commit ca9d6916c5fedf6f0ee73dfc397cb0f65ad326b9
author davidben <davidben@chromium.org> Mon May 04 20:18:45 2015
committer Commit bot <commit-bot@chromium.org> Mon May 04 20:19:12 2015
tree d501aaa7d371629bb82345ffd6ce3bb355704901
parent 5d570de9f52eb44773ae7af8615717e367dde2e1

Only record fallback metrics on successful requests.

While this still counts spurious fallbacks, it won't count connections to https
URLs which never succeeded at all. Hopefully this'll be slightly more accurate.

BUG=459690

Review URL: https://codereview.chromium.org/1116063006

Cr-Commit-Position: refs/heads/master@{#328177}

net/http/http_network_transaction.cc

diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index 2de1399..981fcb6 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -771,6 +771,8 @@
     CopyConnectionAttemptsFromStreamRequest();
 
   if (result == OK) {
+    if (request_->url.SchemeIsCryptographic())
+      RecordSSLFallbackMetrics();
     next_state_ = STATE_INIT_STREAM;
     DCHECK(stream_.get());
   } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
@@ -1430,6 +1432,49 @@
   establishing_tunnel_ = false;
 }
 
+void HttpNetworkTransaction::RecordSSLFallbackMetrics() {
+  // Note: these values are used in histograms, so new values must be appended.
+  enum FallbackVersion {
+    FALLBACK_NONE = 0,    // SSL version fallback did not occur.
+    FALLBACK_SSL3 = 1,    // Fell back to SSL 3.0.
+    FALLBACK_TLS1 = 2,    // Fell back to TLS 1.0.
+    FALLBACK_TLS1_1 = 3,  // Fell back to TLS 1.1.
+    FALLBACK_MAX,
+  };
+
+  FallbackVersion fallback = FALLBACK_NONE;
+  if (server_ssl_config_.version_fallback) {
+    switch (server_ssl_config_.version_max) {
+      case SSL_PROTOCOL_VERSION_SSL3:
+        fallback = FALLBACK_SSL3;
+        break;
+      case SSL_PROTOCOL_VERSION_TLS1:
+        fallback = FALLBACK_TLS1;
+        break;
+      case SSL_PROTOCOL_VERSION_TLS1_1:
+        fallback = FALLBACK_TLS1_1;
+        break;
+      default:
+        NOTREACHED();
+    }
+  }
+  UMA_HISTOGRAM_ENUMERATION("Net.ConnectionUsedSSLVersionFallback2", fallback,
+                            FALLBACK_MAX);
+
+  // Google servers are known to implement TLS 1.2 and FALLBACK_SCSV, so it
+  // should be impossible to successfully connect to them with the fallback.
+  // This helps estimate intolerant locally-configured SSL MITMs.
+  const std::string& host = request_->url.host();
+  if (EndsWith(host, "google.com", true) &&
+      (host.size() == 10 || host[host.size() - 11] == '.')) {
+    UMA_HISTOGRAM_ENUMERATION("Net.GoogleConnectionUsedSSLVersionFallback2",
+                              fallback, FALLBACK_MAX);
+  }
+
+  UMA_HISTOGRAM_BOOLEAN("Net.ConnectionUsedSSLDeprecatedCipherFallback2",
+                        server_ssl_config_.enable_deprecated_cipher_suites);
+}
+
 HttpResponseHeaders* HttpNetworkTransaction::GetResponseHeaders() const {
   return response_.headers.get();
 }