Only record fallback metrics on successful requests.
While this still counts spurious fallbacks, it won't count connections to https
URLs which never succeeded at all. Hopefully this'll be slightly more accurate.
BUG=459690
Review URL: https://codereview.chromium.org/1116063006
Cr-Commit-Position: refs/heads/master@{#328177}
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index 2de1399..981fcb6 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -771,6 +771,8 @@
CopyConnectionAttemptsFromStreamRequest();
if (result == OK) {
+ if (request_->url.SchemeIsCryptographic())
+ RecordSSLFallbackMetrics();
next_state_ = STATE_INIT_STREAM;
DCHECK(stream_.get());
} else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
@@ -1430,6 +1432,49 @@
establishing_tunnel_ = false;
}
+void HttpNetworkTransaction::RecordSSLFallbackMetrics() {
+ // Note: these values are used in histograms, so new values must be appended.
+ enum FallbackVersion {
+ FALLBACK_NONE = 0, // SSL version fallback did not occur.
+ FALLBACK_SSL3 = 1, // Fell back to SSL 3.0.
+ FALLBACK_TLS1 = 2, // Fell back to TLS 1.0.
+ FALLBACK_TLS1_1 = 3, // Fell back to TLS 1.1.
+ FALLBACK_MAX,
+ };
+
+ FallbackVersion fallback = FALLBACK_NONE;
+ if (server_ssl_config_.version_fallback) {
+ switch (server_ssl_config_.version_max) {
+ case SSL_PROTOCOL_VERSION_SSL3:
+ fallback = FALLBACK_SSL3;
+ break;
+ case SSL_PROTOCOL_VERSION_TLS1:
+ fallback = FALLBACK_TLS1;
+ break;
+ case SSL_PROTOCOL_VERSION_TLS1_1:
+ fallback = FALLBACK_TLS1_1;
+ break;
+ default:
+ NOTREACHED();
+ }
+ }
+ UMA_HISTOGRAM_ENUMERATION("Net.ConnectionUsedSSLVersionFallback2", fallback,
+ FALLBACK_MAX);
+
+ // Google servers are known to implement TLS 1.2 and FALLBACK_SCSV, so it
+ // should be impossible to successfully connect to them with the fallback.
+ // This helps estimate intolerant locally-configured SSL MITMs.
+ const std::string& host = request_->url.host();
+ if (EndsWith(host, "google.com", true) &&
+ (host.size() == 10 || host[host.size() - 11] == '.')) {
+ UMA_HISTOGRAM_ENUMERATION("Net.GoogleConnectionUsedSSLVersionFallback2",
+ fallback, FALLBACK_MAX);
+ }
+
+ UMA_HISTOGRAM_BOOLEAN("Net.ConnectionUsedSSLDeprecatedCipherFallback2",
+ server_ssl_config_.enable_deprecated_cipher_suites);
+}
+
HttpResponseHeaders* HttpNetworkTransaction::GetResponseHeaders() const {
return response_.headers.get();
}
diff --git a/net/http/http_network_transaction.h b/net/http/http_network_transaction.h
index a3a9ef7..09e0a972 100644
--- a/net/http/http_network_transaction.h
+++ b/net/http/http_network_transaction.h
@@ -235,6 +235,9 @@
// to be maintained for multi-round auth.
void ResetStateForAuthRestart();
+ // Records metrics relating to SSL fallbacks.
+ void RecordSSLFallbackMetrics();
+
// Returns true if we should try to add a Proxy-Authorization header
bool ShouldApplyProxyAuth() const;
diff --git a/net/http/http_stream_factory_impl_job.cc b/net/http/http_stream_factory_impl_job.cc
index 8910c8f..38f185a4 100644
--- a/net/http/http_stream_factory_impl_job.cc
+++ b/net/http/http_stream_factory_impl_job.cc
@@ -1269,47 +1269,6 @@
ssl_config->false_start_enabled = false;
}
- enum {
- FALLBACK_NONE = 0, // SSL version fallback did not occur.
- FALLBACK_SSL3 = 1, // Fell back to SSL 3.0.
- FALLBACK_TLS1 = 2, // Fell back to TLS 1.0.
- FALLBACK_TLS1_1 = 3, // Fell back to TLS 1.1.
- FALLBACK_MAX
- };
-
- int fallback = FALLBACK_NONE;
- if (ssl_config->version_fallback) {
- switch (ssl_config->version_max) {
- case SSL_PROTOCOL_VERSION_SSL3:
- fallback = FALLBACK_SSL3;
- break;
- case SSL_PROTOCOL_VERSION_TLS1:
- fallback = FALLBACK_TLS1;
- break;
- case SSL_PROTOCOL_VERSION_TLS1_1:
- fallback = FALLBACK_TLS1_1;
- break;
- }
- }
- UMA_HISTOGRAM_ENUMERATION("Net.ConnectionUsedSSLVersionFallback",
- fallback, FALLBACK_MAX);
-
- UMA_HISTOGRAM_BOOLEAN("Net.ConnectionUsedSSLDeprecatedCipherFallback",
- ssl_config->enable_deprecated_cipher_suites);
-
- // We also wish to measure the amount of fallback connections for a host that
- // we know implements TLS up to 1.2. Ideally there would be no fallback here
- // but high numbers of SSLv3 would suggest that SSLv3 fallback is being
- // caused by network middleware rather than buggy HTTPS servers.
- const std::string& host = server.host();
- if (!is_proxy &&
- host.size() >= 10 &&
- host.compare(host.size() - 10, 10, "google.com") == 0 &&
- (host.size() == 10 || host[host.size()-11] == '.')) {
- UMA_HISTOGRAM_ENUMERATION("Net.GoogleConnectionUsedSSLVersionFallback",
- fallback, FALLBACK_MAX);
- }
-
if (request_info_.load_flags & LOAD_VERIFY_EV_CERT)
ssl_config->verify_ev_cert = true;
