Chromium Code Reviews Chromium Code Reviews
Issue 22633004:
Handle the TLS version fallback on the bad_record_mac alert error in (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/http_network_transaction.h" | 5 #include "net/http/http_network_transaction.h" |
| 6 | 6 |
| 7 #include <set> | 7 #include <set> |
| 8 #include <vector> | 8 #include <vector> |
| 9 | 9 |
| 10 #include "base/bind.h" | 10 #include "base/bind.h" |
| (...skipping 1201 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1212 // by the endpoint host, request_->url, rather than considering if they were | 1212 // by the endpoint host, request_->url, rather than considering if they were |
| 1213 // generated by the SSL proxy. http://crbug.com/69329 | 1213 // generated by the SSL proxy. http://crbug.com/69329 |
| 1214 int HttpNetworkTransaction::HandleSSLHandshakeError(int error) { | 1214 int HttpNetworkTransaction::HandleSSLHandshakeError(int error) { |
| 1215 DCHECK(request_); | 1215 DCHECK(request_); |
| 1216 if (server_ssl_config_.send_client_cert && | 1216 if (server_ssl_config_.send_client_cert && |
| 1217 (error == ERR_SSL_PROTOCOL_ERROR || IsClientCertificateError(error))) { | 1217 (error == ERR_SSL_PROTOCOL_ERROR || IsClientCertificateError(error))) { |
| 1218 session_->ssl_client_auth_cache()->Remove( | 1218 session_->ssl_client_auth_cache()->Remove( |
| 1219 GetHostAndPort(request_->url)); | 1219 GetHostAndPort(request_->url)); |
| 1220 } | 1220 } |
| 1221 | 1221 |
| 1222 bool should_fallback = false; | |
| 1222 uint16 version_max = server_ssl_config_.version_max; | 1223 uint16 version_max = server_ssl_config_.version_max; |
| 1223 | 1224 |
| 1224 switch (error) { | 1225 switch (error) { |
| 1225 case ERR_SSL_PROTOCOL_ERROR: | 1226 case ERR_SSL_PROTOCOL_ERROR: |
| 1226 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH: | 1227 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH: |
| 1227 if (version_max >= SSL_PROTOCOL_VERSION_TLS1 && | 1228 if (version_max >= SSL_PROTOCOL_VERSION_TLS1 && |
| 1228 version_max > server_ssl_config_.version_min) { | 1229 version_max > server_ssl_config_.version_min) { |
| 1229 // This could be a TLS-intolerant server or a server that chose a | 1230 // This could be a TLS-intolerant server or a server that chose a |
| 1230 // cipher suite defined only for higher protocol versions (such as | 1231 // cipher suite defined only for higher protocol versions (such as |
| 1231 // an SSL 3.0 server that chose a TLS-only cipher suite). Fall | 1232 // an SSL 3.0 server that chose a TLS-only cipher suite). Fall |
| (...skipping 11 matching lines...) Expand all Loading... | |
| 1243 // reasons, there is a high risk of breaking the servers if this is | 1244 // reasons, there is a high risk of breaking the servers if this is |
| 1244 // done in general. | 1245 // done in general. |
| 1245 // For now SSL 3.0 fallback is disabled for Google servers first, | 1246 // For now SSL 3.0 fallback is disabled for Google servers first, |
| 1246 // and will be expanded to other servers after enough experiences | 1247 // and will be expanded to other servers after enough experiences |
| 1247 // have been gained showing that this experiment works well with | 1248 // have been gained showing that this experiment works well with |
| 1248 // today's Internet. | 1249 // today's Internet. |
| 1249 if (version_max > SSL_PROTOCOL_VERSION_SSL3 || | 1250 if (version_max > SSL_PROTOCOL_VERSION_SSL3 || |
| 1250 (server_ssl_config_.unrestricted_ssl3_fallback_enabled || | 1251 (server_ssl_config_.unrestricted_ssl3_fallback_enabled || |
| 1251 !TransportSecurityState::IsGooglePinnedProperty( | 1252 !TransportSecurityState::IsGooglePinnedProperty( |
| 1252 request_->url.host(), true /* include SNI */))) { | 1253 request_->url.host(), true /* include SNI */))) { |
| 1253 net_log_.AddEvent( | 1254 should_fallback = true; |
| 1254 NetLog::TYPE_SSL_VERSION_FALLBACK, | |
| 1255 base::Bind(&NetLogSSLVersionFallbackCallback, | |
| 1256 &request_->url, error, server_ssl_config_.version_max, | |
| 1257 version_max)); | |
| 1258 server_ssl_config_.version_max = version_max; | |
| 1259 server_ssl_config_.version_fallback = true; | |
| 1260 ResetConnectionAndRequestForResend(); | |
| 1261 error = OK; | |
| 1262 } | 1255 } |
| 1263 } | 1256 } |
| 1264 break; | 1257 break; |
| 1258 case ERR_SSL_BAD_RECORD_MAC_ALERT: | |
| 1259 if (version_max >= SSL_PROTOCOL_VERSION_TLS1_1 && | |
| 1260 version_max > server_ssl_config_.version_min) { | |
| 1261 // Some broken SSL devices negotiate TLS 1.0 when sent a TLS 1.1 or | |
| 1262 // 1.2 ClientHello, but then return a bad_record_mac alert. See | |
| 1263 // crbug.com/260358. In order to make the fallback as minimal as | |
| 1264 // possible, this fallback is only triggered for >= TLS 1.1. | |
| 1265 version_max--; | |
|
wtc
2013/08/09 21:28:31
We can also change version_max directly to SSL_PRO
| |
| 1266 should_fallback = true; | |
| 1267 } | |
| 1268 break; | |
| 1269 } | |
| 1270 | |
| 1271 if (should_fallback) { | |
| 1272 net_log_.AddEvent( | |
| 1273 NetLog::TYPE_SSL_VERSION_FALLBACK, | |
| 1274 base::Bind(&NetLogSSLVersionFallbackCallback, | |
| 1275 &request_->url, error, server_ssl_config_.version_max, | |
| 1276 version_max)); | |
| 1277 server_ssl_config_.version_max = version_max; | |
| 1278 server_ssl_config_.version_fallback = true; | |
| 1279 ResetConnectionAndRequestForResend(); | |
| 1280 error = OK; | |
| 1265 } | 1281 } |
| 1266 | 1282 |
| 1267 return error; | 1283 return error; |
| 1268 } | 1284 } |
| 1269 | 1285 |
| 1270 // This method determines whether it is safe to resend the request after an | 1286 // This method determines whether it is safe to resend the request after an |
| 1271 // IO error. It can only be called in response to request header or body | 1287 // IO error. It can only be called in response to request header or body |
| 1272 // write errors or response header read errors. It should not be used in | 1288 // write errors or response header read errors. It should not be used in |
| 1273 // other cases, such as a Connect error. | 1289 // other cases, such as a Connect error. |
| 1274 int HttpNetworkTransaction::HandleIOError(int error) { | 1290 int HttpNetworkTransaction::HandleIOError(int error) { |
| (...skipping 186 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1461 description = base::StringPrintf("Unknown state 0x%08X (%u)", state, | 1477 description = base::StringPrintf("Unknown state 0x%08X (%u)", state, |
| 1462 state); | 1478 state); |
| 1463 break; | 1479 break; |
| 1464 } | 1480 } |
| 1465 return description; | 1481 return description; |
| 1466 } | 1482 } |
| 1467 | 1483 |
| 1468 #undef STATE_CASE | 1484 #undef STATE_CASE |
| 1469 | 1485 |
| 1470 } // namespace net | 1486 } // namespace net |
| OLD | NEW |
