author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-05-18 15:09:00 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-05-18 15:09:00 +0000 |
commit | 0ed9468567ab680c92db9ac6660f484cbd5cad2c (patch) | |
tree | 0ecda6c4ada18d400d77aec58a536c6b814c99fe /net/http | |
parent | dba9f8c9031b1a359e7cd62fa822ff3d04b77c3c (diff) | |
Trigger SSL fallback based on Bad MAC alert.
We have found a server (www.virginia.edu) which fails at DEFLATE
support in a new way: it returns a Bad MAC alert. Thus we add Bad MAC
to the list of triggers for falling back to SSLv3.
BUG=44251
http://codereview.chromium.org/2086008/show
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@47513 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/http')
-rw-r--r-- | net/http/http_network_transaction.cc | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index f40cdcd4..98effe3 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -1145,7 +1145,8 @@ int HttpNetworkTransaction::DoReadHeadersComplete(int result) {
 result = HandleCertificateRequest(result);
 if (result == OK)
 return result;
- } else if (result == ERR_SSL_DECOMPRESSION_FAILURE_ALERT &&
+ } else if ((result == ERR_SSL_DECOMPRESSION_FAILURE_ALERT ||
+ result == ERR_SSL_BAD_RECORD_MAC_ALERT ) &&
 ssl_config_.tls1_enabled) {
 // Some buggy servers select DEFLATE compression when offered and then
 // fail to ever decompress anything. They will send a fatal alert telling
@@ -1670,9 +1671,11 @@ int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
 case ERR_SSL_PROTOCOL_ERROR:
 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH:
 case ERR_SSL_DECOMPRESSION_FAILURE_ALERT:
+ case ERR_SSL_BAD_RECORD_MAC_ALERT:
 if (ssl_config_.tls1_enabled) {
- // This could be a TLS-intolerant server or an SSL 3.0 server that
- // chose a TLS-only cipher suite. Turn off TLS 1.0 and retry.
+ // This could be a TLS-intolerant server, an SSL 3.0 server that
+ // chose a TLS-only cipher suite or a server with buggy DEFLATE
+ // support. Turn off TLS 1.0, DEFLATE support and retry.
 g_tls_intolerant_servers->insert(GetHostAndPort(request_->url));
 ResetConnectionAndRequestForResend();
 error = OK; |
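Review bot: `ERR_SSL_BAD_RECORD_MAC_ALERT` in this condition is treated purely as a compatibility signal, but a Bad MAC alert is also what a peer sends when a record was altered in transit, so the retry with TLS 1.0 disabled becomes reachable through an integrity failure and not only through a buggy server. The same applies to the new `case ERR_SSL_BAD_RECORD_MAC_ALERT:` in HandleSSLHandshakeError. Since the commit message attributes the failure to DEFLATE, it would be safer to gate the fallback on compression actually having been negotiated for this connection, if that state is available here, and the comment under the condition should record the trade-off, e.g. `// Bad MAC is also accepted as a DEFLATE-failure signal (BUG=44251); it can equally indicate a corrupted record.` There is also a stray space in `ERR_SSL_BAD_RECORD_MAC_ALERT ) &&`. DoReadHeadersComplete starts and ends outside the hunk.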
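Review bot: The rewritten comment says the retry turns off TLS 1.0 and DEFLATE support, but the visible code only inserts the host into `g_tls_intolerant_servers` and resets the connection, so a reader cannot tell from here where compression is disabled; the comment should name that mechanism. The set looks process-wide, so a single Bad MAC alert presumably keeps the host on the fallback path for as long as the entry lives; if so, say it next to the insert, e.g. `// Entry persists for this host; later connections skip TLS 1.0.` Recording which error code caused the insert (a log line or histogram) would let operators separate DEFLATE breakage from unexpected integrity failures. The enclosing switch and the rest of HandleSSLHandshakeError lie outside the hunk.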