Improve the TLS intolerant server testing support added in r134129

(http://codereview.chromium.org/10218007).

Add the ability to simulate a server that is intolerant of only a
particular version of TLS. This will allow us to test the handling
of a TLS 1.1 intolerant server.

R=agl@chromium.org,phajdan.jr@chromium.org
BUG=126340
TEST=none

Review URL: https://chromiumcodereview.appspot.com/10412042

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@138537 0039d316-1c4b-4281-b951-d872f2087c98

4 files changed, 27 insertions, 11 deletions

diff --git a/net/test/base_test_server.cc b/net/test/base_test_server.cc
index 07bef89..323ff70 100644
--- a/net/test/base_test_server.cc
+++ b/net/test/base_test_server.cc
@@ -59,7 +59,7 @@ BaseTestServer::HTTPSOptions::HTTPSOptions()
       request_client_certificate(false),
       bulk_ciphers(HTTPSOptions::BULK_CIPHER_ANY),
       record_resume(false),
-      tls_intolerant(false) {}
+      tls_intolerant(TLS_INTOLERANT_NONE) {}
 
 BaseTestServer::HTTPSOptions::HTTPSOptions(
     BaseTestServer::HTTPSOptions::ServerCertificate cert)
@@ -67,7 +67,7 @@ BaseTestServer::HTTPSOptions::HTTPSOptions(
       request_client_certificate(false),
       bulk_ciphers(HTTPSOptions::BULK_CIPHER_ANY),
       record_resume(false),
-      tls_intolerant(false) {}
+      tls_intolerant(TLS_INTOLERANT_NONE) {}
 
 BaseTestServer::HTTPSOptions::~HTTPSOptions() {}
 
@@ -377,8 +377,10 @@ bool BaseTestServer::GenerateArguments(base::DictionaryValue* arguments) const {
       arguments->Set("ssl-bulk-cipher", bulk_cipher_values.release());
     if (https_options_.record_resume)
       arguments->Set("https-record-resume", base::Value::CreateNullValue());
-    if (https_options_.tls_intolerant)
-      arguments->Set("tls-intolerant", base::Value::CreateNullValue());
+    if (https_options_.tls_intolerant != HTTPSOptions::TLS_INTOLERANT_NONE) {
+      arguments->Set("tls-intolerant",
+          base::Value::CreateIntegerValue(https_options_.tls_intolerant));
+    }
   }
   return true;
 }
diff --git a/net/test/base_test_server.h b/net/test/base_test_server.h
index f7d5654..9456f37 100644
--- a/net/test/base_test_server.h
+++ b/net/test/base_test_server.h
@@ -85,6 +85,15 @@ class BaseTestServer {
       BULK_CIPHER_3DES   = (1 << 3),
     };
 
+    // NOTE: the values of these enumerators are passed to the the Python test
+    // server. Do not change them.
+    enum TLSIntolerantLevel {
+      TLS_INTOLERANT_NONE = 0,
+      TLS_INTOLERANT_ALL = 1,  // Intolerant of all TLS versions.
+      TLS_INTOLERANT_TLS1_1 = 2,  // Intolerant of TLS 1.1 or higher.
+      TLS_INTOLERANT_TLS1_2 = 3,  // Intolerant of TLS 1.2 or higher.
+    };
+
     // Initialize a new HTTPSOptions using CERT_OK as the certificate.
     HTTPSOptions();
 
@@ -127,9 +136,9 @@ class BaseTestServer {
     // /ssl-session-cache.
     bool record_resume;
 
-    // If true, the server will abort any TLS handshake in order to test
-    // SSLv3 fallback.
-    bool tls_intolerant;
+    // If not TLS_INTOLERANT_NONE, the server will abort any handshake that
+    // negotiates an intolerant TLS version in order to test version fallback.
+    TLSIntolerantLevel tls_intolerant;
   };
 
   // Pass as the 'host' parameter during construction to server on 127.0.0.1
diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py
index 9fc92ee..82e9b61 100755
--- a/net/tools/testserver/testserver.py
+++ b/net/tools/testserver/testserver.py
@@ -2177,9 +2177,12 @@ if __name__ == '__main__':
                            'automatically generated certificate. One of '
                            '[ok,revoked,invalid]')
   option_parser.add_option('', '--tls-intolerant', dest='tls_intolerant',
-                           const=True, default=False, action='store_const',
-                           help='If true, TLS connections will be aborted '
-                           ' in order to test SSLv3 fallback.')
+                           default='0', type='int',
+                           help='If nonzero, certain TLS connections will be'
+                           ' aborted in order to test version fallback. 1'
+                           ' means all TLS versions will be aborted. 2 means'
+                           ' TLS 1.1 or higher will be aborted. 3 means TLS'
+                           ' 1.2 or higher will be aborted.')
   option_parser.add_option('', '--https-record-resume', dest='record_resume',
                            const=True, default=False, action='store_const',
                            help='Record resumption cache events rather than'
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index b1c3b07..aae4b4e 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -1734,7 +1734,7 @@ TEST_F(HTTPSCRLSetTest, ExpiredCRLSet) {
 TEST_F(HTTPSRequestTest, SSLv3Fallback) {
   TestServer::HTTPSOptions https_options(
       TestServer::HTTPSOptions::CERT_OK);
-  https_options.tls_intolerant = true;
+  https_options.tls_intolerant = TestServer::HTTPSOptions::TLS_INTOLERANT_ALL;
   TestServer test_server(https_options,
                          FilePath(FILE_PATH_LITERAL("net/data/ssl")));
   ASSERT_TRUE(test_server.Start());
@@ -1751,6 +1751,8 @@ TEST_F(HTTPSRequestTest, SSLv3Fallback) {
 
   EXPECT_EQ(1, d.response_started_count());
   EXPECT_NE(0, d.bytes_received());
+  EXPECT_EQ(SSL_CONNECTION_VERSION_SSL3,
+            SSLConnectionStatusToVersion(r.ssl_info().connection_status));
   EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_SSL3_FALLBACK);
 }