authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-04-26 18:45:34 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-04-26 18:45:34 +0000
commite966201240463d794fa5f8d5055160fb209ba1e0 (patch)
treeeb2168dd771e24339872e8541d2ff1f229e782cc /net/test
parent4714401a0dfb1f570a0dc3f0a237e31227c88f63 (diff)
net: don't remember TLS intolerant servers.
I've seen a couple of reports recently where it was clear that an SNI-only hostname had ended up in the list of TLS-intolerant servers. The result is that the user sees the non-SNI certificate for that IP address, which doesn't match the requested hostname. The only way to clear this is to restart Chrome. This change partly reverts r45088 so that we will no longer remember TLS-intolerant servers. This means that we'll perform SSLv3 fallback for every connection, if needed. That's unfortunate for truly TLS-intolerant servers, but it also means that we'll get back to TLS much faster in the event of a transient network error triggering fallback. BUG=none TEST=net_unittests Review URL: http://codereview.chromium.org/10218007 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@134129 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/test')
-rw-r--r--net/test/base_test_server.cc8
-rw-r--r--net/test/base_test_server.h4
2 files changed, 10 insertions, 2 deletions
diff --git a/net/test/base_test_server.cc b/net/test/base_test_server.cc
index eefd953..533cb9d 100644
--- a/net/test/base_test_server.cc
+++ b/net/test/base_test_server.cc
@@ -58,14 +58,16 @@ BaseTestServer::HTTPSOptions::HTTPSOptions()
ocsp_status(OCSP_OK),
request_client_certificate(false),
bulk_ciphers(HTTPSOptions::BULK_CIPHER_ANY),
- record_resume(false) {}
+ record_resume(false),
+ tls_intolerant(false) {}
BaseTestServer::HTTPSOptions::HTTPSOptions(
BaseTestServer::HTTPSOptions::ServerCertificate cert)
: server_certificate(cert),
request_client_certificate(false),
bulk_ciphers(HTTPSOptions::BULK_CIPHER_ANY),
- record_resume(false) {}
+ record_resume(false),
+ tls_intolerant(false) {}
BaseTestServer::HTTPSOptions::~HTTPSOptions() {}
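Review bot: The second constructor, `HTTPSOptions(ServerCertificate cert)`, has no `ocsp_status` entry in its initializer list as shown in this hunk, while the default constructor sets `ocsp_status(OCSP_OK)`. That member therefore appears to be left uninitialized whenever a test picks a certificate explicitly, which could make any OCSP-dependent test behaviour nondeterministic. Since the commit already edits both lists, add `ocsp_status(OCSP_OK),` after `server_certificate(cert),` so the two constructors agree. The default constructor's initializer list starts outside the hunk, so the full member order should be checked against the header.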
@@ -375,6 +377,8 @@ bool BaseTestServer::GenerateArguments(base::DictionaryValue* arguments) const {
arguments->Set("ssl-bulk-cipher", bulk_cipher_values.release());
if (https_options_.record_resume)
arguments->Set("https-record-resume", base::Value::CreateNullValue());
+ if (https_options_.tls_intolerant)
+ arguments->Set("tls-intolerant", base::Value::CreateNullValue());
}
return true;
}
diff --git a/net/test/base_test_server.h b/net/test/base_test_server.h
index fd04e55..f7d5654 100644
--- a/net/test/base_test_server.h
+++ b/net/test/base_test_server.h
@@ -126,6 +126,10 @@ class BaseTestServer {
// causes it to log session cache actions and echo the log on
// /ssl-session-cache.
bool record_resume;
+
+ // If true, the server will abort any TLS handshake in order to test
+ // SSLv3 fallback.
+ bool tls_intolerant;
};
// Pass as the 'host' parameter during construction to server on 127.0.0.1
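Review bot: The new comment on `tls_intolerant` says the server aborts "any TLS handshake", which does not say whether an SSLv3 handshake still completes, and the fallback test depends on that. If it matches the test server's implementation (not visible on this page), I would word it as `// If true, the server aborts any handshake that negotiates TLS 1.0 or later` / `// and only completes SSLv3 handshakes, so tests can exercise SSLv3 fallback.` The comment should also say that the option only takes effect for HTTPS servers, since the `tls-intolerant` argument in `GenerateArguments` seems to be set inside the HTTPS-only branch.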