-
davidben authored
It's believed that the majority (over 80%) of TLS version downgrades remaining come from out-of-date IIS servers with the AES-GCM bug (crbug/433406). From probing servers some time back, it appears that, of those, the IIS 8.0 ones prefer TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 over the broken GCMs. Adding that cipher may drive the number down enough to be worthwhile. Experimentally add this cipher to the list to see what it does to the metrics. It may yet be worth trying to drop the fallback without this workaround, since the server-side fix is so easy, but run with this a bit to get numbers on what the options are. As we otherwise would not have exposed a new legacy CBC mode cipher, this cipher is placed on the deprecated cipher fallback. This way we can continue to monitor things which need it and hopefully eventually phase it out once the install-base has taken their updates. BUG=536200 Review URL: https://codereview.chromium.org/1366253005 Cr-Commit-Position: refs/heads/master@{#351205}
91585690
