diff options
| author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-26 18:45:34 +0000 |
|---|---|---|
| committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-26 18:45:34 +0000 |
| commit | e966201240463d794fa5f8d5055160fb209ba1e0 (patch) | |
| tree | eb2168dd771e24339872e8541d2ff1f229e782cc /net/url_request | |
| parent | 4714401a0dfb1f570a0dc3f0a237e31227c88f63 (diff) | |
| download | chromium_src-e966201240463d794fa5f8d5055160fb209ba1e0.zip chromium_src-e966201240463d794fa5f8d5055160fb209ba1e0.tar.gz chromium_src-e966201240463d794fa5f8d5055160fb209ba1e0.tar.bz2 | |
net: don't remember TLS intolerant servers.
I've seen a couple of reports recently where is was clear that an SNI-only
hostname had ended up in the list of TLS-intolerant servers. The result is that
the user sees the non-SNI certificate for that IP address, which doesn't match
the requested hostname. The only way to clear this is to restart Chrome.
This change partly reverts r45088 so that we will no longer remember
TLS-intolerant servers. This means that we'll perform SSLv3 fallback for every
connection, if needed. That's unfortunate for truly TLS-intolerant servers, but
it also means that we'll get back to TLS much faster in the event of a
transient network error trigger fallback.
BUG=none
TEST=net_unittests
Review URL: http://codereview.chromium.org/10218007
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@134129 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/url_request')
| -rw-r--r-- | net/url_request/url_request_unittest.cc | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc index d825711..7126fa3 100644 --- a/net/url_request/url_request_unittest.cc +++ b/net/url_request/url_request_unittest.cc @@ -1726,6 +1726,29 @@ TEST_F(HTTPSCRLSetTest, ExpiredCRLSet) { EXPECT_FALSE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); } +TEST_F(HTTPSRequestTest, SSLv3Fallback) { + TestServer::HTTPSOptions https_options( + TestServer::HTTPSOptions::CERT_OK); + https_options.tls_intolerant = true; + TestServer test_server(https_options, + FilePath(FILE_PATH_LITERAL("net/data/ssl"))); + ASSERT_TRUE(test_server.Start()); + + TestDelegate d; + scoped_refptr<TestURLRequestContext> context(new TestURLRequestContext(true)); + context->Init(); + d.set_allow_certificate_errors(true); + URLRequest r(test_server.GetURL(""), &d); + r.set_context(context.get()); + r.Start(); + + MessageLoop::current()->Run(); + + EXPECT_EQ(1, d.response_started_count()); + EXPECT_NE(0, d.bytes_received()); + EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_SSL3_FALLBACK); +} + // This tests that a load of www.google.com with a certificate error sets // the |certificate_errors_are_fatal| flag correctly. This flag will cause // the interstitial to be fatal. |