field | value | date
---|---|---
author | davidben <davidben@chromium.org> | 2015-02-23 10:00:37 -0800
committer | Commit bot <commit-bot@chromium.org> | 2015-02-23 18:01:12 +0000
commit | 21ea1b4ef8d6c111605866108c7dac1b31440114 (patch) |
tree | 6fe3477e0904c7d745ed0286ce3fcec365d6719f /net/socket/ssl_client_socket_openssl.cc |
parent | 5bfb976c6c589c601d8c9dc03cf9a7668d2bfb6b (diff) |
Shard the SSL session cache by version fallback.
This addresses two issues:
- NSS clamps client_version to the session version. This means that a
successful fallback connection is effectively cached, despite our fallback
being stateless. This causes our metrics to be under-reported and, more
problematic, makes spurious fallbacks stick.
- BoringSSL does not clamp, but many versions of OpenSSL on the server will
happily resume older sessions at newer protocol versions, rather than doing a
full handshake at the newer protocol version. This means a successful
spurious fallback causes us to later resume with a weaker cipher than we should.
Moreover, this mismatch is forbidden by every other client implementation.
The metrics are reporting 0.06% of connections on beta channel hit this case.
I expect it to go down after this change.
Note: this will also increase traffic to version-intolerant servers on NSS
ports. But that's only Linux/CrOS/iOS now and the BoringSSL switch did the same
thing by losing the version clamp.
BUG=459690,441456
Review URL: https://codereview.chromium.org/947603002
Cr-Commit-Position: refs/heads/master@{#317605}
Diffstat (limited to 'net/socket/ssl_client_socket_openssl.cc')
-rw-r--r-- | net/socket/ssl_client_socket_openssl.cc | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc index f166b69..0389375 100644 --- a/net/socket/ssl_client_socket_openssl.cc +++ b/net/socket/ssl_client_socket_openssl.cc @@ -402,6 +402,27 @@ std::string SSLClientSocketOpenSSL::GetSessionCacheKey() const { std::string result = host_and_port_.ToString(); result.append("/"); result.append(ssl_session_cache_shard_); + + // Shard the session cache based on maximum protocol version. This causes + // fallback connections to use a separate session cache. + result.append("/"); + switch (ssl_config_.version_max) { + case SSL_PROTOCOL_VERSION_SSL3: + result.append("ssl3"); + break; + case SSL_PROTOCOL_VERSION_TLS1: + result.append("tls1"); + break; + case SSL_PROTOCOL_VERSION_TLS1_1: + result.append("tls1.1"); + break; + case SSL_PROTOCOL_VERSION_TLS1_2: + result.append("tls1.2"); + break; + default: + NOTREACHED(); + } + return result; } |
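Review bot: the `default: NOTREACHED();` branch of the new switch leaves `result` ending in a bare "/" whenever `ssl_config_.version_max` holds a value not listed, so in builds where NOTREACHED() is not fatal every such connection would silently share one unlabelled shard instead of failing loudly; consider appending the numeric value of `version_max` in the default branch (or returning an error) so the key is always distinct per version. The comment above the switch explains the sharding intent well; it would also help to state there that `version_min` is deliberately not part of the key, since only the maximum version determines which fallback attempt a session belongs to.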