Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(375)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 22633004: Handle the TLS version fallback on the bad_record_mac alert error in (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Comment fix Created 7 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« net/http/http_network_transaction.cc ('K') | « net/http/http_network_transaction.cc ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
6 // from AuthCertificateCallback() in 6 // from AuthCertificateCallback() in
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
8 8
9 /* ***** BEGIN LICENSE BLOCK ***** 9 /* ***** BEGIN LICENSE BLOCK *****
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
(...skipping 1843 matching lines...) Expand 10 before | Expand all | Expand 10 after
1854 // fallback will be more painful for TLS 1.2 when we have GCM support. 1854 // fallback will be more painful for TLS 1.2 when we have GCM support.
1855 // 1855 //
1856 // ERR_CONNECTION_RESET is a common network error, so we don't want it 1856 // ERR_CONNECTION_RESET is a common network error, so we don't want it
1857 // to trigger a version fallback in general, especially the TLS 1.0 -> 1857 // to trigger a version fallback in general, especially the TLS 1.0 ->
1858 // SSL 3.0 fallback, which would drop TLS extensions. 1858 // SSL 3.0 fallback, which would drop TLS extensions.
1859 if (prerr == PR_CONNECT_RESET_ERROR && 1859 if (prerr == PR_CONNECT_RESET_ERROR &&
1860 ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1_1) { 1860 ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1_1) {
1861 net_error = ERR_SSL_PROTOCOL_ERROR; 1861 net_error = ERR_SSL_PROTOCOL_ERROR;
1862 } 1862 }
1863 1863
1864 // Some broken SSL devices negotiate TLS 1.0 when sent a TLS 1.1 or 1.2
1865 // ClientHello, but then return a bad-record-MAC alert. See
1866 // crbug.com/260358. In order to make the fallback as minimal as possible,
1867 // this fallback is only triggered for >= TLS 1.1.
1868 if (net_error == ERR_SSL_BAD_RECORD_MAC_ALERT &&
1869 ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1_1) {
1870 net_error = ERR_SSL_PROTOCOL_ERROR;
1871 }
1872
1873 // If not done, stay in this state 1864 // If not done, stay in this state
1874 if (net_error == ERR_IO_PENDING) { 1865 if (net_error == ERR_IO_PENDING) {
1875 GotoState(STATE_HANDSHAKE); 1866 GotoState(STATE_HANDSHAKE);
1876 } else { 1867 } else {
1877 PostOrRunCallback( 1868 PostOrRunCallback(
1878 FROM_HERE, 1869 FROM_HERE,
1879 base::Bind(&AddLogEventWithCallback, weak_net_log_, 1870 base::Bind(&AddLogEventWithCallback, weak_net_log_,
1880 NetLog::TYPE_SSL_HANDSHAKE_ERROR, 1871 NetLog::TYPE_SSL_HANDSHAKE_ERROR,
1881 CreateNetLogSSLErrorCallback(net_error, prerr))); 1872 CreateNetLogSSLErrorCallback(net_error, prerr)));
1882 } 1873 }
(...skipping 1621 matching lines...) Expand 10 before | Expand all | Expand 10 after
3504 EnsureThreadIdAssigned(); 3495 EnsureThreadIdAssigned();
3505 base::AutoLock auto_lock(lock_); 3496 base::AutoLock auto_lock(lock_);
3506 return valid_thread_id_ == base::PlatformThread::CurrentId(); 3497 return valid_thread_id_ == base::PlatformThread::CurrentId();
3507 } 3498 }
3508 3499
3509 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { 3500 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
3510 return server_bound_cert_service_; 3501 return server_bound_cert_service_;
3511 } 3502 }
3512 3503
3513 } // namespace net 3504 } // namespace net
OLDNEW
« net/http/http_network_transaction.cc ('K') | « net/http/http_network_transaction.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698