summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorwtc@google.com <wtc@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2008-10-13 18:10:59 +0000
committerwtc@google.com <wtc@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2008-10-13 18:10:59 +0000
commit5a179bcc5dace716b7bf87622ac1cac960c2ad9b (patch)
treece07b8debf70cbaf5b9b3c8097d3ea9828ae39df /net
parentd9399e62798b6759e8ecee1323bbe0723c8533fa (diff)
downloadchromium_src-5a179bcc5dace716b7bf87622ac1cac960c2ad9b.zip
chromium_src-5a179bcc5dace716b7bf87622ac1cac960c2ad9b.tar.gz
chromium_src-5a179bcc5dace716b7bf87622ac1cac960c2ad9b.tar.bz2
The Schannel considers some cipher suites (e.g., the
AES cipher suites) to be TLS only, and won't allow them to be used in SSL 3.0. If an SSL 3.0 server picks such a cipher suite, we need to handle it as if it were TLS intolerant by turning off TLS and retrying. R=darin BUG=3203,3001 Review URL: http://codereview.chromium.org/7242 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@3295 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/base/net_error_list.h4
-rw-r--r--net/base/ssl_client_socket.cc2
-rw-r--r--net/http/http_network_transaction.cc28
-rw-r--r--net/http/http_transaction_winhttp.cc9
4 files changed, 30 insertions, 13 deletions
diff --git a/net/base/net_error_list.h b/net/base/net_error_list.h
index c45e96f..da21182 100644
--- a/net/base/net_error_list.h
+++ b/net/base/net_error_list.h
@@ -80,6 +80,10 @@ NET_ERROR(TUNNEL_CONNECTION_FAILED, -111)
// No SSL protocol versions are enabled.
NET_ERROR(NO_SSL_VERSIONS_ENABLED, -112)
+// The client and server don't support a common SSL protocol version or
+// cipher suite.
+NET_ERROR(SSL_VERSION_OR_CIPHER_MISMATCH, -113)
+
// Certificate error codes
//
// The values of certificate error codes must be consecutive.
diff --git a/net/base/ssl_client_socket.cc b/net/base/ssl_client_socket.cc
index 6341db1..8380664 100644
--- a/net/base/ssl_client_socket.cc
+++ b/net/base/ssl_client_socket.cc
@@ -42,6 +42,8 @@ static int MapSecurityError(SECURITY_STATUS err) {
// from the server.
case SEC_E_ILLEGAL_MESSAGE:
return ERR_SSL_PROTOCOL_ERROR;
+ case SEC_E_ALGORITHM_MISMATCH:
+ return ERR_SSL_VERSION_OR_CIPHER_MISMATCH;
case SEC_E_OK:
return OK;
default:
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index 3ee086c..9d2c398 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -496,10 +496,10 @@ int HttpNetworkTransaction::DoConnectComplete(int result) {
next_state_ = STATE_WRITE_HEADERS;
if (using_tunnel_)
establishing_tunnel_ = true;
- } else if (result == ERR_SSL_PROTOCOL_ERROR) {
- result = HandleSSLHandshakeError(result);
} else {
- result = ReconsiderProxyAfterError(result);
+ result = HandleSSLHandshakeError(result);
+ if (result != OK)
+ result = ReconsiderProxyAfterError(result);
}
return result;
}
@@ -521,7 +521,7 @@ int HttpNetworkTransaction::DoSSLConnectOverTunnelComplete(int result) {
if (result == OK) {
next_state_ = STATE_WRITE_HEADERS;
- } else if (result == ERR_SSL_PROTOCOL_ERROR) {
+ } else {
result = HandleSSLHandshakeError(result);
}
return result;
@@ -881,13 +881,19 @@ int HttpNetworkTransaction::HandleCertificateError(int error) {
int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
#if defined(OS_WIN)
- if (ssl_version_mask_ & SSLClientSocket::TLS1) {
- // This could be a TLS-intolerant server. Turn off TLS 1.0 and retry.
- ssl_version_mask_ &= ~SSLClientSocket::TLS1;
- connection_.set_socket(NULL);
- connection_.Reset();
- next_state_ = STATE_INIT_CONNECTION;
- error = OK;
+ switch (error) {
+ case ERR_SSL_PROTOCOL_ERROR:
+ case ERR_SSL_VERSION_OR_CIPHER_MISMATCH:
+ if (ssl_version_mask_ & SSLClientSocket::TLS1) {
+ // This could be a TLS-intolerant server or an SSL 3.0 server that
+ // chose a TLS-only cipher suite. Turn off TLS 1.0 and retry.
+ ssl_version_mask_ &= ~SSLClientSocket::TLS1;
+ connection_.set_socket(NULL);
+ connection_.Reset();
+ next_state_ = STATE_INIT_CONNECTION;
+ error = OK;
+ }
+ break;
}
#endif
return error;
diff --git a/net/http/http_transaction_winhttp.cc b/net/http/http_transaction_winhttp.cc
index 14d82a6..239d93d 100644
--- a/net/http/http_transaction_winhttp.cc
+++ b/net/http/http_transaction_winhttp.cc
@@ -58,6 +58,8 @@ static int TranslateOSError(DWORD error) {
case ERROR_WINHTTP_SECURE_FAILURE:
case SEC_E_ILLEGAL_MESSAGE:
return ERR_SSL_PROTOCOL_ERROR;
+ case SEC_E_ALGORITHM_MISMATCH:
+ return ERR_SSL_VERSION_OR_CIPHER_MISMATCH;
case ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED:
return ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
case ERROR_WINHTTP_UNRECOGNIZED_SCHEME:
@@ -1343,10 +1345,13 @@ int HttpTransactionWinHttp::DidReceiveError(DWORD error,
last_error_ = error;
rv = TranslateOSError(error);
- if (rv == ERR_SSL_PROTOCOL_ERROR &&
+ if ((rv == ERR_SSL_PROTOCOL_ERROR ||
+ rv == ERR_SSL_VERSION_OR_CIPHER_MISMATCH) &&
!session_callback_->request_was_probably_sent() &&
session_->tls_enabled() && !is_tls_intolerant_) {
- // The server might be TLS intolerant. Downgrade to SSL 3.0 and retry.
+ // The server might be TLS intolerant. Or it might be an SSL 3.0 server
+ // that chose a TLS-only cipher suite, which we handle in the same way.
+ // Downgrade to SSL 3.0 and retry.
is_tls_intolerant_ = true;
if (!ReopenRequest())
return TranslateLastOSError();