authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-08-10 13:38:26 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-08-10 13:38:26 +0000
commit02d1d4480b811b26d3e80aecf4a4f4777de858de (patch)
tree935359ef84f9141551994ecc90b8e7492b3984d2 /net/http/http_network_transaction.cc
parent5d26d2df402e6ea024e4f87e27391a6f11a8f4ad (diff)
Handle the TLS version fallback on the bad_record_mac alert error in
http_network_transaction.cc, so that it applies to SSLClientSockets based on both NSS and OpenSSL. R=agl@chromium.org,rsleevi@chromium.org BUG=260358 TEST=net_unittests, plus manual testing: visit https://www.web-secured.com/. Should get a successful TLS 1.0 connection, rather than ERR_SSL_BAD_RECORD_MAC_ALERT. Review URL: https://chromiumcodereview.appspot.com/22633004 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@216836 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/http/http_network_transaction.cc')
-rw-r--r--net/http/http_network_transaction.cc34
1 files changed, 25 insertions, 9 deletions
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index c26564c..70292be 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -1219,6 +1219,7 @@ int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
GetHostAndPort(request_->url));
}
+ bool should_fallback = false;
uint16 version_max = server_ssl_config_.version_max;
switch (error) {
@@ -1250,18 +1251,33 @@ int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
(server_ssl_config_.unrestricted_ssl3_fallback_enabled ||
!TransportSecurityState::IsGooglePinnedProperty(
request_->url.host(), true /* include SNI */))) {
- net_log_.AddEvent(
- NetLog::TYPE_SSL_VERSION_FALLBACK,
- base::Bind(&NetLogSSLVersionFallbackCallback,
- &request_->url, error, server_ssl_config_.version_max,
- version_max));
- server_ssl_config_.version_max = version_max;
- server_ssl_config_.version_fallback = true;
- ResetConnectionAndRequestForResend();
- error = OK;
+ should_fallback = true;
}
}
break;
+ case ERR_SSL_BAD_RECORD_MAC_ALERT:
+ if (version_max >= SSL_PROTOCOL_VERSION_TLS1_1 &&
+ version_max > server_ssl_config_.version_min) {
+ // Some broken SSL devices negotiate TLS 1.0 when sent a TLS 1.1 or
+ // 1.2 ClientHello, but then return a bad_record_mac alert. See
+ // crbug.com/260358. In order to make the fallback as minimal as
+ // possible, this fallback is only triggered for >= TLS 1.1.
+ version_max--;
+ should_fallback = true;
+ }
+ break;
+ }
+
+ if (should_fallback) {
+ net_log_.AddEvent(
+ NetLog::TYPE_SSL_VERSION_FALLBACK,
+ base::Bind(&NetLogSSLVersionFallbackCallback,
+ &request_->url, error, server_ssl_config_.version_max,
+ version_max));
+ server_ssl_config_.version_max = version_max;
+ server_ssl_config_.version_fallback = true;
+ ResetConnectionAndRequestForResend();
+ error = OK;
}
return error;
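Review bot: The new `ERR_SSL_BAD_RECORD_MAC_ALERT` case turns a server alert into a protocol downgrade, and unlike the `ERR_SSL_PROTOCOL_ERROR` fallback just above it (which is gated on `unrestricted_ssl3_fallback_enabled` / `IsGooglePinnedProperty`) it carries no gate and no comment on who can trigger it; a bad_record_mac alert is something an on-path party corrupting the handshake can presumably provoke, so this path downgrades TLS 1.2 -> 1.1 -> 1.0 on input the server's peer does not fully control. The comment at the `version_max--` line should say this explicitly and state the bound, e.g. `// NOTE: this alert is not authenticated, so the fallback is attacker-triggerable; it is bounded at TLS 1.0 (never SSL 3.0) by the version_max >= TLS1_1 check above and is recorded in the net log.` so that a future reader does not loosen the `>= SSL_PROTOCOL_VERSION_TLS1_1` condition. Separately, `version_max--` assumes the `SSL_PROTOCOL_VERSION_*` constants are consecutive integers, which I cannot confirm from this hunk; if the other fallback case assigns an explicit constant, doing the same here (`version_max = SSL_PROTOCOL_VERSION_TLS1_0` when at TLS 1.1, etc.) would remove that hidden dependency. The closing brace of `HandleSSLHandshakeError` appears to lie outside the hunk.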