net_error_options[] = {
IDS_ERRORPAGES_DETAILS_SSL_PROTOCOL_ERROR,
SUGGEST_LEARNMORE,
},
- {net::ERR_NETNANNY_SSL_INTERCEPTION,
- IDS_ERRORPAGES_TITLE_LOAD_FAILED,
- IDS_ERRORPAGES_HEADING_NETNANNY_SSL_INTERCEPTION,
- IDS_ERRORPAGES_SUMMARY_NETNANNY_SSL_INTERCEPTION,
- IDS_ERRORPAGES_DETAILS_SSL_PROTOCOL_ERROR,
- SUGGEST_LEARNMORE,
- },
};
const LocalizedErrorMap http_error_options[] = {
@@ -444,9 +435,6 @@ void LocalizedError::GetStrings(const WebKit::WebURLError& error,
case net::ERR_ESET_ANTI_VIRUS_SSL_INTERCEPTION:
learn_more_url = GURL(kESETLearnMoreUrl);
break;
- case net::ERR_NETNANNY_SSL_INTERCEPTION:
- learn_more_url = GURL(kNetNannyLearnMoreUrl);
- break;
default:
break;
}
diff --git a/net/base/net_error_list.h b/net/base/net_error_list.h
index 500228b..96b19ad 100644
--- a/net/base/net_error_list.h
+++ b/net/base/net_error_list.h
@@ -191,10 +191,7 @@ NET_ERROR(SSL_SNAP_START_NPN_MISPREDICTION, -131)
// give the user a helpful error message rather than have the connection hang.
NET_ERROR(ESET_ANTI_VIRUS_SSL_INTERCEPTION, -132)
-// We detected NetNanny intercepting our HTTPS connections. Since this product
-// is False Start intolerant, we return this error so that we can give the user
-// a helpful error message rather than have the connection hang.
-NET_ERROR(NETNANNY_SSL_INTERCEPTION, -133)
+// Missing -133. Feel free to reuse in the future.
// The permission to use the SSL client certificate's private key was denied.
NET_ERROR(SSL_CLIENT_AUTH_PRIVATE_KEY_ACCESS_DENIED, -134)
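Review bot: The new comment on the -133 slot invites reuse but does not record that the value was NETNANNY_SSL_INTERCEPTION, introduced in r62209. If these codes are reported anywhere outside the process (logs, metrics, bug reports), a reused -133 would be indistinguishable from the old NetNanny error sent by builds that still carry it. I would word it as `// -133 was NETNANNY_SSL_INTERCEPTION (removed in r65199); avoid reusing it while older builds may still report it.`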
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 0434f6d..a6aa458 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -446,7 +446,6 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket,
completed_handshake_(false),
pseudo_connected_(false),
eset_mitm_detected_(false),
- netnanny_mitm_detected_(false),
predicted_cert_chain_correct_(false),
peername_initialized_(false),
dnssec_provider_(NULL),
@@ -927,7 +926,6 @@ void SSLClientSocketNSS::Disconnect() {
completed_handshake_ = false;
pseudo_connected_ = false;
eset_mitm_detected_ = false;
- netnanny_mitm_detected_= false;
predicted_cert_chain_correct_ = false;
peername_initialized_ = false;
nss_bufs_ = NULL;
@@ -1635,16 +1633,10 @@ SECStatus SSLClientSocketNSS::OwnAuthCertHandler(void* arg,
// different reads or not, depending on network conditions.
PRBool false_start = 0;
SECStatus rv = SSL_OptionGet(socket, SSL_ENABLE_FALSE_START, &false_start);
- if (rv != SECSuccess)
- NOTREACHED();
+ DCHECK_EQ(SECSuccess, rv);
+
if (false_start) {
SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
- if (!that->handshake_callback_called_) {
- that->corked_ = true;
- that->uncork_timer_.Start(
- base::TimeDelta::FromMilliseconds(kCorkTimeoutMs),
- that, &SSLClientSocketNSS::UncorkAfterTimeout);
- }
// ESET anti-virus is capable of intercepting HTTPS connections on Windows.
// However, it is False Start intolerant and causes the connections to hang
@@ -1657,12 +1649,24 @@ SECStatus SSLClientSocketNSS::OwnAuthCertHandler(void* arg,
if (common_name) {
if (strcmp(common_name, "ESET_RootSslCert") == 0)
that->eset_mitm_detected_ = true;
- if (strcmp(common_name, "ContentWatch Root Certificate Authority") == 0)
- that->netnanny_mitm_detected_ = true;
+ if (strcmp(common_name, "ContentWatch Root Certificate Authority") == 0) {
+ // This is NetNanny. NetNanny are updating their product so we
+ // silently disable False Start for now.
+ rv = SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE);
+ DCHECK_EQ(SECSuccess, rv);
+ false_start = 0;
+ }
PORT_Free(common_name);
}
CERT_DestroyCertificate(cert);
}
+
+ if (false_start && !that->handshake_callback_called_) {
+ that->corked_ = true;
+ that->uncork_timer_.Start(
+ base::TimeDelta::FromMilliseconds(kCorkTimeoutMs),
+ that, &SSLClientSocketNSS::UncorkAfterTimeout);
+ }
}
#endif
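Review bot: In the NetNanny branch, `false_start = 0` runs even when `SSL_OptionSet` failed, because `DCHECK_EQ` compiles away in release builds; the socket would then still do False Start while the later `if (false_start && !that->handshake_callback_called_)` block skips corking, and the error path that used to cover this case is gone. I would make the local follow the result, `if (rv == SECSuccess) false_start = 0;`. The match is on the issuer common name of the peer certificate, which any peer can choose, and whether the chain has been validated at this point is not visible here, so the comment should say that a match can only cost the False Start optimisation for that connection. Since the workaround is described as temporary, add `// TODO: remove once the NetNanny fix has rolled out (BUG=59798).` so it is tracked. OwnAuthCertHandler begins before this hunk, and the `that` declaration used here is in the previous hunk.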
@@ -2094,8 +2098,6 @@ int SSLClientSocketNSS::DoHandshake() {
if (handshake_callback_called_) {
if (eset_mitm_detected_) {
net_error = ERR_ESET_ANTI_VIRUS_SSL_INTERCEPTION;
- } else if (netnanny_mitm_detected_) {
- net_error = ERR_NETNANNY_SSL_INTERCEPTION;
} else {
// We need to see if the predicted certificate chain (in
// |ssl_host_info_->state().certs) matches the actual certificate chain
diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h
index 2720c1d..87f7b92 100644
--- a/net/socket/ssl_client_socket_nss.h
+++ b/net/socket/ssl_client_socket_nss.h
@@ -204,10 +204,6 @@ class SSLClientSocketNSS : public SSLClientSocket {
// HTTPS connections.
bool eset_mitm_detected_;
- // True iff we believe that the user has NetNanny intercepting our HTTPS
- // connections.
- bool netnanny_mitm_detected_;
-
// True iff |ssl_host_info_| contained a predicted certificate chain and
// that we found the prediction to be correct.
bool predicted_cert_chain_correct_;