Remove RC4 by default.
RC4 may still be re-enabled via the RC4Enabled administrative policy, until
sometime around September. Also control it via a field trial so we still have
an escape hatch should something catastrophic happen.
Keep the deprecated cipher suite fallback around (rename the parameter since I
got the naming convention wrong) since it's still got the IIS AES-GCM
workaround in it, and it will be used in not too long for DHE_RSA instead.
BUG=375342
TEST=Loading https://rc4.badssl.com/ fails with ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Relaunching Chrome with --force-fieldtrials=RC4Ciphers/Enabled/ makes that page succeed.
Relaunching Chrome after setting the RC4Enabled policy to true makes that page succeed.
(Note: press refresh when loading the site to make sure it's not cached.)
Review URL: https://codereview.chromium.org/1422293002
Cr-Commit-Position: refs/heads/master@{#357114}
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index e0c4100..8a8e742 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -1291,13 +1291,13 @@
// reflect servers require a deprecated cipher rather than merely prefer
// it. This, however, has no security benefit until the ciphers are actually
// removed.
- if (!server_ssl_config_.enable_deprecated_cipher_suites &&
+ if (!server_ssl_config_.deprecated_cipher_suites_enabled &&
(error == ERR_SSL_VERSION_OR_CIPHER_MISMATCH ||
error == ERR_CONNECTION_CLOSED || error == ERR_CONNECTION_RESET)) {
net_log_.AddEvent(
NetLog::TYPE_SSL_CIPHER_FALLBACK,
base::Bind(&NetLogSSLCipherFallbackCallback, &request_->url, error));
- server_ssl_config_.enable_deprecated_cipher_suites = true;
+ server_ssl_config_.deprecated_cipher_suites_enabled = true;
ResetConnectionAndRequestForResend();
return OK;
}
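Review bot: The context comment above the condition ("This, however, has no security benefit until the ciphers are actually removed.") looks stale after this change, since the commit message says RC4 is now off by default and the fallback is kept only for the IIS AES-GCM workaround and, later, DHE_RSA. Please update that comment to say what the fallback re-enables today. It is also worth stating there that the retry fires on ERR_CONNECTION_CLOSED and ERR_CONNECTION_RESET as well as ERR_SSL_VERSION_OR_CIPHER_MISMATCH, so the fallback can be triggered by a connection failure and not only by a server that genuinely requires a deprecated suite. Separately, deprecated_cipher_suites_enabled now reads like a static setting, yet it is assigned here as per-request retry state; a short comment on the field saying that it is set by the fallback path would avoid confusion with the RC4Enabled policy.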
@@ -1514,7 +1514,7 @@
}
UMA_HISTOGRAM_BOOLEAN("Net.ConnectionUsedSSLDeprecatedCipherFallback2",
- server_ssl_config_.enable_deprecated_cipher_suites);
+ server_ssl_config_.deprecated_cipher_suites_enabled);
if (server_ssl_config_.version_fallback) {
// Record the error code which triggered the fallback and the state the
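Review bot: The histogram name "Net.ConnectionUsedSSLDeprecatedCipherFallback2" is unchanged while the field it records is renamed and, per the commit message, what sits behind the fallback is changing. If the set of suites enabled by the fallback differs after this commit, samples recorded before and after are not comparable under the same name; consider bumping the suffix or updating the histogram description so the data can be read correctly when deciding whether the fallback can be removed.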