-rw-r--r--chrome/browser/browser_main.cc2
-rw-r--r--chrome/browser/net/ssl_config_service_manager_pref.cc3
-rw-r--r--chrome/common/chrome_switches.cc6
-rw-r--r--chrome/common/chrome_switches.h1
-rw-r--r--net/base/ssl_config_service.cc18
-rw-r--r--net/base/ssl_config_service.h19
-rw-r--r--net/base/ssl_config_service_defaults.h3
-rw-r--r--net/base/ssl_config_service_mac.cc3
-rw-r--r--net/base/ssl_config_service_win.cc3
-rw-r--r--net/http/http_stream_request.cc3
-rw-r--r--net/socket/ssl_client_socket_nss.cc3
11 files changed, 54 insertions, 10 deletions
diff --git a/chrome/browser/browser_main.cc b/chrome/browser/browser_main.cc
index dad1cec..5f518a4 100644
--- a/chrome/browser/browser_main.cc
+++ b/chrome/browser/browser_main.cc
@@ -180,6 +180,8 @@ void BrowserMainParts::EarlyInitialization() {
net::SSLConfigService::EnableDNSSEC();
if (parsed_command_line().HasSwitch(switches::kDisableSSLFalseStart))
net::SSLConfigService::DisableFalseStart();
+ if (parsed_command_line().HasSwitch(switches::kAllowSSLMITMProxies))
+ net::SSLConfigService::AllowMITMProxies();
PostEarlyInitialization();
}
diff --git a/chrome/browser/net/ssl_config_service_manager_pref.cc b/chrome/browser/net/ssl_config_service_manager_pref.cc
index 23954c1..ab81ea3 100644
--- a/chrome/browser/net/ssl_config_service_manager_pref.cc
+++ b/chrome/browser/net/ssl_config_service_manager_pref.cc
@@ -145,8 +145,7 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
config->ssl2_enabled = ssl2_enabled_.GetValue();
config->ssl3_enabled = ssl3_enabled_.GetValue();
config->tls1_enabled = tls1_enabled_.GetValue();
- config->dnssec_enabled = net::SSLConfigService::dnssec_enabled();
- config->false_start_enabled = net::SSLConfigService::false_start_enabled();
+ net::SSLConfigService::SetSSLConfigFlags(config);
}
////////////////////////////////////////////////////////////////////////////////
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index bc00a4ef..529e7a4 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -22,6 +22,12 @@ const char kActivateOnLaunch[] = "activate-on-launch";
// override for developers who need the old behavior for testing.
const char kAllowFileAccessFromFiles[] = "allow-file-access-from-files";
+// Disable checking of the renegotiation extension and any future checks over
+// and above what a "traditional" SSL stack might do. This has been requested
+// in order to support some web development tools that intercept SSL
+// connections.
+const char kAllowSSLMITMProxies[] = "allow-ssl-mitm-proxies";
+
// Allows debugging of sandboxed processes (see zygote_main_linux.cc).
const char kAllowSandboxDebugging[] = "allow-sandbox-debugging";
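Review bot: The comment above kAllowSSLMITMProxies does not say what the switch actually costs: elsewhere in this commit the flag is applied process-wide (browser_main.cc calls net::SSLConfigService::AllowMITMProxies(), and ssl_client_socket_nss.cc then skips SSL_REQUIRE_SAFE_NEGOTIATION for known strict servers), so every TLS connection in the process loses that protection, not only those going through an intercepting tool. Since this is a security-weakening developer switch, the comment should say so plainly, e.g. `// Disables the safe-renegotiation requirement for known strict TLS servers (and` `// any future checks beyond a "traditional" SSL stack) for ALL connections in this` `// process. Only for developers using SSL-intercepting tools; never for normal use.`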
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index 6f0ce67..86eba94 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -22,6 +22,7 @@ namespace switches {
// alongside the definition of their values in the .cc file.
extern const char kActivateOnLaunch[];
extern const char kAllowFileAccessFromFiles[];
+extern const char kAllowSSLMITMProxies[];
extern const char kAllowSandboxDebugging[];
extern const char kAllowScriptingGallery[];
extern const char kAlwaysEnableDevTools[];
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index 1b367ed..226798d 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -75,6 +75,14 @@ bool SSLConfigService::IsKnownFalseStartIncompatibleServer(
static bool g_dnssec_enabled = false;
static bool g_false_start_enabled = true;
+static bool g_mitm_proxies_allowed = false;
+
+// static
+void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) {
+ ssl_config->dnssec_enabled = g_dnssec_enabled;
+ ssl_config->false_start_enabled = g_false_start_enabled;
+ ssl_config->mitm_proxies_allowed = g_mitm_proxies_allowed;
+}
// static
void SSLConfigService::EnableDNSSEC() {
@@ -96,4 +104,14 @@ bool SSLConfigService::false_start_enabled() {
return g_false_start_enabled;
}
+// static
+void SSLConfigService::AllowMITMProxies() {
+ g_mitm_proxies_allowed = true;
+}
+
+// static
+bool SSLConfigService::mitm_proxies_allowed() {
+ return g_mitm_proxies_allowed;
+}
+
} // namespace net
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index 75a4f74..748d8e4 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -20,7 +20,7 @@ struct SSLConfig {
SSLConfig()
: rev_checking_enabled(true), ssl2_enabled(false), ssl3_enabled(true),
tls1_enabled(true), ssl3_fallback(false), dnssec_enabled(false),
- false_start_enabled(true),
+ mitm_proxies_allowed(false), false_start_enabled(true),
send_client_cert(false), verify_ev_cert(false) {
}
@@ -33,6 +33,15 @@ struct SSLConfig {
// needs to clear tls1_enabled).
bool dnssec_enabled; // True if we'll accept DNSSEC chains in certificates.
+ // True if we believe that this connection might be MITM attacked. This
+ // sounds a little worse than it is: large networks sometimes MITM attack all
+ // SSL connections on egress. We want to know this because we might not have
+ // the end-to-end connection that we believe that we have based on the
+ // hostname. Therefore, certain certificate checks can't be performed and we
+ // can't use outside knowledge about whether the server has the renegotiation
+ // extension.
+ bool mitm_proxies_allowed;
+
bool false_start_enabled; // True if we'll use TLS False Start.
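Review bot: The new comment says that with mitm_proxies_allowed "certain certificate checks can't be performed", but in this commit the only consumer of the flag is the SSL_REQUIRE_SAFE_NEGOTIATION gate in ssl_client_socket_nss.cc; nothing in certificate verification reads it. A reader of this header will assume certificate validation is relaxed by the flag, which (as far as this diff shows) it is not. Suggest stating what the flag does today and separating the forward-looking intent, e.g. `// Today this only stops us from requiring the safe-renegotiation extension from` `// known strict servers; it may gate further "end-to-end only" checks later.` If a certificate check is already gated on this flag somewhere outside the diff, the comment should name it instead.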
// TODO(wtc): move the following members to a new SSLParams structure. They
@@ -109,12 +118,20 @@ class SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> {
static void EnableDNSSEC();
static bool dnssec_enabled();
+ // Enables the |may_be_manipulated| flag in SSLConfig objects. See the
+ // comment about this flag in |SSLConfig|.
+ static void AllowMITMProxies();
+ static bool mitm_proxies_allowed();
+
// Disables False Start in SSL connections.
static void DisableFalseStart();
// True if we use False Start for SSL and TLS.
static bool false_start_enabled();
protected:
+ // SetFlags sets the values of several flags based on global configuration.
+ static void SetSSLConfigFlags(SSLConfig*);
+
friend class base::RefCountedThreadSafe<SSLConfigService>;
virtual ~SSLConfigService() {}
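Review bot: The comment on AllowMITMProxies refers to a `|may_be_manipulated|` flag, but the SSLConfig member added in this commit is `mitm_proxies_allowed`; the reference should be `// Sets the |mitm_proxies_allowed| flag in SSLConfig objects. See the` `// comment about this flag in |SSLConfig|.`. Likewise the protected declaration is documented as "SetFlags" while the function is named SetSSLConfigFlags; `// SetSSLConfigFlags copies the process-wide flags (DNSSEC, MITM proxies, False Start) into |ssl_config|.` would match the implementation in ssl_config_service.cc. The class body continues outside this hunk.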
diff --git a/net/base/ssl_config_service_defaults.h b/net/base/ssl_config_service_defaults.h
index 04eff1c..58d0f2d 100644
--- a/net/base/ssl_config_service_defaults.h
+++ b/net/base/ssl_config_service_defaults.h
@@ -20,8 +20,7 @@ class SSLConfigServiceDefaults : public SSLConfigService {
// Store default SSL config settings in |config|.
virtual void GetSSLConfig(SSLConfig* config) {
*config = default_config_;
- config->dnssec_enabled = SSLConfigService::dnssec_enabled();
- config->false_start_enabled = SSLConfigService::false_start_enabled();
+ SetSSLConfigFlags(config);
}
private:
diff --git a/net/base/ssl_config_service_mac.cc b/net/base/ssl_config_service_mac.cc
index 63fc017..492312c 100644
--- a/net/base/ssl_config_service_mac.cc
+++ b/net/base/ssl_config_service_mac.cc
@@ -95,8 +95,7 @@ bool SSLConfigServiceMac::GetSSLConfigNow(SSLConfig* config) {
kSSL3EnabledDefaultValue);
config->tls1_enabled = SSLVersionIsEnabled(kTLS1EnabledKey,
kTLS1EnabledDefaultValue);
- config->dnssec_enabled = SSLConfigService::dnssec_enabled();
- config->false_start_enabled = SSLConfigService::false_start_enabled();
+ SSLConfigService::SetSSLConfigFlags(config);
return true;
}
diff --git a/net/base/ssl_config_service_win.cc b/net/base/ssl_config_service_win.cc
index 646e264..b4232aa 100644
--- a/net/base/ssl_config_service_win.cc
+++ b/net/base/ssl_config_service_win.cc
@@ -75,8 +75,7 @@ bool SSLConfigServiceWin::GetSSLConfigNow(SSLConfig* config) {
config->ssl2_enabled = ((protocols & SSL2) != 0);
config->ssl3_enabled = ((protocols & SSL3) != 0);
config->tls1_enabled = ((protocols & TLS1) != 0);
- config->dnssec_enabled = SSLConfigService::dnssec_enabled();
- config->false_start_enabled = SSLConfigService::false_start_enabled();
+ SSLConfigService::SetSSLConfigFlags(config);
return true;
}
diff --git a/net/http/http_stream_request.cc b/net/http/http_stream_request.cc
index f50c3c2..b3310a8 100644
--- a/net/http/http_stream_request.cc
+++ b/net/http/http_stream_request.cc
@@ -520,6 +520,9 @@ int HttpStreamRequest::DoInitConnection() {
if (request_info().load_flags & LOAD_VERIFY_EV_CERT)
ssl_config()->verify_ev_cert = true;
+ if (proxy_info()->proxy_server().scheme() == ProxyServer::SCHEME_HTTP)
+ ssl_config()->mitm_proxies_allowed = true;
+
scoped_refptr<SSLSocketParams> ssl_params =
new SSLSocketParams(tcp_params, http_proxy_params, socks_params,
proxy_info()->proxy_server().scheme(),
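Review bot: The added check sets mitm_proxies_allowed for every request whose proxy scheme is SCHEME_HTTP, independent of the --allow-ssl-mitm-proxies switch, so the safe-renegotiation requirement for known strict servers is dropped whenever an HTTP proxy is in use — including proxies picked up from automatic configuration, which is not something the user explicitly opted into the way the switch is. If that is deliberate (the SSLConfig comment argues that large networks intercept egress TLS), the reasoning belongs next to the check, e.g. `// HTTPS through an HTTP proxy is a CONNECT tunnel that may be intercepted; don't insist on checks that assume an end-to-end connection.`; if it is not, the condition should also require `SSLConfigService::mitm_proxies_allowed()` or a dedicated policy. Note that no log line records that a weaker mode was selected for this request. DoInitConnection continues outside the hunk.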
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index b02eb2b..c676c08 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -513,7 +513,8 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
#endif
#ifdef SSL_ENABLE_RENEGOTIATION
- if (SSLConfigService::IsKnownStrictTLSServer(hostname_)) {
+ if (SSLConfigService::IsKnownStrictTLSServer(hostname_) &&
+ !ssl_config_.mitm_proxies_allowed) {
rv = SSL_OptionSet(nss_fd_, SSL_REQUIRE_SAFE_NEGOTIATION, PR_TRUE);
if (rv != SECSuccess)
LOG(INFO) << "SSL_REQUIRE_SAFE_NEGOTIATION failed.";
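Review bot: When mitm_proxies_allowed is set, the new condition silently skips SSL_REQUIRE_SAFE_NEGOTIATION for a host that IsKnownStrictTLSServer says should get it, and nothing in the log distinguishes that from an ordinary connection; the failure path right below at least logs. Since this is exactly the case an operator would want to see when investigating a downgraded connection, suggest logging the skip after the if's closing brace (which is outside this hunk): `} else if (ssl_config_.mitm_proxies_allowed && SSLConfigService::IsKnownStrictTLSServer(hostname_)) {` `LOG(INFO) << "Not requiring safe renegotiation for " << hostname_ << " (MITM proxies allowed)";` `}`. Computing the IsKnownStrictTLSServer result once into a local would avoid the double lookup.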