diff options
author | Ben Murdoch <benm@google.com> | 2011-01-16 15:17:15 +0000 |
---|---|---|
committer | Ben Murdoch <benm@google.com> | 2011-01-16 15:18:37 +0000 |
commit | ac1e49eb6695f711d72215fcdf9388548942a00d (patch) | |
tree | 88c78e7d66603996cf0dc78d7676b11d57a305bd /net/http/http_network_transaction.cc | |
parent | dac52a1b6f0c401bccca1e5713f782a8b26345b3 (diff) | |
download | external_chromium-ac1e49eb6695f711d72215fcdf9388548942a00d.zip external_chromium-ac1e49eb6695f711d72215fcdf9388548942a00d.tar.gz external_chromium-ac1e49eb6695f711d72215fcdf9388548942a00d.tar.bz2 |
Merge Chromium at 9.0.597.69: Trivial merge by Git.
/branches/597/src@71538
Change-Id: Id9fad65a5e6d2ab901d9c8bff6dbf96ab7977f36
Diffstat (limited to 'net/http/http_network_transaction.cc')
-rw-r--r-- | net/http/http_network_transaction.cc | 81 |
1 files changed, 54 insertions, 27 deletions
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc index c84dfa4..7621e5a 100644 --- a/net/http/http_network_transaction.cc +++ b/net/http/http_network_transaction.cc @@ -537,6 +537,10 @@ int HttpNetworkTransaction::DoCreateStreamComplete(int result) { result = HandleCertificateRequest(result); } + // Handle possible handshake errors that may have occurred if the stream + // used SSL for one or more of the layers. + result = HandleSSLHandshakeError(result); + // At this point we are done with the stream_request_. stream_request_.reset(); return result; @@ -679,23 +683,6 @@ int HttpNetworkTransaction::DoReadHeadersComplete(int result) { result = HandleCertificateRequest(result); if (result == OK) return result; - } else if ((result == ERR_SSL_DECOMPRESSION_FAILURE_ALERT || - result == ERR_SSL_BAD_RECORD_MAC_ALERT) && - ssl_config_.tls1_enabled && - !SSLConfigService::IsKnownStrictTLSServer(request_->url.host())) { - // Some buggy servers select DEFLATE compression when offered and then - // fail to ever decompress anything. They will send a fatal alert telling - // us this. Normally we would pick this up during the handshake because - // our Finished message is compressed and we'll never get the server's - // Finished if it fails to process ours. - // - // However, with False Start, we'll believe that the handshake is - // complete as soon as we've /sent/ our Finished message. In this case, - // we only find out that the server is buggy here, when we try to read - // the initial reply. - session_->http_stream_factory()->AddTLSIntolerantServer(request_->url); - ResetConnectionAndRequestForResend(); - return OK; } if (result < 0 && result != ERR_CONNECTION_CLOSED) @@ -1007,11 +994,61 @@ int HttpNetworkTransaction::HandleCertificateRequest(int error) { return OK; } +// TODO(rch): This does not correctly handle errors when an SSL proxy is +// being used, as all of the errors are handled as if they were generated +// by the endpoint host, request_->url, rather than considering if they were +// generated by the SSL proxy. http://crbug.com/66424 +int HttpNetworkTransaction::HandleSSLHandshakeError(int error) { + DCHECK(request_); + if (ssl_config_.send_client_cert && + (error == ERR_SSL_PROTOCOL_ERROR || + error == ERR_BAD_SSL_CLIENT_AUTH_CERT)) { + session_->ssl_client_auth_cache()->Remove( + GetHostAndPort(request_->url)); + } + + switch (error) { + case ERR_SSL_PROTOCOL_ERROR: + case ERR_SSL_VERSION_OR_CIPHER_MISMATCH: + case ERR_SSL_DECOMPRESSION_FAILURE_ALERT: + case ERR_SSL_BAD_RECORD_MAC_ALERT: + if (ssl_config_.tls1_enabled && + !SSLConfigService::IsKnownStrictTLSServer(request_->url.host())) { + // This could be a TLS-intolerant server, an SSL 3.0 server that + // chose a TLS-only cipher suite or a server with buggy DEFLATE + // support. Turn off TLS 1.0, DEFLATE support and retry. + session_->http_stream_factory()->AddTLSIntolerantServer(request_->url); + ResetConnectionAndRequestForResend(); + error = OK; + } + break; + case ERR_SSL_SNAP_START_NPN_MISPREDICTION: + // This means that we tried to Snap Start a connection, but we + // mispredicted the NPN result. This isn't a problem from the point of + // view of the SSL layer because the server will ignore the application + // data in the Snap Start extension. However, at the HTTP layer, we have + // already decided that it's a HTTP or SPDY connection and it's easier to + // abort and start again. + ResetConnectionAndRequestForResend(); + error = OK; + break; + } + return error; +} + // This method determines whether it is safe to resend the request after an // IO error. It can only be called in response to request header or body // write errors or response header read errors. It should not be used in // other cases, such as a Connect error. int HttpNetworkTransaction::HandleIOError(int error) { + // SSL errors may happen at any time during the stream and indicate issues + // with the underlying connection. Because the peer may request + // renegotiation at any time, check and handle any possible SSL handshake + // related errors. In addition to renegotiation, TLS False/Snap Start may + // cause SSL handshake errors to be delayed until the first Read on the + // underlying connection. + error = HandleSSLHandshakeError(error); + switch (error) { // If we try to reuse a connection that the server is in the process of // closing, we may end up successfully writing out our request (or a @@ -1025,16 +1062,6 @@ int HttpNetworkTransaction::HandleIOError(int error) { error = OK; } break; - case ERR_SSL_SNAP_START_NPN_MISPREDICTION: - // This means that we tried to Snap Start a connection, but we - // mispredicted the NPN result. This isn't a problem from the point of - // view of the SSL layer because the server will ignore the application - // data in the Snap Start extension. However, at the HTTP layer, we have - // already decided that it's a HTTP or SPDY connection and it's easier to - // abort and start again. - ResetConnectionAndRequestForResend(); - error = OK; - break; } return error; } |