authorbnc <bnc@chromium.org>2014-12-02 16:33:10 -0800
committerCommit bot <commit-bot@chromium.org>2014-12-03 00:33:36 +0000
commit86b734dda993c83637b9548ea8a60797bfaad965 (patch)
tree231a83c62f2dd359cec607edd206fe43cf3d721b
parent64a79cc21bff523c0758bb7ae4f41ac698a836ae (diff)
Implement SSLClientSocket::GetMaxSupportedSSLVersion, this time without breaking the build.
Implement SSLClientSocket::GetMaxSupportedSSLVersion, this time without breaking the build. This is the first step to stop advertising HTTP/2 when we do not support TLS 1.2. Patch Set 1 originally landed as https://crrev.com/742473004. It broke the build on Linux Builder (dbg)(32) and was reverted. Let's try again. BUG=436835 Review URL: https://codereview.chromium.org/768413002 Cr-Commit-Position: refs/heads/master@{#306506}
-rw-r--r--chrome/browser/net/ssl_config_service_manager_pref.cc5
-rw-r--r--chrome/browser/net/ssl_config_service_manager_pref_unittest.cc11
-rw-r--r--net/socket/ssl_client_socket.h4
-rw-r--r--net/socket/ssl_client_socket_nss.cc13
-rw-r--r--net/socket/ssl_client_socket_openssl.cc5
5 files changed, 31 insertions, 7 deletions
diff --git a/chrome/browser/net/ssl_config_service_manager_pref.cc b/chrome/browser/net/ssl_config_service_manager_pref.cc
index 2ce8e9a..decd895 100644
--- a/chrome/browser/net/ssl_config_service_manager_pref.cc
+++ b/chrome/browser/net/ssl_config_service_manager_pref.cc
@@ -20,6 +20,7 @@
#include "components/content_settings/core/browser/content_settings_utils.h"
#include "components/content_settings/core/common/content_settings.h"
#include "content/public/browser/browser_thread.h"
+#include "net/socket/ssl_client_socket.h"
#include "net/ssl/ssl_cipher_suite_names.h"
#include "net/ssl/ssl_config_service.h"
@@ -261,7 +262,7 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
std::string version_max_str = ssl_version_max_.GetValue();
std::string version_fallback_min_str = ssl_version_fallback_min_.GetValue();
config->version_min = net::kDefaultSSLVersionMin;
- config->version_max = net::kDefaultSSLVersionMax;
+ config->version_max = net::SSLClientSocket::GetMaxSupportedSSLVersion();
config->version_fallback_min = net::kDefaultSSLVersionFallbackMin;
uint16 version_min = SSLProtocolVersionFromString(version_min_str);
uint16 version_max = SSLProtocolVersionFromString(version_max_str);
@@ -276,8 +277,6 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
}
}
if (version_max) {
- // TODO(wtc): get the maximum SSL protocol version supported by the
- // SSLClientSocket class.
uint16 supported_version_max = config->version_max;
config->version_max = std::min(supported_version_max, version_max);
}
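Review bot: The clamp `config->version_max = std::min(supported_version_max, version_max);` now bounds the user pref by the library maximum, but nothing in this hunk bounds `config->version_min` against a `version_max` that may now be lower than before: on an NSS build where GetMaxSupportedSSLVersion() returns TLS 1.1, a version_min pref of TLS 1.2 leaves min above max. If the min/max consistency check lives elsewhere in GetSSLConfigFromPrefs (the function starts before this hunk), a one-line comment here pointing to it would help; otherwise consider `DCHECK_LE(config->version_min, config->version_max);` after the clamp so an inverted range is caught at configuration time rather than surfacing later as a handshake failure. Removing the TODO also removed the only explanation of this block; suggest `// Bound the pref by the maximum the SSL library actually supports.` above the `if (version_max)`.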
diff --git a/chrome/browser/net/ssl_config_service_manager_pref_unittest.cc b/chrome/browser/net/ssl_config_service_manager_pref_unittest.cc
index 366a529..f0a413c 100644
--- a/chrome/browser/net/ssl_config_service_manager_pref_unittest.cc
+++ b/chrome/browser/net/ssl_config_service_manager_pref_unittest.cc
@@ -18,6 +18,7 @@
#include "components/content_settings/core/browser/host_content_settings_map.h"
#include "components/content_settings/core/common/content_settings.h"
#include "content/public/test/test_browser_thread.h"
+#include "net/socket/ssl_client_socket.h"
#include "net/ssl/ssl_config_service.h"
#include "testing/gtest/include/gtest/gtest.h"
@@ -127,7 +128,7 @@ TEST_F(SSLConfigServiceManagerPrefTest, BadDisabledCipherSuites) {
}
// Test that without command-line settings for minimum and maximum SSL versions,
-// TLS 1.0 ~ kDefaultSSLVersionMax are enabled.
+// TLS versions from 1.0 up to 1.1 or 1.2 are enabled.
TEST_F(SSLConfigServiceManagerPrefTest, NoCommandLinePrefs) {
scoped_refptr<TestingPrefStore> local_state_store(new TestingPrefStore());
@@ -146,10 +147,12 @@ TEST_F(SSLConfigServiceManagerPrefTest, NoCommandLinePrefs) {
SSLConfig ssl_config;
config_service->GetSSLConfig(&ssl_config);
- // The default value in the absence of command-line options is that
- // SSL 3.0 ~ kDefaultSSLVersionMax are enabled.
+ // In the absence of command-line options, TLS versions from 1.0 up to 1.1 or
+ // 1.2 (depending on the underlying library and cryptographic implementation)
+ // are enabled.
EXPECT_EQ(net::SSL_PROTOCOL_VERSION_TLS1, ssl_config.version_min);
- EXPECT_EQ(net::kDefaultSSLVersionMax, ssl_config.version_max);
+ EXPECT_EQ(net::SSLClientSocket::GetMaxSupportedSSLVersion(),
+ ssl_config.version_max);
// The settings should not be added to the local_state.
EXPECT_FALSE(local_state->HasPrefPath(prefs::kSSLVersionMin));
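Review bot: The new expectation `EXPECT_EQ(net::SSLClientSocket::GetMaxSupportedSSLVersion(), ssl_config.version_max);` compares the config against the same function that produced it, so it passes for any value the function returns and no longer pins what the updated comment promises. Consider additionally asserting the documented range: `EXPECT_LE(net::SSL_PROTOCOL_VERSION_TLS1_1, ssl_config.version_max);` and `EXPECT_GE(net::SSL_PROTOCOL_VERSION_TLS1_2, ssl_config.version_max);`. The test body continues past the end of the hunk.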
diff --git a/net/socket/ssl_client_socket.h b/net/socket/ssl_client_socket.h
index 7adfa8c..af4f3ba 100644
--- a/net/socket/ssl_client_socket.h
+++ b/net/socket/ssl_client_socket.h
@@ -149,6 +149,10 @@ class NET_EXPORT SSLClientSocket : public SSLSocket {
// sessions.
static void ClearSessionCache();
+ // Get the maximum SSL version supported by the underlying library and
+ // cryptographic implementation.
+ static uint16 GetMaxSupportedSSLVersion();
+
virtual bool set_was_npn_negotiated(bool negotiated);
virtual bool was_spdy_negotiated() const;
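Review bot: The declaration comment for `GetMaxSupportedSSLVersion()` does not say what the returned uint16 is or when it is determined; the NSS implementation in this commit probes a PKCS#11 token at call time, so the result can depend on the cryptographic module loaded at runtime. Suggest extending the comment to something like `// Returns an SSL_PROTOCOL_VERSION_* value. Evaluated at call time; with NSS it depends on the mechanisms offered by the loaded PKCS#11 module, so callers that cache it should be aware it is not a compile-time constant.` (hedged: only if runtime variation is intended rather than a one-time probe).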
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 7eef078..1319e4b 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -2853,6 +2853,19 @@ void SSLClientSocket::ClearSessionCache() {
SSL_ClearSessionCache();
}
+#if !defined(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)
+#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
+#endif
+
+// static
+uint16 SSLClientSocket::GetMaxSupportedSSLVersion() {
+ if (PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) {
+ return SSL_PROTOCOL_VERSION_TLS1_2;
+ } else {
+ return SSL_PROTOCOL_VERSION_TLS1_1;
+ }
+}
+
bool SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
EnterFunction("");
ssl_info->Reset();
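Review bot: The fallback `#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)` hard-codes an NSS mechanism number for builds whose NSS headers predate it, and nothing here checks that the value agrees with the library at runtime; a comment naming the NSS release that introduced the mechanism (use a placeholder such as `NSS <version-TODO>` until confirmed) would let a maintainer remove the fallback once the minimum supported NSS catches up. The downgrade to TLS 1.1 when `PK11_TokenExists(...)` fails is silent, so a deployment capped at 1.1 is hard to diagnose; a `VLOG(1) << "PKCS#11 token lacks TLS 1.2 PRF mechanism; capping at TLS 1.1";` in the else branch would make that visible. Style: Chromium code generally avoids `else` after `return`; `if (PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) return SSL_PROTOCOL_VERSION_TLS1_2;` followed by `return SSL_PROTOCOL_VERSION_TLS1_1;` reads more idiomatically. Note also that the probe runs on every call, which is every GetSSLConfigFromPrefs; if the token set cannot change at runtime, caching the result once would avoid repeated PK11 lookups (hedged: only if that assumption holds).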
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 2e8ba87..b417e13 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -344,6 +344,11 @@ void SSLClientSocket::ClearSessionCache() {
context->session_cache()->Flush();
}
+// static
+uint16 SSLClientSocket::GetMaxSupportedSSLVersion() {
+ return SSL_PROTOCOL_VERSION_TLS1_2;
+}
+
SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
scoped_ptr<ClientSocketHandle> transport_socket,
const HostPortPair& host_and_port,
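Review bot: `GetMaxSupportedSSLVersion()` in the OpenSSL backend returns a bare `SSL_PROTOCOL_VERSION_TLS1_2` with no comment on why this backend needs no runtime probe, unlike the NSS implementation in the same commit; a short `// The OpenSSL backend always provides the TLS 1.2 PRF, so no runtime check is needed.` would record the reason. This value also duplicates `net::kDefaultSSLVersionMax`, which the first file in this commit used before; if the two are meant to agree, either `return kDefaultSSLVersionMax;` or, if kDefaultSSLVersionMax is a compile-time constant, a `static_assert` tying them together would stop them drifting apart silently.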