-rw-r--r--chrome/app/policy/policy_templates.json14
-rw-r--r--chrome/browser/net/ssl_config_service_manager_pref.cc7
-rw-r--r--chrome/browser/policy/configuration_policy_handler_list.cc3
-rw-r--r--chrome/browser/policy/configuration_policy_pref_store_unittest.cc2
-rw-r--r--chrome/browser/prefs/command_line_pref_store.cc2
-rw-r--r--chrome/common/pref_names.cc1
-rw-r--r--chrome/common/pref_names.h1
-rw-r--r--chrome/test/data/enterprise/chrome-reverse.json1
-rw-r--r--chrome/test/data/enterprise/chrome.json1
-rwxr-xr-xchrome/test/functional/policy_prefs_ui.py1
-rw-r--r--content/browser/browser_main_loop.cc2
-rw-r--r--net/base/ssl_config_service.cc16
-rw-r--r--net/base/ssl_config_service.h5
-rw-r--r--net/socket/ssl_client_socket_nss.cc1
14 files changed, 36 insertions, 21 deletions
diff --git a/chrome/app/policy/policy_templates.json b/chrome/app/policy/policy_templates.json
index 9063542..29d0f00 100644
--- a/chrome/app/policy/policy_templates.json
+++ b/chrome/app/policy/policy_templates.json
@@ -112,7 +112,7 @@
# persistent IDs for all fields (but not for groups!) are needed. These are
# specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
# because doing so would break the deployed wire format!
-# For your editing convenience: highest ID currently used: 117
+# For your editing convenience: highest ID currently used: 118
#
# Placeholders:
# The following placeholder strings are automatically substituted:
@@ -2270,6 +2270,18 @@
This setting is used to force the use of the system print dialog instead of print preview.''',
},
+ {
+ 'name': 'DisableSSLRecordSplitting',
+ 'type': 'main',
+ 'supported_on': ['chrome.*:18-','chrome_os:0.18-'],
+ 'features': {'dynamic_refresh': True},
+ 'example_value': True,
+ 'id': 118,
+ 'caption': '''Disable SSL record splitting''',
+ 'desc': '''Specifies whether SSL record splitting should be disabled. Record splitting is a workaround for a weakness in SSL 3.0 and TLS 1.0 but can cause compatibility issues with some HTTPS servers and proxies.
+
+ If the policy is not set, or is set to false, then record splitting will be used on SSL/TLS connections which use CBC ciphersuites.''',
+ },
],
'messages': {
# Messages that are not associated to any policies.
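Review bot: The 'desc' of the new DisableSSLRecordSplitting entry tells administrators only about record splitting, yet the preference it maps to is applied elsewhere in this commit by clearing `false_start_enabled` (ssl_config_service_manager_pref.cc), so enabling the policy also turns off False Start on every connection. The description should say so, since the observable effect is wider than the policy name: for example append `Enabling this policy is currently implemented by disabling False Start as well.` to the first paragraph. It would also help to make explicit what the text already implies, that turning splitting off removes the workaround for the SSL 3.0/TLS 1.0 weakness and is meant only for compatibility with specific servers or proxies.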
diff --git a/chrome/browser/net/ssl_config_service_manager_pref.cc b/chrome/browser/net/ssl_config_service_manager_pref.cc
index 92c1c3b..883d7cb 100644
--- a/chrome/browser/net/ssl_config_service_manager_pref.cc
+++ b/chrome/browser/net/ssl_config_service_manager_pref.cc
@@ -140,6 +140,7 @@ class SSLConfigServiceManagerPref
BooleanPrefMember ssl3_enabled_;
BooleanPrefMember tls1_enabled_;
BooleanPrefMember origin_bound_certs_enabled_;
+ BooleanPrefMember ssl_record_splitting_disabled_;
// The cached list of disabled SSL cipher suites.
std::vector<uint16> disabled_cipher_suites_;
@@ -160,6 +161,8 @@ SSLConfigServiceManagerPref::SSLConfigServiceManagerPref(
tls1_enabled_.Init(prefs::kTLS1Enabled, local_state, this);
origin_bound_certs_enabled_.Init(prefs::kEnableOriginBoundCerts,
local_state, this);
+ ssl_record_splitting_disabled_.Init(prefs::kDisableSSLRecordSplitting,
+ local_state, this);
pref_change_registrar_.Init(local_state);
pref_change_registrar_.Add(prefs::kCipherSuiteBlacklist, this);
@@ -180,6 +183,8 @@ void SSLConfigServiceManagerPref::RegisterPrefs(PrefService* prefs) {
default_config.tls1_enabled);
prefs->RegisterBooleanPref(prefs::kEnableOriginBoundCerts,
default_config.origin_bound_certs_enabled);
+ prefs->RegisterBooleanPref(prefs::kDisableSSLRecordSplitting,
+ !default_config.false_start_enabled);
prefs->RegisterListPref(prefs::kCipherSuiteBlacklist);
// The Options menu used to allow changing the ssl.ssl3.enabled and
// ssl.tls1.enabled preferences, so some users' Local State may have
@@ -226,6 +231,8 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
config->tls1_enabled = tls1_enabled_.GetValue();
config->disabled_cipher_suites = disabled_cipher_suites_;
config->origin_bound_certs_enabled = origin_bound_certs_enabled_.GetValue();
+ // disabling False Start also happens to disable record splitting.
+ config->false_start_enabled = !ssl_record_splitting_disabled_.GetValue();
SSLConfigServicePref::SetSSLConfigFlags(config);
}
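Review bot: The comment on the new line in GetSSLConfigFromPrefs, `// disabling False Start also happens to disable record splitting.`, presents the coupling as incidental, but it is the entire mechanism: the `ssl.ssl_record_splitting.disabled` pref has no field of its own in SSLConfig and is honoured only by inverting it into `config->false_start_enabled`. State that explicitly so a maintainer who later adds a dedicated record-splitting flag knows this line must change, e.g. `// SSLConfig has no separate record-splitting switch; the pref is applied by turning off False Start, which also disables record splitting.` The same inversion gives the default in RegisterPrefs (`!default_config.false_start_enabled`), which keeps the two consistent only as long as both lines are changed together. GetSSLConfigFromPrefs and RegisterPrefs both begin outside their hunks.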
diff --git a/chrome/browser/policy/configuration_policy_handler_list.cc b/chrome/browser/policy/configuration_policy_handler_list.cc
index 7ed55b8..c001837 100644
--- a/chrome/browser/policy/configuration_policy_handler_list.cc
+++ b/chrome/browser/policy/configuration_policy_handler_list.cc
@@ -177,6 +177,9 @@ const PolicyToPreferenceMapEntry kSimplePolicyMap[] = {
{ key::kEnableOriginBoundCerts,
prefs::kEnableOriginBoundCerts,
Value::TYPE_BOOLEAN },
+ { key::kDisableSSLRecordSplitting,
+ prefs::kDisableSSLRecordSplitting,
+ Value::TYPE_BOOLEAN },
{ key::kAuthSchemes,
prefs::kAuthSchemes,
Value::TYPE_STRING },
diff --git a/chrome/browser/policy/configuration_policy_pref_store_unittest.cc b/chrome/browser/policy/configuration_policy_pref_store_unittest.cc
index 7e458de..f7082bf 100644
--- a/chrome/browser/policy/configuration_policy_pref_store_unittest.cc
+++ b/chrome/browser/policy/configuration_policy_pref_store_unittest.cc
@@ -219,6 +219,8 @@ INSTANTIATE_TEST_CASE_P(
prefs::kSavingBrowserHistoryDisabled),
PolicyAndPref(key::kEnableOriginBoundCerts,
prefs::kEnableOriginBoundCerts),
+ PolicyAndPref(key::kDisableSSLRecordSplitting,
+ prefs::kDisableSSLRecordSplitting),
PolicyAndPref(key::kDisableAuthNegotiateCnameLookup,
prefs::kDisableAuthNegotiateCnameLookup),
PolicyAndPref(key::kEnableAuthNegotiatePort,
diff --git a/chrome/browser/prefs/command_line_pref_store.cc b/chrome/browser/prefs/command_line_pref_store.cc
index 07c10ef..6865954 100644
--- a/chrome/browser/prefs/command_line_pref_store.cc
+++ b/chrome/browser/prefs/command_line_pref_store.cc
@@ -51,6 +51,8 @@ const CommandLinePrefStore::BooleanSwitchToPreferenceMapEntry
{ switches::kDisableTLS1, prefs::kTLS1Enabled, false },
{ switches::kEnableOriginBoundCerts, prefs::kEnableOriginBoundCerts,
true },
+ { switches::kDisableSSLFalseStart, prefs::kDisableSSLRecordSplitting,
+ true },
{ switches::kEnableMemoryInfo, prefs::kEnableMemoryInfo, false },
#if defined(GOOGLE_CHROME_BUILD)
{ switches::kDisablePrintPreview, prefs::kPrintPreviewDisabled, true },
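Review bot: The new table entry maps `switches::kDisableSSLFalseStart` onto `prefs::kDisableSSLRecordSplitting`, so the switch name and the pref name no longer match and nothing in this file explains why; the direct handling of the switch in BrowserMainLoop::EarlyInitialization is removed in the same commit. A one-line comment above the entry would carry that: `// --disable-ssl-false-start is applied via the record-splitting pref, which SSLConfigServiceManagerPref maps onto SSLConfig::false_start_enabled.` Embedders that do not use this pref store presumably lose the switch now that the BrowserMainLoop check is gone; worth confirming that is intended. The kSwitchToPreferenceMap array begins and ends outside the hunk.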
diff --git a/chrome/common/pref_names.cc b/chrome/common/pref_names.cc
index 98a8a0e..9fe2425 100644
--- a/chrome/common/pref_names.cc
+++ b/chrome/common/pref_names.cc
@@ -946,6 +946,7 @@ const char kSSL3Enabled[] = "ssl.ssl3.enabled";
const char kTLS1Enabled[] = "ssl.tls1.enabled";
const char kCipherSuiteBlacklist[] = "ssl.cipher_suites.blacklist";
const char kEnableOriginBoundCerts[] = "ssl.origin_bound_certs.enabled";
+const char kDisableSSLRecordSplitting[] = "ssl.ssl_record_splitting.disabled";
// The metrics client GUID and session ID.
const char kMetricsClientID[] = "user_experience_metrics.client_id";
diff --git a/chrome/common/pref_names.h b/chrome/common/pref_names.h
index 5e2a545..1d0be21 100644
--- a/chrome/common/pref_names.h
+++ b/chrome/common/pref_names.h
@@ -339,6 +339,7 @@ extern const char kSSL3Enabled[];
extern const char kTLS1Enabled[];
extern const char kCipherSuiteBlacklist[];
extern const char kEnableOriginBoundCerts[];
+extern const char kDisableSSLRecordSplitting[];
extern const char kEnableMemoryInfo[];
extern const char kMetricsClientID[];
diff --git a/chrome/test/data/enterprise/chrome-reverse.json b/chrome/test/data/enterprise/chrome-reverse.json
index 2d91988..b072a7e 100644
--- a/chrome/test/data/enterprise/chrome-reverse.json
+++ b/chrome/test/data/enterprise/chrome-reverse.json
@@ -25,6 +25,7 @@
"EnableAuthNegotiatePort": true,
"EnableMemoryInfo": true,
"EnableOriginBoundCerts": true,
+ "DisableSSLRecordSplitting": true,
"HomepageIsNewTabPage": false,
"HomepageLocation": "http://chromium.org",
"IncognitoEnabled": false,
diff --git a/chrome/test/data/enterprise/chrome.json b/chrome/test/data/enterprise/chrome.json
index 85c63a8..6c184b2 100644
--- a/chrome/test/data/enterprise/chrome.json
+++ b/chrome/test/data/enterprise/chrome.json
@@ -41,6 +41,7 @@
"EnableAuthNegotiatePort": false,
"EnableMemoryInfo": false,
"EnableOriginBoundCerts": false,
+ "DisableSSLRecordSplitting": false,
"EnabledPlugins": ["Java"],
"ExtensionInstallBlacklist": ["extension_id1", "extension_id2"],
"ExtensionInstallForcelist": ["extension_id1;https://clients2.google.com/service/update2/crx"],
diff --git a/chrome/test/functional/policy_prefs_ui.py b/chrome/test/functional/policy_prefs_ui.py
index db4f392..9ede39b 100755
--- a/chrome/test/functional/policy_prefs_ui.py
+++ b/chrome/test/functional/policy_prefs_ui.py
@@ -123,6 +123,7 @@ class PolicyPrefsUITest(policy_base.PolicyTestBase):
# Note: this policy is only used internally for now.
'ProxySettings': ({}, [], []),
'EnableOriginBoundCerts': (False, []),
+ 'DisableSSLRecordSplitting': (False, []),
'AuthSchemes': ('AuthSchemes', []),
'DisableAuthNegotiateCnameLookup': (True, []),
'EnableAuthNegotiatePort': (False, []),
diff --git a/content/browser/browser_main_loop.cc b/content/browser/browser_main_loop.cc
index 8203333..8579b78 100644
--- a/content/browser/browser_main_loop.cc
+++ b/content/browser/browser_main_loop.cc
@@ -256,8 +256,6 @@ void BrowserMainLoop::EarlyInitialization() {
SetupSandbox(parsed_command_line_);
#endif
- if (parsed_command_line_.HasSwitch(switches::kDisableSSLFalseStart))
- net::SSLConfigService::DisableFalseStart();
if (parsed_command_line_.HasSwitch(switches::kEnableSSLCachedInfo))
net::SSLConfigService::EnableCachedInfo();
if (parsed_command_line_.HasSwitch(
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index fba5373..983795e 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -60,7 +60,6 @@ bool SSLConfigService::IsKnownFalseStartIncompatibleServer(
}
static bool g_cached_info_enabled = false;
-static bool g_false_start_enabled = true;
static bool g_dns_cert_provenance_checking = false;
// GlobalCRLSet holds a reference to the global CRLSet. It simply wraps a lock
@@ -88,16 +87,6 @@ base::LazyInstance<GlobalCRLSet,
g_crl_set = LAZY_INSTANCE_INITIALIZER;
// static
-void SSLConfigService::DisableFalseStart() {
- g_false_start_enabled = false;
-}
-
-// static
-bool SSLConfigService::false_start_enabled() {
- return g_false_start_enabled;
-}
-
-// static
void SSLConfigService::EnableDNSCertProvenanceChecking() {
g_dns_cert_provenance_checking = true;
}
@@ -140,7 +129,6 @@ SSLConfigService::~SSLConfigService() {
// static
void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) {
- ssl_config->false_start_enabled = g_false_start_enabled;
ssl_config->dns_cert_provenance_checking_enabled =
g_dns_cert_provenance_checking;
ssl_config->cached_info_enabled = g_cached_info_enabled;
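Review bot: With the `false_start_enabled` assignment removed from SetSSLConfigFlags, the field's value now comes only from whichever SSLConfigService implementation fills in the SSLConfig (in this commit, SSLConfigServiceManagerPref); any other implementation presumably leaves it at SSLConfig's constructor default, which is not visible here, so confirm that default is true or the removal silently disables False Start for those callers. A short comment at this point would stop someone from re-adding a process-wide global: `// false_start_enabled is a per-config setting set by the SSLConfigService implementation, not a global flag.` SetSSLConfigFlags ends outside the hunk.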
@@ -155,7 +143,9 @@ void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
(orig_config.disabled_cipher_suites !=
new_config.disabled_cipher_suites) ||
(orig_config.origin_bound_certs_enabled !=
- new_config.origin_bound_certs_enabled);
+ new_config.origin_bound_certs_enabled) ||
+ (orig_config.false_start_enabled !=
+ new_config.false_start_enabled);
if (config_changed)
FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged());
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index 5a17750..e897db2 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -139,11 +139,6 @@ class NET_EXPORT SSLConfigService
// False Start.
static bool IsKnownFalseStartIncompatibleServer(const std::string& hostname);
- // Disables False Start in SSL connections.
- static void DisableFalseStart();
- // True if we use False Start for SSL and TLS.
- static bool false_start_enabled();
-
// Enables DNS side checks for certificates.
static void EnableDNSCertProvenanceChecking();
static bool dns_cert_provenance_checking_enabled();
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 50b7514..7989cdb 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -915,6 +915,7 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
#endif
#ifdef SSL_ENABLE_FALSE_START
+ LOG(ERROR) << "FALSE START " << ssl_config_.false_start_enabled;
rv = SSL_OptionSet(
nss_fd_, SSL_ENABLE_FALSE_START,
ssl_config_.false_start_enabled &&
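Review bot: The added `LOG(ERROR) << "FALSE START " << ssl_config_.false_start_enabled;` in InitializeSSLOptions runs on every SSL connection at error severity and reads like a leftover debugging aid; it will flood logs and classify normal operation as an error. Drop it, or if the value is worth tracing use `DVLOG(1) << "False Start enabled: " << ssl_config_.false_start_enabled;` so it costs nothing in release builds. InitializeSSLOptions begins and ends outside the hunk.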