path: root/net
author     agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>   2013-07-17 20:15:21 +0000
committer  agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>   2013-07-17 20:15:21 +0000
commit     0b134ab32a0cf83f50ec0752420028cafd8be78a (patch)
tree       87fbbb2698387204301daa87a27270836fed7508 /net
parent     e7425db91f416ee6913d8c59388d243fcbff6739 (diff)
net: allow fallback down to TLS 1.0 in the event of a bad-record-MAC alert.
TLS 1.1 support has uncovered several examples of a new kind of broken server: they negotiate TLS 1.0 correctly in the face of a 1.1 or 1.2 ClientHello, but then fail with a bad-record-MAC alert when processing the client's Finished message. This bug is exhibited by at least two different types of SSL "accelerator" device, which will probably take forever to be fixed. So, with a heavy heart, this change adds yet another workaround.

BUG=260358
R=rsleevi@chromium.org

Review URL: https://codereview.chromium.org/19607008

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@212122 0039d316-1c4b-4281-b951-d872f2087c98
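The failure mode the commit message describes, and the version-fallback ladder the workaround relies on, as an added illustration (not Chromium's code): a client offers TLS 1.2, the server answers with TLS 1.0 but then rejects the client's Finished with bad_record_mac, and the client retries with a lower version_max until the handshake succeeds or TLS 1.0 is reached. The `classify_handshake_error` rule mirrors the condition in the patch; `next_version_max`, `connect_with_fallback` and the server callables are hypothetical, simplified stand-ins for the fallback logic that in Chromium lives outside this socket class, and all server behaviours are constructed for the example.

```python
"""Added illustration of TLS version fallback on a bad-record-MAC alert.

Hypothetical, simplified model of the ladder; not Chromium's own code.
"""

# TLS protocol version numbers (wire values).
TLS1_0, TLS1_1, TLS1_2 = 0x0301, 0x0302, 0x0303

# Outcomes a handshake attempt can end with (names chosen to echo the
# net error codes in the patch; values are illustrative strings).
ERR_OK = "ok"
ERR_SSL_PROTOCOL_ERROR = "ERR_SSL_PROTOCOL_ERROR"
ERR_SSL_BAD_RECORD_MAC_ALERT = "ERR_SSL_BAD_RECORD_MAC_ALERT"


def classify_handshake_error(err, version_max, remap_bad_mac=True):
    """Mirror of the patched rule: a bad-record-MAC alert is reported as a
    generic protocol error only while the ClientHello offered >= TLS 1.1, so
    the fallback below retries once more.  At version_max == TLS 1.0 the real
    error is left untouched and surfaces to the caller."""
    if remap_bad_mac and err == ERR_SSL_BAD_RECORD_MAC_ALERT and version_max >= TLS1_1:
        return ERR_SSL_PROTOCOL_ERROR
    return err


def next_version_max(err, version_max, version_min=TLS1_0):
    """Hypothetical fallback step: on a protocol error, lower version_max by
    one minor version, never below version_min.  Returns None to stop."""
    if err == ERR_SSL_PROTOCOL_ERROR and version_max > version_min:
        return version_max - 1
    return None


def connect_with_fallback(server, version_max=TLS1_2, remap_bad_mac=True):
    """Drive handshakes against `server` (callable: offered version_max ->
    error) down the ladder.  Returns (final_error, versions_offered)."""
    offered = []
    while True:
        offered.append(version_max)
        err = classify_handshake_error(server(version_max), version_max, remap_bad_mac)
        nxt = next_version_max(err, version_max)
        if nxt is None:
            return err, offered
        version_max = nxt


# Constructed server behaviours for the example.

def broken_accelerator(offered):
    """The device from the commit message: negotiates TLS 1.0 but sends
    bad_record_mac on the client's Finished whenever the ClientHello
    offered TLS 1.1 or 1.2.  Indistinguishable, from the client's side,
    from an on-path party injecting the same alert."""
    return ERR_SSL_BAD_RECORD_MAC_ALERT if offered >= TLS1_1 else ERR_OK


def honest_tls10_server(offered):
    """Correctly downgrades to TLS 1.0 and completes the handshake."""
    return ERR_OK


def always_bad_mac_server(offered):
    """Genuinely broken MAC at every version: the ladder is exhausted and
    the original alert must be reported, not masked."""
    return ERR_SSL_BAD_RECORD_MAC_ALERT


if __name__ == "__main__":
    print("patched   :", connect_with_fallback(broken_accelerator))
    print("unpatched :", connect_with_fallback(broken_accelerator, remap_bad_mac=False))
    print("floor     :", connect_with_fallback(always_bad_mac_server))
    print("honest    :", connect_with_fallback(honest_tls10_server))
```

With the remap enabled the broken accelerator is reached on the third attempt (1.2, 1.1, 1.0); without it the connection fails on the first attempt with the bare alert, which is the pre-patch behaviour. The `always_bad_mac_server` case shows the point of the `>= TLS 1.1` floor: once version_max is TLS 1.0 the alert is no longer remapped, so the caller sees the MAC failure rather than a generic protocol error. The same trace also shows the cost of the workaround: the client cannot tell the accelerator apart from an attacker who injects a bad_record_mac alert, so either one can drive it down to TLS 1.0.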
Diffstat (limited to 'net')
-rw-r--r--   net/socket/ssl_client_socket_nss.cc   9
1 files changed, 9 insertions, 0 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index a984f58..ee29fde 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1861,6 +1861,15 @@ int SSLClientSocketNSS::Core::DoHandshake() {
net_error = ERR_SSL_PROTOCOL_ERROR;
}
+ // Some broken SSL devices negotiate TLS 1.0 when sent a TLS 1.1 or 1.2
+ // ClientHello, but then return a bad-record-MAC alert. See
+ // crbug.com/260358. In order to make the fallback as minimal as possible,
+ // this fallback is only triggered for >= TLS 1.1.
+ if (net_error == ERR_SSL_BAD_RECORD_MAC_ALERT &&
+ ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1_1) {
+ net_error = ERR_SSL_PROTOCOL_ERROR;
+ }
+
// If not done, stay in this state
if (net_error == ERR_IO_PENDING) {
GotoState(STATE_HANDSHAKE);
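Review bot: the new `if` block overwrites `net_error` before anything records the original alert, so a genuine bad-record-MAC failure (a corrupted record, or an on-path party injecting a bad_record_mac alert after the client's Finished) becomes indistinguishable from the broken-accelerator case and turns into a silent downgrade to TLS 1.0 instead of a reported MAC failure. Before `net_error = ERR_SSL_PROTOCOL_ERROR;`, emit the original `ERR_SSL_BAD_RECORD_MAC_ALERT` to the socket's NetLog (or count it in a histogram) so the fallback can be attributed in net-internals and in field data, and extend the comment to state that the fallback is triggerable by anyone who can inject an alert, since the condition checks only `ssl_config_.version_max` and nothing about the server's behaviour. The `>= SSL_PROTOCOL_VERSION_TLS1_1` floor itself is right: at version_max TLS 1.0 the alert is left as-is, so the real error surfaces once the ladder is exhausted.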