author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-26 18:45:34 +0000 |
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-26 18:45:34 +0000 |
commit | e966201240463d794fa5f8d5055160fb209ba1e0 (patch) | |
tree | eb2168dd771e24339872e8541d2ff1f229e782cc /third_party/tlslite | |
parent | 4714401a0dfb1f570a0dc3f0a237e31227c88f63 (diff) | |
net: don't remember TLS intolerant servers.
I've seen a couple of reports recently where it was clear that an SNI-only
hostname had ended up in the list of TLS-intolerant servers. The result is that
the user sees the non-SNI certificate for that IP address, which doesn't match
the requested hostname. The only way to clear this is to restart Chrome.
This change partly reverts r45088 so that we will no longer remember
TLS-intolerant servers. This means that we'll perform SSLv3 fallback for every
connection, if needed. That's unfortunate for truly TLS-intolerant servers, but
it also means that we'll get back to TLS much faster in the event of a
transient network error trigger fallback.
BUG=none
TEST=net_unittests
Review URL: http://codereview.chromium.org/10218007
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@134129 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'third_party/tlslite')
-rw-r--r-- | third_party/tlslite/README.chromium | 1 | ||||
-rw-r--r-- | third_party/tlslite/patches/tls_intolerant.patch | 60 | ||||
-rw-r--r-- | third_party/tlslite/tlslite/TLSConnection.py | 16 |
3 files changed, 72 insertions, 5 deletions
diff --git a/third_party/tlslite/README.chromium b/third_party/tlslite/README.chromium
index ea99656..916fd36 100644
--- a/third_party/tlslite/README.chromium
+++ b/third_party/tlslite/README.chromium
@@ -30,3 +30,4 @@ Local Modifications:
 - patches/parse_chain.patch: tlslite/X509CertChain.py and tlslite/X509.py were updated to add a parseChain method, that can parse multiple certificates from a PEM string.
+- patches/tls_intolerant.patch: allow TLSLite to simulate a TLS-intolerant server.
diff --git a/third_party/tlslite/patches/tls_intolerant.patch b/third_party/tlslite/patches/tls_intolerant.patch
new file mode 100644
index 0000000..506b4d3c
--- /dev/null
+++ b/third_party/tlslite/patches/tls_intolerant.patch
@@ -0,0 +1,60 @@
+diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py
+index 7e38a23..02c7478 100644
+--- a/third_party/tlslite/tlslite/TLSConnection.py
++++ b/third_party/tlslite/tlslite/TLSConnection.py
+@@ -932,7 +932,7 @@ class TLSConnection(TLSRecordLayer):
+ def handshakeServer(self, sharedKeyDB=None, verifierDB=None,
+ certChain=None, privateKey=None, reqCert=False,
+ sessionCache=None, settings=None, checker=None,
+- reqCAs=None):
++ reqCAs=None, tlsIntolerant=False):
+ """Perform a handshake in the role of server.
+
+ This function performs an SSL or TLS handshake. Depending on
+@@ -1012,14 +1012,14 @@ class TLSConnection(TLSRecordLayer):
+ """
+ for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
+ certChain, privateKey, reqCert, sessionCache, settings,
+- checker, reqCAs):
++ checker, reqCAs, tlsIntolerant):
+ pass
+
+
+ def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None,
+ certChain=None, privateKey=None, reqCert=False,
+ sessionCache=None, settings=None, checker=None,
+- reqCAs=None):
++ reqCAs=None, tlsIntolerant=False):
+ """Start a server handshake operation on the TLS connection.
+
+ This function returns a generator which behaves similarly to
+@@ -1036,14 +1036,15 @@ class TLSConnection(TLSRecordLayer):
+ verifierDB=verifierDB, certChain=certChain,
+ privateKey=privateKey, reqCert=reqCert,
+ sessionCache=sessionCache, settings=settings,
+- reqCAs=reqCAs)
++ reqCAs=reqCAs,
++ tlsIntolerant=tlsIntolerant)
+ for result in self._handshakeWrapperAsync(handshaker, checker):
+ yield result
+
+
+ def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB,
+ certChain, privateKey, reqCert, sessionCache,
+- settings, reqCAs):
++ settings, reqCAs, tlsIntolerant):
+
+ self._handshakeStart(client=False)
+
+@@ -1111,6 +1112,11 @@ class TLSConnection(TLSRecordLayer):
+ "Too old version: %s" % str(clientHello.client_version)):
+ yield result
+
++ if tlsIntolerant and clientHello.client_version > (3, 0):
++ for result in self._sendError(\
++ AlertDescription.handshake_failure):
++ yield result
++
+ #If client's version is too high, propose my highest version
+ elif clientHello.client_version > settings.maxVersion:
+ self.version = settings.maxVersion
diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py
index 7e38a23..02c7478 100644
--- a/third_party/tlslite/tlslite/TLSConnection.py
+++ b/third_party/tlslite/tlslite/TLSConnection.py
@@ -932,7 +932,7 @@ class TLSConnection(TLSRecordLayer):
 def handshakeServer(self, sharedKeyDB=None, verifierDB=None,
 certChain=None, privateKey=None, reqCert=False,
 sessionCache=None, settings=None, checker=None,
- reqCAs=None):
+ reqCAs=None, tlsIntolerant=False):
 """Perform a handshake in the role of server.
 
 This function performs an SSL or TLS handshake. Depending on
@@ -1012,14 +1012,14 @@ class TLSConnection(TLSRecordLayer):
 """
 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
 certChain, privateKey, reqCert, sessionCache, settings,
- checker, reqCAs):
+ checker, reqCAs, tlsIntolerant):
 pass
 
 
 def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None,
 certChain=None, privateKey=None, reqCert=False,
 sessionCache=None, settings=None, checker=None,
- reqCAs=None):
+ reqCAs=None, tlsIntolerant=False):
 """Start a server handshake operation on the TLS connection.
 
 This function returns a generator which behaves similarly to
@@ -1036,14 +1036,15 @@ class TLSConnection(TLSRecordLayer):
 verifierDB=verifierDB, certChain=certChain,
 privateKey=privateKey, reqCert=reqCert,
 sessionCache=sessionCache, settings=settings,
- reqCAs=reqCAs)
+ reqCAs=reqCAs,
+ tlsIntolerant=tlsIntolerant)
 for result in self._handshakeWrapperAsync(handshaker, checker):
 yield result
 
 
 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB,
 certChain, privateKey, reqCert, sessionCache,
- settings, reqCAs):
+ settings, reqCAs, tlsIntolerant):
 
 self._handshakeStart(client=False)
 
@@ -1111,6 +1112,11 @@ class TLSConnection(TLSRecordLayer):
 "Too old version: %s" % str(clientHello.client_version)):
 yield result
 
+ if tlsIntolerant and clientHello.client_version > (3, 0):
+ for result in self._sendError(\
+ AlertDescription.handshake_failure):
+ yield result
+
 #If client's version is too high, propose my highest version
 elif clientHello.client_version > settings.maxVersion:
 self.version = settings.maxVersion
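Review bot: The new `if tlsIntolerant and clientHello.client_version > (3, 0):` block in the -1111 hunk is inserted between the "Too old version" rejection and its `elif clientHello.client_version > settings.maxVersion:`, so what was one if/elif chain is now two statements and the version-selection branches become reachable after a too-old client has already been rejected; that is only harmless if `_sendError` never returns normally after its last yield (it appears to raise, but its body is outside the hunk), and writing the new branch as `elif tlsIntolerant and clientHello.client_version > (3, 0):` keeps the chain intact without depending on that. The `\` in `for result in self._sendError(\` is redundant inside the still-open parenthesis and can be dropped. The `tlsIntolerant` keyword added to `handshakeServer` and `handshakeServerAsync` in the -932 and -1012 hunks is not described in either docstring (no hunk touches the lines between those signatures and the next hunk), so each should get a parameter entry stating that when it is true any ClientHello whose client_version is above (3, 0), i.e. anything newer than SSL 3.0, is answered with a handshake_failure alert, which exists to exercise client-side fallback in tests; the copy of this change in patches/tls_intolerant.patch has the same gaps. `_handshakeServerAsyncHelper` starts and ends outside the hunk.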