-rw-r--r-- | chrome/browser/browser_main.cc | 18 | ||||
-rw-r--r-- | chrome/browser/browser_main.h | 4 | ||||
-rw-r--r-- | net/base/ssl_config_service.cc | 11 | ||||
-rw-r--r-- | net/base/ssl_config_service.h | 5 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 14 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_pool.cc | 19 |
6 files changed, 2 insertions, 69 deletions
diff --git a/chrome/browser/browser_main.cc b/chrome/browser/browser_main.cc
index 02c5007..1e438fc 100644
--- a/chrome/browser/browser_main.cc
+++ b/chrome/browser/browser_main.cc
@@ -503,23 +503,6 @@ void BrowserMainParts::ConnectBackupJobsFieldTrial() {
 }
 }
-void BrowserMainParts::RevocationCheckingDisabledFieldTrial() {
- const base::FieldTrial::Probability kDivisor = 100;
- base::FieldTrial::Probability probability = 50; // 50/50 trial
-
- // After August 30, 2011 builds, it will always be in default group.
- scoped_refptr<base::FieldTrial> trial(
- new base::FieldTrial(
- "RevCheckingImpact", kDivisor, "control", 2011, 8, 30));
-
- int disabled_group = trial->AppendGroup(
- "disabled", probability);
-
- int trial_grp = trial->group();
- if (trial_grp == disabled_group)
- net::SSLConfigService::DisableRevCheckingForPinnedSites();
-}
-
 // BrowserMainParts: |MainMessageLoopStart()| and related ----------------------
 void BrowserMainParts::MainMessageLoopStart() {
@@ -610,7 +593,6 @@ void BrowserMainParts::SetupFieldTrials(bool metrics_recording_enabled) {
 prerender::ConfigurePrefetchAndPrerender(parsed_command_line());
 SpdyFieldTrial();
 ConnectBackupJobsFieldTrial();
- RevocationCheckingDisabledFieldTrial();
 }
 // -----------------------------------------------------------------------------
diff --git a/chrome/browser/browser_main.h b/chrome/browser/browser_main.h
index bffa401..417c622 100644
--- a/chrome/browser/browser_main.h
+++ b/chrome/browser/browser_main.h
@@ -129,10 +129,6 @@ class BrowserMainParts {
 // specified timeout value is reached.
 void ConnectBackupJobsFieldTrial();
- // A/B test for disabling revocation checking for sites with pinned
- // certificates.
- void RevocationCheckingDisabledFieldTrial();
-
 // Used to initialize NSPR where appropriate.
 virtual void InitializeSSL() = 0;
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index c16e4c5..56ad78a 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -48,7 +48,6 @@ bool SSLConfigService::IsKnownFalseStartIncompatibleServer(
 static bool g_false_start_enabled = true;
 static bool g_dns_cert_provenance_checking = false;
-static bool g_rev_checking_disabled_for_pinned_sites = false;
 // static
 void SSLConfigService::DisableFalseStart() {
@@ -70,16 +69,6 @@ bool SSLConfigService::dns_cert_provenance_checking_enabled() {
 return g_dns_cert_provenance_checking;
 }
-// static
-void SSLConfigService::DisableRevCheckingForPinnedSites() {
- g_rev_checking_disabled_for_pinned_sites = true;
-}
-
-// static
-bool SSLConfigService::rev_checking_disabled_for_pinned_sites() {
- return g_rev_checking_disabled_for_pinned_sites;
-}
-
 void SSLConfigService::AddObserver(Observer* observer) {
 observer_list_.AddObserver(observer);
 }
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index d80937b..c44937e 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -142,11 +142,6 @@ class NET_API SSLConfigService
 static void EnableDNSCertProvenanceChecking();
 static bool dns_cert_provenance_checking_enabled();
- // Disabled revocation checking for some sites that we have additional
- // security on.
- static void DisableRevCheckingForPinnedSites();
- static bool rev_checking_disabled_for_pinned_sites();
-
 // Is SNI available in this configuration?
 static bool IsSNIAvailable(SSLConfigService* service);
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index e1b69fc..c2bc843 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1461,18 +1461,8 @@ int SSLClientSocketNSS::DoVerifyCert(int result) {
 }
 int flags = 0;
- if (ssl_config_.rev_checking_enabled) {
- const std::string& hostname = host_and_port_.host();
- // is_pinned is an approximation but is currently accurate. Even if more
- // pinned sites are added, this errs on the site of caution.
- bool is_pinned = hostname == "google.com" ||
- (hostname.size() > 11 &&
- hostname.rfind(".google.com") == hostname.size() - 11);
- if (!is_pinned ||
- !SSLConfigService::rev_checking_disabled_for_pinned_sites()) {
- flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
- }
- }
+ if (ssl_config_.rev_checking_enabled)
+ flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
 if (ssl_config_.verify_ev_cert)
 flags |= X509Certificate::VERIFY_EV_CERT;
 verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
diff --git a/net/socket/ssl_client_socket_pool.cc b/net/socket/ssl_client_socket_pool.cc
index 565e064..56b2dde9 100644
--- a/net/socket/ssl_client_socket_pool.cc
+++ b/net/socket/ssl_client_socket_pool.cc
@@ -347,25 +347,6 @@ int SSLConnectJob::DoSSLConnectComplete(int result) {
 base::TimeDelta::FromMilliseconds(1),
 base::TimeDelta::FromMinutes(10),
 100);
-
- base::FieldTrial* trial = base::FieldTrialList::Find("RevCheckingImpact");
- if (trial) {
- std::string histogram_name;
- if (trial->group() != base::FieldTrial::kDefaultGroupNumber ||
- !params_->ssl_config().rev_checking_enabled) {
- histogram_name =
- "Net.SSL_Connection_Latency_Google_No_Revocation_Checking";
- } else {
- histogram_name =
- "Net.SSL_Connection_Latency_Google_Revocation_Checking";
- }
-
- UMA_HISTOGRAM_CUSTOM_TIMES(histogram_name,
- connect_duration,
- base::TimeDelta::FromMilliseconds(1),
- base::TimeDelta::FromMinutes(10),
- 100);
- }
 }
 }
|
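Review bot: The restored `if (ssl_config_.rev_checking_enabled)` branch in the DoVerifyCert hunk of net/socket/ssl_client_socket_nss.cc has no comment recording that this config flag is now the only gate on revocation checking, so a later change could reintroduce a hostname-based exemption without the security trade-off being visible at the call site. I would add above it `// Revocation checking depends only on the SSL config; there is no per-host exemption, including for pinned sites.` None of the six files in this commit is a test, so a unit test asserting that `VERIFY_REV_CHECKING_ENABLED` is set for a pinned hostname when `rev_checking_enabled` is true would help keep the exemption from coming back unnoticed. DoVerifyCert starts and ends outside the hunk.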