author | davidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-07-02 01:57:31 +0000 |
---|---|---|
committer | davidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-07-02 01:57:31 +0000 |
commit | 1283330e588bf1d5e73e7c2533af4c85e7cdc5a2 (patch) | |
tree | 7936291d518e88b632067d2aeb5bbc5f819af7c1 /net/url_request | |
parent | d233ff7eadb909914779089770dfb2e70f8beddf (diff) | |
Move SSLClientSocketNSS fallback logic to HttpNetworkTransaction.
In preparation for it to be shared with the OpenSSL logic once it reports
transport errors during handshaking.
This does result in a slight behavior change: if a handshake gives
ERR_CONNECTION_CLOSED, we now report that after the fallback chain ends (either
via TLS_FALLBACK_SCSV or hitting SSLv3). Before, we would always turn it into
ERR_SSL_PROTOCOL_ERROR. This is probably desirable and consistent with
Firefox's behavior. Add a test, FallbackSCSVClosed, to test this new behavior.
Accordingly, we should expect metrics to show some fraction of
ERR_SSL_PROTOCOL_ERROR turn into ERR_CONNECTION_CLOSED and
ERR_CONNECTION_RESET after this change.
BUG=372849
Review URL: https://codereview.chromium.org/353183005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@280938 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/url_request')
-rw-r--r-- | net/url_request/url_request_unittest.cc | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index c770041..d139888 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -7046,7 +7046,8 @@ TEST_F(HTTPSFallbackTest, TLSv1FallbackReset) {
 }
 #endif // !OS_ANDROID
 
-// Tests that we don't fallback with servers that implement TLS_FALLBACK_SCSV.
+// Tests that we don't fallback on handshake failure with servers that implement
+// TLS_FALLBACK_SCSV. Also ensure that the original error code is reported.
 #if defined(USE_OPENSSL)
 TEST_F(HTTPSFallbackTest, DISABLED_FallbackSCSV) {
 #else
@@ -7071,6 +7072,31 @@ TEST_F(HTTPSFallbackTest, FallbackSCSV) {
   ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH);
 }
 
+// Tests that we don't fallback on connection closed with servers that implement
+// TLS_FALLBACK_SCSV. Also ensure that the original error code is reported.
+#if defined(USE_OPENSSL)
+TEST_F(HTTPSFallbackTest, DISABLED_FallbackSCSVClosed) {
+#else
+TEST_F(HTTPSFallbackTest, FallbackSCSVClosed) {
+#endif
+  SpawnedTestServer::SSLOptions ssl_options(
+      SpawnedTestServer::SSLOptions::CERT_OK);
+  // Configure HTTPS server to be intolerant of TLS >= 1.0 in order to trigger
+  // a version fallback.
+  ssl_options.tls_intolerant =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL;
+  ssl_options.tls_intolerance_type =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE;
+  // Have the server process TLS_FALLBACK_SCSV so that version fallback
+  // connections are rejected.
+  ssl_options.fallback_scsv_enabled = true;
+
+  ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options));
+
+  // The original error should be replayed on rejected fallback.
+  ExpectFailure(ERR_CONNECTION_CLOSED);
+}
+
 // Tests that the SSLv3 fallback triggers on alert.
 TEST_F(HTTPSFallbackTest, SSLv3Fallback) {
   SpawnedTestServer::SSLOptions ssl_options(
|
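Review bot: The new FallbackSCSVClosed test pins the replayed error only for the close-on-handshake case, while the commit message predicts the same surfacing for ERR_CONNECTION_RESET, so the reset path of the moved fallback logic is left unasserted against a TLS_FALLBACK_SCSV server. A sibling FallbackSCSVReset test using the reset intolerance type that TLSv1FallbackReset presumably uses (under the same `#if !defined(OS_ANDROID)` guard that test carries, if the reset behaviour is platform-limited) and ending in `ExpectFailure(ERR_CONNECTION_RESET);` would close that gap; the security-relevant assertion in both is that the connection fails rather than silently completing at SSLv3 once the server rejects the fallback. The `#if defined(USE_OPENSSL)` / `DISABLED_` guard in the new test gives a reader no reason for the exclusion; suggest `// TODO: Enable under USE_OPENSSL once the OpenSSL socket reports transport errors during the handshake (crbug.com/372849).` above it, since the commit description rather than the code currently carries that rationale.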